PS Consultants - ideas & solutions

Security on the net
April 2000

The internet's growth as a trading medium has carried on almost oblivious to the early fears of security of credit card transactions - for most users, that's now history. However, the consequences of lax identity control means that around half of all reported credit card fraud now occurs on the net, although only 5% (very max) of trading is done on the net. How so..?

Wait a moment before you rush to shred you cards and cancel the account numbers, this fraud has almost no consequences for card holders - the fall guys are the e-tailers who get charged back by the card "acceptance" companies every time there is the merest sniff of a dodgy deal. I'd love to hear from any read who has suffered loss as a purchaser over the net - because I still don't know of any authentic losses incurred by card holders themselves.

I know of loads of stiffed e-tailers who accepted cards in good faith, got the "OK" from the card companies and duly delivered goods, only to have the charged refuted because of subsequent revelations of fraud, most usually on digital downloads (software and music) where there is no physical delivery address to supply to. It's so pathetically simple - hang around the bins at the back of the Chinese restaurant and fish out the credit card counterfoils. Then fill your hard disk with stolen digital data.

It's the same wheeze as afflicts the "Pay as you go" cellphones, and it's really a case of the credit card companies and banks being guilty of being stupid. But there is also now a wheeze that takes advantage of the "comfort" of a delivery address - after all, how can the trader go wrong with a legit delivery address to support the purchase?

Easy! The scamster with the stolen credit card advertises goods on an auction site at an "attractive price", and lays in wait for a victim to bite. Curious - but suspicious about the low price - the victim asks the seller for more information. The seller then offers to ship the goods directly to the shopper, no questions asked, no money upfront.  The scamster just asks for a promise  from the victim  to return  the goods, or send the dosh.

Since the goods are every bit as expected  when they turn up , the scamster  usually  gets the dosh wired over to an accommodation address, and everyone is happy. The fact that bank  accommodating the address in one scam was a Latvian bank might have raised a few eyebrows - but hey, this net thing is a global phenomenon, right?  However, have you tried suing anyone in Latvia lately? No? I thought not. Don't bother, either.

How and why do banks allow this sort of thing, you may wonder, when it's so darned obvious. Well, the land of the CC is the USA, and I have a lovely conspiracy theory that I would like to share with you. Remember prohibition..? Well, one of the factions most opposed to ending prohibition turned out to be those who made money from running the booze, and it's just possible that seriously organised US crime is responsible for making a lot of money from the presently imperfect nature of credit cards. Maybe some large bank executives who have tried to clamp down have woken up with a horse’s head on the pillow next to them, capice? Who knows?

The notion of "secure server certification" has been around for a while, and this means that secure servers are registered through a process of trusted third parties who make an effort to only issue certificates to people who are who and what they say they are. This is not a perfect process, there are no inspectors visiting to make certain that this is not a scam to collect credit cards, just a diligent process much like establishing identity when applying for a passport - ie: not infallible. And at the end of the day, these certificates are only "soft" and thus easily misappropriated or otherwise purloined. However, they are tied to specific system host names and thus a degree of traceability is possible.

But there is no such thing as a "Secure purchaser certificate" (yet), and with dynamic IP allocations, unless an ISP is remarkably more diligent than most, it's difficult to trace any dial-up user with certainty.

But the obvious solution is... erm "obvious". Only a hardware device that can be issued securely against a specific identity is going to solve this problem for the card companies. They know it, but they are just slow to address the matter. A smart card is the only way forward in electronic identity (subcutaneous transponders aside) and it's a relief to see that this particular penny has started to drop.

Now the next battle to fight is the proliferation of standards in Smart Cards as banks will be banks, and will want to try and fence off bits of the e-scape for themselves, in their traditional manner. But thanks to an accident of banking, the Mondex cash card scheme started before the net was even an issue has emerged to take the lead and show everyone the way. In the same way TCPIP provided the common data management route that made the net happen, so the Mondex inspired card operating system - Multos - could provide the open structures for a sensible smart card strategy for the net. Keep your fingers crossed.