Vigilance needed to thwart credit-card identity fraud

Staying Ahead

Dollars & Sense

January 23, 2000|By Jane Bryant Quinn

JUST WHEN we're starting to get used to shopping on the Web, along comes a mystery crook, "Maxim," to remind us that life isn't safe.

And it's not only Web shoppers who have to worry. So does everyone who uses a credit card.

Maxim is a cyberthief, possibly in Eastern Europe. He claims to have stolen more than 300,000 credit-card files from an online music retailer called CD Universe.

He demanded that CD Universe pay $100,000 for him to destroy his copy of the files. When the company refused, he started posting customers' names, addresses and credit-card numbers on the Web.

Maxim's site has been closed. But in the two weeks it was up, several thousand visitors downloaded more than 25,000 credit-card numbers, according to the New York Times.

The easy answer, you might think, is never to buy anything by Web. Many e-tailers let you use an 800 number, instead.

But when you order by phone, where does the merchant keep your card number? Most likely, right in the general credit-card database, where the Maxims of the underworld might find it.

Ordering from catalog

The same could be true when you order from a catalog or put down your actual card at a local store.

"It all depends on which computer the merchant keeps your card number in," says Elias Levy, chief technology officer of SecurityFocus.com, a computer security firm in San Francisco.

It might be the same computer as the one accessible by Web, or it might not. You have no idea.

CD Universe faces a public-relations mess because the thief disclosed the company's name. But other firms have been attacked and consumers never knew, privacy experts say.

The known cases are only the tip of the iceberg, says security expert Peter G. Neumann of SRI International in Menlo Park, Calif. Still, the relative number of break-ins is small.

Merchants say you don't have to worry. By law, you're liable for no more than $50, if an unauthorized person uses your card. Many banks don't even charge that.

Crooks use information

But the problem isn't the $50 or the hassle of replacing your card. "The real issue is identity fraud," Neumann says.

It's not only addresses and credit-card numbers that slosh around the Internet. So do birthdays and Social Security numbers. Crooks can put them all together, then apply for credit in your name.

You don't see the bills, so you have no idea that "another you" is running up debt. By the time you discover the fraud, your credit is wrecked. The damage from identity theft can take years to mend.

What can consumers do? Alas, not much.

There are simple rules:

Don't give your credit-card number over a cell phone. Guard the carbons, when you pay in person. When you shop by Web, check the lock or key icon on the screen, to make sure it's whole. A broken icon indicates that the site is not secure. Even well-known sites break down sometimes.

Keep one card for Web

Doug Tygar, a professor and information specialist at the University of California at Berkeley, suggests that you keep one card only for Web use. If the number is stolen, you'd then have a single card to cancel. But of course, this doesn't prevent identity theft.

The larger problem isn't the security of your individual transaction. It's the level of security the merchant applies to its database. Maxim didn't "sniff" individual credit-card numbers as they wafted over the wires. He lifted them wholesale out of CD Universe's computer.

Says Tygar: "It's like the merchant who carefully puts each credit-card slip in a drawer but doesn't lock the drawer at night."

Web customers should check each merchant's privacy policy to see how it handles your data. But these policies almost never mention how the merchant protects its own database. Some merchants aren't doing enough.

Maxim's method unknown

It's not known how Maxim accomplished his virtual second-story job. Once in, he may have used a common credit-card verification program called ICVerify to transfer customers' money to his own credit-card account, Levy says.

(CyberCash in Reston, Va., which sells ICVerify, would not comment.)

CD Universe alerted its customers to the theft. It also hired security experts "to make sure we're rock-solid safe going forward," spokesman Brett Brewer says.

But how rock-solid is any customer database? "What's scary about this is that [CD Universe's] network was compromised," says Elaine Rubin, head of Shop.org, an e-tailers association.

Every merchant should take note.

WASHINGTON POST WRITERS GROUP
