Online Credit Card Theft Reported

At least two online shoppers have reported having their credit card numbers stolen and used illegally, apparently as the result of a security gap at online shopping sites revealed in a Los Angeles Times story Thursday.

Meanwhile, dozens of shopping sites with the security flaw, which allows any Web surfer to view customers’ orders, phone numbers, addresses, credit card numbers and other personal information, are moving quickly to repair it, according to Joe Harris, the Seattle-area computer technician who first identified the problem.

Privacy advocates say the flaw, which results from the incorrect installation of “shopping cart” software used by online stores to collect customer orders, is representative of a broader security problem that could require new legislation to address.

“As our lives get transferred to cyberspace, the damage that can be done by faulty information practitioners becomes very large,” said Jason Catlett, president of Junkbusters of Green Brook, N.J., an online privacy group. “The typical standard of Web security today is appallingly bad,” said Catlett, who pointed out that even large car and toy companies have mistakenly put customer information such as e-mail addresses in files that were accessible to Web surfers.

Connie Christensen, a Waukesha, Wis., resident who used Cancun Internet Marketing’s Web site to book a tour in December, said her credit card was used to pay three separate $24.99 charges for pornographic Web sites before she canceled the card.

“I don’t know if I’ll ever use my credit card on the Web again,” said Christensen, who is convinced the thief got her card number through the Cancun site.

Joseph Pronack of Woodlands, Texas, who also used the Cancun site last fall to make tour arrangements, said he recently canceled his credit card after somebody used it to pay for $373 worth of prescription drugs in North Carolina. Pronack said he doesn’t know how his card number was stolen but that he is battling with the credit card company over the charge.

Saias Gelrud, the owner of the Cancun site, said he hadn’t heard about the security problems until contacted by The Times on Thursday.

“So what should I do?” Gelrud asked. He said his Web site was developed and managed by a company in Daytona Beach, Fla.

While consumers typically are liable for only up to $50 of unauthorized charges made on a stolen credit card, security experts said the problems represented by unsecured Web commerce sites are potentially far more serious.

“With the kind of personal information you gather from order forms, you could steal someone’s identity,” said Joe Poff, a partner at Shannon & Associates, a Seattle-area firm that audits Web sites to check for security problems. If people know the exact dates you are planning to be away on a cruise, he points out, your home could also be vulnerable to thieves.

Poff said the security problems have been exacerbated by easy-to-use software and cheap computers. “Almost anybody can set up a shop out of their apartment with a couple thousand dollars,” Poff said.