Caveat Mercator

Inside the Internet.
Feb. 11 2000 3:30 AM

Don't spend a lot of time worrying about online credit card fraud. Unless you're a merchant.


Is it safe to buy things online? News reports make charging things on the Web sound as dangerous as shopping in downtown Grozny. A hacker recently stole thousands of credit card numbers from e-tailer CD Universe and is holding them hostage until the company accedes to his demands. An MSNBC reporter revealed the lax security at seven Web sites by accessing credit card info on them. And a consumer who shopped at is blaming the company for the fraudulent billings that subsequently appeared on his credit card.


The short answer is shopping online is safe as long as everybody does their homework. The longer answer is too many merchants are flunking Computer Security 101.

Credit card fraud predates the Internet, of course. New cards are routinely stolen from mailboxes. Dumpster divers steal credit card receipts for the valid numbers printed on them. Bunco artists call unwitting consumers and pry card info out of them. Other crooks broker the purloined numbers to their fellow criminals.

Despite all this rampaging fraud, most consumers suffer only the slightest of dings. Under the Fair Credit Billing Act, consumer liability for fraudulent card charges is limited to $50, and many card companies cover those damages, depending on the circumstances. Moreover, some merchants (such as will refund that $50 if the fraud was their fault. Bricks-and-mortar merchants, who run the physical credit card through a credit card reader—and who can also check signatures and ask for photo IDs—are also indemnified by credit card companies for fraudulent charges. But online and mail-order merchants are a different case. They must swallow every fraudulently billed credit card dollar.

But before we explore the Web merchants' credit card nightmare further, let's make sure you're shopping safe.

As described in a previous "WebHead," the "SSL protocol" in the latest browsers securely transfers your information to the merchant. The link between the merchant and the payment processor is equally secure. And the payment processors, the companies that actually authorize your credit card information, tend to have the best security money can buy.

The weakest link in the chain is the merchant. MSNBC's reporter successfully hacked those merchant sites because the proprietors hadn't changed the database's default user name and password. But no hacker would have gotten as far as the database sign-in page at a properly designed Web site. Another vulnerable zone is internal security. Disgruntled employees are always walking off the job with credit card information, and other naughty employees sometimes take advantage of poor internal security to program "back doors" in the site's code so they can slip in undetected and steal information.

There's no way for you to know which merchants practice safe shopping. Although several independent organizations perform security audits of e-commerce systems, merchants have yet to publicize the results in any organized fashion. Not surprisingly, the larger, more established online merchants tend to be the most vigilant about security.

But even at the big-name sites, merchants have a hard time spotting a fraudulent transaction unless the card has been reported stolen. When a credit card purchase is made on the Web or over the phone, the card issuer (American Express or a bank that issues Visa or MasterCard) makes a rudimentary attempt to verify the customer's identity by comparing the address given to the merchant with the card's billing address on file. The "Address Verification System" used by card issuers only looks at the first five digits of the street address and the first four digits of a ZIP code. Cards issued internationally don't typically use AVS, for legal (some European privacy laws forbid it) and technical (some European banks are just plain low-tech) reasons. As a result, the fraud rates on these cards are so high that some U.S. merchants won't take them.

Card issuers routinely detect fraud by analyzing card usage. In the old days, the best way to exploit a physical stolen card was to "burn it to the ground"—charge goods rapidly at a bunch of different stores before the theft was reported. Most banks now detect suspiciously high "transaction velocities" with software from HNC and deny further purchases until the cardholder is contacted. I have a friend whose legitimate shopping spree triggered the transaction-velocity tripwire and caused a few retailers to grill him.
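The transaction-velocity tripwire described above can be sketched as a sliding-window rule. This is an added example, not HNC's software or any issuer's actual logic; the one-hour window, the three-merchant limit, the class and function names and the sample transactions are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window
MAX_MERCHANTS = 3             # assumed limit on distinct merchants per window

class VelocityMonitor:
    def __init__(self, window=WINDOW, max_merchants=MAX_MERCHANTS):
        self.window = window
        self.max_merchants = max_merchants
        self.recent = defaultdict(deque)   # card -> (time, merchant) pairs
        self.held = set()                  # cards awaiting cardholder contact

    def authorize(self, card, merchant, when):
        """Return 'approve' or 'deny' for one authorization request."""
        if card in self.held:
            return "deny"                  # stays denied until the hold is lifted
        charges = self.recent[card]
        charges.append((when, merchant))
        # Drop charges that have aged out of the window.
        while when - charges[0][0] > self.window:
            charges.popleft()
        if len({m for _, m in charges}) > self.max_merchants:
            self.held.add(card)            # tripwire: too many stores too quickly
            return "deny"
        return "approve"

    def cardholder_confirmed(self, card):
        """The cardholder vouched for the charges: lift the hold, reset history."""
        self.held.discard(card)
        self.recent.pop(card, None)

def replay(transactions, monitor=None):
    """Run (card, merchant, time) tuples through a monitor, in order."""
    if monitor is None:
        monitor = VelocityMonitor()
    return [monitor.authorize(c, m, t) for c, m, t in transactions]

# Constructed sample data: six stores in 25 minutes versus six stores over 15 hours.
T0 = datetime(2000, 2, 11, 12, 0)
SPREE = [("card-A", f"store-{i}", T0 + timedelta(minutes=5 * i)) for i in range(6)]
NORMAL = [("card-B", f"store-{i}", T0 + timedelta(hours=3 * i)) for i in range(6)]
```

The rule cannot tell a thief from a legitimate shopping spree, which is why a tripped card stays on hold until `cardholder_confirmed` is called rather than being cancelled outright.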


