<http://www.nytimes.com/2004/05/16/business/yourmoney/16cred.html?th=&pagewanted=print&position=> The New York Times May 16, 2004 SPENDING Card Seem at Risk? Try a Stunt Double By JENNIFER BAYOT FTER days of searching the Internet, Gen Tanabe of Palo Alto, Calif., found the rare 19th-century memoir he wanted to buy for his father for Christmas last year. But he had no intention of giving the Web site his credit card number. "The site looked like it might have been run by a teenager in a back room," said Mr. Tanabe, who writes books about college planning and financial aid. "I didn't know how secure it was, or what they would do" with the number. Online vendors typically encrypt credit card numbers at their Web sites, but the numbers must be decoded later to receive payment. And they are often stored in databases that may be vulnerable to hackers or dishonest employees long after the purchase. What if there was a way to fool those who would try to fool us, so that purchases could be made online without any danger of card numbers falling into the wrong hands? A few companies are trying such a plan: think of it as the stunt-double approach to online shopping. Anyone with a credit card from Citibank, MBNA or Discover can request a temporary account number for use when buying online, by telephone or mail order. The temporary numbers are linked to customers' real accounts, but they generally expire after one use, unless the cardholder requests otherwise - for example, by placing a spending limit on the number. Cardholders can get these numbers in one of two ways, depending on their issuer. They can download software that generates such numbers upon request or upon detecting that a cardholder is at the checkout page of an online retailer. Or, in the case of Citibank, which is owned by Citigroup, they can also register online, then revisit the company's site each time they want a new number. To avoid giving his real card number to that small online bookstore, Mr. Tanabe, 32, used a temporary number to buy the present for his father. "I probably wouldn't have bought it otherwise," he said. The temporary numbers can also prevent retailers from renewing purchases like magazine subscriptions or gym memberships without issuing reminders. Many customers forget that vendors may automatically charge their customers' credit cards for such recurring fees. Fraud remains a big concern for many online shoppers. In a survey of 12,000 consumers at the end of 2003, Forrester Research, based in Cambridge, Mass., found that about two-thirds were "very or extremely concerned" about the theft of their credit card numbers during online activity. Chris Hoofnagle, a lawyer for the Electronic Privacy Information Center in Washington, says such temporary numbers ease those worries. Mr. Hoofnagle says he has used them himself, to prevent online retailers from keeping his card number in their files. "If the company stores your credit card number, that database just becomes a honey pot" for hackers, he said. The temporary numbers, he said, also make him more comfortable buying from newer or unfamiliar vendors. The free service has been available for more than a year, but few people seem to know about it. "I think if you interview 100 consumers, you'll find 100 consumers who've never heard of it," said John Gould, director of consumer lending and bank cards for the TowerGroup, a research company based in Needham, Mass., that was acquired recently by MasterCard. Industry analysts say consumers tend to rely on other protections - including the card companies' promise not to charge them for fraudulent transactions. Last month, in fact, American Express stopped offering its temporary-numbers program, called Private Payments, saying that other safety features already offered plenty of fraud protection. Some consumers may think that their credit card accounts are safe because retailers encrypt their card data at the time of purchase. Though the numbers may then be safe in transit, retailers must still decode the numbers to collect payment. Mr. Gould says it is impossible to ensure that all retailers take the next step: encrypting the numbers again, according to rules set by the card networks. "This is too big a territory to patrol; in the U.S. alone, you've got over 400,000 merchants online," he said. "You've always got the issue of the merchant who is careless. But the real problem is, you've got the merchant who's a fraudster, whose intent is to steal your information." ANALYSTS also suggest that the card issuers have done little to promote the feature because customers pay nothing for it. But the companies say that the numbers are still relatively new and need time to catch on, especially because their use requires some effort. "And since it's not being offered by every issuer, you just don't have the repetition or frequency to get people talking about it," said Steve Furman, director of marketing e-commerce at Discover Card. Although many consumers say they worry about fraud risks, some may not want to bother with temporary account numbers. "Consumers will tell you one thing and do another," said James F. McCarthy, senior vice president for emerging products at Visa. "There is only so much they will do to protect themselves." Citibank refers to its temporary numbers as virtual account numbers; information is available at www.citibank.com/us/cards/tour/ cb/shp_van.htm. Discover, meanwhile, calls them single-use numbers and offers them on its Deskshop page (www2.discovercard.com /deskshop). MBNA customers can create the numbers through the company's online ShopSafe program (www.mbnashopsafe.com). The companies have tried to make the numbers easier to use. A cardholder can now charge monthly phone bills and other recurring payments to the same disposable number, rather than entering a new one each time. Similarly, a cardholder can register a number with a favorite merchant for continued use only with that merchant. "You'll never need to reveal your actual credit card number again," said Amy Radin, executive vice president for the e-business unit of Citi Cards, a division of Citigroup. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'