Caveat Mercator
Don't spend a lot of time worrying about online credit card fraud. Unless you're a merchant.
Posted Friday, Feb. 11, 2000, at 3:30 AM ET
Is it safe to buy things online? News reports make charging things on the Web sound as dangerous as shopping in downtown Grozny. A hacker recently stole thousands of credit card numbers from e-tailer CD Universe and is holding them hostage until the company accedes to his demands. An MSNBC reporter revealed the lax security at seven Web sites by accessing credit card info on them. And a consumer who shopped at Amazon.com is blaming the company for the fraudulent billings that subsequently appeared on his credit card.
The short answer is shopping online is safe as long as everybody does their homework. The longer answer is too many merchants are flunking Computer Security 101.
Credit card fraud predates the Internet, of course. New cards are routinely stolen from mailboxes. Dumpster divers steal credit card receipts for the valid numbers printed on them. Bunco artists call unwitting consumers and pry card info out of them. Other crooks broker the purloined numbers to their fellow criminals.
Despite all this rampaging fraud, most consumers suffer only the slightest of dings. Under the Fair Credit Billing Act, consumer liability for fraudulent card charges is limited to $50, and many card companies cover those damages, depending on the circumstances. Moreover, some merchants (such as Amazon.com) will refund that $50 if the fraud was their fault. Bricks-and-mortar merchants, who run the physical credit card through a credit card reader—and who can also check signatures and ask for photo IDs—are also indemnified by credit card companies for fraudulent charges. But online and mail-order merchants are a different case. They must swallow every fraudulently billed credit card dollar.
But before we explore the Web merchants' credit card nightmare further, let's make sure you're shopping safe.
Be cautious. Don't give out your vital numbers to strangers. Or your mother's maiden name. Don't share passwords.
As described in a previous "WebHead," the "SSL protocol" in the latest browsers securely transfers your information to the merchant. The link between the merchant and the payment processor is equally secure. And the payment processors, the companies that actually authorize your credit card information, tend to have the best security money can buy.
The weakest link in the chain is the merchant. MSNBC's reporter successfully hacked those merchant sites because the proprietors hadn't changed the database's default user name and password. But no hacker would have gotten as far as the database sign-in page at a properly designed Web site. Another vulnerable zone is internal security. Disgruntled employees are always walking off the job with credit card information, and other naughty employees sometimes take advantage of poor internal security to program "back doors" in the site's code so they can slip in undetected and steal information.
There's no way for you to know which merchants practice safe shopping. Although several independent organizations perform security audits of e-commerce systems, merchants have yet to publicize the results in any organized fashion. Not surprisingly, the larger, more established online merchants tend to be the most vigilant about security.
But even at the big-name sites, merchants have a hard time spotting a fraudulent transaction unless the card has been reported stolen. When a credit card purchase is made on the Web or over the phone the card issuer (American Express or a bank that issues Visa or MasterCard) makes a rudimentary attempt to verify the customer's identity by comparing the address given to the merchant with the card's billing address on file. The "Address Verification System" used by card issuers only looks at the first five digits of the street address and the first four digits of a ZIP code. Cards issued internationally don't typically use AVS, for legal (some European privacy laws forbid it) and technical (some European banks are just plain low-tech) reasons. As a result, the fraud rates on these cards are so high that some U.S. merchants won't take them.
Card issuers routinely detect fraud by analyzing card usage. In the old days, the best way to exploit a physical stolen card was to "burn it to the ground"—charge goods rapidly at a bunch of different stores before the theft was reported. Most banks now detect suspiciously high "transaction velocities" with software from HNC and deny further purchases until the cardholder is contacted. I have a friend whose legitimate shopping spree triggered the transaction-velocity tripwire and caused a few retailers to grill him.
If a credit card purchase passes the address and velocity hurdles (and the customer hasn't exceeded his spending limit), the transaction is authorized. Now the merchant waits anxiously for a "charge back" notice—a bank message informing him that the cardholder has disputed the charge. Each "charge back" costs the merchant the amount of the charge, plus a fine, plus a potential increase in the credit card fees the merchant must pay the bank.
To reduce "charge backs," online merchants use common sense to flag suspicious purchases. For instance, an online store that typically takes $50 orders does a double take when it gets a $1,000 order. But clever thieves fly below the radar by making infrequent, relatively small purchases at a variety of shops. A cardholder who doesn't check his statements assiduously may not notice the fraud for many months.
Some credit card fraud cannot be foiled. An accomplished "identity thief" armed with your Social Security number and a few other critical facts about you (I'm not telling!) can set up a credit card under your name, but have it sent to his P.O. Box. He can quickly run up big bills that he'll never pay and damage your credit in the process.
Fraud rates are highest on digital products such as a subscription to an online magazine or downloadable software. With no shipping address, the identity thief cannot be tracked down. Another popular scam is the "Real-Time Triangular Trace," in which credit card thieves reap cash. Here's how it works: The thief advertises a $500 color printer on eBay for $250, and the lucky person who wins the auction sends the check for $250 to the thief's P.O. Box. Meanwhile, the thief purchases the printer from an e-tailer with a stolen credit card and sends it to the auction winner's address. (Some credit card fraud is perpetrated less professionally, as this anecdote from my company's files illustrates.)
Commercial fraud-screening software from CyberSource, HNC, and other companies helps to spot the bad guys. Every Internet connection requires an IP address—a numeric identifier issued to every computer connected to the Internet. So, if the street address of the cardholder making a purchase is in Texas, but the connection's IP address is in Russia, screening software can sniff out the possible crime. The problem with screening software is that it turns up occasional false positives, such as when a Texan shops online from a Russian hotel. What's a merchant to do? Let the potential fraud through or insult a valid customer? And even when fraud is presumed, sleuthing it out is not a top priority for law enforcement. These are small-scale crimes, difficult to trace across state lines and international borders. FBI and Interpol aren't interested. Believe me, my company has called them.
Thieves and merchants will continue to duel on the Internet, as more inventive scams challenge more sophisticated screening software. Eventually, the merchants and card issuers will get the help they need from law-enforcement agencies, and the card issuers will tighten up their security. But until then, watch your wallet, read your credit card statement, and think twice before buying stock in online merchants. (Oh, did I just write that?)
Highlights from The Fray
I think if you ask the crypto-community whether the strength of SSL is up to the level of thwarting an organized (possibly by governments) criminal effort to ferret interesting packets and to perform a brute-force attack to find the key, you'll find a huge consensus saying the key size is insufficient and within the resources of a person or organization determined to use this computing power in the hope of developing an industry to broker valuable information obtained by cracking encrypted messages.
If you don't believe me, then I invite you to sit in on a group where you pose the question, "Please comment/remark on the value of a protocol like SSL in the enhancement of net security, or whether merchants should be released from legal liability if they can say they made bona fide attempt to protect sensitive information through the use of tools like SSL."
Then hold tight.
--Mavi Gozler
(2/14)
As an accountant for an online merchant I feel like I am on the front lines of this new battle with credit card criminals. We are having to review our company policies regarding credit card purchases on a daily basis. Unfortunately, the criminals seem to be one step ahead of us sometimes. We follow the guidelines given to us by our Merchant Services for accepting credit cards as payment. However, we have still been hit by several fraudulent charges and learned some hard lessons. We require from our customers a signed Purchase Order and a copy of the front and back of the credit card for all purchases over a certain dollar amount. This seems to eliminate those who try to purchase with credit card numbers that they simply stole from the Internet somewhere.
-- e-commerce merchant
I had to learn the hard way. Never shop at a vendor who ships to a different address than the billing address. This includes big places like Amazon.com and others. Boycott these vendors. You can add a secondary shipping address to your credit card if need be, but you control that, not the online vendor. Never use a debit card – if thieves get a hold of that number the money is coming right out of your account rather than a credit charge you can dispute. Online swindlers like to charge small amounts (not that small -- in the $200-400 range), hoping some people won't notice. If you order online, check your statement carefully.
--Glen Roebuck
The people who are afraid to shop on the Internet are the same ones who give their credit card to a waiter or waitress, who disappears with it for 5-15 minutes. The same person who hands it to a bartender to keep all night to run a tab, behind a bar with hundreds of people who can see it. The same people who throw away store receipts after they purchase something in a mall with a credit card. Wake up, people, there are a lot more unsafe places to use your credit cards than the Internet.
--Phillip Bunton
Re: online companies worrying about offending legit customers occasionally. I would not be offended if I were the customer just as I am never impatient or offended when I am asked for my picture ID in a physical store. These people are on my side and are protecting my interests, identity and privacy. Give them a break!
--Frances
Dear Frances,
Sadly, the experience online is quite a bit different from a physical store. Instead of being asked for your ID, you're simply rejected out of hand without even being told why. And calling your bank won't make a difference--the factors that contributed to your rejection by the fraud screening method are beyond its control. I know from experience that our customers are insulted when they are refused even though they are using a valid card with plenty of credit.
--Bill Barnes
(2/15)