Caveat Mercator

Caveat Mercator

Caveat Mercator

Inside the Internet.
Feb. 11 2000 3:30 AM

Caveat Mercator

Don't spend a lot of time worrying about online credit card fraud. Unless you're a merchant.


Is it safe to buy things online? News reports make charging things on the Web sound as dangerous as shopping in downtown Grozny. A hacker recently stole thousands of credit card numbers from e-tailer CD Universe and is holding them hostage until the company accedes to his demands. An MSNBC reporter revealed the lax security at seven Web sites by accessing credit card info on them. And a consumer who shopped at is blaming the company for the fraudulent billings that subsequently appeared on his credit card.


The short answer is shopping online is safe as long as everybody does their homework. The longer answer is too many merchants are flunking Computer Security 101.

Credit card fraud predates the Internet, of course. New cards are routinely stolen from mailboxes. Dumpster divers steal credit card receipts for the valid numbers printed on them. Bunco artists call unwitting consumers and pry card info out of them. Other crooks broker the purloined numbers to their fellow criminals.

Despite all this rampaging fraud, most consumers suffer only the slightest of dings. Under the Fair Credit Billing Act, consumer liability for fraudulent card charges is limited to $50, and many card companies cover those damages, depending on the circumstances. Moreover, some merchants (such as will refund that $50 if the fraud was their fault. Bricks-and-mortar merchants, who run the physical credit card through a credit card reader—and who can also check signatures and ask for photo IDs—are also indemnified by credit card companies for fraudulent charges. But online and mail-order merchants are a different case. They must swallow every fraudulently billed credit card dollar.

But before we explore the Web merchants' credit card nightmare further, let's make sure you're shopping safe.

As described in a previous " WebHead," the "SSL protocol" in the latest browsers securely transfers your information to the merchant. The link between the merchant and the payment processor is equally secure. And the payment processors, the companies that actually authorize your credit card information, tend to have the best security money can buy.

The weakest link in the chain is the merchant. MSNBC's reporter successfully hacked those merchant sites because the proprietors hadn't changed the database's default user name and password. But no hacker would have gotten as far as the database sign-in page at a properly designed Web site. Another vulnerable zone is internal security. Disgruntled employees are always walking off the job with credit card information, and other naughty employees sometimes take advantage of poor internal security to program "back doors" in the site's code so they can slip in undetected and steal information.

There's no way for you to know which merchants practice safe shopping. Although several independent organizations perform security audits of e-commerce systems, merchants have yet to publicize the results in any organized fashion. Not surprisingly, the larger, more established online merchants tend to be the most vigilant about security.

But even at the big-name sites, merchants have a hard time spotting a fraudulent transaction unless the card has been reported stolen. When a credit card purchase is made on the Web or over the phone the card issuer (American Express or a bank that issues Visa or MasterCard) makes a rudimentary attempt to verify the customer's identity by comparing the address given to the merchant with the card's billing address on file. The "Address Verification System" used by card issuers only looks at the first five digits of the street address and the first four digits of a ZIP code. Cards issued internationally don't typically use AVS, for legal (some European privacy laws forbid it) and technical (some European banks are just plain low-tech) reasons. As a result, the fraud rates on these cards are so high that some U.S. merchants won't take them.

Card issuers routinely detect fraud by analyzing card usage. In the old days, the best way to exploit a physical stolen card was to "burn it to the ground"—charge goods rapidly at a bunch of different stores before the theft was reported. Most banks now detect suspiciously high "transaction velocities" with software from HNC and deny further purchases until the cardholder is contacted. I have a friend whose legitimate shopping spree triggered the transaction-velocity tripwire and caused a few retailers to grill him.