'Virtual Card' Offers Online Security Blanket

By Caroline E. Mayer
Washington Post Staff Writer
Saturday, October 1, 2005

John Roos used to be afraid to shop online. "I hate to give out my real credit card number," said the retired manager of a computer center.

But Roos, of New Rochelle, N.Y., recently bought a $500 TV online after he discovered a little-known credit card service that allows him to give Internet retailers a substitute credit card number for his account.

Offered to holders of Citi, Discover and MBNA cards, these "virtual credit cards," or single-use card numbers, are designed to give some peace of mind to consumers concerned about credit card fraud. Although the system slightly differs on each card, the principle is the same: For no extra charge, consumers sign up at the credit card's Web site, often downloading software on their computers. Then, when they're ready to shop, they receive a randomly generated substitute 16-digit number that they can use at the online store. The number can be used once or, in some cases, repeatedly at the same store.

"The only people who know the real number are you and us," said Jim Donahue, spokesman for MBNA.

Although initially designed for Internet shopping, the card number can also be used to buy goods and services over the phone and through the mail, but it cannot be used for in-store purchases that require a traditional plastic card. (Nor can it be used for purchases that require a credit card to be produced at the time of pickup, such as movie tickets.)

MBNA has been offering its ShopSafe program for three years. "It's very popular with the people who use it," Donahue said.

In fact, consumers who use the number tend to use it more often and spend more, according to Orbiscom Ltd., the Irish company that provides the technology to the three credit card issuers. Orbiscom declined to provide exact usage numbers, saying only that transactions are doubling every year.

Even so, credit card industry officials say it's not widely popular. American Express, for example, discontinued its virtual card last year because "only a very small number of card members signed up," said spokeswoman Kim Forde.

"This technology has been around for six years and has never caught on, despite all that we hear about compromising data centers and stealing key consumer information," said David Robertson, president of the Nilson Report, a newsletter that monitors the credit card industry. "Americans, by and large, are trustful of buying online."

Yet some credit card issuers say use is increasing with each report of identity theft, including the June disclosure that more than 40 million credit card numbers may have been compromised after a computer hacker broke into a card processing center.

Overall, 3.9 million Americans were victims of credit card fraud in the year that ended in May, according to a study by the research firm Gartner Inc. That's down from 5.5 million the previous year. The study found that 46 percent of victims had no idea how the fraud occurred, but 21 percent said they thought their credit card number was stolen off the Internet. The previous year, 18 percent blamed the theft on the Internet.

Steve Furman, Discover's marketing director for e-commerce, said its program, Deskshop, has "grown at a fairly strong pace over the last six to eight months." Discover plans to aggressively promote its virtual card this fall to appeal to consumers concerned about computer security.

Many Internet security and privacy experts, however, question its necessity. "It's a good idea and clever, but I've never seen the need to use it," said Bruce Schneier, chief technology officer of Counterpane Internet Security Inc. Noting that consumers have, at most, only a $50 liability if a credit card is fraudulently used, Schneier said, "I don't have a lot a risk here." It would be more troublesome if someone stole his Social Security number and created a new account in his name, Schneier said; that kind of identity theft is much harder to correct.

But overall, Schneier added, most people distribute their credit card number widely. "I give it all the time to 7-Eleven store clerks every week."

Dan Clements, head of the Internet security firm CardCops.com, however, calls the limited credit card liability "an illusion." Clements said credit card numbers are sold and bartered all over the Internet and can be combined with other personal information easily available on the Web to create full-blown identity theft. Even so, Clements said, he doesn't use a virtual credit card number because "it's a hassle." Yet his solution, he admitted, is equally time-consuming: He asks for a new credit card number every three months.

"For the consumer, it doesn't really buy that much except for peace of mind," said Richard M. Smith, an Internet security and privacy consultant based in Boston.

That was precisely why Roos signed up -- and also how Discover plans to promote its Deskshop this fall.

Furman said: "Is it necessary? It's akin to any other security thing you're willing to do. You put on your seat belt; you install an alarm system in your home. It's one extra layer to protect yourself."

© 2005 The Washington Post Company