FRAUD: The bad guys want your customers' credit card information. But there are things you can do to tighten security on your site.

It was an e-retailer's nightmare. When Bibliofind, an Amazon.com-owned online shop that hooks up buyers with used-book sellers, was hacked this past February, the proprietors thought only their homepage had been defaced. Then the company looked at its server logs. It found that a rogue had been accessing customer data files since the previous October, exposing the credit card numbers of 98,000 Bibliofind buyers.

While e-commerce sites publicly pooh-pooh the threat of credit card theft, it's a real and far-reaching problem. A recent report by the San Francisco-based Computer Security Institute found that 85 percent of e-commerce and government sites polled experienced a security breach in the past year. Thirteen percent reported that customers' credit card numbers were rendered accessible.

The reality is that "no system is 100 percent secure," says Chris Wysopal, director of research and development for online-security firm @stake. But you can minimize the threat of theft by taking a few precautions.

Hackers usually break into sites through holes in Web server software. Hundreds of these holes are discovered every year. To keep track of them, many sites use e-mail lists like Bugtraq. That's where, for example, you would have learned about the 32nd hole discovered in Microsoft's Windows 2000 Internet Information Server. Technically known as a "critical buffer overflow problem," the Windows design flaw could let a malicious hacker take control of an entire Web server.

Once hackers break into your Web server, they can satisfy themselves simply by fiddling with your homepage. To do real damage -- to steal credit card numbers, for instance -- they have to get beyond the Web server and into the box that houses your customer database. Assuming your IT department is on the ball, that means breaking through a firewall. There are a raft of hardware and software tools -- Check Point Firewall-1, Cisco Pi, PGP Gauntlet and Symantec Raptor are a few examples -- that protect your network by admitting only approved users and applications.

But there's a chink in this armor: Firewalls on e-commerce sites must be configured to admit data traffic from your Web server. If they weren't, none of the transactions from that server could get through to your site's back end. So if a hacker finds a hole that lets him control your Web server, he could also get through your firewall.

That's why your site should encrypt sensitive data. The simplest way is by configuring your Web server to use the secure sockets layer, or SSL. (If your IT people don't know how to do this, get some new IT people.) SSL encrypts incoming and outgoing data streams, hiding them from hackers who've penetrated your Web server or who are simply sniffing at data traffic from your ISP or Web hosting service.

You might also consider encrypting your customer database using specialized hardware or software. But that, says Ric Steinberger, technical director at Security Portal, a security news site, is "like putting an extra fence around Fort Knox." If your OS is patched, you've got a good firewall and you're using SSL, that should be enough to stop most hacks.

Unfortunately, few sites bother to implement all these precautions. That's why hackers are usually caught after the fact, when system operators have had a chance to notice unusual activity in network logs. Companies like Cisco, ISS and NFR all make intrusion detection software - priced anywhere from $2,000 to $25,000 - to alert you if anything odd happens.

If your customer data is compromised, you have little choice but to admit it as quickly as possible. That's what Bibliofind did. The company took the site down and sent e-mail to customers whose cards had been exposed. Sure, it was a public relations nightmare. But at that point, there's not much else you can do.

The Bank of the Philippine Islands (BPI), the nation's second largest bank, recently unveiled the country's first virtual credit card system called the BPI E-Credit targeted to security-conscious customers making frequent purchases on the Internet.

Josephine Ocampo, BPI's president for card banking division said that E-Credit is an extended virtual account for holders of BPI MasterCard. It would allow its customers to make Internet purchases without using physical cards.

The E-Credit system, which is exclusive to BPI MasterCard users, creates an account for card owners and would automatically grant a 50 percent credit limit for purchases made on the Web, based on customers' existing credit line. A separate account number and card verification code (CVC) for the E-Credit card would be issued to the holder of the physical MasterCard.

The account number and CVC of the E-Credit card then would be entered into the order field of a merchant Web site, instead of the information on the customer's physical MasterCard

An applicant for the E-Credit can choose to place any desired amount into the E-Credit account, which could range between 5,000 pesos ($94) to a maximum of 50,000 pesos ($936) at present. Ocampo said this particular option would help manage the buying behavior of cardholders. He said though the maximum amount would eventually be raised depending on the future needs of clients.

"The customer is given all the freedom and convenience needed for buying items online, but it could also discourage compulsive buying," she quipped.

The same self-restraining method also secures accounts of cardholders against credit card hackers since the use of the E-Credit card numbers are only exclusive to Internet purchases. "There is no way the numbers could be used for traditional purchases that are coursed through regular stores," Ocampo said.

Whenever a purchase has been made using E-Credit, the amount will be deducted from its physical MasterCard's online counterpart. The deduction would then be reflected on the MasterCard holder's monthly statement of account.

Nevertheless, customers could also check their accounts for both MasterCard and E-Credit through BPI Express Online (www.bpiexpressonline.com), BPI's Web site launched early this year to help customers check their savings accounts and keep track of their credit line in real time.

Ocampo added that the whole system would be fully operational by the end of the month, though applications can already be made through all of their branches or via the Web. Initially, BPI is aiming to convince around half of its 150,000 BPI MasterCard users to also get E-Credit card accounts by the end of the year.

"We also hope to get the same number for our Expressnet ATM users until the early part of next year," she said.

Ocampo predicted that Filipinos' use of the Internet for online purchasing would gradually increase within the next two years, despite the low usage of the Internet in the Philippines, which reportedly counts only about 2 million users.

"We're helping to promote the future of online purchasing by providing the service now," Ocampo said.

William Reyes, BPI MasterCard product manager added that the launching of E-Credit also coincides with the bank's upcoming promotions for the next four months, the first two months of which are often considered as early preparation for the Yuletide season.

In these tough economic times, many of us are looking for work. But don't let your quest for employment suck you into the innumerable "work at home" scams riddling the Internet. In particular, watch out for a new trick that targets PayPal users. We've had several reports lately that describe a similar scenario: An online ad seeks to hire people to use their own PayPal accounts to facilitate sales for customers who allegedly have no other way to transfer funds.

Here's a typical, but real, example reported to us in March. The victim answered a Monster.com job ad like the one in Figure 1, posted by a company called Insync Soft that claimed to be based in Prague, in the Czech Republic. Looking for people with experience using PayPal, the company promised to pay 10% and up on any transactions the person facilitated. (Monster.com has since removed the ad.)

In a follow up e-mail, Insync Soft representative William Lesoe claimed PayPal wasn't allowed in his country (it's not), so the company needed someone from the outside to act as a middleman to receive funds from customers buying software. But—and here's the catch—the job seeker (that is, the victim) had to set up and use his own PayPal account and to send Insync Soft payment and log-on information. And he had to use his own credit card and bank account to guarantee the PayPal account.

You can probably guess the rest of the story. The victim receives credit card payments from "customers" to the PayPal account, then sends the money out of the country by an untraceable Western Union cash transaction. As with the infamous Nigerian scams, the victim is supposed to keep a percentage of the money.

But there's no happy ending. Once the money has been withdrawn and sent, there are charge-backs from the credit card companies because the credit cards were stolen. PayPal returns the money to the credit card company and goes after the account holder for the money. The victim is left to cover the charge-backs out of his own pocket. The customers, of course, are bogus.

We spoke with a woman named Gloria in the account resolution department at PayPal to see what a victim can do. Not much, it turns out, because the victim agreed to be the primary company or person on the PayPal account. And PayPal doesn't allow its account holders to act as intermediaries for others.

Charge-backs usually occur when the credit card company contests a charge because of nonshipment, misrepresentation, or occasionally fraud. The credit card company asks PayPal for the money, who in turn asks the account owner. PayPal will go to the boards to defend its members against charge-backs, but only if there's a paper trail showing that products were shipped or services rendered. In this scam, since the victim is acting as a straw man and not actually shipping anything, PayPal won't fight the charge-backs. These are empty transactions, so the victim has no recourse.

Be wary of variations on this theme. We also received reports of companies called Ross Soft (owned by a Kevin Lesoe) and Eastern Exchange advertising on job boards. Both promised great rewards for PayPal work.