Caveat Mercator

Inside the Internet.
Feb. 11 2000 3:30 AM

Caveat Mercator

Don't spend a lot of time worrying about online credit card fraud. Unless you're a merchant.


Is it safe to buy things online? News reports make charging things on the Web sound as dangerous as shopping in downtown Grozny. A hacker recently stole thousands of credit card numbers from e-tailer CD Universe and is holding them hostage until the company accedes to his demands. An MSNBC reporter revealed the lax security at seven Web sites by accessing credit card info on them. And a consumer who shopped at is blaming the company for the fraudulent billings that subsequently appeared on his credit card.


The short answer is shopping online is safe as long as everybody does their homework. The longer answer is too many merchants are flunking Computer Security 101.

Credit card fraud predates the Internet, of course. New cards are routinely stolen from mailboxes. Dumpster divers steal credit card receipts for the valid numbers printed on them. Bunco artists call unwitting consumers and pry card info out of them. Other crooks broker the purloined numbers to their fellow criminals.

Despite all this rampaging fraud, most consumers suffer only the slightest of dings. Under the Fair Credit Billing Act, consumer liability for fraudulent card charges is limited to $50, and many card companies cover those damages, depending on the circumstances. Moreover, some merchants (such as will refund that $50 if the fraud was their fault. Bricks-and-mortar merchants, who run the physical credit card through a credit card reader—and who can also check signatures and ask for photo IDs—are also indemnified by credit card companies for fraudulent charges. But online and mail-order merchants are a different case. They must swallow every fraudulently billed credit card dollar.

But before we explore the Web merchants' credit card nightmare further, let's make sure you're shopping safe.

As described in a previous " WebHead," the "SSL protocol" in the latest browsers securely transfers your information to the merchant. The link between the merchant and the payment processor is equally secure. And the payment processors, the companies that actually authorize your credit card information, tend to have the best security money can buy.

The weakest link in the chain is the merchant. MSNBC's reporter successfully hacked those merchant sites because the proprietors hadn't changed the database's default user name and password. But no hacker would have gotten as far as the database sign-in page at a properly designed Web site. Another vulnerable zone is internal security. Disgruntled employees are always walking off the job with credit card information, and other naughty employees sometimes take advantage of poor internal security to program "back doors" in the site's code so they can slip in undetected and steal information.

There's no way for you to know which merchants practice safe shopping. Although several independent organizations perform security audits of e-commerce systems, merchants have yet to publicize the results in any organized fashion. Not surprisingly, the larger, more established online merchants tend to be the most vigilant about security.

But even at the big-name sites, merchants have a hard time spotting a fraudulent transaction unless the card has been reported stolen. When a credit card purchase is made on the Web or over the phone the card issuer (American Express or a bank that issues Visa or MasterCard) makes a rudimentary attempt to verify the customer's identity by comparing the address given to the merchant with the card's billing address on file. The "Address Verification System" used by card issuers only looks at the first five digits of the street address and the first four digits of a ZIP code. Cards issued internationally don't typically use AVS, for legal (some European privacy laws forbid it) and technical (some European banks are just plain low-tech) reasons. As a result, the fraud rates on these cards are so high that some U.S. merchants won't take them.

Card issuers routinely detect fraud by analyzing card usage. In the old days, the best way to exploit a physical stolen card was to "burn it to the ground"—charge goods rapidly at a bunch of different stores before the theft was reported. Most banks now detect suspiciously high "transaction velocities" with software from HNC and deny further purchases until the cardholder is contacted. I have a friend whose legitimate shopping spree triggered the transaction-velocity tripwire and caused a few retailers to grill him.



Blacks Don’t Have a Corporal Punishment Problem

Americans do. But when blacks exhibit the same behaviors as others, it becomes part of a greater black pathology. 

I Bought the Huge iPhone. I’m Already Thinking of Returning It.

Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.

Lifetime Didn’t Think the Steubenville Rape Case Was Dramatic Enough

So they added a little self-immolation.

Two Damn Good, Very Different Movies About Soldiers Returning From War

Medical Examiner

The Most Terrifying Thing About Ebola 

The disease threatens humanity by preying on humanity.

Students Aren’t Going to College Football Games as Much Anymore, and Schools Are Getting Worried

The Good Wife Is Cynical, Thrilling, and Grown-Up. It’s Also TV’s Best Drama.

  News & Politics
Sept. 19 2014 9:15 PM Chris Christie, Better Than Ever
Sept. 19 2014 6:35 PM Pabst Blue Ribbon is Being Sold to the Russians, Was So Over Anyway
Inside Higher Ed
Sept. 19 2014 1:34 PM Empty Seats, Fewer Donors? College football isn’t attracting the audience it used to.
  Double X
The XX Factor
Sept. 19 2014 4:58 PM Steubenville Gets the Lifetime Treatment (And a Cheerleader Erupts Into Flames)
  Slate Plus
Slate Picks
Sept. 19 2014 12:00 PM What Happened at Slate This Week? The Slatest editor tells us to read well-informed skepticism, media criticism, and more.
Brow Beat
Sept. 19 2014 4:48 PM You Should Be Listening to Sbtrkt
Future Tense
Sept. 19 2014 6:31 PM The One Big Problem With the Enormous New iPhone
  Health & Science
Medical Examiner
Sept. 19 2014 5:09 PM Did America Get Fat by Drinking Diet Soda?   A high-profile study points the finger at artificial sweeteners.
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.