Internet security: Credit cards vs PayPal vs Visa Load&Go

Trust is a delicate thing, and I’ve been losing mine bit by bit for years.

It started with a hacked credit card in the real world. An organised gang tampered with the EFTPOS terminals in my local supermarket, and half of Warrandyte ended up hacked. The banks reimbursed us and we all received new cards, but that experience made me wonder how safe my online purchases might be.

Always cautious, I signed up with PayPal thinking that it would be safer to have my credit card accessed by one company than many. For those who have never used PayPal, the system works like this:

  • I give PayPal access to my credit card account.
  • When I want to buy something online I use my PayPal account to pay for it.
  • PayPal pays the merchant and reimburses the payment from my credit card account.

In a sense, PayPal acts like my bank and is [almost] as safe unless:

  • PayPal itself is hacked or,
  • PayPal does a sweetheart deal with Microsoft.

The latter happened to me. I bought something from the Microsoft website and used my PayPal account to pay for it. No problems there. The problem happened the next time I wanted to buy something from Microsoft. When I selected PayPal as the payment option, the transaction went through without my having to log in to PayPal and authorise the payment. What the…?

To this day I don’t know exactly how that transaction went through the way it did, but I haven’t used PayPal since. Think about it. I’d logged into my Microsoft account okay, but that account is not as secure as logging into a bank, or PayPal. Yet that not-so-secure Microsoft website had direct access to my PayPal account which had direct access to my bank account…

‘Nuff said about PayPal and Microsoft. I went back to using my credit card until just recently when I noticed a very odd transaction on my internet banking:

Transaction record shown on internet banking

Now, before I begin unpacking this part of the story, I need to explain that Amazon Web Services [AWS] does not deal in piddly little retail transactions. I also need to explain that as an Indie author, I have absolutely no use for Amazon Web Services. Nor did I have an account with them.

<<Cue alarm bells>>

I went down all sorts of paths to find out what the hell was going on but:

  • Almost everything on Amazon.com is automated,
  • If your query doesn’t match one of the available categories you’re screwed,
  • The support for Amazon Web Services is all online,
  • You cannot access Amazon Web Services support unless you log in to their online website,
  • You can’t log in to the Amazon Web Services site unless you have an Amazon Web Services account…

<<Cue tearing of hair and ripe language>>

In the end, I had to create an AWS account in order to ask for an explanation. After a great deal of to-ing and fro-ing, including me to my bank, it transpired that the amount of the mystery transaction corresponded to my purchase of two ebooks from Amazon.com [currency conversion from USD to AUD taken into consideration].

So…Amazon.com processed that transaction. It then went through to my bank where the transaction was shown as having come from AWS. According to AWS, it was not their problem and my bank must have mis-categorised the transaction.

But…but…why would an Australian bank miscategorise a transaction coming from the US? More importantly, how would an Australian bank even know about AWS?

As it’s almost impossible to talk to a real person in Amazon.com, I gave up searching for more definitive answers, but my trust was shaken. Logging in to my Amazon.com account, I attempted to disable the 1-click payment option. I discovered that:

  • I can disable 1-click for all purchases except…ebooks,
  • If I wanted to continue buying ebooks from Amazon.com I’d have to live with 1-click,
  • Given that I can’t live without books and Amazon is the best place to buy them, I had to do something.

But first a question: why do I no longer trust 1-click?

The answer has to do with how Amazon’s 1-click works. With 1-click, I don’t have to enter credit cards numbers, expiry dates, and security codes each time I purchase something. Just a single click and I’m done.

1-click is very convenient, especially when you buy as many ebooks as I do, but there is a downside and that downside is that 1-click only works if my credit card details are available to Amazon all the time.

Now I have absolute faith that Amazon has no interest in cleaning out my bank account, but by the same token, I can’t think of any other way that a retail purchase from Amazon could have been miscategorised as an AWS payment.

I’d like to think that the miscategorisation was a simple, innocent computer glitch. Things do happen. But even that’s not comforting. And this, ladies and gentlemen, is where the pre-paid card comes in. Call it paranoia if you will, but after discovering how all our data — including credit card details- can be analysed to strip us of our privacy, I’d rather be paranoid than sorry.

According to my research, pre-paid cards are a bit like digital cash because you get to spend the value in the card without having to link it to your bank account. Think of it as a reloadable gift card that you can use anywhere.

Great in theory, but which pre-paid card and would it work as advertised?

After yet more online research — with DuckDuckGo as the search engine — I discovered that Visa offer a pre-paid card via my local Australia Post outlet. Better yet, the card can be re-loaded — i.e. topped up — via the ‘Pay Anyone’ option of my internet banking facility [or via Australia Post].

<<cue ‘Yay’>>

So off I went to purchase a prepaid card. The cost of the card itself was $6 and change, and I had to deposit a minimum of $20 right there at the post office. Not a problem.

I also had to provide a couple of pieces of ID, much the same as when you open a new bank account [here in Australia]. For me, the ID was driver’s licence and Medicare card.

The last thing I had to do was nominate a 6-digit ‘access code’. The nice man behind the counter explained that I would have to enter the access code when I registered the card. I would also need it to setup phone access. [The instructions are inside the packaging that comes with the card].

“You’ll get an sms on your phone.”

I did. The message contained a link to an Australia Post website. Following the link on my phone I could either log in via the phone or log in via the email they’d sent me.

As I have no intention of ever using my phone to access the pre-paid card, I found the email [in spam, of course] and completed the registration process via the large screen comfort of my computer.

The registration process is pretty much the same as you’d get on any website and has value for 2 reasons:

  • it allows you to change the access code you selected at the post office. This is kind of, critically, important as the post office is a public space and multiple people heard the temporary access code I selected,
  • it allows you to view your pre-paid card balance.

Although there are multiple ways of topping up the card, the Australia Post website is the only place where you can actually see how much you’ve got left to spend. Unless you have the skills of a math genius and the memory of an elephant, this is kind of critical too.

Okay, time for some pictures. The first one shows the back of my shiny new pre-paid card:

My pre-paid card minus all the naughty bits

Things to remember:

  • you have to sign the card just like any other credit/debit card,
  • the 3-digit security code is on the back of the card, in the yellow area where you have to put your signature [deleted from the screenshot],
  • Customer service numbers are on the back of the card. The good thing is that the overseas one displays the country code you’d have to include to call home from another country. The bad part is that the type is so small, I literally need a magnifying glass to read it,
  • if you want to set up a ‘Pay Anyone’ account for internet banking, the BSB and Account No. are both on the back of the card.

I hate to look stupid in public, but it took me forever to realise that the BSB and Account No. were actually right there, on the back of the card:

Visa pre-paid card, BSB number

Clearly I missed it because the type was so small….

Okay, so I created a new ‘Pay Anyone’ contact [using ‘Load&Go’ as the account name] and immediately topped up my spending money:

Pay Anyone with the Bendigo Bank

<<cue another ‘yay’>>

Now for the real test: would the new card work as advertised?

As I’d begun this whole quest in order to make Amazon’s 1-click process safer [in my mind if nothing else], I logged into my Amazon.com account and added the new Visa card. It worked! To be honest, I was worried that Amazon would reject the pre-paid card, but no, everything went through smoothly.

Next, I took a deep breath and deleted the credit card information that was still linked to my Amazon account. No alarms went off, no sirens, nothing.

<<cue utter relief>>

When I checked my 1-click settings, there it was, the new Visa pre-paid card. The screenshot below shows my old credit card, deleted and the new card set as default:

I was tempted to buy a new ebook right there and then, but I knew I had something more important to spend my money on, and it was on GoDaddy, not Amazon.

Back in the mists of time I bought a domain name and hand coded a dinky little website for myself. I think maybe two people ever found that website and eventually I got sick of paying hosting fees. Nevertheless, I could quite let the domain go so it’s been parked at GoDaddy ever since. You know, just in case…

What I didn’t realise until just recently was that my real world contact details were available to anyone who bothered to do a ‘WhoIs’ search on the domain name. Now, as I said, my old website was a flop, but in light of the recent Facebook/Cambridge Analytica revelations, that ‘WhoIs’ data suddenly worried me, a lot.

Luckily, GoDaddy offers a privacy option…for a small yearly fee.

<<cue mild sarcasm>>

For obvious reasons, I can’t show you the ‘before’ screenshot, but this is the ‘after’ one:

This is the ‘After’ screenshot

And yes, my new pre-paid card worked like a charm. Paranoid or not, I feel a whole lot safer. I was never foolish enough to believe the internet was a benign paradise, but recent developments have shown that it’s a lot darker than I ever suspected.

If you’re wondering whether privacy is really such a big issue, please read my article on digital stalking. Then read how the data we give up is used to manipulate us using Behaviour Modification techniques. Finally, you might want to read about how geo-location via our phones can track you in real life.

acflory