Since my last post, my credit card fraud adventures have matured.
I happen to have a subscription to an identity theft monitoring service. If anything funky goes on (e.g., credit checks, precursors to loans, etc.), I am notified via email. If a fraudulent activity is performed, they take care of it on my behalf. After talking with them, I believe this recent credit card fraud event is pretty minimal in terms of damage and future harm. I think it's just about over, aside from me having to return a few vitamin samples I get in the mail.
Yesterday, I received numerous phone calls confirming my orders for vitamin supplements, government grant guides, and stuff like that. I tried to cancel everything I could, and it's been very time-consuming.
With each of these phone calls, the customer representative confirmed my address and phone number. It just so happens the address and phone number combination they used is fairly unique - I've only used it with a few websites.
I suspect somebody's database was compromised. It's funny that people feel safe when they see the little lock icon (SSL) when making an online purchase. As a developer, I'll tell you that's the least of your worries. Since everyone uses SSL to encrypt credit card submissions, it's effectively taken that method of fraud out. Kind of like why we get immunizations for very rare diseases - if nobody got them, the diseases would be a problem again. But since we're all covered, they remain at bay.
My main security concern when developing commerce websites is storing customer credit card numbers. It freaks me out. If a merchant doesn't store credit card numbers (which many sites don't), they can't be stolen. If they do, well, that makes the security of their back end -- their database of customer information -- really important. That is where a lot of harm can be done, because a single person's credit card info isn't being stolen, but rather the entire list of customers. Yikes.
Having said all this, I still firmly believe ordering something online is safer than doing it at a physical location. Everything is (usually) automated, and in most cases, the only person who sees your credit card number is you, the customer. Once a credit card transaction is completed, there is usually no need to see the card information again, ever. As a result, most online stores don't even store it... which is good!