The woman walked into the Crystal City drugstore with a simple and innocent-sounding request: Could she have the used carbons from credit card transactions for a children's school project?

Of course, she was told.

The woman made three more trips to collect bundles of used carbons that the store began setting aside for her. But shortly after the final pickup, her true purpose began to emerge.

"Credit card holders began complaining about unauthorized charges on their bills," said Tom McClure, a U.S. postal inspector familiar with the case.

"And when the investigators began piecing everything together, they found that the information from the drugstore carbons had been used to place orders for merchandise.

The charges went on the bill of the real credit card holder, but the merchandise was sent to an address designated by the person who had placed the order."

Obtaining credit card numbers and expiration dates from used carbons is one example of how the banking industry loses somewhere between $100 million and $300 million a year from credit card fraud. While that is only a fraction of a percent of the total bank card sales of $80 billion -- which represent roughly half of the total sales of $154.4 billion for all kinds of credit cards--it could still mean a total loss of nearly $1 billion over the next five years as American consumers continue their move to a cashless society.

"That -- the $1 billion -- is absolutely a significant number . . . and bankers are concerned," said John G. Alexander, senior vice president of Bank One of Columbus, Ohio, and chairman of the American Bankers Association's special task force on credit card fraud.

The average person now carries five to six credit cards, according to The Nilson Report, an industry newsletter. An estimated 549.9 million cards -- including 150.7 million bank cards and 269.7 million retail store cards -- are in use. With credit cards such a part of everyday life, the possibilities for fraud have grown enormously.

Often the carbons aren't even necessary -- someone just waits nearby while a legitimate cardholder is making a purchase, leans over at an appropriate moment and memorizes the numbers and expiration date from the card.

Later the person may try to use the information to purchase goods by telephone or order money wired to another destination and charged as a cash advance on the credit card.

In other cases, the cards simply are stolen from the legitimate cardholder's purse, wallet or mail, and the names and numbers of the stolen cards are altered.

Sometimes criminals make their own counterfeit cards.

To reduce the opportunity for fraud, individual companies are beefing up their investigative forces. Visa, for example, has five times as many investigators today as it had two years ago. The company investigators work with local law enforcement officials to develop criminal fraud cases.

Many companies also have implemented safeguards against fraud that can be perpetrated by telephone. Catalog companies now check the address where the merchandise is to be delivered against the address of the cardholder to see if they match. "When they call us for authorization to charge the package to a particular account number, they (the catalog company) ask for the first digit of the cardholder's street address," said Charles T. Russell, president of Visa U.S.A. "If it doesn't match the first digit of the address of the destination, they call the cardholder to verify that he actually placed the order."

Both Visa and MasterCard are looking at ways to prevent easy duplication of credit cards. Visa has proposed a card with a smooth surface that doesn't have a raised account number -- and therefore would be more difficult to alter. Company officials also hope to reduce fraud losses by expanding the network of electronic authorization terminals, which can connect the store where the purchase is being made to a central computer containing information on cardholder accounts.

"When we can control the purchase at the point of sale, fraud will diminish dramatically, because a person won't be able to steal and alter a card," said Russell, who predicted that there will be enough electronic terminals in place within the next three to four years to reduce fraud losses by 70 to 80 percent.

Another way credit card companies try to prevent fraud is to question the cardholder making the purchase. One Washington resident who went to Bloomingdale's White Flint store to buy his wife a birthday present, for example, expected the clerk to call for approval of the American Express charge. But the customer was startled when the clerk handed him the telephone and said the American Express representative wanted to speak to him personally.

The customer took the phone and was asked several questions aboutprevious purchases -- an apparent attempt to establish that he was really the cardholder. American Express officials say the personal interview is a safeguard they have been observing for years and is nothing new.

What is new, according to Alexander, is the willingness of banks and credit card companies to go after credit card criminals. "There was a time in the banking industry when one didn't prosecute because the institution didn't want its name in the paper as being associated with that kind of activity," Alexander said. "But that time has passed."

Nonetheless, catching and proscuting credit card criminals is difficult, he said, partly because of the gap between the time the unauthorized purchases are made and the time the cardholder discovers them on his bill and notifies the bank.

The real cardholder is protected by law from liability when there are unauthorized charges on his credit card bills. When a card has been lost or stolen, for example, the cardholder isn't responsible for any unauthorized charges that occur after he reported the theft or loss. And the maximum liability when he doesn't notify the company of a loss or theft of the card is limited to $50.

When a consumer finds an unauthorized charge on his bill -- and still has the credit card in his possession -- it is up to him to make a written statement to the credit card company disputing the charge. Federal law requires the company to investigate the case. If the company concludes the charge wasn't authorized by the cardholder, the company must remove the charge from the bill. If the company concludes that the charge was authorized and insists that the customer pay, the customer can appeal to the Federal Trade Commission.

If the bank or the company that issued the card concludes that the charge wasn't authorized by the customer, the company as a general rule is stuck with the loss. One exception would be if the merchant making the sale failed to follow the required process for obtaining authorization for the sale. Ultimately, of course, the loss is added to the operating expenses of the store or of the bank and passed along to customers in the form of higher rates and fees.

Credit card issuers now routinely urge merchants to take precautions when disposing of credit card carbons, receipts and other account information. American Express sent out letters last Christmas to stores, hotels and restaurants recommending that they shred or destroy all carbon slips used in credit card transactions, as well as other unnecessary account information, so that the numbers couldn't be picked up and used fraudulently.

But tossing the carbons out with the rest of the trash isn't always enough, according to postal inspectors.

In Pulaski, Va., for example, unauthorized charges for mail order merchandise began showing up on the credit card bills of people who had stayed at the Red Carpet Inn. Investigators ultimately concluded that the credit card numbers used in the fraud had been obtained from lodging receipts discarded either by the inn or by the guests themselves.

Investigators believe the receipts were picked up with the rest of the trash put out by the inn. That trash was collected by prisoners from the Pulaski prison camp, which is located nearby. "Presumably, they went through the trash and picked out the slips that gave them the (account) name and number to place the orders," said Karen Peters, the assistant U. S. attorney handling the case.

The prisoners are believed to have obtained the credit card slips from the prison crew that makes trash pickups at the inn, Peters said. They then allegedly used the numbers to place orders for merchandise from several different mail order houses.

Most of the merchandise ordered was sent to relatives and friends, according to the indictment. At least one package was sent to Pulaski Prison.

In some other cases, it is impossible to know how the credit card numbers were obtained by the person or persons trying to use them to make unauthorized purchases.

Marina Gaffney, an administrative assistant who lives in Bethesda, was startled one evening recently by a telephone call from Western Union asking if she was trying to wire $500 to someone in Maryland. Gaffney was told that someone using her MasterCard number had asked that the money be sent to Frederick. The $500 was to be handled as a cash advance and charged to Gaffney's MasterCard account.

"What I want to know is -- would they have sent the money if they hadn't been able to reach me and find out that I hadn't authorized it?"

Western Union officials said they would not have wired the money without the verification from Mrs. Gaffney. They also said that the verification by the customer is only one of the security measures they take when accepting credit card charges.

What Gaffney doesn't know is where the person trying to place the order obtained her credit card number and expiration date. "I still had my card -- it wasn't lost or stolen," she said. "So I don't know where they could have gotten that information."