Sarah D. Scalet
Senior Editor

Digital (Shopping) Divide

Nov 30, 2005 | 5 mins
Data and Information Security, Fraud, Retail Industry

American retailers don't like to do business with customers whose IP addresses place them in parts of the world with a high incidence of fraud

Nov. 30, 2005 - It's that time of year when Americans are exercising their God-given right to shop. Vigorously exercising. And with newspapers abuzz about Cyber Monday, the first big workday after Thanksgiving and one of the busiest days of the year for online retailers, it seems like an appropriate time to introduce to you all a man named Danny Lim.

Lim lives in Singapore with his wife and a son who happens to have very wide feet. Wide shoes are hard to find in Singapore, so Lim's wife decided to shop for them on U.S. websites. There was just one problem: No one would sell her the shoes. American retailers don't like to take credit cards from other countries; they don't like to ship things overseas; and they especially don't like to do business with customers whose IP addresses place them in parts of the world with a high incidence of fraud, like Singapore.

"Whenever there's a problem, there's an opportunity," Lim says pragmatically. He founded a company called ComGateway, which aims to bring the contents of online shopping carts in the United States to customers in Asia. Some 3,000 Singaporeans have already signed up for the service, which gives them a mailing address in Portland, Ore., from which ComGateway forwards their packages.

The startup has taken two steps to address security concerns. One, the company partnered with both Mastercard and DBS, Singapore's largest bank, to integrate the address verification service (AVS) widely used by online retailers, which typically works only for U.S. credit cards. (AVS is the reason online retailers always want to know your billing address. If the billing address you provide doesn't match the one the credit card company has on file, the retailer may flag the transaction as a potential fraud.)

Second, when subscribers make a purchase online, they have to fill out a form on ComGateway's website stating what they've purchased, where and for how much. ComGateway's system then calls the customer's registered cell phone and asks for a PIN to confirm the transaction. Authentication wonks call this out-of-band verification.

Merchants don't have to sign up for the program. They just have to clear the purchase despite what may seem on the surface to be suspicious activity: a lot of purchases going to that address in Portland, for instance, and a customer IP address that doesn't match the shipping location.

If an order is rejected, usually the hardest part of the verification process for ComGateway is getting the correct person on the phone at the merchant's headquarters. "Most of the time you can only get customer service, and they're not trained or don't have the authority to address security issues," Lim says. But many retailers are clearing the shipments, and Lim claims a 100 percent fraud-free track record. The company has ambitious plans to roll out the service to other countries, starting with Hong Kong and two major cities in China sometime in the next year.

Now I'm not about to get all maudlin about anyone being denied his or her right to shop. But the fact that the Danny Lims of the world see a problem (and opportunity) in the way American businesses distinguish U.S.-based Web traffic from non-U.S.-based Web traffic speaks volumes about the direction the Internet could be headed.

With increasing frequency, I see studies pinpointing bad neighborhoods on the Internet, supposed hotbeds of hacking and fraud, viruses and spam. South Korea, Romania, Lithuania, Nigeria: they all get fingered. It's not racial profiling, exactly. Malicious Web traffic and fraud can be traced, at least to some degree, and numerically ranked. (Serious hackers, of course, will cover their tracks pretty well.) Businesses need to protect themselves from fraud, and retailers certainly have the right to choose not to ship to certain countries, or even to any countries except their own.

But it might not take long to get from here (no shoes to Singapore) to there (no Web traffic from Singapore). This is already happening to a small degree. Snoop around on the right message boards and you'll find some techies talking about blocking all incoming traffic from IP addresses in a country that makes the naughty list. I've heard about ISPs blocking all the traffic from certain small countries that were inundating the rest of the planet with phishing e-mails and other spam. It's common for retailers to block shipments to all countries outside of the United States and Canada, or to flag all orders shipped to certain countries for extra review. But some retailers are also blocking all shipments to specific countries. No exceptions.

Mikko Hypponen, chief research officer at the threat management company F-Secure in Helsinki, told me, "I spoke to one security officer who hadn't been shipping any orders at all to [country] for a year and a half because 99 percent of the purchases going to that country were done with stolen credit card numbers." (He asked me not to name the country. "I don't want to get quoted as saying [country] is bad," he explained. "There are lots of good people there, too.")

"It's a sad development because the Internet really is one of the few things we have that really, truly is global," continues Hypponen, who pays close attention to international cybercrime trends. "Developments like this could lead to the Internet becoming an isolated series of islands that are not connected to each other. If we don't play our cards right, that's exactly where we might end up because of the sheer practical problems of trying to [tackle crime] without any global legislation or authority."

The solution? I wish I knew. But it will start by thinking carefully about just how to use the lists of countries that have been naughty and nice. And in the process, we might just make the world a little safer for shoe shoppers like Lim everywhere.