By Jane Black On Aug. 5, Jerad Rose, from Louisville, Ky., bought computer equipment at online merchant Beatprice.com. Three days later, while checking his bank statement online, he discovered an unauthorized purchase for $825. Rose immediately paid a visit to his bank and canceled his card. But it was too late. By Aug. 9, 14 purchases, totaling more than $1,600, had been charged to his account. Worse, Rose broke one of online security's most basic rules by using a debit card, which allowed thieves to withdraw cash, leaving his checking account overdrawn.
The situation is everybody's worst nightmare. At best, it requires hours on the phone with your credit-card company. At worst, it could mean a protracted legal battle to reclaim your financial identity. In all cases, consumers feel frustrated, angry, and powerless. In a 2000 report entitled "Nowhere to Turn," the Privacy Rights Clearinghouse found that 55% of the fraud and identity-theft cases reported remained unsolved after an average of 44 months, or almost four years. Victims said they spent between $30 and $2,000 on costs related to identity theft, not including lawyers' fees. The average loss was $808.
HIS OWN GUMSHOE. Rose, however, is determined not to be left holding the bag. Rather than let his bank handle the matter, he called each of the online merchants where illegal purchases were made and explained his problem. Together, Rose and the vendors were able to trace the computer from which the order came, confirming that it wasn't from his computer. So far, he has prevented more than $1,100 in sophisticated camera equipment from being shipped to an unknown person in Indonesia.
Rose isn't alone -- and let his vigilence be a lesson. Fed up with complex procedures and surly customer service, savvy consumers are taking matters into their own hands. Sure, people want their money back, but it's also important and useful to get an explanation as to when, where, and how the fraud occurred. Plus, people defrauded on the Internet can now use the same technology to help track down the thieves who used it against them.
"A year ago, this wouldn't have worked," says Dan Clements, CEO of Card Cops, a Malibu (Calif.) nonprofit that helps consumers track and uncover credit-card fraud. "But today, there's a growing percentage of Net surfers that are savvy. They understand secure servers. They recognize a spoofed [Web] page. They're starting to understand the game."
NAMING NAMES. Clements would know. One of Card Cops' newest services is a program called Neighborhood Net Watch, which allows consumers to alert each other about online merchants that may not be adequately protecting financial data. Upon receiving an alert, Card Cops notifies the merchant about the allegation and asks the outfit to look into possible hacks or security holes. Card Cops attempts to reach merchants three times. If it gets no response, Card Cops will post the merchant to a list of possibly compromised sites in the Neighborhood Net Watch forum.
Card Cops receives five or six alerts each day. In July and August, 11 online stores were posted to the Net Watch forum, including fineteas.com, computer supplier aberdeeninc.com, and beatprice.com -- the site from which Jerad Rose believes his information was stolen. Beatprice.com and fineteas.com did not return calls for comment. Aberdeeninc.com Sales Vice-President Jack Tateel says he's unaware of Card Cops' attempt to contact the corporation. He adds that Aberdeen has served 142,000 customers over seven years and goes to great lengths to make sure that the site is secure: "We have proxy servers and firewalls and all the appropriate security," he says. "We've even hired a security company to try to hack us. And they couldn't."
It's important to note that, so far, there's no evidence that the credit-card fraud reported to Card Cops was a direct result of a sale at Aberdeen's or any of the other sites on Card Cops' list. That said, the Neighborhood Net Watch program, which has been up and running for about six months, has seen a reasonable amount of success. High-profile brands including Egghead.com, Guess.com, and Silicon Valley Bank turned up on the Net Watch list after disgruntled consumers got no response from company representatives. According to Clements, all have since patched or updated security software to deliver better protection.
NOT-SO-AMUSING TALE. Such community efforts are increasingly necessary as criminals become more sophisticated. Though figures are hard to pin down, analysts estimate that credit-card issuers lose $1 billion to $3 billion each year to fraud. Merchants lose even more. That's partly because of the scale and sophistication of the crimes. Witness what happened last month at a small e-commerce site called talkingtp.com. The site sells toilet-paper holders that can record a message to shock or amuse unsuspecting bathroom visitors.
On average, talkingtp.com processes fewer than 20 transactions per day. But on Sept. 12, a crook used its account number with card authorizer Verisign to verify some 140,000 credit cards for a charge of $5.07. Law-enforcement officials and fraud experts believe that this was a criminal's attempt to validate a list of stolen credit cards before acquiring them, the same way a drug dealer will taste a sample of cocaine before buying dozens of kilos for distribution.
"I always thought of identity theft and credit-card fraudsters as a couple of crackpots going through the trash. But it's a very sophisticated operation," says Paul Hynek, CEO of talkingtp.com's parent company, Spitfire Ventures, himself a victim of credit-card fraud (see BW, 9/2/02, "The Underground Web".
"GET SMART." Consumer advocates insist that while progress has been made, much more needs to be done. "Banks don't want to admit to the problem. Law enforcement is busy with the war on terror," says Linda Foley, executive director of the San Diego-based Identity Theft Resource Center. "Unfortunately, that means it's still up to consumers to get smart and protect themselves."
That's a message that even the government is now embracing. In a Sept. 18 speech, the National Security Council's Special Adviser for Cyberspace Security, Richard Clarke, told an audience in Palo Alto, Calif., that securing the Internet must be a cooperative effort between government, business, and citizens. "The government cannot dictate. The government cannot mandate. The government cannot alone secure cyberspace," he said.
Citizens, like Jerad Rose, are taking that warning seriously and taking action. "Consumer vigilantism is rising," says Card Cops' Clements. "The banks just want to brush it under the rug. But consumers are saying, 'Wait a minute. I want answers.'" It's the first -- and vitally important -- step to stamping out fraud. Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column