Electronic commerce merchants are getting tired of carrying all the risk in the online use of credit cards.
"Hacking isn't our major problem - it's the unauthorised use of credit cards," says Ihug e-commerce manager Frances Wiese. Wiese should know all about the dangers of hacking and cracking - Ihug lost 4500 Web sites after a successful break-in late last year. But she says that no hacker has successfully intercepted an e-commerce transaction and that even with relatively low levels of encryption, 40-bit, it is too difficult to break in such a short space of time.
For Wiese, the real problem lies with the credit card scheme and the way banks approach the problem of fraud.
"Merchants carry all the risk. If the card is stolen, or if the numbers are generated and don't belong to a particular card, the merchant is the one that loses out." Wiese says even if the merchandise is recovered, which is highly unlikely, it isn't returned to the merchant until the case has been tried and the culprit convicted. That usually takes so long that the product in question, a PC for example, is by then no longer worth recovering.
Credit cards are the preferred method of payment for e-commerce transactions but they are vulnerable to abuse in a number of ways, says Wiese.
"The card might have been stolen, or the numbers lifted from a receipt or a statement. They might even have been generated by a card number generator, and there are a number of those available on the Net." These generators produce random card numbers that fit the algorithm used by banks when they create card numbers.
"The merchant will only receive notification that the transaction is accepted or declined. They never receive the card details, they don't know if the name used is the right one or anything." Wiese says the system is designed to protect card users from unscrupulous merchants, but that it is also responsible for leaving merchants at the mercy of unscrupulous shoppers.
"The system only checks the registry to see if the number is acceptable and if it is on the list of stolen cards." If the number is taken from a receipt or printout, the card holder may not have reported it stolen.
"We can ask for bank verification, but that takes time and the shopper wants an instant response. They may also be upset to be questioned in such a manner and stop using that merchant's site." Wiese would like to see banks check card holder names as well as numbers - which would stop random number generators from being used so effectively.
The other end of the chain is also a problem for e-commerce merchants. "If we do detect a fraudulent transaction, we then have to contact the ISP to find out log-on times and details, IP addresses and that sort of thing." Wiese says the police have a unit dedicated to computer crime, the Electronic Crimes Unit, but they are woefully understaffed and underfunded and there is no infrastructure in place to see this sort of information passed on quickly enough to be of use.
Wiese was talking at a TUANZ-sponsored presentation on computer crime held last week at law firm Hesketh Henry's Auckland offices. Around 75 people attended, and the mood among merchants echoed Wiese's. "This kind of thing could drive e-commerce ventures to move to Australia where they have definite laws to deal with this kind of thing," says one merchant who did not wish to be named.
Gary Fissenden, general manager of IS at ASB Bank, says there are steps merchants can take to protect themselves online. "You can put a block on numbers from countries that aren't secure. You can make sure you don't deliver goods to post office boxes and that sort of thing." One thing to watch for, says Fissenden, is a credit card being used several times on the same site in rapid succession, or a variety of credit cards being used with the same mailing address.
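The checks Fissenden describes can be run by a merchant over its own order log. The sketch below is an added example, not code from ASB Bank or any merchant in this article. It assumes the merchant holds an opaque card token rather than the card number, and the thresholds (three uses in ten minutes, more than two cards per address) and the sample orders are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "PO Box", "P.O. Box", "Post Office Box" (assumed address formats).
PO_BOX = re.compile(r"\b(?:p\.?\s*o\.?|post\s+office)\s*box\b", re.IGNORECASE)

def normalise(address):
    """Drop case, punctuation and extra spaces so near-identical addresses match."""
    return " ".join(re.sub(r"[^\w\s]", "", address.lower()).split())

def flag_orders(orders, window=timedelta(minutes=10), max_uses=3, max_cards=2):
    """Return {order id: [reasons]} for orders that trip any of the three checks."""
    flags = defaultdict(list)
    recent = defaultdict(list)    # card token -> use times still inside the window
    cards_at = defaultdict(set)   # normalised address -> card tokens seen there
    for oid, when, card, address in sorted(orders, key=lambda o: o[1]):
        if PO_BOX.search(address):
            flags[oid].append("po_box")
        # Same card used several times in rapid succession.
        recent[card] = [t for t in recent[card] if when - t <= window] + [when]
        if len(recent[card]) >= max_uses:
            flags[oid].append("card_velocity")
        # A variety of cards used with the same mailing address.
        key = normalise(address)
        cards_at[key].add(card)
        if len(cards_at[key]) > max_cards:
            flags[oid].append("many_cards_one_address")
    return dict(flags)

def _t(hhmm):
    return datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample orders: (order id, time, card token, shipping address)
SAMPLE = [
    (1, _t("09:00"), "tok-A", "12 Queen St, Auckland"),
    (2, _t("09:02"), "tok-A", "12 Queen St, Auckland"),
    (3, _t("09:05"), "tok-A", "12 Queen St, Auckland"),       # third use in 10 min
    (4, _t("10:00"), "tok-B", "P.O. Box 99, Auckland"),
    (5, _t("11:00"), "tok-C", "7 High Street, Wellington"),
    (6, _t("11:30"), "tok-D", "7 high street wellington"),
    (7, _t("12:00"), "tok-E", "7 High Street,  Wellington"),  # third card, one address
    (8, _t("15:00"), "tok-A", "12 Queen St, Auckland"),       # outside the window
]

if __name__ == "__main__":
    for oid, reasons in flag_orders(SAMPLE).items():
        print(oid, reasons)
```

A flag here is a reason to hold an order for manual review, not proof of fraud.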
Fissenden says banks constantly struggle to maintain a balance between customer security and merchant security.
"We discovered that e-commerce sites in the US were having their servers stolen because the criminals knew they would have credit card numbers on them." ASB Bank's system is just one that doesn't allow the merchant to see the card details at any time during the transaction. Some overseas banks will assume part of the liability for fraud if a merchant agrees to perform additional security checks - like ensuring the billing and shipping addresses are the same. This practice has yet to catch on in New Zealand.
There are a number of sites devoted to the issue of online card fraud. www.scambusters.org is a US-based site dedicated to helping merchants and customers minimise their online risk.