Return to
list of stories

Return to
Managing Your Money

Return to
Business Front

Give Us Some Credit: Your Card is Safe

There are many very good reasons not to shop on-line. Fear that your credit card number will be abused should not be one of them.

By Rob Pegoraro
Page R09
The Washington Post

Wednesday, April 24 1996

Using your credit card over the Web is a lot more secure than using your plastic in a restaurant or over the phone -- but you'd never know that by reading newspapers or magazines.

Much of the reportage about on-line shopping has focused on the risks of credit card numbers being stolen or compromised. A typical position paper on Visa's Web site gloomily intones: "There have been no real safeguards to ensure that the messages you send and receive haven't been intercepted, read, or even altered by some unknown interloper since no one really runs or controls the Internet." Visa and MasterCard expressly discourage the use of credit cards on the Net -- until the adoption of the two companies' proposed Secure Electronic Transaction (SET) standard, expected late this year or early next.

So exactly how much money has been lost to on-line credit card fraud?

"That would be none...through '95," says Nancy Elder, a spokesman for MasterCard International, citing reports from MasterCard's issuing banks and from cardholders themselves. "The two biggest cases of fraud are not high-tech. It's lost or stolen [cards]."

Mitch Montagna, a spokesman for AT&T's Universal Card division, concurs: "Internet fraud is barely a blip on the screen.... I'm not sure if there has been any."

The fundamental risk of transmitting a credit card number over the Internet hardly differs from the one you run every time you order something over the phone: Will a third party be able to snatch my account number? The novelty of the on-line world makes for unfamiliar terrain, but the same ground rules apply. "People could definitely eavesdrop -- and do -- on cordless phone conversations," said David Medine, associate director for credit practices at the Federal Trade Commission. "The Internet is not unique in terms of risk."

Most current Web browsers, however, scramble data sent to Web sites, provided the sites in question support such encryption -- and almost all shopping sites do. This makes Net transactions (paying for something by typing your credit card information into an on-screen form) signi5cantly more secure than, say, paying a restaurant bill. While there have been several well-publicized crackings of low-grade versions of these encryption standards, the people doing the cracking -- to protest the use of those government-mandated, weaker "export-grade" encryption techniques in Netscape and other companies' Web browsers -- don't see a danger for current users.

"Our demonstration was political more than economic," e-mailed Hal Finney, a programmer and computer security expert in Santa Barbara, Calif. who recently challenged other programmers on-line to defeat Netscape's export-grade encryption (they did). "Due to the small volume of transactions and the relatively high cost to break even the weaker international encryption, I would not worry about sending a credit card number with that encryption."

Finney pointed to the future as grounds for concern, though. "Imagine in 5ve or ten years that almost all shopping other than at the local mall is done via the Net," he wrote. "That starts to become a target-rich environment."

The last point is worth remembering: Crooks go where the money is -- and right, now, it isn't on-line. And so, while the risk of getting your credit card ripped off may be the same as with an off-line transaction (if you use a browser without any encryption) and better (if you use easily available encryption), the odds that a criminal will 5nd it worthwhile to look for credit card numbers on the Net are lower -- in practice, zero.

"Contrary to popular belief, it is not particularly easy or safe to use a stolen credit card number," e-mailed Charlie Kaufman, who heads the Web security committee of the Internet Engineering Task Force, the Net's standards-setting body. He says even unencrypted transactions are safe, although he has trouble convincing others of that.

"Someone in our of5ce was recently considering ordering cookies over the Internet and asked everyone around whether they thought it was safe (it would mean providing a credit card number over the net without encryption)," Kaufman wrote. "He was surprised that I -- the security guy -- was the only person who would do it."

Rob Pegoraro covers the Internet for FFWD.

(c) Copyright 1996 The Washington Post Company

Back to top