Credit Card Fraud on the Internet

Credit Card Fraud Bedevils Web
==============================
by Craig Bicknell

When Bill McKiernan opened his on-line shop, Software.net, in 1994, buyers showed up in droves, paid with a credit card right on the spot, and downloaded their new software. McKiernan knew practically nothing about retailing, but suddenly he had a thriving e-commerce company on his hands.

There was just one problem: More than half of the orders on his site were made with stolen card numbers. Once the rightful cardholders noticed fraudulent charges, cancellations poured in from Software.net's credit card payment processor. Not only was McKiernan out the cost of the stolen goods, he had to pay a penalty for the bogus charges.

"We were about to shut our doors because we were getting hit so hard with fraud," says McKiernan. "We were losing money. We didn't know what to do."

That was in 1994. Software.net grew up into Net retail star Beyond.com. Sensing huge demand, McKiernan moved on and developed a software system for sniffing out fraudsters, launching a second company, CyberSource.com, that helps merchants do the same.

Lured by the success of Net superstars like Amazon.com, mom-and-pop shops and real-world retailers are staking on-line claims that make the California gold rush look like an Easter egg hunt. Like McKiernan, many lack previous retail experience and don't know the risks of doing business online.

So the crooks are following right behind.

"We have just a vast number of fraud orders coming into Yahoo Store," says Paul Graham, the producer of Yahoo's online mall, Yahoo Store. "The same thing that's a big advantage for Web sites -- the convenience of finding what you want to buy and punching in a credit card -- makes it much easier for fraudsters."

According to Barry Bahrami, owner of e-commerce software vendor Commercial Illusions, stolen credit card numbers are routinely posted and swapped on Net bulletin boards and channels on Internet Relay Chat, a real-time chat network.

Wired News logged onto an IRC channel that traffics credit card numbers and received two offers to trade within half an hour.

The card numbers can come from traditional off-line sources and from poorly secured Web servers that store credit card information.

There are also programs that generate valid credit card numbers out of thin air. All valid card numbers end with a check-sum digit that's generated from the credit card's other digits, by something called the Mod-10 algorithm. The Mod-10 algorithm is widely known, and programs like CreditMaster use it to gin up numbers that can fool a simple authorization check. Crooks can easily test thousands of numbers at on-line merchant sites.
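As an added illustration (not part of the original article), the sketch below shows why a Mod-10 pass is only a typo check and how a merchant can instead look for the card-testing pattern described above: one source trying many different numbers in a short span. The function names, the 600-second window, the threshold of three distinct cards and the sample order log are all assumptions made for this example.

```python
from collections import defaultdict

def luhn_valid(pan: str) -> bool:
    """Mod-10 check: catches typos, says nothing about whether the account exists."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_testing_sources(attempts, window=600, max_distinct=3):
    """Sources that tried more than max_distinct different card numbers
    inside any window-second span (both thresholds are assumptions)."""
    by_source = defaultdict(list)
    for ts, source, pan in attempts:
        by_source[source].append((ts, pan))
    flagged = []
    for source, rows in sorted(by_source.items()):
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({pan for _, pan in rows[start:end + 1]}) > max_distinct:
                flagged.append(source)
                break
    return flagged

# Constructed sample log: (unix time, source address, card number as submitted).
# The numbers were chosen only because they pass the checksum.
ATTEMPTS = [
    (1000, "198.51.100.7", "4111111111111111"),
    (1030, "198.51.100.7", "4242424242424242"),
    (1055, "198.51.100.7", "5555555555554444"),
    (1090, "198.51.100.7", "4012888888881881"),
    (1100, "203.0.113.20", "4111111111111111"),
    (1160, "203.0.113.20", "4111111111111111"),  # same card retried
]

if __name__ == "__main__":
    print("all pass Mod-10:", all(luhn_valid(p) for _, _, p in ATTEMPTS))
    print("flagged sources:", card_testing_sources(ATTEMPTS))
```

Every submitted number passes the checksum, so the check alone cannot separate the two sources; only the per-source count of distinct cards does.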

The Web also solves another problem for would-be criminals. Banks can catch credit card crooks by tracing the shipping address for goods like CDs or books. But there's no such protection for downloads of software, music, or subscriptions.

Even authorizations that check addresses are no protection against fraud originating overseas.

"Out of the US, there's no help. There's no way to validate any piece of the address," says Steven Klebe, VP of strategic alliances at CyberSource. That's a serious problem for a global e-commerce network.

The fraudsters know it. Fraud is rampant in places like Eastern Europe, where the technology infrastructure is fairly advanced, but the laws governing electronic transactions are not. Romania, in fact, is the center of Internet fraud, says Yahoo's Graham.

There have been months at the Yahoo Store, he says, when the number of credit card orders originating in Romania has topped that of big e-commerce countries like Germany and Japan, ranking third behind the United States and Canada.

Vause says smaller retailers face more risk. "There's a whole host of people that are merchants for the first time," he says. "They need to become educated through their processor."

According to CyberSource, which deals directly with many new Web businesses, about 5 percent to 6 percent of a typical Net retailer's transactions are fraudulent, compared to less than half of one percent for brick-and-mortar retailers. Fraudulent transactions account for about 10 percent of Net retailers' total sales.

For sites that sell digital goods like software, fraud accounts for nearly 30 percent of total sales.

Says John Shirey, senior director of e-commerce at payment processor Paymentech: "On-line transactions need [not] be any riskier than telephone or mail-order transactions."
