Web Thefts Expose Credit Card Risks
Web Thefts Expose Credit Card Risks
Mar. 12, 2000
NEW YORK (AP) _ Stung by a string of credit card thefts online, card companies are trying to teach merchants better security.
Not doing so, they fear, could cause an erosion in consumer confidence, impeding e-commerce and the use of cards online.
Threat of credit thefts has long existed in unscrupulous waiters copying down cards, or store clerks mishandling carbons. Online, the difference is magnitude: A single Internet strike can net a thief thousands of numbers.
Two weeks ago, for instance, SalesGate.com of Buffalo, N.Y., joined the growing list of e-commerce victims when it discovered hackers had stolen thousands of numbers from a site it thought to be safe.
``If you don't take measures to protect yourselves, this can become a playground for organized crime,'' said Stephen Orfei, vice president of emerging technologies at MasterCard.
Late last year, a hacker stole 300,000 credit card numbers from CD Universe and released thousands of them on a Web site when the music retailer refused to pay a ransom.
In February, another hacker infiltrated RealNames, an Internet search service with as many as 20,000 card numbers on file. The company did not know for certain if numbers were stolen, so it asked card issuers to cancel accounts as a precaution.
The break-in coincided with three days of attacks that shut down Yahoo! and other prominent Web sites for hours. Although no card numbers were stolen, the rush of fake traffic drew attention to other potential security breaches.
``The industry as a whole needs to pull its socks up,'' said Alex van Someren, who heads security vendor nCipher in the United Kingdom. Merchants, he said, should maintain ``high standards'' if they want customers to return.
Security experts recommend merchants scramble credit card numbers once they complete transactions. They also should move such data to computers unattached to those running the Web sites.
At ProMobility.net, a Canadian company that sells wireless and Internet services, card numbers sat unscrambled on the same computer that runs its Web site. Last month, a hacker took advantage of a software security hole and stole almost 50,000 cards.
In hindsight, maybe the company shouldn't have handled its own security, said Eric Geiler, a Promobility executive. His advice to other merchants: ``If you don't know what you're doing, hire somebody.''
So far, no spending sprees have been reported. In most cases, card issuers canceled accounts in time. And, in general, liability for individual cardholders is capped at $50, with many banks waiving even that.
But inconvenience alone can cost customers.
Take Dale Kemery, a Web designer in Wheeling, Ill., who gave RealNames his card number. Now, he's reconsidering his reliance on magic plastic.
``I was quite startled, needless to say,'' he said. ``That was followed by fear and loathing.''
Erica Proto, a New York public relations executive, shopped online for the first time at Christmas only to wind up with more than $500 in fraudulent charges at other sites, some of them pornographic.
Although card issuers eventually canceled the charges, she plans to shop online in the future.
``It was a major hassle for me waiting for new cards,'' Proto said. ``I had to fight with them at first.''
Even before recent attacks, many consumers cited security as their top concern about e-commerce. Customers are becoming more comfortable about credit card use, but the hacking attacks could wipe out the gains.
Most browsers, including those by Netscape and Microsoft, now come with scrambling features that make it virtually impossible to intercept a credit card number. And customers about to send card information can look for signs of security, such as the closed padlock symbol at the bottom of the browser window.
Beyond that, security is largely up to the merchant.
Many retailers take extra precautions, especially after they've been hit. But it's difficult for customers to tell which merchants do simply by looking at the site. Many sites, including Amazon.com and ProMobility, won't reveal their security measures.
And because retailers don't often publicize break-ins, it's unclear just how big the risk may be.
Credit cards dominate online transactions largely because no alternative is yet viable. Cash and checks take too long, and Internet currencies resembling gift certificates or prepaid phone cards are still obscure.
Deborah Williams, research director at Meridien Research Inc. in Newton, Mass., predicted more merchants will embrace online currencies in the next few years. That, she said, could threaten the online dominance of credit cards.
``There are certainly doubts in the air,'' she said. ``Without some significant effort, they are in jeopardy of not being the payment of choice.''
On the Net: Information on credit card security and fraud: http://www.scambusters.org; http://www.fraud.org.