Can hackers kill credit cards? Spate of e-commerce intrusions might mean a new form of payment system will come sooner than expected By Bob Sullivan MSNBC March 15  He calls himself The Saint of E-commerce. Two months ago, Curador started posting his catalog of stolen credit card numbers on his Web page. Hes stolen database after database from a variety of e-commerce sites, each time updating his site, then gleefully mailing notification to reporters. Hes up to 25,000 records now from 13 Web sites, and still going. Despite all that the financial risk and all that violation of personal privacy, no one can stop him. Perhaps instead, well have to stop using credit cards. OF COURSE, AUTHORITIES have removed Curadors Web site  at least a dozen times. No matter; he uses the many free, anonymous Web hosting services available on the Internet. And as fast as his Web page is taken down, Curador puts up another one.

The 18-year-old computer intruder, who also goes by the nickname mind gimp, is located somewhere in Europe; thats all he would tell MSNBC during a telephone interview.

Hes not using the credit cards for financial gain. The self-proclaimed Saint of E-commerce says he simply wants to embarrass the victim Web sites into employing better security. He promised to continue breaking into e-commerce sites and posting stolen numbers until I dont need to do it anymore or until I get arrested.

His arrest, however, is unlikely. As MSNBCs Mike Brunker reported last week, there hasnt been a single reported arrest of a foreign credit card thief by U.S. authorities. Anyone whos serious about this is getting a lesson. The wake-up call is here.

 STEPHEN ORFEI SETCo Curadors thefts are simple, and his sharing of the personal information is currently unstoppable. But its just another story in this years litany of tales surrounding online theft of personal and financial information. E-merchants are furiously fighting the battle to keep down fraud costs, and consumer confidence in Internet safety is continually shaken, with no apparent end in sight. So some experts think Curador may just be another nail in the coffin of a credit card system that was hardly designed for Internet purchasing.

Anyone whos serious about this is getting a lesson. The wake-up call is here. The time is now, said Stephen Orfei, vice president of electronic commerce and emerging technology for MasterCard International. Orfei is also the spokesperson for SETCo, the Visa- and MasterCard-backed organization pushing SET, a new payments protocol designed to limit electronic fraud. HOW CAN WE DO MORE? The raging success of online thieves, some say, will force the hand of banks, merchants, credit card companies and consumers to change the way we spend money much sooner than we intended.

The high-profile hacks have at least gotten the attention of merchants, said Alyxia Do, electronic payment and smart card analyst with Frost & Sullivan.

It seems that there have been a greater number of queries coming in, she said. It began with the CD Universe break-in and just it has just continued to be in the news. I have heard more and more merchants are going back to Visa and MasterCard and asking, How can we do more? 

The stakes are higher for merchants than consumers. While consumers face a limited liability of $50 and a paperwork hassle, online merchants must write off credit card theft as acceptable loss. Hard data on how bad losses are is impossible to find, but anecdotally some industries relate fraud rates as high as 40 percent. Merchants use inexact software to filter out potential fraudulent purchases, but that means they turn away legitimate sales, too.

The mathematics are alarming. In fact, according to Joe Barrett, chairman of the Internet Fraud prevention Advisory Council, in some industries, merchants are turning away 20 percent of proposed sales. Youre killing your business. Youd be better off taking every sale and self-insuring, he said. SMART CARDS, FINALLY? "A number and a date and you can buy anything you want with it. Thats how a teen-aged Internet credit card thief described to MSNBC the fundamental problem of using credit cards online. I try to encourage people to think about fraud detection as a public good. Merchants on the Internet have tendency to want to wall off and control and not share their kownledge or incidents of fraud.

 JOE BARRETT Internet Fraud Prevention Advisory Council The familiar plastic currency was designed to be physically handed to merchants, who could at least make a cursory check to see if signatures on the card and the sales slip matched. Online, commerce is anonymous. There is no way to see whos entering the credit card numbers into the Web page, an anonymity that heavily favors the fraud artists.

Several technologies hope to tip the scales against thieves by implementing systems that require some real-world physical component when shopping online. Smart cards, the generic term for any plastic which includes an embedded microchip, are one promising solution.

Smart cards, which identify the user through encrypted information embedded on the chip, must be inserted into a card reader attached to the computer. That means the card cant be used for e-commerce unless the purchaser is currently holding it. A PIN number is also required, so a thief needs to physically have the card and a security code in order to use it. Thats not an insurmountable hurdle, but a far more difficult one than using a number and a date. Still, smart cards are 20 years old, and while there have been smatterings of adoption in Europe, trials of the technology in the U.S. have failed repeatedly. Consumers perceived them as inconvenient, and in the past they have been unmoved by the improvement in security.

http://www.msnbc.com/news/382141.asp?cp1=1#BODY

-- Martin Thompson (mthom1927@aol.com), March 16, 2000