When Western Union Holdings' Web site was hacked last September, the result was any company's worst nightmare: The intruders stole close to 16,000 credit card numbers belonging to customers who had used WesternUnion.com to make online money transfers. The company had to contact every one of those people to let them know about the breach.
"No fraudulent transactions were consummated, which was our No. 1 priority," says Western Union spokesman Pete Ziverts.
Luckily, customers' Social Security numbers were not kept on the server with the credit card data. Just a week after the break-in, customer levels had rebounded. "People could see that we handled the situation responsibly," Ziverts says. Still, plans for the site's full-scale launch have been pushed back. He says, "It becomes difficult to go through an experience like this and say, 'Hey, WesternUnion.com is here.' "
Online credit card scams cost Visa USA at least $48 million last year. The real story behind the biggest threat to e-commerce - and how you can protect your business and yourself.
It's this repercussion that scares many merchants into covering up Internet credit card fraud and intrusion rates - and makes measuring the extent of online fraud extremely complex. For e-commerce sites, losing customers' trust can be a bigger hit to the bottom line than paying to fix security breaches and covering costs for fraudulent purchases. What's more, companies fear, revealing specific damage to their systems may only serve to let hackers know exactly where their weaknesses are.
While the threat of online credit card fraud to individual consumers is real, e-shoppers have less at stake than the commerce sites do. That's because consumers have protection - in the form of limited liability - and a course of action, says Jonathan Rusch, special counsel for fraud prevention at the U.S. Department of Justice. "It's the online merchant who is more likely to get burned," Rusch says.
In fact, consumers shouldn't fear shopping online with a credit card any more than they fear shopping with it over the phone, through a catalog, or at local stores. "It would be like hopping in a car and worrying [every time] that someone is going to broadside you," says Gregg James, special agent in the financial crimes division of the Secret Service. The fact is, there is not a documented incident of someone's credit card number or personal data being intercepted in transit during a transaction where encryption technology is used, says Allan Trosclair, executive director of the National Coalition for the Prevention of Economic Crime. "You need to be a sophisticated operator to break the encryption," he says. Adds Betsy Broder, assistant director for planning and information at the Federal Trade Commission's Bureau of Consumer Protection, "People think that when they push that button, that is when the danger [exists]. But when the database is not secure is where the real problem lies."
To be sure, credit cards are the safest mechanism for shopping online, making up 93 percent of online payment transactions, according to the GartnerGroup. People reporting fraud to the National Consumer League's Internet Fraud Watch (www.fraud.org) in 1999 blamed only 5 percent of the incidents on credit card fraud. Money orders (46 percent) and personal checks (39 percent) were the most common forms of payment related to reported scams, with auction sites generating the most complaints.
Online merchants suffer the brunt of losses from disputed transactions, known as chargebacks. The fees can wipe out e-tailers' already razor-thin margins. In transactions in brick-and-mortar stores, a customer presents a card, the clerk swipes it through an electronic reader, and the customer signs. When a charge is disputed, the signature makes all the difference. If it's there, the issuing bank eats fraudulent charges. But in transactions on the Internet, through the mail, or over the telephone, with no signature as proof, the merchant absorbs the cost.
"Credit cards were never intended to be used in a card-not-present environment," says Trosclair. "Regulations actually stipulate that you are supposed to get a copy of the card through an electronic swipe or imprint, and a signature. If you're a crook, there is total anonymity in the online world. No eyeball to eyeball."
This anonymity exacerbates the problem of online fraud. Crime rings spend lots of money and time pulling off large-scale credit card scams in the real world. But just one individual with the technology know-how can do the same damage online in a matter of minutes. This has law enforcement officials worried, admits Martha Stansell-Gamm, the Justice Department's chief of computer crime and intellectual property. "Things that happen online have a tendency to be bigger and more widespread. The Internet acts as a force multiplier," she says. Depending on whom you ask, online credit card fraud rates range from more severe than those of the offline world to equal to them. The GartnerGroup surveyed 166 retailers, half of whom sell on the Internet, to find that online credit card fraud equalled 1.13 percent of transactions, more than 18 times higher than the fraud rate on all credit card transactions, which Visa USA reports to be as low as 0.06 percent.
In situations where the physical card isn't swiped, fraud is at 0.15 percent, according to Visa. When online transactions are isolated, the rate is a bit higher, says Visa spokesperson Sean Healy. To put it into perspective, Visa's worldwide sales totaled $1.6 trillion in 1999. Of that, 2 percent of transactions came from the Internet, totaling $32 billion. Estimating conservatively for online credit card fraud at 0.15 percent, that comes to $48 million. And that's just Visa transactions.
In September, CyberSource, a credit card security-check authorization vendor, polled 100 e-businesses including Starbucks, Ford, Nike, and Beyond.com to find that 83 percent agreed that online fraud is a problem, up from three-quarters in 1999. On average, respondents estimated fraudulent transactions and fraud loss to be at 4 percent.
On the other hand, ActivMedia Research reported in November that Internet credit card fraud is no big deal. Eighty-six percent of 432 merchants did not view fraud as a problem. Online fraud rates, they said, were often lower than offline fraud rates. Also in November, Ziff Davis Smart Business polled readers. We found that of those who sell their products or services online, most (81 percent) said they had not lost revenue to online fraud.
For its part, the Secret Service, known as the leader in investigating credit card crimes, says that online and offline fraud rates are about the same.
Why the difficulty measuring fraud? The Secret Service and other law enforcement agencies hear about crimes only after consumers or merchants report them. Actual fraud rates may be much higher. Merchants, wary of bad publicity, may avoid consumer backlash and weakened sales by not reporting incidents. To avoid scaring off customers, credit card issuers play down fraud rates as pennies for every hundred dollars spent. What's more, credit card issuers can only extrapolate from their issuing banks' responses, which until now haven't distinguished mail and telephone orders from Net transactions.
There is no universal standard for reporting credit card fraud. Some report fraudulent cards as counterfeit, some as stolen. An even bigger problem is that fraud tends to get lumped in the statistics for all disputed claims, whether the incidents constituted actual fraud or plain old customer dissatisfaction. And security software vendors have an interest in highlighting the highest published fraud rates to drum up business.
If you're in the business of selling anything - online or off - you can't afford to ignore credit card fraud. With the odds that one in three people fall victim to white-collar crime, your customers - and you as an individual - are ripe to become targets.
Most information used to commit online fraud is gathered in the offline world. Less sophisticated thieves resort to shoulder surfing (peeking over your shoulder to get credit card, phone card, and personal identification numbers, as well as other private information) and Dumpster diving. Today's tech-savvy crooks use credit card skimmers in locations like stores and restaurants, or credit card algorithm generators that are readily available for download.
In the case of algorithm generators, there's nothing illegal about the software. "There's no copyright on generating a credit card number," says Allen Jost, VP of business development at HNC Software's financial services group in San Diego. "You can't own a set of 16 numbers." (Eighty percent of credit cards in the United States are covered by HNC's fraud management software. HNC's customers include Sears.com and Circuit City's Web site.) Although these algorithms were developed in the 1960s, generator software appeared in the early 1990s as a problem online. Abuses often take place in the Far East, where thieves take advantage of time differences to shop online while banks here shut down for processing.
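For a merchant, the point of the paragraph above is that a well-formed card number proves nothing until the issuer approves it. The sketch below is an added example, not code from the article or from any vendor it names. It assumes generated numbers pass the standard Luhn check digit (the article does not name the algorithm) and flags a client whose many distinct well-formed cards are all declined; the record layout, client ids and threshold are hypothetical.

```python
from collections import defaultdict

def luhn_ok(pan: str) -> bool:
    """True if the card number passes the Luhn check-digit test."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 12 and total % 10 == 0

# Constructed sample data: (client id, card number, issuer response).
# The card numbers are publicly documented test numbers, not real accounts.
ATTEMPTS = [
    ("client-A", "4111111111111111", "declined"),
    ("client-A", "4012888888881881", "declined"),
    ("client-A", "4242424242424242", "declined"),
    ("client-A", "5555555555554444", "declined"),
    ("client-B", "4111111111111112", "rejected"),  # typo: fails the checksum
    ("client-B", "4111111111111111", "approved"),
    ("client-C", "5105105105105100", "declined"),
]

def flag_card_testing(attempts, threshold=3):
    """Return clients with at least `threshold` distinct well-formed cards declined.

    A mistyped number fails the checksum and is ignored here; a run of
    different numbers that all pass the checksum yet are all declined by
    the issuer is the pattern that generated numbers leave behind.
    """
    declined = defaultdict(set)
    for client, pan, result in attempts:
        if result == "declined" and luhn_ok(pan):
            declined[client].add(pan)
    return sorted(c for c, pans in declined.items() if len(pans) >= threshold)

if __name__ == "__main__":
    print(flag_card_testing(ATTEMPTS))
```
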
The most advanced thieves hack Web sites looking for full account information on weak or exposed merchant servers, clone sites to look like part of the real thing, and set up bogus merchant sites simply to gather personal info. The more information a crook gets, the more damage he can do. A credit card number and an expiration date is enough to start. If the thief has no date, since most cards expire within three years, he can guess it within 36 tries. Next comes a legitimate address, name, Social Security number, and date of birth. In some states, like Virginia, a person's Social Security number is the same as his or her driver's license number. A thief who steals that number has everything necessary to steal that