(In)secure Transactions
by Gareth Branwyn


Whenever the media do a piece on online consumerism, they usually drag out several netizens who either tell horror stories about ordering stuff online (from phony companies), or say they're too afraid to order anything because they're scared that wily hackers might intercept their credit info. The conclusion usually reached in these reports is that Internet commerce is not secure and should be undertaken with a great degree of caution. But how founded is this fear in relation to other concerns over security?

Let's see a show of hands: How many of us tear up our carbons before leaving a restaurant, only keep small amounts of cash in our purse or wallet, and don't give out our number unless required by law? How many of us bother to change our passwords on a regular basis, and when we do, choose robust ones (non-words, upper and lower case, alphanumerics)? There are dozens of security precautions we could take to make our financial lives more secure, but most of us don't bother. So why should online be any different? Online commerce will never be totally secure. As long as there are us humans involved, we've got human error, malfeasance, and laziness to worry about, and as long as computers are involved, well, we all know that computers like to crap out when we need them most. Sure, things like strong encryption and digital signatures will help, but should we wait before starting to buy stuff over the Net? In a word: No.

Horror stories to the contrary, an insecure Net hasn't really stopped people from ordering online anyway—even over regular email. Scott Huffines, who runs Atomic Books, a large fringe culture catalog on- and offline, says that he gets several dozen credit card orders a week and has had no complaints or theft attempts. Years ago, when I sold a computer program over the Net (on cyberpunk and hacking, no less!), I got hundreds of credit card orders in my mailbox and through my fax machine. Only one person mentioned having any apprehension about sending his credit vitals to "a bunch o' low life slacker d00dz." (By the way, we didn't actually qualify for a merchant card, so we laundered our orders through a friend's card, resending the credit info we received back over the Net.)

According to a spokesperson for the National Consumers League, so far there have been no reported cases of credit card rip-offs via Internet transfers. In a recent case, several teenagers sent a phony AOL customer service message to a clueless user and convinced him to send his credit information. They blew $100 hanging out in chat rooms before they were caught. The Federal Trade Commission also says that they have not brought any cases against anyone stealing credit information through email or Web order forms. The National Fraud Information Center's Internet Fraud Report doesn't list a single case of actual Internet fraud. It's all about telemarketing scams and general education regarding high-tech fraud.

And, even if you do get ripped off online, it's actually not you, the consumer, who's at risk—it's the bank and the merchant who are liable. Your liability is limited, by law, to $50. And if you take appropriate measures, like immediately reporting a lost or stolen card (or stolen credit info), you won't be charged anything.

Allan Schiffman, one of the creators of CommerceNet and Secure HTTP (S-HTTP), has said: "If security is important, then you can't trust others to supply it to you; if they do, they'll just waste time and money to provide you assurances that you can't rely on anyway." While you swallow that little existential pill, why not whip out the ol' plastic and do something dangerous: go to your favorite online merchant and buy yourself something nice!

Wait, what am I saying? I can't believe that I've spent this entire article trying to convince you to waste your hard-earned shekels on frivolous Net purchases. I take it all back. Gawd, I feel so dirty.

Gareth Branwyn is a contributing editor at STIM and co-author of the Internet Power Toolkit (Ventana).

