Online thieves are getting away with their crimes, a survey published today has claimed. Almost half of e-retailers are not taking precautions like verifying customer's names and addresses before clearing transactions, and only 9% of fraud reports lead to a prosecution.
That will surprise some internet consumers, who might have assumed that the very fact you are ordering via computer over a secure system would mean that it would be simple to cross-refer your details in some way. Not so, it seems.
Like many surveys of this kind, of course, there is a hidden agenda. In this case the report was commissioned by Experian UK, a company which likes to describe itself as a "global information solutions company", but which will be most familiar to many of us as credit reference agency. It's one of the companies most likely to benefit if we all start demanding better "back office" checks on online transactions.
But we should be thankful to the survey for highlighting, again, the potential to commit crime on the internet. It is easy for an internet user with only moderate experience, a little imagination and no conscience to defraud an online retailer. And, yes, the lack of verification that the number belongs to a valid card, in the hands of its rightful owner, makes things even easier.
But is it the retailers' fault? Experian UK might be suggesting so, but really we should be looking to the source of the problem: credit-card companies themselves.
Consider our flexible friends for just a second: they have barely evolved in decades, maybe a holographic anti-fraud sticker there, a fancy new bit of graphic design there, but otherwise not much has changed. The principal means of card checking are physical - one, that you actually have the card in your hand; two, that you can match the signature on the back; three, that the magnetic strip on the card is valid.
Using mail, telephone or internet shopping, those physical checks are replaced by just two weaker substitutes: the card number (which can be made up by one of those number generators) and the expiry date (the simple month/year format of which can be easily guessed).
As Anthony Abraham, of Canadian-based watchdog Fraud Watch, has been pointing out for years, credit cards just weren't designed to be used over the net - only between people in the same room. He still acknowledges that credit cards are still the best way to shop online, but only because because the consumer is at least only hit for the first £50 of any fraud. It's the retailers who take the financial brunt of any misuse.
So what is the way ahead? Should we demand retailers take greater precautions, as Experian UK suggests? We could - but, in fact, such checks could be a pain. It's often useful, for instance, to order books on Amazon to be delivered to a friend's address for their birthday, or to buy computer parts which can then be delivered and signed for at your place of work, rather than home. Such checks could mean everything has to go direct to the cardholder.
No - what we need is the credit card companies to come up with a way to modernise their old-fashioned bits of plastic. Some are trying - American Express last week announced it was creating a way to use "disposable" credit-card numbers which are valid for only one purchase. So if a retailer's security is breached, hackers will not be able to use any credit numbers they find.
It is a great idea, but with retailers picking up most of the fraud bill, other card issuers are not in a rush to come up with similarly smart schemes. More simple advances could take years to arrive in our wallets.
