Safe Shopping: 2022 Edition
Next week, gift-giving season officially begins in the United States (and at least a few other places, I presume) with Black Friday. As such, I figured this would be a great time to discuss safe shopping tactics. In what is becoming my own yearly tradition here at The New Oil, below is my list of online shopping tips, updated to reflect any techniques or strategies I've picked up in the last year. (Note: some of the services I suggest offer affiliate programs which The New Oil has signed up for. Affiliate links are clearly marked and are totally optional.)
Pay with cash in person. There’s a large push for credit card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-paranoid, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.
Of course, online shopping has long been popular and even more so during Cyber Monday (not to mention some services are online-only). For online transactions, use pre-paid cards or card-masking services like Privacy.com, MySudo, or ViaBuy (if you live in Europe) to avoid having your real information stolen. If a scammer steals your info, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. So I definitely encourage you to use a masking service of some kind. Be aware that Privacy.com and MySudo essentially function as banks in this scenario, so they will ask for some personal information that some people may not be comfortable with. If that's the case, call your bank and ask if they offer virtual card services. Some banks do – including large ones – and it's becoming more popular. You won't have the privacy benefit of having your transactions shielded from the bank, but you'll get the security of not having your card number stolen. Personally I’m a fan of Privacy.com for a lot of reasons (I actually have an affiliate link you can use here if you're interested) but this isn’t the time or place. Feel free to check out all of the solutions suggested and see if any of them are right for you.
Use HTTPS. HTTPS is a powerful and effective encryption method for data-in-transit (aka web traffic) that helps protect your sensitive information as it shoots across the web. The vast majority of the internet is now securely encrypted so you’re probably covered, but be vigilant anyways. All four of the browsers I recommend on my site – Brave, Firefox, LibreWolf, and Tor Browser – offer some type of “HTTPS-Only Mode” that will automatically upgrade connections when possible and warn you when it's not. On Brave, go to Settings > Privacy and Security > Security and enable “Always use secure connections.” On Firefox, LibreWolf, and Tor Browser, go to Settings > Privacy & Security and scroll all the way down to “HTTPS-Only Mode.” Make sure you select “Enable HTTPS-Only Mode in all windows.”
Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work; they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the cybercriminal who hopefully didn’t steal your information because you already implemented the above bullet points.
Use alias email addresses. These are services such as SimpleLogin (affiliate link here) and AnonAddy that offer you email addresses that automatically forward to your inbox. The website you sign up for only ever sees your alias email address, but it all arrives in the same easy-to-manage place. The privacy protection here is that it keeps you from being cyberstalked (there are lots of ways I can find your various other accounts just from an email address) and makes it slightly harder for companies to track you. The security benefit is that it changes your login on each site and makes it harder for credentials caught up in data breaches to be weaponized against you (see credential stuffing). And as a practical benefit, once you've signed up for these sites, they usually spam you with offers, newsletters, and other marketing crap. Usually you can simply click “unsubscribe” but some of the scummier sites don't respect that request. With an alias email address, you simply turn it off and stop getting the spam. Imagine having a peaceful, organized inbox again. Wonderful.
On the topic of security benefits, be sure to use strong passwords with a good password manager and use two-factor authentication (2FA) on all accounts that offer it. I know the holidays are a hectic time for most people with travel and family and such, but it also usually means more paid time off for most people. Take advantage of some of that time off and set aside an hour or two to pick a good password manager, change your passwords and password habits, and enable 2FA. This is one of the single most effective things you can do to protect your online accounts, and on top of that it's free and easy, yet still few people do any of this stuff. Doing this step alone is one of the most powerful things you can do to protect yourself year-round. Speaking of year-round...
Don’t quit on December 26. The thing about these habits is that they’re great any time, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. HTTPS can protect your Facebook login from a random cybercriminal just as much as your card number. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or if you freelance and need somewhere to send checks or a return address for merchandise you sell.
Take some time to think about which of these strategies can benefit you most. HTTPS is something that takes just a few seconds to ensure is enforced and you never have to think about it again. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work. Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!