"Have you ever heard of a guy named Boonchard?"
At first, Bruce Cassidy didn't know what the man on the phone was talking about. The call came out of the blue last month, from an online retailer Cassidy had never heard of.
What the voice said next was more unsettling: Did Cassidy really want to charge all those cordless phones and ship them to Mr. Boonchard in Thailand?
Cassidy, who works for the state of Kentucky in Frankfort, hadn't bought any phones and didn't know any Boonchards. So he called the credit union that issued his charge card. Sure enough, the bank turned up more than $3,500 worth of cordless phones, high-end stereos, and other electronic gadgets -- all charged to his account within the week and destined for overseas.
It was a hard way to learn one of the online world's dirty little secrets: The Internet is becoming the place for criminals to steal, swap and shop with stolen credit cards.
Hacked from unsecured computer systems, swiped by crooked waiters or plucked from the trash by Dumpster divers, pilfered account numbers are flowing across the Net every day, many of them traded at online bazaars where teen-agers swap them between homework assignments.
Cassidy's Visa account -- including his name, address, phone number, card number and expiration date -- had scrolled past the eyes of dozens of strangers in an underground, online chat room where card thieves gather. It was one of several stolen accounts The Sun observed while researching this article.
How his card got there, Cassidy doesn't know. "It all happened pretty fast," he says, a bit bewildered. "We were lucky: They caught it."
Unlike other cybercrimes, credit card fraud on the Internet rarely makes headlines. That's because few online merchants are willing to acknowledge that their computers are anything less than secure. Yet fraud experts say it's probably happening more than consumers realize -- or merchants let on.
26,000 numbers stolen
One glimpse came March 24, when U.S. and British law enforcement agents arrested two teens in a small Welsh village.
The teens -- who operated under the pseudonym "Curador" -- are accused of hacking into the computers of several online merchants and making off with more than 26,000 credit card numbers, including, they claim, the account number of Microsoft Chairman Bill Gates. The FBI says losses connected to the thefts could exceed $3 million.
Credit card companies and banks play down the significance of such cases.
Visa U.S.A., the nation's largest credit card association, argues that overall credit card fraud in the United States has dropped to an all-time low: Last year, Americans charged more than $721 billion to their credit card accounts but recorded $433 million in fraudulent charges -- about 6 cents for every $100.
Although the company doesn't break out online credit card fraud, "it's roughly equivalent with what we see in the physical world," says Visa spokesman Sean Healy.
Credit card companies also point out that cardholders are shielded. Under the Fair Credit Billing Act, consumers pay a maximum of $50 when a card is used fraudulently. Eager to dispel consumer fears over online shopping, Visa will waive the fee this month.
Despite this financial safety net, having a credit card stolen or account information pilfered isn't trivial.
The burden is on card owners to prove that bogus charges aren't theirs, a tedious and time-consuming process. If the issue is not resolved quickly, or if a criminal uses a stolen credit card to apply for others, a theft can devastate a customer's credit rating, says Dave Gilmore, executive vice president of the Internet Fraud Authority, a firm that helps online merchants beat credit card cheats.
And it's not just consumers who get hurt.
"What we've discovered is that it's really a problem for the merchants," says Audri Lanford, co-editor of the widely read Internet newsletter ScamBusters.
When credit card fraud occurs in a store, the bank that issued the card is typically liable for the transaction. But in so-called "card-not-present" transactions -- which include mail, telephone and Internet orders where no signature is required -- merchants are typically forced to cover loss.
'Merchant's going to eat it'
"If you claim fraud online, the merchant's going to eat it. Period," says Al Cameron, who heads a seven-member anti-fraud squad at Digital River, which manages the cyberstores for companies such as Sega, Symantec and Comp-USA.
Online travel service Expedia, for example, announced last month that it would set aside up to $6 million to cover the cost of tickets purchased with stolen cards during the previous quarter. Amazon.com recently took a Reno, Nev., man to court for allegedly charging more than $70,000 worth of merchandise to 63 fraudulent accounts.
"We block one out of 10 orders as attempted fraud," says Chris Keller of SalesGate.com, a small online merchant in Buffalo, N.Y. "I think it's a huge problem."
Some authorities believe online fraud rates are higher, especially at stores that sell hot items such as computer hardware, software and consumer electronics. Since online merchants typically operate on razor-thin profit margins, a significant number of fraud claims can ruin a mom-and-pop store.
"If you're a small business, you might go bankrupt," says Lanford. "It really has created severe financial problems for some people."
Where do the cards come from?
The Secret Service, which investigates credit card fraud, says the majority of stolen credit cards are ripped off in the physical world, usually through a scam called "skimming."
Using small electronic card readers known as "skimmers," corrupt sales clerks, gas station attendants or waiters surreptitiously swipe a customer's card as they ring up a sale. The devices, about the size of a clip-on pager, can store several hundred accounts and are widely available on the Internet, according to Greg Regan, who heads the Secret Service's financial crimes division.
A skimmer's digital file of stolen cards can be uploaded to a personal computer and dispatched across the globe as an e-mail attachment. "It's not unusual for us to see an account stolen in D.C. being used in Taiwan or Japan within 48 hours," Regan says.
But the Internet is starting to catch up as a source for credit card accounts, because an online merchant's computers can provide thieves with thousands of accounts in a single haul.
"I think hacking into databases is going to take the place of skimming in a short amount of time," Regan says.
In January, a Russian hacker broke into online music retailer CD Universe and stole 300,000 card numbers, posting thousands of accounts on a Web site when the retailer refused to pay a ransom. Last month, MSNBC television news channel outlined a larger theft: a cache of 485,000 stolen credit card numbers that thieves placed on a computer network at the National Aeronautic and Space Administration.
In both cases, authorities were able to reclaim the accounts before many fraudulent charges were made, but the thefts underscore the vulnerability of credit card information on the Internet.
Underground chat rooms
Accounts that aren't recovered often wind up in underground Internet chat rooms -- the online equivalent of a dark alley -- where thieves come to fence their accounts or trade intelligence on the best places to use them online.
These chat rooms aren't listed on any directory. Some of them are invitation-only, to keep out the prying eyes of law enforcement officers or unwanted strangers. Even if visitors were to stumble across one, it's unlikely they would understand the chatter scrolling down the screen:
"I'm trading virgin ccz. Msg me now."
"Looking for fresh amex's/visa's."
"Is Amazon.com cardable?"
Most of those who logged onto sites observed by The Sun were searching for "virgins" (freshly stolen accounts that hadn't been used fraudulently) or trying to trade card numbers they'd stolen for a "shell" (a high-level password to a computer system they can use as a base for hacking).
They debate the easiest online merchants to "card" (shop with a stolen credit card) and the best place to "drop" (deliver stolen merchandise).
Between the chatter, it's not uncommon to see a victim's credit card information scroll by. Those accounts are likely to be maxed out within hours of hitting the room, says Joel de la Garza of Securify Inc. in Palo Alto, Calif., who monitors underground credit card bazaars.
Danilo Mercado, a social worker in London, discovered his name and credit card number had appeared in one of these chat rooms after a call from a Sun reporter. It hadn't been a total surprise: An online store had awakened him at 1: 30 a.m. a few days before to ask whether he'd ordered 200 DVD movies shipped to Asia.
"It's mind-boggling," he says. "I'm pretty freaked out."
Many visitors to this online bazaar are small-time scammers, including teen-agers looking for a thrill or a chance to do some online shoplifting, de la Garza says. The clue: Sometimes conversations turn from stealing to schoolwork.
Law enforcement agencies are aware of these chat rooms but often ignore them. "Quite frankly, we don't have the manpower to keep an eye on something like that," says the Secret Service's Regan.
Companies fight back
In the wake of all this criminal activity, merchants and credit card companies are fighting back. Some are starting to snap up the hottest new offerings from casualty companies: hacker insurance. Others are turning to technology.
Busy online retailers such as Egghead.com have installed sophisticated fraud detection software to analyze orders and spot red flags, such as different shipping and billing addresses, strange e-mail addresses or unusual order patterns.
Credit card companies are developing technologies to make online transactions more secure, just as they've embedded holographic images, magnetic strips and hidden authentication codes into their plastic cards over the years.
Visa and MasterCard International are promoting a jointly developed technology called Secure Electronic Transaction (SET). American Express has launched a new Blue card, which comes with an embedded chip and $25 card reader that can be attached to a home PC.
Both initiatives make it possible for consumers and merchants to know whom they're dealing with online. But analysts say the technologies have been slow to catch on, especially among merchants who would need expensive equipment to make the systems work.
Databases need protection
Fraud experts say the best way to deal with the problem may be not technology but education.
Contrary to conventional wisdom, credit card information is most vulnerable after it has been handed over to an online store -- not during transmission. No cases of credit card numbers being "sniffed" by network hackers en route to a store have been documented. Once the account numbers are in a merchant's hands, the danger begins. Authorities say many retailers aren't doing enough to protect their databases.
Online retailer SalesGate.com learned that lesson the hard way when it lost thousands of credit card numbers allegedly to the teen-age suspects in Wales. The youths told authorities they had exploited holes in the Microsoft SQL Server software used by many online merchants. Although Microsoft has had software fixes available for months, many customers haven't installed them.
This month, Visa will launch a program to teach new online retailers how to secure their ordering systems and set up anti-hacker measures.
Says Visa's Healy: "It's exactly analogous to what we faced with establishment of mail order and telephone ordering back in the 1980s."