Javed Ikbal is in the IT security business. But it wasn’t until his credit card number was stolen in the Frankfurt, Germany, airport last summer that he realized how vigilant companies have to be about keeping online transactions safe.

Ikbal, who runs a Boston area IT security consulting firm, says whoever stole his credit card used it to buy $1,700 in merchandise online from Circuit City ^[1], the home electronics retailer. However, Circuit City flagged the transaction because the order didn’t include his phone number, came from a computer logged onto the Internet through a German IP address, and was supposed to be mailed to Illinois, even though Ikbal’s billing address is nowhere near there. Based on those warning signs Circuit City called Ikbal, who alerted the retailer it was a bogus order on a stolen card number.

Even though it involves a large business, Ikbal uses the example to show how stopping e-commerce fraud is feasible for even a very small online merchant or other company handling financial transactions online. Measures to stop e-commerce fraud are out there and many of them are cheap — or even free, such as checking the country of origin of an online order against the buyer’s credit card billing address, he says. That’s important because many small businesses can’t or won’t spend a lot on security, says Ikbal, a principal of zSquad ^[2], in Plainville, Mass., a firm that creates and audits corporate IT security plans. “They think they have a firewall or that their hosting service will provide security,” he says. “Even for companies that make $10 million a year or more, we find shocking lapses in security.”

Protecting the online store

According a December 2007 report on e-commerce fraud from The Aberdeen Group ^[3], a Boston technology researcher, companies that are most successful at reducing their risk of fraud and simultaneously make customers feel safe do the following to protect online transactions:

• Monitor and authenticate transactions in real- or near-real time
• Check that customers are who they say they are, either when they open an account or during a purchase transaction
• Use encryption, either SSL or EV SSL ^[4], a newer version of SSL that requires certification requests to go through a more rigorous identity check and authentication process before being approved
• Create and enforce security policies and educate customers about safe online behaviors
• Create marketing to explain how safe their website is for shopping, banking, etc.

Ikbal also suggests companies do the following:

Warn users to upgrade buggy Web browsers. Shoppers who use older Web browsers, such as Internet Explorer 4 or 5, put themselves and online merchants in danger of being hacked because of known security breaches in those programs, Ikbal says. Since Web servers automatically detect the browser someone uses to log on, a company can redirect anyone with an older browser to a special page on the website that notifies them they need to upgrade before they can continue, Ikbal says. “They could make viewing it a condition for establishing an account,” he says. “It costs nothing. You just have to program your website to respond according.”

Set strict credit card policies and stick to them. Require that the address a buyer inputs for an order matches the one the credit card processor has on file for that individual. Also require that anyone making a purchase enter three- or four-digit CCV security code found on the back of the credit card. When an order is placed, the merchant can send the data to the card processor to see if it’s a match. If it’s not “the order shouldn’t be denied, but the merchant should call the person and ask about it,” Ikbal says.

Check IP location of incoming orders. Companies that process orders in real time — if they’re selling software buyers pay for and download for example — can use an IP location service such as IP2Location ^[5] or Akimai ^[6] to instantly identify a visitor’s geographical location. The cost is usually 30 or 40 cents per transaction or less, Ikbal says. Online merchants who don’t process orders in real time can manually look up IP addresses. “If someone sells only in the US, they should be careful if they see a transaction coming from Eastern Europe or North Korea, which are hotbeds of fake credit card transactions,” Ikbal says.

SIDEBAR: Create a Security Policy

One of the cheapest things a small business can do is create a security policy and post it online, according to security experts. Security policies aren’t hard to come by. The Anti-Phishing Working Group ^[7], a five-year-old industry association, posts links to security policies at several large companies on its website including:

• eBay ^[8], whose consumer education section includes instructions for recognizing fake eBay websites and a spoof e-mail tutorial ^[9].
• Citibank ^[10], which maintains a series of pages explaining, among other things, how customers can avoid getting spoofed by hoax e-mail and steps to take if they do.
• US Bank ^[11], which maintains a section called “E-mail Fraud: Information and Help.”
• Companies can also point customers to the following Anti-Phishing Working Group documents: How to Avoid Phishing Scams ^[12] and What To Do If You’ve Given Out Your Personal Financial Information ^[13].