A Trusted Friend in a Complicated World

The Most (and Least) Secure Online Retailers in the Country

There's nothing more convenient than shopping online...except for that nagging worry you're opening yourself up to identity theft. Luckily, some of these e-retailers have gone that extra step to make sure your data is safe. Unfortunately, we can't say that for all...

1 / 10
Milan, Italy - August 10, 2017: Apple website homepage. It is an American multinational technology company that develops, and sells electronics, software, and services. Apple logo visible.
Casimiro PT/Shutterstock

The most secure: Apple

Experts forecast this holiday season will push 2018’s online sales to a record-breaking $124.1 billion (a 15 percent increase over last year), so data security is more important than ever, the folks at LastPass, a free password management app, tell Reader’s Digest. That’s why LastPass dug into the data security policies practiced by the top 10 U.S. e-retailers (ranked as such based on e-retail sales in billions during 2018) to rank them from most to least secure. Apple ranked as most secure e-retailer among the top ten e-retail sites for the following reasons:

  • The site runs on HTTPS (the secure version of HTTP), although so do all the e-retailers listed here, even the bottom five.
  • The registration process offers guidance on choosing a strong password, including a password strength meter.
  • It doesn’t permit registration by linking to a social media account, which might seem convenient, but actually puts your data from both the shopping site and the social media account at risk.
  • It asks for security questions.
  • It offers two-factor authentification for customer accounts (2FA), which greatly decreases your odds of being hacked, according to LastPass. The way 2FA works is you not only need to enter your password to log in, but also a code that is sent to your phone. If you’re offered 2FA, LastPass says you should always take it.

Find out the 12 telltale signs you’re shopping on a fake site.

2 / 10
Milan, Italy - August 10, 2017: Bestbuy website homepage. It is an American multinational consumer electronics corporation. Bestbuy logo visible.
Casimiro PT/Shutterstock

Admirably secure: Best Buy

Like Apple, Best Buy runs on HTTPS, offers password guidance and doesn’t permit registration via any social media account. Although Best Buy scores points for requiring your phone number, that step doesn’t quite rise to the level of 2FA, pushing it into second place, behind Apple. Find out the things you shouldn’t buy online.

3 / 10
Milan, Italy - August 10, 2017: Homedepot.com website. It is an American home improvement supplies retailing company that sells tools, construction products, and services. Home depot logo visible.
Casimiro PT/Shutterstock

Admirably secure, with a caveat: The Home Depot

Like Apple and Best Buy, The Home Depot runs on HTTPS and offers password guidance. It also generates a 15-character random password made up of upper- and lower-case letters as well as numbers, although please note: if you choose that password, it gets stored in your Google account if you’re using Chrome as a browser. While that might seem convenient, it isn’t great for your data security, for the same reason linking your account to social media isn’t.

4 / 10
Milan, Italy - August 10, 2017: Amazon website homepage. It is an American electronic commerce and cloud computing company. Amazon.com logo visible.
Casimiro PT/Shutterstock

Admirably secure, with a caveat: Amazon

Amazon is the only other e-retailer of the ten listed here, besides Apple, to offer 2FA (which is actually a rarity among online shopping sites, with only 13 percent of online e-retailers are using it, compared with 45 percent of all businesses). While Amazon offers 2FA and uses HTTPS, it allows you to link social media accounts and fails to offer password guidance. Stumped at what to get that hard-to-shop-for friend? Here are some gift ideas from Amazon.

5 / 10
Milan, Italy - November 1, 2017: HSN logo on the website homepage.
Casimiro PT/Shutterstock

Pretty secure: Qurate Retail Group (QVC, HSN, Zulily)

Although the Qurate shopping sites use HTTPS, provide password guidance, asks security questions, and even requires a phone number or street address to create an account, none of the sites allow for passwords longer than 20 characters, and two of the sites (HSN and Zulily) permit social media registration and log-in.

6 / 10
Milan, Italy - August 10, 2017: Costco.com website homepage. It is the largest American membership-only warehouse club. Costco logo visible.
Casimiro PT/Shutterstock

Less secure: Costco

Costco falls into the bottom half of the top ten e-retailers, according to LastPass, because it doesn’t allow passwords longer than 20 characters, doesn’t require passwords to contain special characters or numbers, and doesn’t support any form of 2FA.

7 / 10
Milan, Italy - August 10, 2017: Macy's website homepage. It is a department store owned by Macy's, Inc. Macy's logo visible.
Casimiro PT/Shutterstock

Less secure: Macy’s

On the plus side, according to LastPass, Macy’s runs on HTTPS and requires a birthday when creating an account (which is a form of authentication, although it doesn’t rise to the level of 2FA). On the downside, Macy’s doesn’t allow passwords that are longer than 20 characters and doesn’t require special characters or numbers. These are the online scams you need to know about—and how to avoid them.

8 / 10
Milan, Italy - May 7, 2017: Homepage of ebay website. eBay is a multinational e-commerce corporation, facilitating online consumer-to-consumer and business-to-consumer sales.
Casimiro PT/Shutterstock

Less secure: eBay

Although eBay runs on HTTPS, it allows you to sign in with Facebook or Google, which LastPass sees as a significant enough risk to your data security to cause it to rank in the bottom three e-retailers. LastPass would advise you not to take that “convenient” option and instead sign in to eBay singularly. Here’s how to protect yourself online to avoid being scammed.

9 / 10
Milan, Italy - August 10, 2017: Walmart website homepage. It is an American multinational retailing corporation that operates as a chain of hypermarkets. Walmart logo visible.
Casimiro PT/Shutterstock

Less secure: Walmart

Although it runs on HTTPS and doesn’t allow for social media registration, Walmart doesn’t allow for passwords longer than 12 characters, which LastPass identifies as a significant weakness in its data security. The shorter the password, the folks at LifePass tell us, the easier and more likely it is to be hacked. In addition, Walmart passwords can be all lower case letters, which just adds to the hacking risk.

10 / 10
Milan, Italy - August 10, 2017: Wayfair.com website homepage. It is an American e-commerce company that sells home goods. Wayfair logo visible.
Casimiro PT/Shutterstock

Least secure: Wayfair

Wayfair is lagging way behind in terms of data security due to these issues identified by LastPass:

  • Wayfair allows Google registration and login.
  • NO minimum password length
  • No password guidance
  • No 2FA
  • If you forget your password, they’ll send you an email with a link that lets you sign in without creating a new password.

Next, learn the secrets an identity thief doesn’t want you to know.

Lauren Cahn
Lauren has covered knowledge, history, the British royal family, true crime and riddles for Reader's Digest since 2017. Having honed her research and writing skills as an attorney in the 1990s, she became one of HuffPost's first bloggers in the early 2000s, graduated to reporting hyperlocal news in the 2010s and has been researching and writing news and features for a wide variety of publications ever since. Aside from Reader's Digest, her work has appeared in Mashed, Tasting Table, Eat This, Not That!, Grown and Flown, MSN, Yahoo, AOL, Insider, Business Insider and many others.