The internet's growth
as a trading medium has carried on almost oblivious to the
early fears of security of credit card transactions - for most
users, that's now history. However, the consequences of lax
identity control means that around half of all reported credit
card fraud now occurs on the net, although only 5% (very max)
of trading is done on the net. How so..?
Wait a moment before
you rush to shred you cards and cancel the account numbers,
this fraud has almost no consequences for card holders - the
fall guys are the e-tailers who get charged back by the card
"acceptance" companies every time there is the
merest sniff of a dodgy deal. I'd love to hear from any read
who has suffered loss as a purchaser over the net - because I
still don't know of any authentic losses incurred by card
I know of loads of
stiffed e-tailers who accepted cards in good faith, got the
"OK" from the card companies and duly delivered
goods, only to have the charged refuted because of subsequent
revelations of fraud, most usually on digital downloads
(software and music) where there is no physical delivery
address to supply to. It's so pathetically simple - hang
around the bins at the back of the Chinese restaurant and fish
out the credit card counterfoils. Then fill your hard disk
with stolen digital data.
It's the same wheeze
as afflicts the "Pay as you go" cellphones, and it's
really a case of the credit card companies and banks being
guilty of being stupid. But there is also now a wheeze that
takes advantage of the "comfort" of a delivery
address - after all, how can the trader go wrong with a legit
delivery address to support the purchase?
Easy! The scamster
with the stolen credit card advertises goods on an auction
site at an "attractive price", and lays in wait for
a victim to bite. Curious - but suspicious about the low price
- the victim asks the seller for more information. The seller
then offers to ship the goods directly to the shopper, no
questions asked, no money upfront. The scamster
just asks for a promise from the victim to
return the goods, or send the dosh.
Since the goods are
every bit as expected when they turn up , the
scamster usually gets the dosh wired over to
an accommodation address, and everyone is happy. The fact that
bank accommodating the address in one scam was
a Latvian bank might have raised a few eyebrows - but hey,
this net thing is a global phenomenon, right? However,
have you tried suing anyone in Latvia lately? No? I thought
not. Don't bother, either.
How and why do banks
allow this sort of thing, you may wonder, when it's so darned
obvious. Well, the land of the CC is the USA, and I have a
lovely conspiracy theory that I would like to share with you.
Remember prohibition..? Well, one of the factions most opposed
to ending prohibition turned out to be those who made money
from running the booze, and it's just possible that seriously
organised US crime is responsible for making a lot of money
from the presently imperfect nature of credit cards. Maybe
some large bank executives who have tried to clamp down have
woken up with a horse’s head on the pillow next to them,
capice? Who knows?
The notion of
"secure server certification" has been around for a
while, and this means that secure servers are registered
through a process of trusted third parties who make an effort
to only issue certificates to people who are who and what they
say they are. This is not a perfect process, there are no
inspectors visiting to make certain that this is not a scam to
collect credit cards, just a diligent process much like
establishing identity when applying for a passport - ie: not
infallible. And at the end of the day, these certificates are
only "soft" and thus easily misappropriated or
otherwise purloined. However, they are tied to specific system
host names and thus a degree of traceability is possible.
But there is no such
thing as a "Secure purchaser certificate" (yet), and
with dynamic IP allocations, unless an ISP is remarkably more
diligent than most, it's difficult to trace any dial-up user
But the obvious
solution is... erm "obvious". Only a hardware device
that can be issued securely against a specific identity is
going to solve this problem for the card companies. They know
it, but they are just slow to address the matter. A smart card
is the only way forward in electronic identity (subcutaneous
transponders aside) and it's a relief to see that this
particular penny has started to drop.
Now the next battle to
fight is the proliferation of standards in Smart Cards as
banks will be banks, and will want to try and fence off bits
of the e-scape for themselves, in their traditional manner.
But thanks to an accident of banking, the Mondex cash card
scheme started before the net was even an issue has emerged to
take the lead and show everyone the way. In the same way TCPIP
provided the common data management route that made the net
happen, so the Mondex inspired card operating system - Multos
- could provide the open structures for a sensible smart card
strategy for the net.
Keep your fingers crossed.