I participated in an Irish Internet Association debate this evening as part of the team that was cautioning against the use of credit cards online.
The debate was light-hearted and just a bit of fun. I probably wouldn't have chosen this argument but, when I researched it and thought about it, there are some pretty good reasons against using credit cards on the internet. What follows is, in essence, my speech:
First of all, I must confess that I have often used my credit card online. The first time I used it -- to buy a book from Amazon, about ten years ago -- I was worried about security. But, the transaction went smoothly, there were no negative repercussions, and so I continued to use my credit card online for several years after that ... up until last year.
Last year, I attended a seminar in London on internet security, hosted by representatives of each of the major online security companies - Symantec, Kaspersky and others.
They experts explained that we are currently experience a "Cambrian Explosion" period in computer viruses, specifically in spyware and keystroke logging viruses -- or "keyloggers". These are designed to stay hidden on your computer and record any personal information you type into websites -- such as credit card, banking or name and address details.
Modern viruses take advantage of your always-on broadband connection by downloading updates that ensure they stay one step ahead of anti-virus programmes, and by secretly "phoning home", passing your personal information onto their makers.
So who are their makers? We tend to think of hackers as spotty teenager nerds, working out of their bedrooms, creating viruses just for kicks. That stereotype may have been accurate ten years ago, but not anymore.
A lot has changed since I first made my Amazon purchase online. The internet has gone from a few million users back then to over a billion users today. Inevitably this growth has attracted organised crime. Today, spware is funded by crime rings in developing countries, or former Eastern Bloc countries, who are counting on your false sense of security, relying on you to sit in front of your PC thinking, "I've done this a hundred times in the past -- it's bound to be secure."
But it's not only viruses that put you at risk. Many of my clients offer online shopping and credit card processing. Analysing their e-commerce solutions, we usually find that they have little understanding of security or best practices. And why should they? After all, they are small businesses with many other concerns.
Their online booking processes had many glaring holes that were putting both the businesses and their customers at risk. For example, one client was passing credit card details through the URLs of his website, which effectively allows them to be seen by other users. Others were taking the addresses securely, but then storing them in online databases that weren't secure.
When I discovered this I decided to try something out: I entered my own credit card details into Google. No results. Phew. Then I entered the first 12 digits, leaving out the last four. This time I found some credit card details, along with the name and address of a man in Dublin. In fact, I found hundreds of other names, address and credit card details. I was looking at a hotel booking database that was so insecure you could find it through Google. The hotel owner was putting all his customers at risk.
I found that many others were taking credit card details online but processing them manually with hand-held machines -- sometimes they were emailing them to another person for processing. Sending credit card details via email is not secure. When you send an email to someone it passes through a lot of other computers on its way to its destination, more or less randomly - that's how the internet works. Cyber-criminals monitor the traffic that passes through certain servers, looking in particular for credit card details.
So, my advice is to avoid sending your credit card details via the internet, because you don't know who is lurking behind the ones and zeros, waiting to steal your money or, worse, waiting to steal your identity!
p.s. Our team won the debate!