Internet Merchants Fight Software Theft
By SAUL HANSELL
When it comes to the security risks of using a credit card to buy something online, consumers often fear that a thief may intercept the card number for a cybershopping spree. But Internet merchants, especially those selling software for immediate download, know the bigger financial risk is their own.
That is why such companies are taking steps to thwart the use of stolen or counterfeit credit card numbers, a type of crime that, unchecked, could stifle the growth of Internet commerce.
So far, software has been a favorite target of Internet thieves because the same characteristic that makes it so easy to sell online o instant electronic delivery o also makes it easy to steal.
"We had a week in which we had more fraud than legitimate sales," said William McKiernan, the chief executive of CyberSource, which runs the online retail store Software.Net. "We were literally going out of business."
There are no hard industry figures on the extent of online software theft, but other industry leaders acknowledge the problem. At Buynow.Com, a similar site offered by Cnet, the fraud rate hit 20 percent of sales earlier this year. And software companies that have started selling their own products online, like Symantec, also report far higher losses than with traditional mail and telephone orders.
"If you have to mail something to someone, you can catch the fraud before you send the product," said Suzanne Bray, manager of electronic commerce business development at Symantec. "With electronic software distribution, they get the product immediately."
While consumers are generally limited to a liability of $50 for someone else's fraudulent use of their card number, credit card companies usually hold merchants fully responsible for any fraudulent purchases made when the signature on the card cannot be verified.
This includes transactions by mail or telephone o or now, on the Internet. And so the online merchants have every incentive to address software theft, often through software solutions. A number of companies have developed their own computer programs to flag potentially fraudulent transactions.
CyberSource, in fact, has turned its trauma into a second business line, a fraud clearinghouse for online merchants, where services include comparing a credit card sales request against a list of about 75,000 known online crooks.
As the software vendors have investigated the crime wave, they have detected two basic types of thieves online: a small group that, like the sticky-fingered everywhere, steal for profit; and many more, typically young men, who steal for the thrill of the hunt.
Programmers Paradise, which sells expensive tool-kit programs used by software developers, suspects that people who try to fraudulently download its products are the ones in it for the money. "We see people trying to get a $2,000 software package, figuring they can resell it for $500," said Joseph Popolo, the executive vice president.
Others may be trying to steal programs they cannot afford. When Cnet traced back the origin of its fraudulent purchases, it found that many emanated from computers in Eastern Europe, South America and Israel, according to William Headapohl, Cnet's executive vice president.
But in many cases, based on investigations where culprits have actually been tracked down, thefts are simply the adolescent hacker equivalent of stealing hubcaps.
"The people perpetrating the fraud tend to be teen-age boys," said McKiernan. "There is a whole subculture out there around software. The ethic is it's cool to have software your friends don't have o like the old baseball cards."
And these digital delinquents do not settle for games or popular utility programs, the software vendors say. Instead, they go after the most expensive or unusual programs around, even if they have no conceivable use for them. Software.Net found teen-agers lured by a program used by leasing firms to monitor construction-equipment inventory.
Since online software sales became common a few years ago, the sophistication of the thievery, and of the detection and deterrence, has continually evolved.
In the early going, crooks were often able to get fraudulent cards by using software programs, widely distributed on the Internet, that generate phony credit card numbers. These programs employ many of the industry codes and mathematical formulas that banks use when setting up card accounts.
But the software companies quickly cracked down on this tactic by using a service, long provided to mail-order merchants, in which the credit card companies verify not only a card's number but the associated expiration date and billing address. "That filtered out the primitive fraudulent transactions, but these guys are smarter than that," McKiernan said.
An improved scam was to use electronic mail to trick people o especially new users of America Online and similar services o into revealing their credit card numbers. Con men, pretending to be from the customer service department, would send messages asking users to verify their card numbers and addresses. While the online services have repeatedly warned users not to fall for such schemes, some nonetheless did o and still do.
To fight back, the online software vendors started developing computer models that identified suspicious transactions.
"We started by flipping through our orders, and we realized that we could identify many fraudulent ones simply by looking at them," McKiernan said. For example, since the company's first sales system did not analyze the name that buyers entered, many thieves simply typed in random keystrokes.
Other clues were almost as easy. Orders for business software late at night were likely to be frauds, as were orders in which the e-mail name (Bsmith, say) seemed to contradict the name given for the credit card (John Doe, for example).
Orders from cities or countries with high fraud rates o Israel is a hotbed of online credit card fraud, as it turns out o are also given more scrutiny.
CyberSource has a computer model that looks at 150 factors to calculate the risk of fraud in a purchase. For 50 cents a transaction, other cyber merchants can pay CyberSource to run a pending credit card request through this online model. Or for the same fee, CyberSource will compare the request against its 75,000-name fraud data base.
Thanks to such measures, CyberSource says that compared with that horror week in 1995 in which bogus transactions outnumbered the legitimate, its own fraud losses have fallen to less than one percent of sales. And Cnet, citing similar vigilance, says fraud now crops up in only one in 20 sales, down from one in five, although the company is still aiming toward a target of one in every 50.
The credit card companies themselves are now at work on an elaborate protocol, called Secure Electronic Transactions, that could reduce these fraud losses more.
Under this arrangement, instead of using credit card numbers, customers would have special "electronic certificates" loaded on their computers to verify their identify for online sales. But experts say it could be years before these certificates are in wide use, which is why the online merchants plan to continue refining their own anti-fraud method, to keep from being victimized by what many on the outside consider a victimless crime.
"In many cases, the local DA's shrug and say, 'There was no one hurt and no weapon involved,'" McKiernan said.
NYTIMES |
