The Truth about Internet Fraud
From ZDNet IT Resource Centers
Maria Atanasov, Smart Business
March 13, 2001 12:00 AM ET
When Western
Union Holdings' Web site was hacked last September, the result was
any company's worst nightmare: The intruders stole close to 16,000
credit card numbers belonging to customers who had used WesternUnion.com
to make online money transfers. The company had to contact every
one of those people to let them know about the breach.
"No fraudulent
transactions were consummated, which was our No. 1 priority,"
says Western Union spokesman Pete Ziverts. Luckily, customers' Social
Security numbers were not kept on the server with the credit card
data. Just a week after the break-in, customer levels had rebounded.
"People could see that we handled the situation responsibly,"
Ziverts says. Still, plans for the site's full-scale launch have
been pushed back. He says, "It becomes difficult to go through
an experience like this and say, 'Hey, WesternUnion.com is here.'"
They're Out to Get You
No, you're not just paranoid. But it might surprise you that outside
forces aren't the only ones that threaten your business. According
to the latest CSI/FBI computer crime survey, company insiders are
the culprits 71 percent of the time.
It's this repercussion
that scares many merchants into covering up Internet credit card
fraud and intrusion rates, and makes measuring the extent of
online fraud extremely complex. For e-commerce sites, losing customers'
trust can be a bigger hit to the bottom line than paying to fix
security breaches and covering costs for fraudulent purchases. What's
more, companies fear, revealing specific damage to their systems
may only serve to let hackers know exactly where their weaknesses
are.
While the threat
of online credit card fraud to individual consumers is real, e-shoppers
have less at stake than the commerce sites do. That's because consumers
have protection, in the form of limited liability and
a course of action, says Jonathan Rusch, special counsel for fraud
prevention at the U.S. Department of Justice. "It's the online
merchant who is more likely to get burned," Rusch says (see
"What's the Damage?" below).
What's the Damage?
Federal law protects credit card users against fraud online and
off. Under the Fair Credit Billing Act, consumers are liable only
for $50 worth of unauthorized charges. For ATM cards, a cardholder's
liability is $50 if the card is reported lost within 48 hours, and
as much as $500 if reported thereafter. In most instances, credit
card companies will waive the $50 fee. To make consumers more comfortable
shopping online, Visa USA, MasterCard International, and American
Express have introduced zero-liability programs that waive all consumer
liability in case of online fraud.
In fact, consumers
shouldn't fear shopping online with a credit card any more than
they fear shopping with it over the phone, through a catalog, or
at local stores. "It would be like hopping in a car and worrying
[every time] that someone is going to broadside you," says
Gregg James, special agent in the financial crimes division of the
Secret Service.
The fact is,
there is not a documented incident of someone's credit card number
or personal data being intercepted in transit during a transaction
where encryption technology is used, says Allan Trosclair, executive
director of the National Coalition for the Prevention of Economic
Crime. "You need to be a sophisticated operator to break the
encryption," he says. Adds Betsy Broder, assistant director
for planning and information at the Federal Trade Commission's Bureau
of Consumer Protection, "People think that when they push that
button, that is when the danger [exists]. But when the database
is not secure is where the real problem lies."
To be sure,
credit cards are the safest mechanism for shopping online, making
up 93 percent of online payment transactions, according to the GartnerGroup.
People reporting fraud to the National Consumer League's Internet
Fraud Watch (www.fraud.org) in 1999 blamed only 5 percent of the
incidents on credit card fraud. Money orders (46 percent) and personal
checks (39 percent) were the most common forms of payment related
to reported scams, with auction sites generating the most complaints.
Online merchants
suffer the brunt of losses from disputed transactions, known as
chargebacks. The fees can wipe out e-tailers' already razor-thin
margins. In transactions in brick-and-mortar stores, a customer
presents a card, the clerk swipes it through an electronic reader,
and the customer signs. When a charge is disputed, the signature
makes all the difference. If it's there, the issuing bank eats fraudulent
charges. But in transactions on the Internet, through the mail,
or over the telephone, with no signature as proof, the merchant
absorbs the cost.
"Credit
cards were never intended to be used in a card-not-present environment,"
says Trosclair. "Regulations actually stipulate that you are
supposed to get a copy of the card through an electronic swipe or
imprint, and a signature. If you're a crook, there is total anonymity
in the online world. No eyeball to eyeball."
This anonymity
exacerbates the problem of online fraud. Crime rings spend lots
of money and time pulling off large-scale credit card scams in the
real world. But just one individual with the technology know-how
can do the same damage online in a matter of minutes. This has law
enforcement officials worried, admits Martha Stansell-Gamm, the
Justice Department's chief of computer crime and intellectual property.
"Things that happen online have a tendency to be bigger and
more widespread. The Internet acts as a force multiplier,"
she says.
Fraud by the numbers
Depending on whom you ask, online credit card fraud rates range from
worse than the offline world's to roughly equal to it. The GartnerGroup
surveyed 166 retailers, half of whom sell on the Internet, to find
that online credit card fraud equaled 1.13 percent of transactions,
more than 18 times higher than the fraud rate on all credit card
transactions, which Visa USA reports to be as low as 0.06 percent.
In situations
where the physical card isn't swiped, fraud is at 0.15 percent,
according to Visa. When online transactions are isolated, the rate
is a bit higher, says Visa spokesperson Sean Healy. To put it into
perspective, Visa's worldwide sales totaled $1.6 trillion in 1999.
Of that, 2 percent of transactions came from the Internet, totaling
$32 billion. Estimating conservatively for online credit card fraud
at 0.15 percent, that comes to $48 million. And that's just Visa
transactions.
In September,
CyberSource, a credit card security-check authorization vendor,
polled 100 e-businesses including Starbucks, Ford, Nike, and Beyond.com
to find that 83 percent agreed that online fraud is a problem, up
from three-quarters in 1999. On average, respondents estimated fraudulent
transactions and fraud loss to be at 4 percent.
On the other
hand, ActivMedia Research reported in November that Internet credit
card fraud is no big deal. Eighty-six percent of 432 merchants did
not view fraud as a problem. Online fraud rates, they said, were
often lower than offline fraud rates. Also in November, Ziff Davis
Smart Business polled readers. We found that of those who sell their
products or services online, most (81 percent) said they had not
lost revenue to online fraud.
For its part,
the Secret Service, known as the leader in investigating credit
card crimes, says that online and offline fraud rates are about
the same.
Why the difficulty
measuring fraud? The Secret Service and other law enforcement agencies
hear about crimes only after consumers or merchants report them.
Actual fraud rates may be much higher. Merchants, wary of bad publicity,
may avoid consumer backlash and weakened sales by not reporting
incidents. To avoid scaring off customers, credit card issuers play
down fraud rates as pennies for every hundred dollars spent. What's
more, credit card issuers can only extrapolate from their issuing
banks' responses, which until now haven't distinguished mail and
telephone orders from Net transactions.
There is no
universal standard for reporting credit card fraud. Some report
fraudulent cards as counterfeit, some as stolen. An even bigger
problem is that fraud tends to get lumped in the statistics for
all disputed claims, whether the incidents constituted actual fraud
or plain old customer dissatisfaction. And security software vendors
have an interest in highlighting the highest published fraud rates
to drum up business.
Under siege
If you're in the business of selling anything, online or off, you
can't afford to ignore credit card fraud. With the odds that one
in three people fall victim to white-collar crime, your customers, and
you as an individual, are ripe to become targets.
Most information
used to commit online fraud is gathered in the offline world. Less
sophisticated thieves resort to shoulder surfing (peeking over your
shoulder to get credit card, phone card, and personal identification
numbers, as well as other private information) and Dumpster diving.
Today's tech-savvy crooks use credit card skimmers in locations
like stores and restaurants, or credit card algorithm generators
that are readily available for download.
In the case
of algorithm generators, there's nothing illegal about the software.
"There's no copyright on generating a credit card number,"
says Allen Jost, VP of business development at HNC Software's financial
services group in San Diego. "You can't own a set of 16 numbers."
(Eighty percent of credit cards in the United States are covered
by HNC's fraud management software. HNC's customers include Sears.com
and Circuit City's Web site.) Although these algorithms were developed
in the 1960s, generator software appeared in the early 1990s as
a problem online. Abuses often take place in the Far East, where
thieves take advantage of time differences to shop online while
banks here shut down for processing.
The most advanced
thieves hack Web sites looking for full account information on weak
or exposed merchant servers, clone sites to look like part of the
real thing, and set up bogus merchant sites simply to gather personal
info. The more information a crook gets, the more damage he can
do. A credit card number and an expiration date is enough to start.
If the thief has no date, since most cards expire within three years,
he can guess it within 36 tries. Next comes a legitimate address,
name, Social Security number, and date of birth. In some states,
like Virginia, a person's Social Security number is the same as
his or her driver's license number. A thief who steals that number
has everything necessary to steal that person's identity.
Hacking merchant
servers to steal credit card account data is a problem, and
probably the type of fraud most Web shoppers worry about. But simple
hacks into databases to steal credit card numbers are just one way
thieves get their hands on customers' private information.
Identity theft
is among the biggest problems related to online fraud. Half the
identity theft complaints received by the Internet Fraud Complaint
Center (www.ifccfbi.gov) since it was launched in May 2000 have
included credit card fraud, says the FTC's Broder.
However, unless
you shred all your mail, it's easier for someone to rummage through
your trash for credit card or utility bills, preapproved credit
card applications, bank checks, or store receipts to steal your
identity than it is to steal your account data online. Still, armed
with just your name, thieves can find your phone number and address
on a Web directory like Switchboard (or, if you're unlisted, they
can pay $25 to $150 to get a dossier on you from companies like
Discreet Data Systems).
Merchants pay the price
As CD Universe, which was hacked in January 2000 amid much publicity, can
attest, fraud's most devastating effects are not the material costs
associated with chargebacks or bank fees. What's often worse is
the resulting damage to a merchant's reputation, erosion of consumer
trust, and, ultimately, lost sales. For its part, Western Union
was lucky. And smart. As soon as the company detected that its customer
database had been hacked, it swung into action, shutting down its
site completely and contacting every online customer through phone,
e-mail, and quick-delivery mail to alert them that their credit
card information may have been compromised.
"We didn't
know how many accounts had been tampered with by that point,"
says Western Union's Ziverts. "Whoever did this didn't come
anywhere close to having access to the heart of our money-transfer
system, so the opportunity for false money transfers was never there."
Many companies
are afraid to admit publicly that they've been hit by online fraud
or hacker intrusions. When companies hacked in the past 12 months
were asked what they did to combat the problem, 44 percent said
they did not report the crime at all, 20 percent reported the incident
to their legal counsel, and 25 percent reported the crime to law
enforcement, according to the 2000 CSI/FBI Computer Crime and Security
Survey. (For the record, 85 percent also said they patched the security
holes.)
Asked why they
didn't report the intrusions to police, 52 percent said they wanted
to sidestep negative publicity, 39 percent viewed it as giving away
competitive advantage, 12 percent said they were unaware they could
report it, and 55 percent said they'd rather take the matter into
their own hands. Companies also ranked disgruntled employees as
a more likely source of attack than independent hackers.
Regardless of
whether they report being victimized, merchants bear the security
and financial burden that results from fraud and hacking. Online
merchants not only absorb much of the costs for chargebacks, they
also pay 2.5 percent plus a fee of between 20 cents and 30 cents
on average in interchange fees (the cost the merchant pays to use
the credit card for each transaction).
These fees are
about two-thirds more than brick-and-mortar retailers pay, according
to Avivah Litan, vice president of payment services at GartnerGroup.
(Offline merchants pay about 1.5 percent plus 2 cents to 30 cents
per transaction.) Why are the fees so much higher for e-tailers?
Risk. "A merchant subject to too much in chargebacks can go
out of business," Litan says. "Credit card companies protect
themselves against this by increasing the rate."
The fees continue
to grow exponentially. An outsourced connection to a credit card
verification network adds 22 cents for authorization and settlement.
Pile on another 22 cents for fraud protection using transaction-risk
scoring services from providers like Clear Commerce, CyberSource,
Digital Courier Technologies, or HNC Software, Litan says. On a
$10 baseball cap, an online merchant will pay roughly 89 cents in
fees. Eventually, he will pass these extra fees on to customers.
Stand guard
If you're like most Internet merchants, you already take precautions
to protect your company and your customers. The more traffic you
have, however, the more difficult it can be to stay on top of every
suspicious transaction.
"A very
large Web site may have 40,000 concurrent shoppers as we blink our
eye," says Tom Arnold, chief technical officer at CyberSource.
"That's more shoppers than the largest Wal-Mart store has in
an instant. With a conversion rate of 2.5 percent to 3 percent of
visitor clicks on the buy button, you can't physically review 1,000
orders every five minutes. You have to make an instant decision.
Who are the good ones and the bad? It has nothing to do with credit
rating. You don't have time to do that in 2.5 seconds."
Securing a server
isn't enough anymore. Secure electronic transaction, or SET, protocol
has seen almost no operational use in the United States since it
was introduced in 1996. Instead, most merchants use secure sockets
layer (SSL) encryption technology, which protects information in
transit as a basic e-commerce safety measure. "But SSL doesn't
do anything before or after it gets to your server," Litan
says.
Authentication
is the key. Your e-commerce site needs a combination of firewalls,
digital certificates, intrusion detection, access control, reusable
passwords, antivirus software, and possibly biometrics or neural
network software to authenticate that consumers are who they say
they are. Companies like VeriSign and TRUSTe, and organizations
like the Better Business Bureau OnLine, provide seals of approval
if your site meets certain security criteria.
Something as
simple as address verification helps prevent fraud by matching the
address submitted online to the one the issuing bank has on file.
The downside to address verification software, of course, is that
a merchant may inadvertently throw out legitimate orders with different
shipping addresses than those listed in the files. What if the customer
purchases a gift? Or the billing address is a post office box? With
screening, one in 10 sales is rejected, according to ActivMedia.
It can be expensive for e-tailers to turn down legitimate orders.
Asking for a card verification value, known as CVV and CVV2 (the
three-digit number above the signature panel on the back of the credit
card), makes it impossible for fraudsters who have used credit card
generators, or thieves who have the number but not the card itself,
to make purchases. Doing CVV2 checks in card-not-present transactions
can reduce chargebacks by as much as 26 percent, according to Visa.
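The three screening steps the article describes (the check-digit test that generator software is built to pass, address verification with its gift and post office box caveat, and requiring CVV2) fit together in a small card-not-present screening routine. The Python below is an added example written for this page; it is not code from the article, Western Union, Visa, CyberSource or any other company named here. It assumes the "algorithm" behind generator software is the Luhn mod-10 check digit; the issuer's on-file records, the card numbers, the result codes and the accept/review/reject policy are all constructed for the example, not a card network's real AVS codes.

```python
import re

# Constructed sample of the issuing bank's billing records, keyed by the
# card's last four digits. Stands in for the AVS lookup; a merchant would
# not keep full card numbers in its own database.
ON_FILE = {
    "1111": {"street": "1 Main St.", "zip": "02139"},
    "0002": {"street": "P.O. Box 42", "zip": "10001"},
}

ABBREVIATIONS = {"st": "street", "ave": "avenue", "rd": "road", "apt": "apartment"}


def luhn_valid(card_number: str) -> bool:
    """Mod-10 check-digit test. It catches typos, not fraud: generator
    software produces numbers that pass this test by construction."""
    digits = [int(c) for c in card_number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_address(street: str) -> str:
    """Fold case, punctuation and common abbreviations so that
    '1 Main St.' and '1 main street' compare equal."""
    s = street.lower()
    s = re.sub(r"\bp\.?\s?o\.?\s+box\b", "po box", s)   # "P.O. Box" -> "po box"
    s = re.sub(r"[^a-z0-9 ]", " ", s)
    return " ".join(ABBREVIATIONS.get(t, t) for t in s.split())


def avs_result(card_number: str, billing_street: str, billing_zip: str) -> str:
    """Compare the submitted billing address with the issuer's record.
    The result codes are constructed for this example."""
    record = ON_FILE.get(re.sub(r"\D", "", card_number)[-4:])
    if record is None:
        return "unavailable"
    street_ok = normalize_address(billing_street) == normalize_address(record["street"])
    zip_ok = billing_zip.strip()[:5] == record["zip"][:5]
    if street_ok and zip_ok:
        return "match"
    if zip_ok:
        return "zip_only"
    if street_ok:
        return "street_only"
    return "no_match"


def cvv2_present(cvv2) -> bool:
    """Only the format is checked here: the issuer verifies the value during
    authorization, and the merchant must not store it afterwards."""
    return bool(re.fullmatch(r"\d{3,4}", cvv2 or ""))


def screen_order(order: dict) -> tuple:
    """Return ('accept' | 'review' | 'reject', [reasons]) for one order."""
    reasons = []
    if not luhn_valid(order["card_number"]):
        return "reject", ["card number fails Luhn check (mistyped or fabricated)"]
    if not cvv2_present(order.get("cvv2")):
        return "reject", ["CVV2 not supplied: nothing shows the card is in hand"]
    avs = avs_result(order["card_number"], order["billing_street"], order["billing_zip"])
    if avs == "no_match":
        return "reject", ["billing address does not match issuer record"]
    if avs in ("zip_only", "street_only", "unavailable"):
        reasons.append(f"partial address verification: {avs}")
    # A ship-to that differs from the billing address is normal for gifts,
    # so it routes the order to manual review instead of rejecting it.
    if (normalize_address(order["ship_street"]) != normalize_address(order["billing_street"])
            or order["ship_zip"].strip()[:5] != order["billing_zip"].strip()[:5]):
        reasons.append("ship-to differs from billing address (possible gift)")
    return ("review" if reasons else "accept"), reasons


if __name__ == "__main__":
    sample = {"card_number": "4111 1111 1111 1111", "cvv2": "123",
              "billing_street": "1 Main Street", "billing_zip": "02139",
              "ship_street": "9 Elm Ave", "ship_zip": "02139"}
    print(screen_order(sample))
```

The design point is in `screen_order`: a Luhn failure or a missing CVV2 is rejected because the card is either mistyped or not in the buyer's hand, but a mismatched shipping address or a partial AVS result only lowers the order to manual review, which is the trade-off the article raises when it notes that blanket screening rejects one sale in ten.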
Choose Your Weapons
Only about 14 percent of the online businesses ActivMedia surveyed
said Internet fraud was a problem for them, but these companies
reported doing something to combat fraud going forward. The best
prevention, respondents said, was to hold shipment of goods until
the payment had been received.