Credit Card Theft

Credit card theft is experienced by many businesses and individuals. As a consumer, you are not usually held responsible for charges to a credit card that has been stolen. In some cases, however, you might have to pay $50 or whatever amount was charged, but other than that and the headache of having to get a new credit card, the cost is minimal. For businesses, though, the cost of credit card theft is astronomical. For everyone from the merchant who will not get paid because the credit card company can back out of the charge to the insurance company that has to pay out money each year for stolen merchandise to the credit card company that has to incur the cost of reissuing the card, the costs mount up along the way. When Egghead.com was hacked in late 2000, it spent numerous man hours tracking the attack; in addition, banks and credit unions paid millions of dollars to reissue credit cards (it costs a credit card issuer $2–$5 to cancel and reissue a card) and compensate workers for hours worked. Also, consumers had to check their bills to see whether their cards were stolen. In another case, an online credit card scam cost Visa USA at least $48 million last year. From this one hacker attack, millions of dollars were potentially spent and huge amounts of time were wasted. When one hacker failed to extort money from Creditcards.com, he posted about 55,000 credit card numbers on the Internet. The costs in contacting customers and replacing those cards, loss of revenue through use of those card numbers by other people, and time wasted were very high for all parties involved.

Who is to blame for credit card theft via the Internet or use of technology? Is it the consumer, who should be responsible for how he uses his cards, or is it companies for not using the correct technology to secure data, or maybe society for not putting a stop to hacker activity? This is a rhetorical question because we can't blame anyone—we can only attempt to make it difficult in the future to have credit card information stolen, especially with technology. It can be argued that a company with good security should be able to stop an attack. But security is just a point-in-time event. If you think your systems are secure today, tomorrow a brand new exploit can become known that will find a new hole in your security defenses. After an attacker does breach security defenses, it takes a lot of time and effort to track what was done to the systems and ensure that no other weaknesses were introduced to the environment by the attack, further escalating the costs of an attack.

Many attackers go after credit cards because they're easy to use. On the Internet, no picture ID is required, and performing any kind of verification of who is making the purchase is difficult. In most cases, verification is not performed thoroughly because of the costs associated with doing so.

Older methods of stealing credit card information, such as shoulder surfing (peeking over your shoulder to get credit card, phone card, and personal identification numbers, as well as other private information) and searching the trash for credit card receipts, are no longer necessary for hi-tech crooks. Devices such as credit card skimmers are used in restaurants and stores to capture all the information on a card for later use. Programs that can generate legitimate credit card numbers are available to those in the know about such technology. It's not even illegal to write credit card number generators. A credit card number can be easily generated using a known algorithm. Many programs are available that can generate a seemingly valid credit card number. If the number is not checked at the time of purchase by the vendor for valid name, address, and number with the credit card company, the hacker can make purchases with a false yet seemingly valid credit card number.

For a small merchant who accepts credit cards, the sophisticated software security tools might not be cost effective to implement, enabling a hacker to more easily break into a small, poorly secured site and steal information. After he breaks into a site with your credit card information, the odds are very high that he can get more personal information, such as home address and telephone number, from the same database. Stolen credit card information is an easy path to stealing someone's identity.

The most recent event of credit card theft is that of a Russian hacker who stole thousands of credit card numbers. He even put a Web site up on the Internet to show the information. The site showed more than 25,000 numbers with cardholder names, addresses, and expiration dates. The hacker—known as Maxus—broke into CDUniverse to get this information. The database stolen had more than 300,000 customers in it. The site was put up by the hacker after a failed attempt at extorting money from CDUniverse. The ease with which this was done suggests that future attacks will follow along the same path, and some companies will end up paying the extortion bill to keep their names out of the press.

Measuring the result of credit card theft is extremely difficult. Merchants lose customers' trust, which can't be measured; fixing problems involves time and effort, which can be hard to measure; and the consumer might make fewer purchases because of fear, uncertainty, and doubt about using new technologies. The barriers to becoming knowledgeable about credit card theft are very low. With some time and effort, anyone can find information on how to hack, learn how to use credit card generators, or even find guides to stealing information on the Internet. The ability to be anonymous through this whole process makes it even harder for companies and law enforcement to track credit card theft. Even with the limited liability that consumers have because of theft, it still affects their use of the Internet and credit cards in immeasurable ways.

U.S. federal law protects credit card users against fraud online with the Fair Credit Billing Act. Liability is capped at $50 of unauthorized charges. For ATM cards, a cardholder's liability is $50 if the card is reported lost within 48 hours and up to $500 if reported stolen after a charge is made. The major issuers, such as Visa USA, MasterCard International, and American Express, do not make the consumer pay anything for unauthorized purchases. Even with these financial guarantees to the customer, having your information stolen can be a very personal and shocking event that causes you to distrust the Internet and shy away from its use, which is of no benefit to anyone.

Although we are not proponents of people stealing credit cards, it is important for consumers to know several of the methods by which this could be done. Some basic steps that cybercriminals can take to purchase in your name include the following:

  • Compromising a site— A hacker simply breaks into a company and steals its database of credit card information.

  • Creating a card— A hacker downloads a credit card account generator and makes a card based on the Luhn formula, which card companies use to make cards with 13–16 digits.

  • Skimming— Retail and restaurant employees use skimmers to steal information. These devices read information from the magnetic strip and cost several hundred dollars.

  • Cloning a site— On the Internet, a hacker can copy a site and redirect traffic to his site. He then captures the information and passes on the valid order to the real site. The consumer would not know the difference.

  • Creating false sites— Fictional sites are created that purport to sell a service or product but just are set up temporarily to capture credit card information and then shut down.

From the consumer's point of view, a limited number of options is available for protecting credit card and other personal information stored in some company's database. After you have submitted that information, it's pretty much out of your control. What you can do to help protect yourself is know where you are submitting your information and what possible controls that company might have in place. Several steps you can take to better protect your information include the following:

  • Check the site's security— That little lock icon in your browser lets you know whether the site is using security and encryption. Each browser can bring up a site's security certificates, which you can check to see whether you are actually using the real site of the company you are buying from. The lock also lets you know your information is being encrypted as it is sent so you do not have to worry about someone stealing your traffic as it makes its way to the company.

  • Use specific credit cards— Set aside a credit card that you use only for Internet shopping that you can always check and know it's only for Internet purchases. This card should have a low limit for spending, and you should have information readily on hand to cancel it if necessary.

  • Destroy receipts carefully— If you throw out whole receipts in the trash, the possibility exists that someone can go through your trash and find that receipt, and then use it to make purchases.

  • Check your credit report— You should periodically check your credit report to see whether activity is occurring that you do not know about or whether your credit history is being abused. The three main credit reporting agencies are Equifax (800-685-1111), Experian (800-311-4769), and Trans Union (800-888-4213).

  • Check the site's policies— Each site you visit will have some form of a privacy policy or a statement regarding its stance on privacy and security. At a minimum, if it does not, you should probably not use that site.

Merchants have to take more responsibility to ensure that the consumer's credit card is not stolen. Simple things like securing the e-commerce site with necessary defense measures, such as firewalls, routers, digital certificates, intrusion detection systems, antivirus software, and other forms of access controls, can greatly cut down on hacker attacks and compromises of smaller merchants. After the technology is in place, processes that provide additional security need to be followed, such as verifying addresses against what the bank has on file for the credit card. If the criminal can't change the shipping address, the card can't be used to buy material goods. Credit cards also have a card verification value (CVV and CVV2), which is a 3-digit to 4-digit value on the card that does not get imprinted. The purchaser must have the actual number for the order to be processed; a stolen database of card numbers would not have this number. If merchants would limit the amount of information they capture, stolen information would have less of an impact on the consumer. It's not always necessary to have every bit of information about the consumer in a database somewhere. And finally, insider threats are just as dangerous as outside hacker threats. Employees have much greater access to sensitive information, so limiting their access is a good idea.
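The merchant-side checks described above, sketched as an added example that is not from the book: a Luhn checksum only confirms that a number is well formed, so the order decision rests on the issuer's address and verification-value answers, and only the last four digits are kept. `IssuerCheck`, `screen_order` and `record_to_store` are hypothetical names, and the issuer response is assumed to come from the merchant's payment processor.

```python
from dataclasses import dataclass

def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a 13-16 digit number: a format check, not proof the account exists."""
    s = pan.replace(" ", "").replace("-", "")
    if not (s.isascii() and s.isdigit()) or not 13 <= len(s) <= 16:
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class IssuerCheck:
    """Hypothetical shape of a payment processor's authorization response."""
    approved: bool
    address_match: bool
    cvv_match: bool

def screen_order(pan, issuer, billing_addr, shipping_addr):
    """Return (decision, reasons). Only the issuer's answers can lead to 'accept'."""
    if not luhn_valid(pan):
        return "reject", ["card number fails checksum"]
    reasons = []
    if not issuer.approved:
        reasons.append("issuer declined")
    if not issuer.address_match:
        reasons.append("billing address does not match issuer record")
    if not issuer.cvv_match:
        reasons.append("card verification value mismatch")
    if reasons:
        return "reject", reasons
    if billing_addr.strip().lower() != shipping_addr.strip().lower():
        return "review", ["shipping address differs from verified billing address"]
    return "accept", []

def record_to_store(pan, cardholder):
    """Data minimization: keep the last four digits only; never the full number or CVV."""
    s = pan.replace(" ", "").replace("-", "")
    return {"cardholder": cardholder, "last4": s[-4:]}

# Constructed sample: a widely published test number, not a real account.
TEST_PAN = "4111 1111 1111 1111"
```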

A Gartner Group survey of 166 retailers—half of whom sell on the Internet—found that online credit card fraud equaled 1.13% of transactions. Online credit card fraud for Visa was approximately 0.15%, or $48 million. The Secret Service takes an active role in investigating credit card crimes, but little or nothing is actually ever done with minor cases or cases that involve only a few individuals. Because people sometimes do not report online fraud and companies especially want to avoid becoming known for being taken advantage of by fraud and cyberthefts, the exact numbers are difficult to calculate.
