Credit Card Theft a Major Risk
Date: October 15, 2003Source: Computer Crime Research Center
By:
Pat LaMastro, the head of PC Services, knows the benefits of selling over the Internet. He also knows the
potential consequences. In "Internet merchants fight back," MSNBC's Mike Brunker wrote about credit card fraud
that has affected LaMastro, along with other online merchants.
LaMastro nearly sold $15,000 worth of computer parts to a customer in Romania. Fortunately, he was soon notified that the credit card number was fraudulent, and he was able to halt the UPS order before it reached the destination. He was out $600 for shipping, but he was luckier than many online merchants were.
Internet sales are surging. There is no doubting this. According to an article printed in the Feb. 18, 2000, edition of The Kansas State e-Collegian, "Internet sales constituted .5 percent of all 1998 retail sales and were expected to increase to .725 percent in 1999. Internet sales making up less than 1 percent of all sales may not sound impressive, but consider this: the jump in 1999's online sales were up 45 percent over '98's sales.
Credit cards certainly are not new, and neither is credit card fraud. For legitimate customers using credit cards wisely, these plastic cards can be of great ease. Carrying a Visa card means that a consumer does not need as much cash on hand. When away from home on a trip, rather than have several hundred dollars ready in case of emergency, it is easier and less risky to carry a credit card. A simple swipe or pushing a few buttons on a keypad is all it takes to make a purchase. And when ordering by telephone, using a credit card in place of a check cuts down on shipping time, since the merchant receives the number at that instant.
However, credit cards have been an ideal medium for illegitimate customers, as well, and much of the fraud is done overseas. The risk of fraud has seemed to rise with the increase in technology and with the number of outlets through with a customer can order. For the consumer's sake, as well as the merchant's, ID verifications can be made at the register. But when there is no register, in the traditional sense, such with phone and Internet orders, there is no way of being sure that the person ordering is the actual owner of the credit card. Most of the risk lies in the hands of the merchant. If there is a fraudulent order made, the merchant is left to absorb the loss. There is actually relatively little risk for the consumer. According to MSNBC's Brunker, in his article, "E-business vs. the perfect cybercrime," consumers are generally not held personally responsible if their credit cards are used fraudulently. In cases of fraud, the $50 which consumers can be required to pay "is usually waived by the issuing bank," according to the article.
There are not a lot of secrets behind the growth in Internet sales. Whether the consumer is buying music, flowers, cars, computers, or health supplies, he can order from anywhere in the world and have it shipped to anywhere in the world. Also, since the "middle man" is often bypassed, the costs to consumers are often cheaper online than they would be at a store.
For online sales, the primary purchasing medium is indeed the credit card. Consumers rarely pay by check when ordering online. But protecting the merchant and consumer is far from perfect. This is due to faults of merchants, in terms of encryption, as well as of the government, in terms of prosecuting. Also at fault are credit unions, when they fail to notify customers. And not all of the necessary technology to combat online fraud has been developed yet.
In "E-business vs. the perfect cybercrime," Bunker writes that "Officials at Visa and MasterCard said that they are in the process of establishing tracking systems for fraud committed over the Internet."
Fraud in the traditional sense still exists in online sales. When someone steals a credit card, he has the capability of ordering over the Internet until the owner of the card discovers the purchases and cancels the card.
However, this example of fraud is not where the biggest fraud risk exists. The largest risk, a risk new to commerce, is the risk of a hacker having access to thousands of card numbers or more. In the past, before e-commerce, it was much more difficult for someone to steal a large number of card numbers. A thief would steal a card or take information out of the mailbox. Or, more recently, a phone tap during a telephone order could make a card number known. Now, however, a talented hacker can sit at a computer and have access to an entire database of card numbers.
According to "E-business vs. the perfect cybercrime," "most of the credit card information used for the fraudulent online purchases apparently is obtained the old-fashioned way: stolen from mailboxes or 'swiped' through a card reader by accomplices working in restaurants or stores. The stolen credit card information is then transmitted to the thief or thieves overseas, who begin their electronic assault on Internet merchants by charging as much merchandise as they can in as short a time as possible."
This article mentions that the estimate "anecdotal evidence suggests the international fraud artists are netting many millions of dollars each year." Although these many small-scale operations do cause millions of dollars of losses each year to businesses, they did not have the individual potential to damage merchants as the large-scale thefts of credit card numbers that have been occurring lately.
"Vast online credit card theft revealed," also written by MSNBC's Brunker, discusses a theft that occurred in January of this year, in which 485,000 credit cards were stolen from a single site. Equally surprising is that the hacker stored the numbers on a site owned by the U.S. government. "The Internet retail site from which the data was stolen has also since been identified," the article states, "but [Secret Service spokesman Jim] Macken declined to name it."
"There was no evidence that any of the cards were used to commit fraud and some of the accounts were not active," according to the article. However, this does not minimize the significance of this theft.
MSNBC discovered this after receiving from an anonymous employee at the Navy Federal Credit Union a copy of a letter written by Visa. Having 19 million member, this credit union is the world's largest. "Officials at the credit union took no action to warn customers whose account numbers were among those stolen by the hacker," according to "Vast online credit card theft revealed. "Instead, they ordered a 'spot check' of 50 to 100 accounts and then decided that no further action was necessary, the source said."
Going on, the article states that "the same procedure was followed two weeks later, when Visa alerted the institution of the theft of data on 300,000 credit cards from the CD Universe Web site -- the biggest theft of credit card data over the Internet that previously had been made public." The source told MSNBC that "It was deemed not the credit union's responsibility."
The article states that "Banks and credit card companies often point out that consumers are responsible only for the first $50 of fraudulent online purchases -- and that is nearly always waived. But stolen credit card information can be used to commit fraud against unsuspecting Internet merchants, who in most cases bear the cost of the crime, or for the identity theft -- a practice in which criminals use personal data to obtain new credit, borrow money or make big-ticket purchases."
Unlike credit card theft, which leaves the owner largely unresponsible, "identity theft is by no means a victimless crime," according to the article. The Treasury Department has found identity theft "a growing and major criminal threat."
Along with those two large-scale incidents of illegal credit card access, Bob Sullivan's article, "Can hackers kill credit cards?" printed on MSNBC, discusses one anonymous hacker who has made a name for himself. "Curador," the self-proclaimed "Saint of E-Commerce," is "up to 25,000 records now from 13 Web sites, and still going. Despite all that the financial risk and all that violation of personal privacy, no one can stop him," the article states.
The article states that he "started posting his catalog of stolen credit card numbers on his Web page." Brunker later writes that, "Of course, authorities have removed Curador's Web site -- at least a dozen times. No matter; he uses the many free, anonymous Web hosting services available on the Internet. And as fast as his Web page is taken down, 'Curador' puts up another one. The 18-year-old computer intruder, who also goes by the nickname 'mind gimp,' is located somewhere in Europe."
Methods to prevent theft will likely improve over time. Sullivan wrote that "The raging success of online thieves, some say, will force the hand of banks, merchants, credit card companies and consumers to change the way we spend money much sooner than we intended." His articles later states that "The familiar plastic currency was designed to be physically handed to the merchants, who could at least make a cursory check to see if signatures on the card and the sales slip matched. Online, commerce is anonymous. There is no way to see who's entering the credit card numbers into a Web page, an anonymity that heavily favors the fraud artists."
The article mentions that "Several technologies hope to tip the scales against thieves by implementing systems that require some real-world physical...
Next
Add comment
Email to a Friend
