Credit Card Adventures, continued

Since my last post, my credit card fraud adventures have matured.

I happen to have a subscription to an identity theft monitoring service. If anything funky goes on (e.g. credit checks, precursors to loans, etc.) I am notified via email. If a fraudulent activity is performed, they take care of it on my behalf. After talking with them, I believe this recent credit card fraud event is pretty minimal in terms of damage and future harm. I think it's just about over, aside from me having to return a few vitamin samples I get in the mail.

Yesterday, I received numerous phone calls confirming my orders for vitamin supplements, government grant guides, and stuff like that.  I tried to cancel everything I could, and it's been very time consuming.

With each of these phone calls, the customer representative confirmed my address and phone number.  It just so happens the address and phone number combination they used is fairly unique - I've only used it with a few websites.

I suspect somebody's database was compromised. It's funny that people feel safe when they see the little lock icon (SSL) when making an online purchase. As a developer, I'll tell you that's the least of your worries. Since everyone uses SSL to encrypt credit card submissions, it's effectively taken that method of fraud out. Kind of like why we get immunizations for very rare diseases - if nobody got them, the diseases would be a problem again. But since we're all covered, they remain at bay.

My main security concern when developing commerce websites is storing customer credit card numbers. It freaks me out. If a merchant doesn't store credit card numbers (which many sites don't), they can't be stolen. If they do, well that makes the security of their back end -- their database of customer information -- really important. That is where a lot of harm can be done, because a single person's credit card info isn't being stolen, but rather the entire list of customers. Yikes.

Having said all this, I still firmly believe ordering something online is safer than doing it at a physical location.  Everything is (usually) automated, and in most cases, the only person who sees your credit card number is you, the customer.   Once a credit card transaction is completed, there is usually no need to see the card information again, ever.  As a result, most online stores don't even store it...which is good!

Comments
Dude, the same thing JUST happened to me!
# Posted By Steven | 3/3/09 1:09 PM
Happened to another bike dude here in OBRA-land, too. Hmmm.
# Posted By erikv | 3/3/09 1:22 PM
The same thing just happened to my OBRA membership 3 weeks ago and the charges started happening 2 weeks ago. I sent you an email, Erik. It seems like maybe we are onto something here? Worth a post to the OBRA board?
# Posted By Ryan Van Dusen | 3/3/09 2:12 PM
Erik, could you let me know what service you decided on and why?
# Posted By DavidS | 3/4/09 8:41 AM
# Posted By hugh | 3/4/09 1:57 PM
# Posted By Sara Murawski | 3/4/09 9:00 PM
Most credit card companies offer a means to shop more securely online. With Discover, you create a new number that can only be used at one merchant, so even if the number is stolen, it can't be used elsewhere. With Visa, you create a new number and set a monetary limit on it as well as an expiration date (as little as two months). While these may not be absolutely foolproof, there is some peace of mind.

Good luck getting through this!
# Posted By linda Bitner | 3/9/09 4:33 PM