Consumer acceptance of on-line transactions received another setback last winter. Reportedly, a hacker suspected to be from Russia, was holding ransom some 300,000 credit card numbers that he hacked from an American on-line music store.
To prove that he really had the numbers, he disclosed some 25,000 of them ( Toronto Star, Jan. 11, 2000). A similar situation was reported in the Toronto Star on July 25, 1999. In that incident, a Canadian student came across unprotected credit card numbers and other personal information that was stored on a Colorado Web site.
The cause of security breaches is often a human failing – for example, a site being run without adequate security resources. Irrespective of how good security tools are, there will always be problems on some Web sites because a system administrator has overlooked a security feature or update. Perhaps low-tech security solutions can minimize the impact of the problem.
Credit card companies could develop a new product, a variation of the secured credit card that would have a $0.00 credit limit. (A secured credit card is one in which the cardholder has to provide a security deposit that is equal to a portion of the credit limit.) In other words, a purchase could only be made if the credit card has a credit balance to cover the value of the purchase. At all other times, the card number would be worthless.
The card would work like this. When the consumer decides to purchase an item at an e-tailer, he logs onto his Internet banking site and deposits the required funds to the credit card account and then visits the e-tailer the next day (to allow time for the payment to be processed) to make the purchase. When the funds are spent, no one, not even the cardholder, would be able to make another purchase.
If card security is compromised, the consumer could cancel the card without impact to their regular credit cards. (Actually, in the absence of such a card, it makes a lot of sense to have a separate credit card with a low to moderate credit limit for on-line shopping.) To address consumer concern about data warehousing and data profiling, credit grantors could develop anonymous cards that would provide the anonymity of cash. The bank would not need the cardholder’s identity since credit, in the context that we normally refer to it, is not being granted. An anonymous version would not be linked to a bank account and could be “recharged” by depositing cash at a bank machine in order to preserve anonymity.
I recently noticed a Canadian company that offers an anonymous prepaid internet purchasing system that would behave similar to the above. Although their Web site claims to offer anonymous transactions, there are at least two areas where anonymity could be compromized.
One is through your e-mail address and other information that you provide when you register for the card. Another way that anonymity could be compromized is when you load funds onto your card using your bank account. So, while I see this product as a move in the right direction, some concerns remain with respect to the stated anonymity.
Another variation the product might be a cyber money order. Issued by a bank, post office, or credit card company and complying with the electronic payments system, this number would be valid for the exact amount of the purchase and not be capable of being replenished.
Currently banks are prohibited from issuing anonymous credit cards. Perhaps it’s time to review the legislation in order to provide the anonymity of cash in our electronic transactions.
Boufford, I.S.P., is president of e-Privacy Management Systems Inc., a consulting firm specializing in privacy and IT in Lakefield, Ont. He is also a national board member of the Canadian Information Processing Society. He can be reached at boufford@cips.ca or www3.sympatico.ca/john.boufford.