Checking it Twice: 2018’s Online Retailer Naughty and Nice List


It seems the holidays start earlier every year – we’ve seen Christmas décor in stores before Halloween – and retailers are already starting to advertise their Black Friday deals. Recent research predicts online sales will hit a record $124.1 billion during the 2018 holiday season, nearly 15 percent higher than last year. But with more people shopping online than ever before, it means that more than just savings are at stake.

We did some digging into the top 10 U.S. e-retailers by e-commerce sales in 2018, made a list and checked it twice to see which sites best protect your personal information from all too common data breaches so your steals and deals don’t cost more than they should.

Specifically, we researched key password requirements and other account security features to develop a ranking of the five most and least secure retail sites, based on whether and how well they met a set of criteria. Check out our results below.

So what should you look out for when you’re shopping on these and other sites this holiday season? Here are some tips and best practices:

  • Use two-factor authentication.
    Only two of the ten top retailers, Apple and Amazon, offer two-factor authentication (2FA) for customer accounts. 2FA provides an additional layer of security that helps prevent unauthorized access to an account, and retailers should not underestimate its importance. When setting up an online account with an e-retailer (or any website), be sure to check the security settings and set up two-factor authentication whenever possible.
  • Just say no to social media sign-on.
    Five of the top e-retailers let you create an account using a social media login, such as your Google or Facebook account, without having to set a new password, a practice referred to as single sign-on. While single sign-on means one less password to create and remember, it also means that if that social media account is compromised, all the personal information shared with the other sites accessed via that login is at risk of attack or compromise, too. Facebook, for example, recently disclosed that the personal information of nearly 50 million users was exposed.
  • The more requirements, the better.
    Security experts agree that the longer and more complicated the password, the more secure your account. Eight out of the 10 e-retailers allow passwords up to 20 characters. It’s always a good sign when a website requires you to include a variety of uppercase and lowercase letters, numbers and symbols. Just make sure to create a long password even if it’s not required.
  • Generate new passwords as you sign up for accounts.
    Our research shows that the fear of forgetting a password is the biggest reason for reuse, but luckily, most e-retailers make it fairly easy to create a new password if you forget it. Every single account that you create online should have a different password. Using a password manager is one easy way to ensure you have a new, strong password for every online account without having to worry about remembering it.
  • If you don’t know, don’t go.
    We were glad to see that all 10 of the top e-retailers secure your session on their site, denoted by HTTPS rather than plain HTTP in the browser's address bar. Beyond that, the most basic but important advice we can give is to stick with companies you know. Sure, you can check Yelp or social media reviews, but those are easy to fake, so your best bet is confirming a site's legitimacy first or avoiding it altogether.

How’d We Get These Results?
We conducted the online retailer account security research in October 2018. Using market research firm eMarketer's list of the top 10 U.S. retailers based on e-commerce sales in 2018, LastPass researched key password requirements and other account security features to develop a ranking of the most and least secure retail sites. Each site was analyzed against a set of 17 criteria, scored on a scale of either 0 to 2 or 0 to 10 points depending on whether and how well each criterion was met.

The criteria include the following: password requirements, including minimum/maximum length and the character types allowed; whether these requirements and any helpful tips are shown to the user; whether the website employs a password strength meter to encourage longer passwords; the use of security questions; whether HTTPS is used whenever information is entered; how much personal information is collected (name, birthday, address, email, phone); the use of two-factor authentication; whether the site allows sign-on using social media logins; and what the company does if a user forgets their password.