You’re shopping online; you find the perfect item, proceed to checkout, and pay. Your browser remembers your username. It might even remember your password, based on what you’ve entered in the past.
But then it asks whether you want it to save your credit card information. Can you trust your browser with keeping that secure? Should you avoid Autofill altogether? And how can your browser keep your financial data safe when you’re visiting websites?
What Exactly Is Autofill?
We trust our browsers with a huge amount of data, mostly because we feel we have to. You must have confidence that your browsing history, for instance, won’t be leaked en masse. Yet many of us are wary of the private information collected and used for advertising.
Nonetheless, we become complacent and let Autofill (a feature in web browsers like Google Chrome) and Autocomplete do the hard work for us.
No one likes filling in forms, and so Autofill will add in your email, phone number, and address for you if you want. You have to have this function turned on, of course—we’ll come back to this later on because you’ll need to know how to toggle settings. Most mainstream browsers do this, notably Google Chrome, Safari, and Microsoft Edge, which boast the lion’s share of the market.
You can also use Autocomplete on Opera and Mozilla Firefox, both of which are especially well-known for their focus on maintaining your privacy.
You might think this is all done through cookies stored automatically, but implementation is more complex than that. It’s not simply a case of storing information: it’s also about presenting it in the appropriate fields.
There’s a section devoted to Autofill on your browser, so you can add in your credit or debit card information and rely on that in future. On Chrome, all you need to do is visit chrome://settings/autofill and enter payment methods.
But wait. Before you do that, you should know the dangers…
Should You Use Autofill for Payment Methods?
The problem with using Autofill for credit card information isn’t about trusting your browser. It’s about hackers gaining access to this through phishing sites.
Phishing is simply a fraudulent means of obtaining personal information. Websites set up by cybercriminals may have text boxes for basic information which we regularly give up anyway. Despite the value of personal data, we often submit our names and email addresses. They don’t feel like a valuable commodity anymore because we use them to sign up for social networks, online shops, and newsletters.
If you’ve got Autofill turned on, these text boxes will be filled in automatically. But some phishing sites have hidden form elements. Users won’t see them, but dig into the page’s markup and script and the malicious intent becomes clear. These hidden fields trick your Autofill function into handing over private data that is stored in your browser but that you never agreed to give the site.
Not all browsers do this. Chrome and Firefox only add credit card details into boxes you specifically click on. If a form element isn’t visible, then you don’t click in the box, so Autofill doesn’t relinquish any further data.
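A defender-side check for the hidden fields described above, as an added example that is not from the original article: it lists form inputs that ask for personal or payment data through an autocomplete token but are invisible to the user. The field objects and function names are constructed for illustration; in a browser the style and position values would come from getComputedStyle() and getBoundingClientRect().

```javascript
// Added example: flag form fields that Autofill could populate but the user cannot see.
// autocomplete tokens (from the HTML standard) that carry personal or payment data
const SENSITIVE = new Set([
  "name", "email", "tel", "street-address", "postal-code",
  "cc-name", "cc-number", "cc-exp", "cc-csc",
]);

// Returns why a field is invisible to the user, or null if it is visible.
function hiddenReason(f) {
  const r = f.rect;
  if (f.display === "none") return "display:none";
  if (f.visibility === "hidden") return "visibility:hidden";
  if (Number(f.opacity) === 0) return "opacity:0";
  if (r.width <= 1 || r.height <= 1) return "zero-size";
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return "off-screen";
  return null;
}

// Returns one finding per sensitive field that the user cannot see.
// Simplification (assumption): fall back to the field name when no
// autocomplete attribute is set; real browsers use richer heuristics.
function auditForm(fields) {
  const findings = [];
  for (const f of fields) {
    const token = String(f.autocomplete || f.name || "").toLowerCase();
    if (!SENSITIVE.has(token)) continue;
    const reason = hiddenReason(f);
    if (reason) findings.push({ field: f.name, token, reason });
  }
  return findings;
}

// Constructed sample: two visible fields, two hidden ones, one harmless hidden field.
const box = (left, top, width = 200, height = 24) => ({ left, top, width, height });
const shown = { display: "block", visibility: "visible", opacity: 1 };
const SAMPLE_FORM = [
  { name: "name", autocomplete: "name", ...shown, rect: box(20, 40) },
  { name: "email", autocomplete: "email", ...shown, rect: box(20, 80) },
  { name: "phone", autocomplete: "tel", ...shown, display: "none", rect: box(0, 0, 0, 0) },
  { name: "addr", autocomplete: "street-address", ...shown, rect: box(-9999, 120) },
  { name: "comment", autocomplete: "", ...shown, display: "none", rect: box(0, 0, 0, 0) },
];

console.log(auditForm(SAMPLE_FORM));
```

A form that only shows name and email boxes but also reports findings for phone and address fields is asking for more than it displays.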
That’s not the only concern, though. Your main worry should be: what happens if someone else gets access to your browser?
This is possible in a couple of notable ways. The first is simple. Someone uses the same device. You probably trust the people you share a computer with, but junked or recycled hardware can be a serious security threat. Ideally, you’ll clean all data from any devices you’re passing on.
Another means is, once more, through phishing. Take Vega Stealer for example. This malware was spread through an email campaign primarily targeted at the marketing and PR sector. Vega Stealer’s main purpose was to collect details stored within Chrome and Firefox, i.e. cookies and credentials stored for Autofill.
Essentially, you store data locally, but that doesn’t mean a third party can’t access it.
Can You Trust Your Browser to Transmit Data?
If you can’t entirely trust your browser to Autocomplete your financial details, how can you trust it with payment details at all?
Browsers recognize that they have a duty of care. If they don’t look after users, those disgruntled customers will switch to one of their competitors.
Data sent between your device and a site’s server should be encrypted. This means private information is rendered unreadable to anyone without the correct decryption key, i.e. your password. Check a site is secure by looking at the URL; if it reads “HTTPS”, that extra “S” stands for “Secure”.
You could also use a Virtual Private Network (VPN), which acts as a tunnel between two destinations. Picture a tunnel between your PC and the website you’re using. No other parties can look at what’s going through that tunnel unless they’re at either end-point. VPNs even protect your data when your device is connected to a public network.
VPNs are typically a regular expense, but Opera has one already built-in. It’s not turned on by default, so you’ll need to go to the browser settings, then Privacy and security > Enable VPN.
Sadly, other browsers don’t boast this same feature. This is partly because VPNs stop the collection of cookies, which many consider to enhance your online experience—though, as Vega Stealer demonstrates, they can also be exploited.
And let’s not forget that you don’t have a choice but to trust your browser to some degree. If you shop online, you must have confidence that your browser takes the necessary security measures. Otherwise, you’re reduced to solely visiting bricks-and-mortar stores.
How Do You Turn Off Autofill?
The process is different depending on the browser you use. Still, it’s typically very easy to do. On Chrome, for example, click on the vertical ellipsis in the top right-hand corner, then go to Settings. Or take a shortcut by going to chrome://settings/autofill.
From there, you can turn Autofill off completely, or just instruct Chrome not to collect payment methods. Our look at Autofill’s privacy implications explains how to disable this feature in all mainstream browsers.