Despite the dynamic growth of e-commerce, security and fraud concerns continue to keep many consumers from conducting transactions over the Internet.
They typically fear that their credit card and personal information will be intercepted, or that Web merchants are not taking the proper steps to protect private information once it is received.
In reality, there are no documented cases of consumer information being stolen directly from networks during a transaction. In fact, most Internet transaction frauds are actually committed by consumers against merchants or by merchants against banks.
A recent report from HNC Software says Internet fraud causes merchant losses of anywhere from 1% to 10% of sales, depending on the merchant's software and fraud screening procedures. The total could actually be higher, because these types of fraud are rarely tracked and reported by merchants for fear that negative publicity will keep consumers from their site.
The most common types of Internet fraud include using stolen credit card numbers, identity theft, and check fraud. One type of fraud that has been acknowledged since 1991, and is increasing rapidly, is account generation fraud, the creation of valid but illegitimate credit cards.
How do crooks create valid account numbers? If they are illegitimate, how can they be valid? The answers are surprisingly simple.
Credit card companies create new account numbers for clients by using numbering algorithms. People who have advanced programming skills and know how these algorithms work can create applications that generate valid credit card numbers by the hundreds. Combine one legitimate credit card number with the algorithm, and it is possible to extrapolate other card numbers issued from the same bank.
Even more alarming, these account number generator programs are often posted to Web sites in a ready-to-run, downloadable format made available to millions of Web surfers. One such program is Credit Master.
And it's legal! As long as these Web sites contain a statement waiving responsibility for the use of the generator, it is completely legal and protected by the First Amendment. Not surprisingly, many hacker/cracker sites contain card number generators that can be reached through most search engines just by typing the phrase "credit card generator."
The problem began a few years ago, when the generator programs were used to create counterfeit cards. Visa and MasterCard quickly addressed this problem by embedding their cards' magnetic stripes with codes that query the card issuer to match the information on the card itself, such as the account number and expiration date. If this information does not match, the transaction can be denied.
In this card-present environment, where the card is swiped, the issuing bank is responsible for fraud losses. This no doubt prompted the fast response from the card associations.
With the rapid expansion of e-commerce, the problem is appearing in a slightly different form. Credit card thieves no longer need to create counterfeit cards. Instead, they are able to generate the account numbers, which they can use to make purchases electronically. This type of transaction, called card-not-present, gives thieves a security loophole around the magnetic stripe coding that was originally used to combat the problem.
When merchants decide to accept credit cards in a card-not-present environment, they incur full responsibility for the transaction and any fraud losses that might occur.
Why has the business community been slow to fight credit card fraud over the Internet? By law, credit card issuers, acquiring banks, and card associations have only limited liability for losses (or none at all) and will not respond to a fraud problem that does not affect their revenue. Merchants that are affected do not typically have the resources or knowledge to create systems and policies that fight fraud effectively in the card-not-present environment.
There are ways, however, for Internet merchants to lower their risk of fraud. Over the past few years some traditional credit card fraud software companies have begun to shift their focus to the Internet. They have created software packages designed to filter out possible fraudulent transactions.
Some merchants have focused less on the credit card and more on the person making the purchase. Because almost everything purchased on the Internet requires delivery to a physical mailing address, merchants use data providers to verify a person's name and address.
Other companies are trying to use large databases to rate a transaction on a number of characteristics. Many feel this will be the most effective way to control online fraud against merchants.
Though some merchants are moving in the right direction in trying to slow fraud, there are thousands of small Internet merchants who have very little protection against online credit card fraud, because the price of software and databases, as well as their implementation, is too high.
If these merchants have decided to accept credit cards worldwide, their risk of exposure has increased dramatically because of a lack of consumer information outside the United States. These are the merchant vulnerabilities that criminals specifically target in order to carry out their fraudulent schemes. The losses that result often drive small merchants out of business and help large merchants dominate the marketplace.
The battle against account generation fraud continues, and advances in technology will soon provide merchants with more security against this type of crime.
Unfortunately, the same technology that helps us fight criminals also helps them create new ways to steal from us. In other words, while we are concentrating on closing the door, they are coming in through the window.
Mr. Trosclair is the executive director of the National Coalition for the Prevention of Economic Crime in Richmond, Va. Mr.Willox is the chief executive of the National Fraud Center in Horsham, Pa. Mr. Fichtman is president of RiskWise, a risk Management technology company in St. Cloud, Minn.
