Posted by Andrew Senske on 1/12/2012
Just the other day we received a call from a customer who was concerned about the security of his online transaction with us. The customer had ordered CPAP equipment online using his credit card, and he had done something unique. Something he said he's never done before. He entered his wife's name as the name on the credit card. A little while later (I don't know exactly how much later) the customer said his card was used fraudulently - with his wife's name as the name on the card. Since his wife's name was a unique identifier, he called us to let us know we must have some sort of security breach somewhere in our system.
The interesting aspect of this scenario, though, is that we don't have a security breach anywhere. The only plausible scenarios are 1) that the customer is trying to sell security services to merchants like us, 2) the customer may have entered the exact same credit card information on an insecure website when making a purchase for something else, or 3) that the customer is the one with the security breach.
If he's not a security services salesman, and if he hasn't provided the credit card information over the internet through an insecure website, I believe he likely has malware - specifically spyware - installed on his computer.
Malware is malicious software (for example, a virus, trojan, spyware, adware, etc.) that gets installed on a computer when a user downloads the software without knowing anything bad is being downloaded. This could happen by visiting a malicious website and downloading a malicious file. It's often difficult for the casual web surfer to recognize potential malware distribution mechanisms. You can get malware from websites or from email attachments. Your existing anti-virus software may or may not be able to detect and remove all types of malware.
While viruses are typically designed to create widespread mayhem and disruption, other more sinister forms of malware are often designed to steal people's information - identity, credit card numbers, passwords, etc. Some malware is designed to record everything a computer user types, and to pass the information to the bad guys.
Anti-virus software can help you feel confident in knowing your computer is relatively secure. However, typical viruses are just a subset of malware, and most anti-virus software isn't capable of detecting all forms of malware. The best way to know if you have malware installed on your computer is to install a malware detection program. I recommend Malwarebytes. I've used it personally to help others detect and remove malware from their systems - systems which were "protected" by Norton and McAfee anti-virus software - and to give myself peace-of-mind knowing I don't have malware installed on my own computers. This isn't always an easy task since malware can make your computer system unusable. In the past I've had to remove hard disks from computers, hook them up to unaffected computers, and run the software on the infected hard disk from the unaffected computer. Easy for me, but not easy for my parents, or grandparents or children or for anyone who would typically accidentally download malware.
Malwarebytes comes in two flavors: free and paid. With the free version you can run scans manually, which is suitable for most of us. With the paid version you get real-time protection and can set up automatic scan schedules. If you've got good anti-virus software running all the time (like Norton, McAfee, or AVG), and if you scan for malware periodically using Malwarebytes, you'll be as safe as you can be when you're using your computer online or offline.
You might be wondering why we're so confident the security breach isn't in our system. Let me explain.
Industry-Standard 128-bit Encryption
We use industry-standard encryption during all orders - just like the big guys like Amazon.com, eBay or anyone else. When you go to our checkout page online, you'll go to a secure page. You can tell it's secure because the web address starts with https. The "s" is the designation for "secure". Your web browser will likely show you some sort of security symbol as well, like a lock. The lock means the web page is secured with industry-standard encryption.
The encryption means that as the data is being transferred from your computer to our server, it's scrambled and unintelligible. Useless for anyone on the outside looking in and trying to intercept the data.
We're payment card industry (PCI) compliant. This means we have to follow strict rules regarding the recording and storage of credit card information. For example, we cannot see full credit card numbers once an order is submitted. We can only see the last four digits. We don't store the credit card security code that many merchants - including us - require to place orders. We also use a service that checks our system for PCI compliance on an ongoing basis. Being PCI compliant means that no one can get complete useful credit card information out of our system for fraudulent purposes. We can't even get it. Even if hackers gained unauthorized access to our online order fulfillment system, they wouldn't be able to steal any useful payment information. They simply wouldn't be able to see anything but the last four digits of your credit card number.
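The two data-handling rules described above (keep only the last four digits of the card number, never store the security code) are easy to state and easy to get wrong in practice, so here is an added example of what they look like in code. This is illustrative Python written for this article, not CPAP-Supply.com's order system or any payment processor's API; the order payload and field names are constructed for the example, and the card number is the well-known "4111 1111 1111 1111" test value, not a real account. It also includes the check a merchant would want to run over its own stored records and logs: a Luhn-validated scan for anything that still looks like a full card number.

```python
import re

# Constructed sample checkout payload (example data, not a real customer record).
# Field names are assumptions for this example.
SAMPLE_ORDER = {
    "order_id": "EXAMPLE-1001",
    "name_on_card": "Jane Example",
    "card_number": "4111 1111 1111 1111",   # standard test PAN, not a real card
    "expiry": "12/25",
    "security_code": "123",                 # CVV: must never be stored
    "total": "249.00",
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every payment card number (PAN) passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_for_storage(order: dict) -> dict:
    """Return the record an order system may keep after the charge is authorized.

    The full PAN and the security code are dropped; only the last four digits
    of the card number survive, which is enough for order lookup and receipts.
    """
    pan = re.sub(r"\D", "", order["card_number"])
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("card number does not look like a valid PAN")
    stored = {k: v for k, v in order.items()
              if k not in ("card_number", "security_code")}
    stored["card_last4"] = pan[-4:]
    return stored


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.  Candidates are confirmed with the Luhn check to cut noise.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_exposed_pans(text: str) -> list:
    """Scan stored records or log text for anything that looks like a full PAN.

    A merchant can run this over its database dumps and log files to confirm
    that no full card number leaked past the redaction step.
    """
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    safe = redact_for_storage(SAMPLE_ORDER)
    print("stored record:", safe)
    print("PANs in raw payload:", find_exposed_pans(str(SAMPLE_ORDER)))
    print("PANs in stored record:", find_exposed_pans(str(safe)))
```

The redaction happens before anything is written to disk or to a log; the scanner is the independent check that the redaction actually held, which is the kind of evidence an ongoing PCI compliance scan is looking for.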
Our servers are located offsite in a world-class high-security data center. Coupling this physical security with the digital security described above means no one is getting unauthorized access to the data you submit to us when you place an order.
I wholeheartedly appreciate the feedback we received from our customer about his security concerns the other day. Of course, his suspicion and uncertainty are what prompted me to write this article to share with you. If I were in that customer's position, I'd be wondering what the heck is going on, too. It's important to have this type of ongoing dialog. It makes us think about the things that are important to our customers, and it helps our customers understand that online security is an issue that must be addressed not just by the merchant, but by the consumer as well. Our 11-year history is a good one. Being accused of a security breach once in 11 years is a pretty good record. If we had a systematic problem with security on our end, I think we would have heard a lot more about it from a lot more customers.
Buying CPAP equipment online is safe, as long as you're prepared. We've done everything we can on our end to ensure a high level of security for all transactions. I hope my thoughts on malware outlined above will help you become even better prepared to order CPAP equipment - or anything else, for that matter - online safely and securely. If you're already prepared for a safe online experience (with up-to-date real-time anti-virus software and periodic malware detection scans with Malwarebytes), then I hope you feel confident knowing you've found a partner for buying CPAP equipment that's just as prepared as you are.
Please let us know if you have any comments or questions. We're always open to learning more about online security, especially as it relates to the concerns of our customers. We very much look forward to assisting you with all of your CPAP equipment needs.
CPAP-Supply.com is a leading online retailer of CPAP equipment. Located in Spokane, WA CPAP-Supply.com has been serving thousands of customers around the world since 2001. Founded on a belief that patients are their own best primary care providers, CPAP-Supply.com understands the importance of educating patients and customers on both the effects of and treatment for obstructive sleep apnea. For more information visit CPAP-Supply.com or call toll free 1-888-955-2727.