Payments through Shopify

I recently fell victim to a scam purchase where the payment was transacted through Shopify (or “Shop”). Shopify weren’t particularly helpful but included the following:

“Just a heads-up, Shop is a tracking and shopping assistant app that helps you follow your orders, store payment methods through Shop Pay, and discover new stores. We don’t run or manage the businesses that sell through the app or Shopify platform — meaning we don’t have access to store-specific order, product, or refund tools.”

I had previously had dealings through Shopify which I led me to attribute more confidence in them than they appear to deserve.

In the meantime, NAB negotiated a credit to my VISA account which has resolved the matter.

Shopify seems to have a Paypal connection. I always use Paypal to buy things online and will not buy if my CC/DC card details are required. But Shopify will then track my purchase… I have slipped up just once and paid through Shop but it was OK, been on guard ever since.

I was shocked to have my details filled into an online shopping cart today. Everything! I am so careful to NEVER “save details for faster checkout”, but I guess I missed one. This is the first time I’ve encountered Shop/Shopify - I certainly didn’t know I had an account with them. (Now deleted, I think/hope.)

One only need checkout with a business that uses Shop as their processor and you are done. Getting ‘undone’ is a challenge. It is a serious intrusion on privacy but some consumers like how simple it makes many purchases. Business love it because it is what it is.

Put something in the cart and go to payment. From then on you might only need enter a PIN and everything else just happens - payment details, shipping address, contact. It is appalling. The business’ privacy policy enables them to share information to complete the sale, and Shop is what can happen.

IIRC I entered either an email address or a phone number, and the whole form was filled in. I NEVER allow a credit card to be saved on a shopping site, but there it was. I’m not even sure the CVV wasn’t there.

Recently, a friend of mine was horrified to see credit card details being automatically filled in on an online checkout page, although autofill was off in the browser, or so she thought. Autofilling payment methods is a separate item from other browser autofilling, and in her browser it was still on.

Check your browser’s settings for “autofill” and see if autofill’s turned on for payments. You should also be able to see if any credit card details have been saved, and remove them.

This article might help find the setting in your particular browser.

Card details magically appearing is not limited to Shop - I recently got my renewal card and most of the web sites already had the new expiration date. Some already had it in the stored payment details and others I had to click a few things but the new date was pre-filled.

Card Security?

I asked DuckDuckGo’s AI about this, and it says

image822×258 29.8 KB

This appears to be correct. Eg, see

… which to me is pretty horrifying. This seems to happen entirely at the merchant’s instigation, without authorisation from the owner of the card.

Yet another reason it can be so difficult to cancel automatic renewal and payments that are no longer required, and especially those that one has tried their best to cancel yet the debit keeps following the card, and sometimes the replacement card(s) with different numbers from the same issuer.

Our first experiences of SHOP aka Shopify today were informative, despite one of us claiming never to have joined or saved details to Shopify, installed the App or created an account. It was evident some form of tracking was in place with automatic pre-filling of all the details including CC when making an online purchase with a known Australian Brand “ooGee”.

Initially we thought Safari was the source of the details and CC - however (refer to link below to check) we found that there were no saved CC details attached to Safari and only limited contact details insufficient for the order to be pre-filled for shipping. It would appear an online purchase some weeks or months prior with another business may have provided the details to Shopify to save. A cookie or two or other forms of user tracking may have completed the link.

It’s not totally clear how this other business contributed. We attempted a trial order of the earlier used site. It offered a direct order by completing their web order form and using any of the popular CC choices EG AMEX, VISA, PAYPAL, …. Or separately to click on the SHOP logo to pre-fill all and order. It would appear that if one uses the retailer’s order form with a manual entry, it is likely connected to Shopify and may be their form. An added option at the end to save your details for the next time you use that retailer. Somewhere in the fine print or T&C’s we think our purchaser did not observe any advice connecting Shopify to the form just completed or the save option. IE in saving the information when filling out a direct order with the retailer one was agreeing subsequently to saving that content with Shopify. It only needs a small SHOP logo at the end of the text from experience elsewhere. A logo that may not mean anything to some.

It’s arguable that a decision to use SHOP (Shopify) by a retailer as a service lowers their risk of loss of a customers CC and other personal information. Shopify attest to having a secure system of encryption of such data. Please consider how secure is relative to none and never 100% guaranteed.

We ultimately accessed Shopify and the personal account the user had created despite the user believing they had never created one. To note both ooGee and the previous retailer were revealed in the purchase history.

It is possible to delete ones Shop (Shopify) account including all personal details. It came with advice this could take up to 30 days and all purchase history would also be deleted. Note deletion might affect orders in progress or the ability to retrieve past order details available through a Shopify link.

We noted with ooGee that the order placed had sent a conformation email with several links included. The large blue button in the email to track the order actually transferred one to Shopify’s website. Fortunately in lesser text was a link direct to the shipping agent independent of Shopify. The Shopify link also encouraged one to connect to or create an account.

Aside from the questionable promotion of the SHOP (Shopify) business model one potentially serious concern with how the account is managed. To connect to your account one only needs to provide an email, upon which a 6 digit code is sent to that email to confirm on the web connection one is the owner. While key personal details are incomplete once connected/logged in there are details of all recent purchase history. I’ll leave it for others to consider whether that is an adequate level of security, or the usefulness to someone gaining access.

RE SAFARI and Pre-Fill Settings.

For APPLE devices and the Safari browser, the following provides guidance on enabling (the default) or disabling.

To note my experience of using Safari is it asks one before it pre-fills details on a form and requires one to accept. Safari also by default allows one to select any from your contacts list for the pre-fill.