Credit card dangers may lurk on smaller websites
By Jeremy M. Simon and Emily Starbuck Gerson
Despite many recent security breaches that have exposed millions of credit cardholders to potential fraud and identity theft, online shopping continues to prosper, especially during the holidays. Financial fraud experts are now warning consumers about where some of the greatest dangers lurk: small, commercial websites.
In certain instances, fraudsters are able to gain real-time access to these small websites' transaction information, enabling them to steal valid credit card information in an instant and hastily ring up numerous fraudulent charges.
Identity thieves may have fewer potential victims at smaller sites, but they are often able to operate with greater ease due to defects in the software the sites use for online order processing, or due to a dependence on outsourced or outdated website security. Fraud prevention professionals note that many smaller websites rely on generic shopping card software that they neglect to update with the latest software security patches.
Software can help
Scott Mitic, CEO of TrustedID, an identity theft protection company, says that many small websites are not complying with merchant standards, especially those set by Visa and MasterCard. "Very few small sites are compliant today, but it's hard for a consumer to tell which ones," he says. "During the holiday season, I'd advise consumers to stay away from very small sites -- it's better to be safe than sorry. I'd stick with Amazon and other trusted names this time of year."
Mitic also suggests downloading a service such as SiteAdvisor, which is a free way to know you might be in trouble. "It installs in the browser and keeps track of nefarious sites, and lets you know when you're at a risky one," he says.
For victims of identity theft, a stolen credit card number is often just the first step a thief will take. The criminals who steal credit card information generally do not use it themselves, but sell it to scammers via underground chat rooms. The theft of credit card data combined with other personal information allows identity thieves to wreak havoc on the lives of their victims.
Identity theft victims may find charges on their statements made at websites that sell online background checks. These consumer background checks help fraudsters create a more complete file on a victim to aid further in identity theft or to establish a more appealing record for re-sale in the identity theft underworld. Thieves who start with a credit card number may also obtain a victim's phone number, physical address, e-mail address and other data that can be used to gain further information on the target or open up new lines of credit in the victim's name.
Card theft triggers bigger woes
"When someone gets more than your credit card information, that's when it gets dangerous, because they can also do things such as tax and employment fraud," Mitic says. "Be less concerned about losing your credit card information because those problems can usually be solved with a few phone calls. Be more careful about safeguarding your personal information."
Mitic advises consumers to look for a barrage of charges on their card statement that would indicate that someone has been shopping with their money. Other small, unexplained charges on your statement should raise a red flag as well. Some identity thieves will make a $1 donation to a charity's website in order to determine whether a credit card is still valid. If you see a background check or charity charge on your credit card bill that you did not make, call your credit card issuer immediately. The danger to credit card data from small Web merchants has become serious enough that Visa and MasterCard have threatened to fine online businesses that fail to work toward meeting stricter security guidelines.
Visa released a report in September 2006 showing that four of the top five causes of credit card-related breaches were digital security limitations at merchants of all sizes. These weaknesses included misconfigured Web servers, missing or outdated software security patches and the use of vendor-provided default passwords and settings -- all of which represent violations of new credit card industry standards.
Online merchants need to be aware of threats from hackers, and consumers need to be aware of which sites are taking the necessary precautions to guard their credit card information. Some of the victims who fell prey to hackers had found the cheapest vendor possible through a bargain shopping website. Cardholders should make sure that any site they decide to shop on takes all the necessary steps to ensure the security of credit card transactions. After all, what is the value of saving a few dollars if it comes at the cost of potentially being an identity theft victim?
Updated: October 14, 2009
- Shopping beacons with targeted marketing messages expand – Tracking devices that let you opt in to receive location-relevant information on your smartphone are becoming more widespread ...
- FAQs on new Costco Citi Visa card – We answer the most-common reader questions prompted by the warehouse club’s credit card switch from American Express to Citi ...
- Split payments: Using two cards for one transaction – Retail stores often allow you to use two different cards to pay for purchases. But it's a different story when online shopping ...