Financial Transactions on the Internet, Part II

by Jeffrey Barlow <barlowj@pacificu.edu>

In our editorial for the May/June issue, "To E- Or Not To E-: Financial Transactions On the Internet" <http://bcis.pacificu.edu/journal/2003/04/edit.php> we discussed our discovery that our credit card number had been compromised in the context of an on-line electronic purchase. Here we report on subsequent events and upon our conclusions.

We discuss this not simply because Interface provides us with a bully soapbox from which to pursue our personal problems, but because this is an issue of potential importance to anyone who uses a credit card on the Internet. As we reported earlier, recently the Visa USA Corporation had reported that it processed one trillion dollars in transactions for the last twelve months. At present, of all consumer economic activity, 38 dollars of every hundred is spent with payment forms other than cash or checks, 12 dollars of which is transacted with a Visa card. [1]

Also as reported earlier, the theft of information in on-line transactions cannot be called a rare occurrence. Doubtless those who run the security systems intended to protect such transactions would argue that the event is rare relative to the enormous volume of such transactions. But credit card numbers have been taken by the millions [2], as well as in isolated transactions such as my own. In going through the necessary steps to inform those who had accepted my compromised card and in setting up new accounts, I learned of several individuals who had experienced a similar problem. And they each, like me, reported that it was not only a major hassle to deal with, but that it produced a great feeling of insecurity.

I have had prior experience with the theft of a checkbook consequent to a break-in and having the miscreant attempt to write checks on my account. This was a concern, of course, but one on a much lower scale than having one's credit card number stolen. With the speed of communications on line, it is easy to imagine that this is a problem that may well haunt me for some months as the old credit card number is passed from criminal hand to criminal hand. Having once made the mistake of replying to a Nigerian e-mail scam in order to write about it for BCIS (See the May, 2002 edition of Interface, "Globalism, Crime, and the Internet", <http://bcis.pacificu.edu/journal/2002/05/editorial.php>) I am well aware now of how truly globally distributed electronic criminals have become. While it is true that electronic verification procedures will likely protect me in the United States against cloned cards, I know that there are many countries where such protections do not exist.

The electronic transactions industry asserts that the fact that I can contest any spurious charges is adequate protection. My repeated efforts to find out precisely what had happened in the recent case of my card being hijacked were met with some puzzlement at the relevant agencies; after all, I could refuse to pay. However, among other things, being involved with computers now means that I can, and do, work just about all the time. The specter of losing two or three hours (a minimal estimate) per criminal transaction is truly horrifying to me. After all, the credit agency holds the trump card in this game; if they choose not to honor my protests, then it becomes my attorney vs. their attorneys while they control my credit and bank accounts.

There are also additional concerns that appear to bother me much more than the industry. I want, for example, to know precisely where my card number was taken. Whose security broke down? I tend to use my card in a small number of such transactions per month, and often at the same site on repeated occasions. It is clearly important for me to know if I have a problem at a particular site.

I finally pushed my demands for this information to the point where one put-upon executive explained to me that the merchant's right to privacy outweighed my right to know. In short, the information, of course, exists (earlier individuals interviewed over the phone denied that the information could be known!) but I have no right to it.

There are several possible explanations for their refusal to give me this explanation. Possibly they are primarily concerned about protecting their merchant clients from lawsuits. If a given site advertises greater security than actually provided, are they liable for my losses and for my time? What if I order a critical piece of equipment that never arrives because the card has been compromised? Who is liable for my down time or lost sales?

Another possible concern is simply adverse publicity. If it proves that site A has been compromised, and I say so, and they lose business, then the transactions firm is hurt a good deal less if they protect their clients against such exposure.

I have to speculate on motives here, because I was ultimately unsuccessful in gathering specific information. My attempt to pressure the agencies involved by refusing to take out a new card until they clarified the abuses of the old one was initially successful. As they reviewed my incredibly foolish use of credit over the years and calculated the number of retirement accounts that would be disrupted were I to go cold turkey on using plastic, they were inclined to be helpful. Then, with a masterstroke, one such individual cut right through that strategy by simply sending me a new card unasked, which, of course, I soon used.

There is another important reason why I need to know where and how my card was compromised. I want to be both aware and wary. As a good inhabitant of urban environments I have learned not to leave my car door unlocked nor valuables exposed in it, not to carry large amounts of cash, not to go down dark streets, not to give my social security number out over the phone, etc., etc., and I want to know what sorts of electronic security measures have been compromised. When I see that little lock on the bottom of a web page telling me that the site is a secure one, should I believe it or is it the equivalent of being visually evaluated by a pickpocket on a Hong Kong subway?

The industry recognizes the rights of merchants to understand the nature of the protection given their transactions. Go to http://international.visa.com/fb/paytech/secure/main.jsp and scan the "3-D Secure System Overview", a PDF file in 75 pages, if you want to better understand one company's concern for security in electronic transactions.

We feel that citizens should have equivalent awareness. There are various levels of electronic security, and just as the modern citizen comes to understand the advantages of dead bolts versus brass chains on their doors, so do we need to understand the electronic equivalents. And when criminals find one class or type of electronic security easier and easier to penetrate, we need to be so informed.

The appropriate parallels here seem to me to be with "real" forms of theft. If money is illicitly withdrawn from my savings or checking accounts I have a rich variety of options. Throughout I am protected by statute and case law, and ultimately by FDIC insurance. I appear to have no equivalent rights in Internet transactions. If I am robbed on the street, I have a wide array of legal rights; if I am robbed on the Internet, I seem to have a great many fewer.

I recognize the necessity and the advantages of electronic transactions and certainly do not intend to forego their many conveniences. But for the electronic transactions industry to treat us as though we have no stake in the outcome of our transactions is simply foolish. Some people will probably choose not to go down such dark electronic alleys, and that would be too bad for all concerned.

[1] The Oregonian, June 3, 2003, p. c 4.
[2] Paul Roberts, "System break-in nets info on 5.6 million credit cards," Network World Fusion, http://www.nwfusion.com/news/2003/0218sysbreak.html