Hot on the Web
Lost in Cyberspace
Online San Diego
Feature Articles
Book Reviews and Reading Diary
Music Reviews
Favorite quotates
Contact Me

Hot on the Web

Adding security online

This column originally ran in ComputorEdge on September 29, 2006
(Issue 2439, Why Fi?)

At first, I thought it was a phishing expedition – an e-mail to trick me out of my login information so my credit card account could be stolen.

But the subject matter was curious for a phishing attempt: CitiCards was offering virtual account numbers for more secure online shopping.

Still, the fact that I was being steered to a server other than made me hesitant.

So I balanced my curiosity with my prudence and went to, my regular portal for logging into my account, logged in as normal, and found the virtual account number offer.

Clicking on it took me to the other server – – but having gotten there from what I knew to be a secure, trustworth site, I was far more comfortable.

How it works

Virtual account numbers aren't a new idea – rather than virtual, think of it is as a temporary credit card number.

As set up by Citi, each number can only be used at a single online merchant, and will expire at the end of the next month. (So at most it will be good for eight weeks.)

This means that even if the merchant is somewhat shady, or if their database gets hacked, the credit card number can't be used elsewhere.

So while a dishonest merchant could double- or triple-dip, running your one legitimate purchase through Citi multiple times while only shipping you the one product, or even billing Citi once but for two or three times the actual purchase price, a dishonest employee couldn't swipe your number and then use it on another site.

And none of this affects your actual, physical credit card with your permanent account number.

Is it necessary?

Given that legally you are not liable for fraudulent purchases made on your account anyway, are the virtual account numbers necessary?

Well, proving that unauthorized charges to your account were really unauthorized can be a pain.

But having said that, in 25 years of having credit and debit cards of various forms, I've only had one fraudulent charge – and that was a gas station some years ago that tried to double bill for one purchase.

If you're sticking to established, recognized merchants online –, PayPal, Sears, Barnes & Noble – you're probably safe.

But if you've found something online you can't find elsewhere, and you're not familiar with that merchant, you might consider the virtual account number just for peace of mind.

Especially as, at least from Citi, it's a free service.

Google Checkout

The first real competition to eBay's PayPal service has appeared on the horizon: Google Checkout.

With Microsoft having dropped development of and now even support for its supposedly universal "online wallet" of Passport, PayPal has pretty much had the online shopping portal market to itself. Other than setting up your own merchant account through a credit card company or a bank, PayPal has been the only widely available and trusted by the public option.

Google Checkout should provide some competition, though.

While there are undoubtedly small companies out there offering PayPal alternatives, the public remains a bit hinky about making online purchases with their credit card numbers. They/we want to know that a business is reputable before trusting them with our credit card number.

Simply through years of safe, secure transactions, PayPal has built up a level of trust that has allowed it to become the de facto standard.

But I'd wager a pretty penny that even more people are familiar with the Google brand than the PayPal brand.

And so if Google is wading into the arena of online transactions, they're going to get serious consideration from the marketplace.

Google Checkout is a service that merchants sign up for. It's designed to work in conjunction with Google AdWords – so that if you're buying advertising through Google, when folks find your site via clicking on a Google ad, you get free credit toward Google Checkout purchases. If you're not enrolled in Google AdWords, then you're billed at a percentage – just like credit card companies (and PayPal) do.


Google Checkout has one glaring drawback, though: Google dictates what you can and can't sell with its service. No alcohol. No "adult" materials.

Most disturbingly, nothing deemed to "Promote intolerance or hatred" can be sold.

That's awfully broad – and who gets to decide? Does this mean churches that are opposed to homsexuality can't use Google Checkout to sell their pamphlets defending their beliefs? What about political groups?

Truth is, we live in a time when nearly everyone screams that any criticism of them or their beliefs is "offensive" – why Google wants to wade into this minefield is a bit beyond me. Seems maybe Google ought to just stick to banning its subscribers from selling illegal items and leave it at that.

Still, monopolies are rarely good – so having Google Merchant as an alternative to PayPal is a good thing. Google Merchant seems easy to sign up for and use on your site; tracking orders and payments seems to be well-organized.

Should be interesting to see how big an impact Google Merchant has on the online economy.