Caveat Mercator

Don’t spend a lot of time worrying about online credit card fraud. Unless you’re a merchant.

Is it safe to buy things online? News reports make charging things on the Web sound as dangerous as shopping in downtown Grozny. A hacker recently stole thousands of credit card numbers from e-tailer CD Universe and is holding them hostage until the company accedes to his demands. An MSNBC reporter revealed the lax security at seven Web sites by accessing credit card info on them. And a consumer who shopped at Amazon.com is blaming the company for the fraudulent billings that subsequently appeared on his credit card.

The short answer is shopping online is safe as long as everybody does their homework. The longer answer is too many merchants are flunking Computer Security 101.

Credit card fraud predates the Internet, of course. New cards are routinely stolen from mailboxes. Dumpster divers steal credit card receipts for the valid numbers printed on them. Bunco artists call unwitting consumers and pry card info out of them. Other crooks broker the purloined numbers to their fellow criminals.

Despite all this rampaging fraud, most consumers suffer only the slightest of dings. Under the Fair Credit Billing Act, consumer liability for fraudulent card charges is limited to $50, and many card companies cover those damages, depending on the circumstances. Moreover, some merchants (such as Amazon.com) will refund that $50 if the fraud was their fault. Bricks-and-mortar merchants, who run the physical credit card through a credit card reader—and who can also check signatures and ask for photo IDs—are also indemnified by credit card companies for fraudulent charges. But online and mail-order merchants are a different case. They must swallow every fraudulently billed credit card dollar.

But before we explore the Web merchants’ credit card nightmare further, let’s make sure you’re shopping safe.

As described in a previous “WebHead,” the “SSL protocol” in the latest browsers securely transfers your information to the merchant. The link between the merchant and the payment processor is equally secure. And the payment processors, the companies that actually authorize your credit card information, tend to have the best security money can buy.

The weakest link in the chain is the merchant. MSNBC’s reporter successfully hacked those merchant sites because the proprietors hadn’t changed the database’s default user name and password. But no hacker would have gotten as far as the database sign-in page at a properly designed Web site. Another vulnerable zone is internal security. Disgruntled employees are always walking off the job with credit card information, and other naughty employees sometimes take advantage of poor internal security to program “back doors” in the site’s code so they can slip in undetected and steal information.

There’s no way for you to know which merchants practice safe shopping. Although several independent organizations perform security audits of e-commerce systems, merchants have yet to publicize the results in any organized fashion. Not surprisingly, the larger, more established online merchants tend to be the most vigilant about security.

But even at the big-name sites, merchants have a hard time spotting a fraudulent transaction unless the card has been reported stolen. When a credit card purchase is made on the Web or over the phone, the card issuer (American Express or a bank that issues Visa or MasterCard) makes a rudimentary attempt to verify the customer’s identity by comparing the address given to the merchant with the card’s billing address on file. The “Address Verification System” used by card issuers looks only at the first five digits of the street address and the first four digits of a ZIP code. Cards issued internationally don’t typically use AVS, for legal (some European privacy laws forbid it) and technical (some European banks are just plain low-tech) reasons. As a result, the fraud rates on these cards are so high that some U.S. merchants won’t take them.

Card issuers routinely detect fraud by analyzing card usage. In the old days, the best way to exploit a physical stolen card was to “burn it to the ground”—charge goods rapidly at a bunch of different stores before the theft was reported. Most banks now detect suspiciously high “transaction velocities” with software from HNC and deny further purchases until the cardholder is contacted. I have a friend whose legitimate shopping spree triggered the transaction-velocity tripwire and caused a few retailers to grill him.

If a credit card purchase passes the address and velocity hurdles (and the customer hasn’t exceeded his spending limit), the transaction is authorized. Now the merchant waits anxiously for a “charge back” notice—a bank message informing him that the cardholder has disputed the charge. Each “charge back” costs the merchant the amount of the charge, plus a fine, plus a potential increase in the credit card fees the merchant must pay the bank.

To reduce “charge backs,” online merchants use common sense to flag suspicious purchases. For instance, an online store that typically takes $50 orders does a double take when it gets a $1,000 order. But clever thieves fly below the radar by making infrequent, relatively small purchases at a variety of shops. A cardholder who doesn’t check his statements assiduously may not notice the fraud for many months.

Some credit card fraud cannot be foiled. An accomplished “identity thief” armed with your Social Security number and a few other critical facts about you (I’m not telling!) can set up a credit card under your name, but have it sent to his P.O. Box. He can quickly run up big bills that he’ll never pay and damage your credit in the process.

Fraud rates are highest on digital products such as a subscription to an online magazine or downloadable software. With no shipping address, the identity thief cannot be tracked down. Another popular scam is the “Real-Time Triangular Trace,” in which credit card thieves reap cash. Here’s how it works: The thief advertises a $500 color printer on eBay for $250, and the lucky person who wins the auction sends the check for $250 to the thief’s P.O. Box. Meanwhile, the thief purchases the printer from an e-tailer with a stolen credit card and sends it to the auction winner’s address. (Some credit card fraud is perpetrated less professionally, as from my company’s files illustrates.)

Commercial fraud-screening software from CyberSource, HNC, and other companies helps to spot the bad guys. Every Internet connection requires an IP address—a numeric identifier issued to every computer connected to the Internet. So, if the street address of the cardholder making a purchase is in Texas, but the connection’s IP address is in Russia, screening software can sniff out the possible crime. The problem with screening software is that it turns up occasional false positives, such as when a Texan shops online from a Russian hotel. What’s a merchant to do? Let the potential fraud through or insult a valid customer? And even when fraud is presumed, sleuthing it out is not a top priority for law enforcement. These are small-scale crimes, difficult to trace across state lines and international borders. FBI and Interpol aren’t interested. Believe me, my company has called them.
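The checks described above (the AVS digit comparison, the unusually large order, transaction velocity and the billing-address versus IP-address mismatch) can be combined into a single order screen. The Python below is an added example, not code from the article or from any screening product; the thresholds, field names, card token and sample orders are constructed, `on_file` stands in for the issuer's billing record, and the IP address is assumed to have been resolved to a country elsewhere.

```python
import re
from collections import deque

def avs_digits(rec):
    """First five street-address digits and first four ZIP digits, per the article."""
    return re.sub(r"\D", "", rec["street"])[:5], re.sub(r"\D", "", rec["zip"])[:4]

class OrderScreen:
    # Assumed thresholds: 10x the article's $50 typical order, 3 orders per hour.
    def __init__(self, amount_limit=500.0, max_orders=3, window_s=3600):
        self.amount_limit = amount_limit
        self.max_orders, self.window_s = max_orders, window_s
        self.recent = {}  # card token -> deque of recent order timestamps

    def screen(self, order, on_file):
        flags = []
        if avs_digits(order) != avs_digits(on_file):
            flags.append("avs_mismatch")
        if order["amount"] >= self.amount_limit:
            flags.append("amount_outlier")
        if order["ip_country"] != on_file["country"]:
            flags.append("geo_mismatch")
        # Sliding window: forget orders older than window_s, then count the rest.
        seen = self.recent.setdefault(order["card"], deque())
        while seen and order["ts"] - seen[0] > self.window_s:
            seen.popleft()
        seen.append(order["ts"])
        if len(seen) > self.max_orders:
            flags.append("velocity")
        # A lone signal (the Texan in a Russian hotel) is reviewed, not refused.
        decision = "accept" if not flags else "review" if len(flags) == 1 else "hold"
        return decision, flags

# Constructed sample data: the token, addresses and countries are invented.
ON_FILE = {"street": "1200 Main St Apt 4", "zip": "75201", "country": "US"}
ORDERS = [
    {"card": "tok_A", "street": "1200 Main Street #4", "zip": "75201-1234",
     "amount": 45.0, "ip_country": "US", "ts": 0},
    {"card": "tok_A", "street": "1200 Main St Apt 4", "zip": "75201",
     "amount": 60.0, "ip_country": "RU", "ts": 600},
    {"card": "tok_A", "street": "77 Elm Rd", "zip": "10001",
     "amount": 1000.0, "ip_country": "RU", "ts": 1200},
]

def run_samples():
    screen = OrderScreen()
    return [screen.screen(o, ON_FILE) for o in ORDERS]

if __name__ == "__main__":
    print(run_samples())
```

Because a single flag only routes the order to manual review, the traveling customer is delayed rather than refused, while the order that trips several checks at once is held.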

Thieves and merchants will continue to duel on the Internet, as more inventive scams challenge more sophisticated screening software. Eventually, the merchants and card issuers will get the help they need from law-enforcement agencies, and the card issuers will tighten up their security. But until then, watch your wallet, read your credit card statement, and think twice before buying stock in online merchants. (Oh, did I just write that?)