NS Internet column
Written 19 January 2000 for the New Statesman
Almost everything that people are frightened of on the internet never happens. I have been buying stuff online since 1994 without worrying very much about the privacy of my credit card number en route. I know there is a small risk that the number might be read in transmission, but it is infinitely smaller than the risk run by millions of people every day when they compose, on their computers at work, email they would like to keep private; and if you make a fool of yourself in email there is no one who can void the transaction and give you your lost reputation back.
No, the place to worry about credit card information is not in transit, but when it gets to the company you're paying. My wife has just had a letter that makes this alarmingly clear, from the chairman of a company called CD Universe. It is addressed to Caroline.Brown@whatever, but starts "Dear Andrew", which shows that their database uses information off the credit card rather than the mailing address. I had known that they were hacked over the new year but had not worried because I could not remember buying anything there.
The hack itself was quite spectacular: a Russian, calling himself Maxim, broke into their servers and stole the list of credit card numbers. He then demanded large sums of money not to publish them on the net; when the company refused, he put up a web page where you clicked a button and were rewarded with a set of valid credit card details chosen at random from among the lucky customers of CD Universe. By the time I got to the web page it wasn't working properly any more: the button to press was still there, but it did not disgorge anything interesting. However, it had been running smoothly, dispensing free money, for a couple of weeks before then. Maxim presumably paid for the site with one of his newly acquired credit cards.
There were two odd things about the letter. The first was that it was dated January 14, a long time after the news of the theft was published in the online press and presumably a very much longer time after the company found out what had happened. The second is the way it assures us that, although the horse bolted a month ago, the stable doors are at this very moment being fitted with the most modern locks: "We are taking every conceivable step to make sure the information you have provided to us in the past for ordering online is secure and remains so.
"For your safety, we suggest you monitor your credit cards closely over the next few weeks and report any suspicious activity to your credit card company and CD Universe as well." The letter concluded with the last four digits of a credit card number which did seem vaguely familiar. I was sure I had never bought anything from them, but I double checked: I thought they must have bought up some company from which I had once shopped. A quick scramble through the archives on my hard disk showed that I had in fact bought a CD from CD Universe once, in 1997. The credit card I had then used has long since expired and been replaced by another, with a different bank, and I don't think there is any danger I will shop there again, but the episode does show clearly the real vulnerabilities of internet commerce.
Just as Willie Sutton is supposed to have robbed banks "because that's where the money is" rather than mugging random strangers in the hope that they were carrying big bundles of cash, so the modern criminal hacker will go for the credit card numbers which someone else has collected in one place. Protecting against that sort of theft should have nothing in particular to do with e-commerce. Harrods must have a stash of credit cards more worth stealing than Amazon's, and neither company should store them on a computer that has any connection to the Internet. But in fact online stores are more vulnerable, if only because the shop-front computers have to be connected to the credit card database in some way for "one click" shopping to work. It's an enormous convenience not to have to re-enter all my credit card details every time I buy anything from a shop I have used before; but the price I pay is that they must be stored in five or six different computers round the world. I'll go on doing it, though, since most of the risks of waving a credit card number round the net are borne by Visa, which is to say by all the other poor suckers who pay their 23.6% APR every month.
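As an added illustration of the trade-off just described (example code written for this page, not code from the column or from any company it names): the shop front can keep one-click ordering while holding no full card numbers at all, if the numbers live in a separate store that the shop front can only reference by an opaque token. The class and field names below are hypothetical, and the card number and customer record are constructed test data.

```python
"""Added example: one-click ordering with card numbers kept off the shop-front
database. All names here are hypothetical; the card number is a constructed test
value, not a real account."""
import secrets


class CardVault:
    """Stands in for the isolated system that holds full card numbers.

    In the arrangement the column argues for, this would sit on a machine with
    no general Internet connection; here it is an in-memory class so the
    example runs offline.
    """

    def __init__(self):
        self._cards = {}  # token -> {"pan": ..., "expiry": ...}

    def store(self, pan, expiry):
        # The token carries no information about the card; "tok_" prefix
        # also keeps it from ever looking like a run of card digits.
        token = "tok_" + secrets.token_hex(16)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token, amount):
        card = self._cards.get(token)
        if card is None:
            raise KeyError("unknown token")
        # A real vault would talk to the card network here.
        return {"charged": amount, "pan_last4": card["pan"][-4:]}


class ShopFront:
    """The Internet-facing order system. It never sees a full card number
    again after the first checkout; it keeps only a token and the last four
    digits for display."""

    def __init__(self, vault):
        self.vault = vault
        self.customers = {}  # email -> {"name", "token", "last4"}

    def save_card(self, email, name, pan, expiry):
        token = self.vault.store(pan, expiry)
        self.customers[email] = {"name": name, "token": token, "last4": pan[-4:]}

    def one_click_order(self, email, amount):
        customer = self.customers[email]
        return self.vault.charge(customer["token"], amount)

    def dump(self):
        """What an intruder who copies the shop-front table walks off with."""
        return {email: dict(row) for email, row in self.customers.items()}


def card_numbers_in(dump):
    """Return any value in a dumped table that looks like a full card number
    (13 to 19 digits). Against the tokenised shop front this is empty."""
    found = []
    for row in dump.values():
        for value in row.values():
            if isinstance(value, str) and value.isdigit() and 13 <= len(value) <= 19:
                found.append(value)
    return found


def demo():
    vault = CardVault()
    shop = ShopFront(vault)
    # Constructed test record; 4111111111111111 is a well-known test number.
    shop.save_card("caroline@example.invalid", "Andrew Brown", "4111111111111111", "12/01")
    receipt = shop.one_click_order("caroline@example.invalid", 1499)
    return {"receipt": receipt, "leaked": card_numbers_in(shop.dump())}


if __name__ == "__main__":
    print(demo())
```

The shop front still has to be able to charge the card, so a stolen token lets an attacker place orders through that shop; what it does not do is hand out a number that works everywhere else, which is precisely what the "click for a random card" page was dispensing. The vault itself still needs protecting, but it is one system with one job rather than a table sitting behind every web server.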