A couple of years ago, my personal credit card account number was compromised. Did this stop me from continuing online transactions? No way.
In my case, while an unauthorized party gained my account details, no transactions were made. The bank's fraud department were understandably hesitant in releasing details of the compromise, but they were very quick in taking action. I'm not even sure that the offending party was an online merchant, hacker or traditional retailer.
The media in general have fed the paranoia levels of the online consumer community regarding online transactions. Yes, credit card numbers are stolen and yes, there are victims who suffer financial loss. But submitting your credit card details online is no different to handing your card to a shop assistant that you don't know or a waiter you have never met before. There is very little stopping merchants we carry out transactions with on a face to face basis from gathering detailed lists of account numbers to be sold off on the black market. In fact, according to the 2005 Identity Fraud Survey Report, under 12 percent of ID fraud incidents originate online.
The media have also fed the xenophobic cold war attitudes of years gone by, by focusing on certain countries. Credit card number hackers are "Russian", true. They are also American, Australian and English. Every country in the world has a community of identity thieves, scammers and spammers.
If you own a credit card and don't carry out online transactions, it doesn't mean you are safe. We need to remember that most of the world's information systems are now connected somehow to the Internet. All your vital details are now available online, regardless of whether or not you are an Internet user.
If you have ever collected a welfare payment, taken out an insurance policy or registered a vehicle - congratulations! You are now part of the World Wide Web, like it or not. You can now emerge from your privacy fortress as resistance is futile. That's the reality of our modern lives.
So, now after having blown away your misconceptions of your privacy, and your false security of being safe from identity theft, let's deal with reality!
Identity theft and credit card fraud are not uncommon; such is the nature of an online world.
How do we as netizens and webmasters protect ourselves and our clients as best as possible? It boils down to a number of simple guidelines.
Passwords - Know that little window that pops up and politely asks you if you want your computer to remember certain user names and passwords? Don't tick it! Most passwords are stored in a special file on a Windows 95/98/ME system and every half-baked pimply would-be hacker knows what it is. If you are not using a firewall, it is pretty easy for these people to snatch your password file and then crack it at their leisure using freely available programs.
Password length can also add extra protection. Those extra few numbers and letters make all the difference.
Web masters, if you are keeping user information on your web server, ensure it is stored in the proper directory with the proper permissions. Better still, wherever possible, store minimum client information on your server.
Even better, ensure that all sensitive details that your visitors may submit are sent over an SSL connection. A web server is the equivalent of a 7/11 store - open all hours for valid and non-valid customers. There is NO 100% guaranteed safe system.
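One way a webmaster could check the advice above on directory and permissions, as an added example that is not part of the original article. It assumes "proper directory" means outside the web document root and "proper permissions" means no access for users other than the owner and group; the function name and finding labels are hypothetical.

```python
import os
import stat


def audit_data_dir(data_dir, web_root):
    """Return (issue, path, detail) findings for a directory of user records.

    Assumed policy for this example: stored client data must live outside
    the web document root, and nothing in it may be readable, writable or
    traversable by "other" users on the server.
    """
    findings = []
    data_real = os.path.realpath(data_dir)
    root_real = os.path.realpath(web_root)

    # Data under the document root can be fetched directly with a browser.
    if os.path.commonpath([data_real, root_real]) == root_real:
        findings.append(("inside-web-root", data_real, ""))

    for current, _dirs, files in os.walk(data_real):
        for path in [current] + [os.path.join(current, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits carry no meaning
            if mode & stat.S_IRWXO:  # any r/w/x bit set for "other"
                findings.append(("world-accessible", path, stat.filemode(mode)))
    return findings
```

An empty result means the directory passes both checks; it says nothing about how much client data is stored there, which the article advises keeping to a minimum.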
A personal firewall is now a necessity, not a luxury. The script kiddie problem is increasing. A script kiddie is someone who fancies themselves as a hacker and utilizes freely available programs to compromise your system via the Internet. Script Kiddies have caused major problems over recent years and have been known to post up credit card numbers for all to see. Why? Bragging rights, a great deal of the time. There are over 60 000 points of entry on your PC.
Phishing is a strategy used to fool people into revealing passwords and other sensitive information by posing as a legitimate source. A common example is email sent by a party claiming to be a bank stating that the addressee must take action immediately to prevent problems with their account. The email usually has a link to an online form that is branded to look like the organization's web site. The form will usually ask for sensitive details such as passwords, tax numbers etc.
Phishing scammers are becoming increasingly skilled in mimicking the style and language of communications. They use lists of millions of email addresses to send their notes out to, in the hope of snagging even a very small percentage of addressees.
As these scams can be hard to discern from legitimate communications, the rule of thumb is that if the email has a link that leads to an account login page, don't use that link. Go to the site via another means and log in, or call the company to verify the authenticity of the email.
Who are you? - Before you click the submit button for that ezine that you really gotta have, how much information are you having to give away? A name and email address should be all that's needed in most cases. Even if you aren't having to submit credit card numbers, you are still giving away information that enables people to build profiles on you which then make it easier for identity theft to occur.
It's amazing how much information you can access just knowing somebody's date of birth. If a service provider is asking you for more than your name and email address, I strongly advise checking them out before submitting.
In the clear = danger - When you are asked to submit sensitive details such as credit card numbers, check your browser address bar. Does the address begin with https:? If it doesn't, you will be submitting details "in the clear" - unprotected. The https signifies a secure line of communications using inbuilt browser encryption; these days it is about as secure as you can hope for.
If you have the ability to bank online, it's probably wise to log in every couple of days to review transactions. The major banks, while quick to sniff out fraudulent activities these days, don't always pick up on fraudulent transactions.
If you do see something that looks suspicious in your transaction history, don't panic, but immediately contact your bank, who may freeze your account while they investigate. In the majority of cases, you won't be liable for the invalid transactions. But I will say that having your account compromised is very frustrating as it can take a week or two to reissue cards. And if, like me, you utilize online services frequently you'll find it a time-consuming ordeal while contacting your suppliers to tell them of the changes.
Why steal another person's credit card numbers when you can get your own under an assumed identity? I watched a disturbing report a couple of years ago concerning the head of a security firm, who incidentally refused to have an Internet connection at home, or carry out any personal transactions online. He challenged workers within the organization to see how much information they could collate regarding him, using only the Internet as a tool.
The pile of documentation that was gathered within a couple of weeks was frightening. The file he was presented with was over two inches thick and contained amongst other things a certified copy of his birth certificate. With that type of information, a person could obtain a credit card, a driver's license, etc. and happily build up huge bills under his name. There are many documented cases of identity theft and it has ruined innocent people's lives.
There are many "spy" services out there, that for only a few bucks are quite willing to provide anyone with enough information to begin building a usable personal profile. It's legal to provide this sort of information which includes court records, bankruptcy details, marriage and birth certificates. Even more disturbing is that a number of these services are provided by our Governments.
If you should start receiving strange bills for items you didn't order from companies you have never heard of, don't disregard them as billing mistakes. You may be the victim of identity theft. Contact your bank manager and law enforcement authorities immediately; it's better to be safe than sorry.
Whether netizen or web master, we can't stop credit card fraud or identity theft, but we can minimize it by being aware and taking responsibility for the amount of information we give away or store.
Taming the Beast