ALARMED: Digital (Shopping) Divide

It's that time of year when Americans are exercising their God-given right to shop. Vigorously exercising. And with newspapers abuzz about "Cyber Monday" - the first big workday after Thanksgiving and one of the busiest days of the year for online retailers - it seems like an appropriate time to introduce to you all a man named Danny Lim.

Lim lives in Singapore with his wife and a son who happens to have very wide feet. Wide shoes are hard to find in Singapore, so Lim's wife decided to shop for them on US Web sites. There was just one problem: No one would sell her the shoes. American retailers don't like to take credit cards from other countries; they don't like to ship things overseas; and they especially don't like to do business with customers whose IP addresses place them in parts of the world with a high incidence of fraud - like Singapore.

"Whenever there's a problem, there's an opportunity," Lim says pragmatically. He founded a company called ComGateway, which aims to bring the contents of online shopping carts in the United States to customers in Asia. Some 3000 Singaporeans have already signed up for the service, which gives them a mailing address in Portland, Oregon, from which ComGateway forwards their packages.

The startup has taken two steps to address security concerns. First, the company partnered with both Mastercard and DBS, Singapore's largest bank, to integrate the address verification service (AVS) widely used by online retailers, which typically works only for US credit cards. (AVS is the reason online retailers always want to know your billing address. If the billing address you provide doesn't match the one the credit card company has on file, the retailer may flag the transaction as potential fraud.)

Second, when subscribers make a purchase online, they have to fill out a form on ComGateway's Web site stating what they've purchased, where and for how much. ComGateway's system then calls the customer's registered cell phone and asks for a PIN to confirm the transaction. Authentication wonks call this "out-of-band verification."

Merchants don't have to sign up for the program. They just have to clear the purchase despite what may seem on the surface to be suspicious activity - a lot of purchases going to that address in Portland, for instance, and a customer IP address that doesn't match the shipping location.

If an order is rejected, usually the hardest part of the verification process for ComGateway is getting the correct person on the phone at the merchant's headquarters. "Most of the time you can only get customer service, and they're not trained or don't have the authority to address security issues," Lim says. But many retailers are clearing the shipments, and Lim claims a 100 percent fraud-free track record. The company has ambitious plans to roll out the service to other countries, starting with Hong Kong and two major cities in China sometime in the next year.

Now I'm not about to get all maudlin about anyone being denied his or her right to shop. But the fact that the Danny Lims of the world see a problem (and opportunity) in the way American businesses distinguish US-based Web traffic from non-US-based Web traffic speaks volumes about the direction the Internet could be headed.

With increasing frequency, I see studies pinpointing "bad" neighbourhoods on the Internet, supposed hotbeds of hacking and fraud, viruses and spam. South Korea, Romania, Lithuania, Nigeria - they all get fingered. It's not racial profiling, exactly. Malicious Web traffic and fraud can be traced, at least to some degree, and numerically ranked. (Serious hackers, of course, will cover their tracks pretty well.) Businesses need to protect themselves from fraud, and retailers certainly have the right to choose not to ship to certain countries - or even to any countries except their own.

But it might not take long to get from here (no shoes to Singapore) to there (no Web traffic from Singapore). This is already happening to a small degree. Snoop around on the right message boards and you'll find some techies talking about blocking all incoming traffic from IP addresses in a country that makes the naughty list. I've heard about ISPs blocking all the traffic from certain small countries that were inundating the rest of the planet with phishing e-mails and other spam. It's common for retailers to block shipments to all countries outside of the United States and Canada, or to flag all orders shipped to certain countries for extra review. But some retailers are also blocking all shipments to specific countries. No exceptions.

Mikko Hypponen, chief research officer at the threat management company F-Secure in Helsinki, told me, "I spoke to one security officer who hadn't been shipping any orders at all to [country] for a year and a half because 99 percent of the purchases going to that country were done with stolen credit card numbers." (He asked me not to name the country. "I don't want to get quoted as saying [country] is bad," he explained. "There are lots of good people there, too.")

"It's a sad development because the Internet really is one of the few things we have that really, truly is global," continues Hypponen, who pays close attention to international cybercrime trends. "Developments like this could lead to the Internet becoming an isolated series of islands that are not connected to each other. If we don't play our cards right, that's exactly where we might end up because of the sheer practical problems of trying to [tackle crime] without any global legislation or authority."

The solution? I wish I knew. But it will start by thinking carefully about just how to use the lists of countries that have been naughty and nice. And in the process, we might just make the world a little safer for shoe shoppers like Lim everywhere.

Stories by Sarah D. Scalet
