E-tailers face hefty charges if they fall victim to persistent online fraud. But credit cards were not designed for use online, so is anyone developing a cyber-age alternative? Helen Smith reports

Barclays, Safeway and Woolworths are among the hundreds of businesses where security has been called into question because of lapses in their online systems. Barclays' customers discovered that their account details could still be viewed on the computer screen even after they had logged out of the secure network; a hacker accessed Safeway's customer files and sent a highly damaging e-mail to the multiple's entire customer base; and Woolworths had to shut down its online store after a user came across a customer's credit card details.

Despite such high-profile examples, the National Consumers Council says that most internet shoppers try to minimise the risk by shopping at sites run by well-known brands and retailers. Its survey last year found that 28% looked for a recognised brand name and 22% would feel safer shopping on the site of a high street retailer, which helps explain why "bricks and clicks" companies are outstripping the pure dot.coms when it comes to sales. In another study, the internet market research group Media Metrix found that eight of the 10 fastest-growing US retail sites in December were bricks and clicks companies - among them Wal-Mart, Kmart and Nordstrom.

The biggest curb on the growth of online shopping is customer anxiety about security, yet the customer has little to fear. Unless they are especially careless, they are unlikely to foot more than £50 of the bill if their credit details are misused.

Retailers face the greatest risk. Credit card issuers are passing on a big share of the cost of online fraud in chargebacks to e-tailers and in the hefty fines they have begun imposing on online retailers which have been the regular targets of hackers. And at present the law offers little protection.
The Electronic Communications Act which came into force last year put digital signatures on the same legal footing as paper ones, but the courts have yet to decide where the liability lies when credit details are intercepted. If your up-to-the-minute software has been invaded by hackers or if an employee has been careless with their password, chances are that in either case the responsibility is yours.

"The difficulty is, what is negligence and what is sophisticated fraud?" asks Andy Mulholland, chief technology officer at Cap Gemini Ernst & Young. "There hasn't been a queue of people lining up to test it in court."

The core of the problem is that internet retailing is reliant on the use of credit cards and credit cards were never designed for use online.

"The credit card has been piggy in the middle in this. We have taken something that was supposed to be a solution in a different world and we are now complaining that it isn't the answer in an electronic one. It doesn't offer a secure transaction method because it didn't before," says Mulholland.

While there is a plethora of software and new systems in development to cut those risks, an overall solution still appears out of reach. No organisation has stepped in to make the enormous investment required to develop a cyber-age replacement for the credit card. And there appears little incentive to do so. The banks and credit card companies have yet to be badly hit by internet fraud and customers are protected by their credit card agreements.

The banks and credit card issuers, eager to encourage cardholders to go internet shopping, insist the scale of online fraud is negligible anyway. "Online fraud has been hyped enormously. In fact, losses related to the internet are only 2%-3% of total fraud losses," says Richard Tyson-Davies of the Association for Payment Clearing Services (APACS). APACS says that of the total UK fraud losses of £190m in 1999, only around £4m-£5m were linked to internet fraud.
But the National Criminal Intelligence Service (NCIS) says it is impossible to measure the amount of fraud carried out online and warns that as internet shopping grows, fraud is certain to grow with it.

"We just don't know the true scale of internet fraud. We can extrapolate figures based on what people tell us, but the answer is nobody does know because not all of it is reported," says Mark Steels of NCIS. "But it is going to be a major growth area. It's the same with any new development, it is always going to get exploited by criminals."

An NOP survey for Barclays confirms NCIS' prediction that online shopping is heading for rapid growth. It found that 51% of internet users already shopped online, while 39% of non-internet users saw online shopping as a reason to start and 42% of non-internet users planned to go online in the future.

What is needed is a more secure replacement for credit cards and although smart cards, which use digital signatures to identify their holders, are already available, the cost of manufacturing, distributing and operating them remains a barrier to their widespread use. Since one of the greatest attractions of internet shopping is its convenience and immediacy, few shoppers are likely to take the trouble to queue up to buy one of the Viacode smart cards being developed by the Post Office, says Cap Gemini's Mulholland.

Nevertheless, he believes smart cards are likely to be central to the future of internet security, centring around what is known as a Public Key Infrastructure (PKI). The idea is that shoppers will be issued with a digital signature, stored on a piece of hardware such as a smart card, which is paired with a central public key held in a high security environment. When the shopper wants to buy something online, they sign documents using their digital signature, which is then checked against the public key with all the online exchanges being carried out in highly encrypted files.
The system provides added security by keeping a record of the transaction times.

There are a number of companies vying to set up PKIs. One is Swiss-based Wisekey, which through an alliance with the International Telecommunications Union wants to create a global standard for public keys, based on its own facility which is in the Swiss Alps for maximum security.

But the main barrier to widespread use of this new system is that it requires a whole new, and very costly, infrastructure. Banks and retailers need new processing equipment and shoppers will need to install a smart card reader into their computer. The smart cards themselves, containing a microchip, are expensive to produce. While there are smart cards in circulation, their use remains limited. For example, eCharge's smart cards in the US can only be used with merchants who have signed up with eCharge and have its system in place.

"The question is, who is going to take the Visa route?" Mulholland says. "Somebody had to make an enormous investment to get credit cards going.

"This is the same feeling as waiting for the first credit card."

Mulholland says that in the end it is almost certain to be one of the big banks, or a consortium of them, that finally takes the plunge and foots the bill for online security, since it is in their interests to keep money circulating around the world. Until that happens, approaches to online security will continue to use a mish-mash of software and external systems and services.

The credit card companies are making moves to improve internet security, but their interim solutions are remarkably low tech. From April, online retailers will be required to ask for addresses as additional verification and for a three-digit number, which is shown on the back of the card, but is not included in the information on the magnetic strip.

"In the future, people will be giving their PIN down the line and this will be encrypted. But that is several years ahead," says Tyson-Davies.
Visa says that all of its 150 million cardholders should be able to apply for its Virtual Visa quasi smart card by as early as October this year. Transactions will be carried out via the Virtual Visa secure server, which customers access using a password. It will not be as secure as a pure smart card, but it gets round the need for new infrastructure. Banks, retailers and possibly cardholders will have to pay to sign up.

Meanwhile, most responsible e-tailers currently rely on trying to outwit the hackers by constantly updating their security systems. Tesco, one of the market leaders in online grocery retailing, says it always has the latest version of security software, always uses secure servers and keeps all of its sensitive information encrypted. Credit information is disposed of as soon as it has been used and where customers do want their card details kept on file for repeated use, the information is stored behind an electronic "firewall", well away from the Tesco website.

"Technology is a bottomless pit, as soon as something new comes out, the hackers will be seeking ways to get round it. What we aim to do with our security is always to have the latest version," says a Tesco spokesman.

There are a multitude of security systems in place and in development, but none provides an overall answer to the problem of internet security. The message for retailers must be: never relax, always stay one step in front of the hacker.