New Statesman Website

Other people's money

Andrew Brown resolves to keep his Visa card flying

Almost everything that people are frightened of on the Internet never happens. I have been buying stuff online since 1994 without worrying very much about the privacy of my credit card number en route. I know there is a small risk that the number might be read in transmission, but it is infinitely smaller than the risk run by millions of people every day when they compose private e-mail on their computers at work; and if you make a fool of yourself in e-mail, there is no one who can void the transaction and give you your lost reputation back.

No, the place to worry about credit card information is not in transit, but when it gets to the company you're paying. My wife has just had a letter that makes this alarmingly clear, from the chairman of a company called CD Universe. It is addressed to Caroline.Brown@whatever, but starts "Dear Andrew", which shows that their database uses information off the credit card rather than the mailing address. I had known that they were hacked over the new year but had not worried because I could not remember buying anything there.

The hack itself was quite spectacular: a Russian, calling himself Maxim, broke into CD Universe's servers and stole the list of credit card numbers. He then demanded large sums of money not to publish them on the net; when the company refused, he put up a web page where you clicked a button and were rewarded with a set of valid credit card details chosen at random from among the lucky customers of CD Universe. By the time I got to the web page, it wasn't working properly any more: the button to press was still there, but it did not disgorge anything interesting. However, it had been running smoothly, dispensing free money, for a couple of weeks before then. Maxim presumably paid for the site with one of his newly acquired credit cards.

There were two odd things about the letter. The first was that it was dated 14 January - a long time after the news of the theft was published in the online press and presumably a very much longer time after the company found out what had happened. The second was the way it assured us that - although the horse bolted a month ago - the stable doors were at that very moment being fitted with the most modern locks: "We are taking every conceivable step to make sure the information you have provided to us in the past for ordering online is secure and remains so. For your safety, we suggest you monitor your credit cards closely over the next few weeks and report any suspicious activity to your credit card company and CD Universe as well."

The letter concluded with the last four digits of a credit card number which did seem vaguely familiar. Though I was sure I had never bought anything from them, I decided to double-check. A quick scramble through the archives on my hard disk showed that, in 1997, I had in fact bought a CD from CD Universe. The credit card I had used has long since expired and been replaced by another, with a different bank, and I don't think there is any danger that I will shop there again, but the episode does show clearly the real vulnerabilities of Internet commerce.

Just as John Dillinger robbed the banks "because that's where the money is", rather than mugging random strangers in the hope that they were carrying big bundles of cash, so the modern mafia hacker will go for the credit card numbers which someone else has collected in one place. Protection against that sort of thing should have nothing to do with e-commerce. But online stores are more vulnerable, if only because shopfront computers have to be connected to the credit card database in some way for "one-click" shopping to work. It's an enormous convenience not to have to re-enter all my credit card details every time I buy anything from a shop I have used before; but the price I pay is that they must be stored in five or six different computers round the world. But I'll go on doing it, since most of the risks of waving a credit card number round the net are borne by Visa - that is to say, by all the other poor suckers who pay their 23.6 per cent APR every month.

