Credit card dangers may lurk on smaller Web sites

By Jeremy M. Simon and Emily Starbuck Gerson

Despite many recent security breaches that have exposed millions of credit cardholders to potential fraud and identity theft, online shopping continues to prosper, especially during the holidays.  Financial fraud experts are now warning consumers about where some of the greatest dangers lurk: small, commercial Web sites.

In certain instances, fraudsters are able to gain real-time access to these small Web sites' transaction information, enabling them to steal valid credit card information in an instant and hastily ring up numerous fraudulent charges.

Identity thieves may have fewer potential victims at smaller sites, but they are often able to operate with greater ease due to defects in the software the sites use for online order processing, or due to a dependence on outsourced or outdated Web site security.  Fraud prevention professionals note that many smaller Web sites rely on generic shopping card software that they neglect to update with the latest software security patches. 

Software can help
Scott Mitic, CEO of TrustedID, an identity theft protection company, says that many small Web sites are not complying with merchant standards, especially those set by Visa and MasterCard. "Very few small sites are compliant today, but it's hard for a consumer to tell which ones," he says. "During the holiday season, I'd advise consumers to stay away from very small sites -- it's better to be safe than sorry. I'd stick with Amazon and other trusted names this time of year."

Mitic also suggests downloading a service such as SiteAdvisor, which is a free way to know you might be in trouble. "It installs in the browser and keeps track of nefarious sites, and lets you know when you're at a risky one," he says.

For victims of identity theft, a stolen credit card number is often just the first step a thief will take.  The criminals who steal credit card information generally do not use it themselves, but sell it to scammers via underground chat rooms.  The theft of credit card data combined with other personal information allows identity thieves to wreak havoc on the lives of their victims.

Identity theft victims may find charges on their statements made at Web sites that sell online background checks.  These consumer background checks help fraudsters create a more complete file on a victim to aid further in identity theft or to establish a more appealing record for re-sale in the identity theft underworld.  Thieves who start with a credit card number may also obtain a victim's phone number, physical address, e-mail address and other data that can be used to gain further information on the target or open up new lines of credit in the victim's name.

Card theft triggers bigger woes
"When someone gets more than your credit card information, that's when it gets dangerous, because they can also do things such as tax and employment fraud," Mitic says. "Be less concerned about losing your credit card information because those problems can usually be solved with a few phone calls. Be more careful about safeguarding your personal information."

Mitic advises consumers to look for a barrage of charges on their card statement that would indicate that someone has been shopping with their money. Other small, unexplained charges on your statement should raise a red flag as well.  Some identity thieves will make a $1 donation to a charity's Web site in order to determine whether a credit card is still valid. If you see a background check or charity charge on your credit card bill that you did not make, call your credit card issuer immediately. The danger to credit card data from small Web merchants has become serious enough that Visa and MasterCard have threatened to fine online businesses that fail to work toward meeting stricter security guidelines.

Visa released a report in September 2006 showing that four of the top five causes of credit card-related breaches were digital security limitations at merchants of all sizes.  These weaknesses included misconfigured Web servers, missing or outdated software security patches and the use of vendor-provided default passwords and settings -- all of which represent violations of new credit card industry standards.

Online merchants need to be aware of threats from hackers, and consumers need to be aware of which sites are taking the necessary precautions to guard their credit card information.  Some of the victims who fell prey to hackers had found the cheapest vendor possible through a bargain shopping Web site.  Cardholders should make sure that any site they decide to shop on takes all the necessary steps to ensure the security of credit card transactions. After all, what is the value of saving a few dollars if it comes at the cost of potentially being an identity theft victim?

Updated: October 14, 2009

	Three most recent Shopping stories: CreditCards.com's guide to online holiday shopping 2009 – The sour economy will push more people online to do their shopping this year; these steps will help keep your experience free of cybergrinches ... As Americans tighten belts, they adjust attitudes toward credit – If buying on credit today were a card game, it would be Texas Hold 'Em. Consumers keep their credit cards close to their vests, leaving merchants to wonder if the newfound frugality is a fad or a bluff ... Shopping and credit cards – For some, a mall and a credit card are a financially toxic mix. It need not be so. These tips will help you become a savvier shopper -- and maybe even save some money ...

	CreditCards.com's newsletter Did you like this story? Then sign up for CreditCards.com’s weekly e-newsletter for the latest news, advice, articles and tips. It's FREE. Once a week you will receive the top credit card industry news in your inbox. Sign up now!