Paying through the Net

Virtual credit good at Net sites everywhere

Published: Jan. 29, 1996

BY SIMSON L. GARFINKEL
Special to the Mercury News

ONLY A FOOL would build a shopping center that couldn't take cash.

Yet that's the state of affairs for many businesses trying to sell goods on the Internet. Cyberspace lacks a standard form of digital money -- some kind of fast, easy and secure way to let consumers buy things they see on the global communications network.

Merchants will have to deal with a variety of ad hoc systems being deployed until a coin of the realm is developed for cyberspace.

Many merchants are accepting credit card numbers as a payment system. The success of Netscape Communications, for example, has been linked, in part, to the company's browser, which uses cryptography to give consumers a secure way for sending credit-card numbers over the World Wide Web. (Cryptography scrambles messages using mathematical formulas that can then be ''decoded'' by the intended recipient.)

But a rash of high-profile security incidents over the past year has caused some people to lose faith in Netscape's encryption -- at least for now. And some companies aren't using the cryptographic software because it simply takes too long to set up.

One company that has been trying to find a middle ground between the success of credit cards and the convenience of cash is First Virtual Holdings, which has designed a credit card for cyberspace.

Called the VirtualPIN, First Virtual's system is presented as a simple and secure way to use credit cards over the Internet, without the need for encryption or special software. First Virtual bases its security on the difficulty of intercepting electronic mail and the fact that credit-card transactions can be reversed, or charged-back, up to 90 days after a purchase.

Based on existing system

''Our attitude was not to try to create a new currency, but to try to take the existing banking world, the existing credit world, and give it access to the Internet,'' said Lee Stein, First Virtual's president and chairman.

Today, a little more than a year since its launch, First Virtual is one of the most widely used payment systems on the Internet.

Although First Virtual is planning to allow its products to be used to buy physical goods, VirtualPIN currently is supposed to be used only for soft goods, like programs and pictures. Miracle Boost Jeans is an exception because it will ship a pair of jeans to people who wish to pay with their First Virtual account.

The company claims more than 84,000 consumers, with more than 4,000 signing up each week. More than 1,100 merchants accept the VirtualPIN. And First Virtual says that it is moving more than $60,000 each day.

First Virtual is certainly in wide use. The San Diego-based company's Web site lists merchants that accept the VirtualPIN for books, software, newsletters, and photographs, all delivered electronically. When Apple Computer Inc. released QuickTime for Windows, it allowed people to pay for the program using First Virtual. National Public Radio plans to sell transcripts of its radio shows using the system. And Phil Zimmermann, author of the cryptography program Pretty Good Privacy, used First Virtual to allow people to contribute money to his legal defense fund.

International users

Because it is based entirely on electronic mail, First Virtual is open to millions of people who do not have access to the World Wide Web but still can send e-mail, Stein said. Furthermore, the system is international: First Virtual's first customer signed up from Dublin, Ireland. Other customers came from Mountain View; Helsinki, Finland; Cambridge, Mass.; and Dallas.

For merchants and consumers, First Virtual's costs are low -- in some cases, dramatically lower than traditional credit cards. First Virtual charges consumers a one-time fee of $2 to set up their account. Sellers get charged $10 to set up their account, plus a transaction fee of 29 cents plus 2 percent of the transaction price. For comparison, banks can charge merchants as much as $1,000 to set up a merchant account, and transaction premiums from 2 percent to 5 percent.

A bigger difference between First Virtual and banks is that First Virtual does not require a background check on its merchants before they can receive money. That's because First Virtual does not give merchants their money until 90 days after the transaction is made -- the legal time limit for reversing credit card charges.

''(We) didn't want to draw a line between those who were credit-scored and those who were not,'' Stein said. ''At this point in history, most of the people who were in the Internet would not be able to walk into a bank and get a merchant account to sell things.''

The $10 store

But anybody with $10 and a credit card can get a First Virtual merchant account.

''I created a store on the First Virtual InfoHaus in order to find out whether Internet users of First Virtual might purchase relatively low-cost information at low prices,'' said James W. O'Toole Jr., a First Virtual user who signed up last year as a merchant and customer. ''I scanned some photographs of a few of my paintings and put the files on sale at the InfoHaus for cheap. People do purchase them, more than I expected, really.''

O'Toole said he receives detailed statements that include the virtual ''name'' of each person who has purchased one of his paintings, the date, and the amount of the transaction. The money is deposited automatically into his checking account. He's made less than $100. And he's not worried about people downloading his paintings and then refusing to pay for them.

''It doesn't really cost me anything to deliver a scanned image of one of my paintings, so I don't care much if a customer retrieves a scanned image and then refuses to pay for it,'' he said. ''That is exactly the kind of situation that First Virtual's security was intended for.''

No credit card numbers

First Virtual's main protection against fraud is the fact that credit card numbers are never put on the Internet, Stein said. The only information that ever travels over the network is the user's VirtualPIN.

''We may be subject to a one-off attack,'' Stein said. In such an attack, a person would have to eavesdrop on a consumer's electronic mail to intercept his or her VirtualPIN. But since the VirtualPIN can be used only with the First Virtual system, the attacker would also have to be able to intercept the user's electronic mail, read the confirmation message from First Virtual's computers, and send out a fraudulent reply. A single user can be targeted, Stein said, but ''it is very difficult. ... There are too many packets moving ... to too many different machines.''

Furthermore, Stein said, if somebody's account is compromised, the worst thing that happens is that the consumer notices the fraudulent transaction on his or her credit card bill and declines the charge.

''Put it this way: Our charge-back ratio, (which is) usually tied to fraud, is 0.02 percent for the year,'' said Stein, who adds that his VirtualPIN is ''Much-Virtual,'' and that people are invited to try to hack it. ''You really can't do any damage with it.''

Not everyone convinced

People who study computer security tend to be less sanguine about First Virtual's system. Recently, a spokesman from First Virtual was heckled by attendees at a conference on cryptography when he announced that First Virtual didn't use mathematical algorithms to secure its data, but instead depended on electronic mail being delivered to and responded to by the appropriate person.

''The bottom line is that we could steal money from people given this security system,'' said Eric Brewer, a professor at the University of California, Berkeley who is familiar with First Virtual. Brewer said that merchants could intercept the authorization electronic mail destined for the consumer and send back their own responses to First Virtual's computers. There are limits to such an attack, however: ''If there were repeated disputes between users and a particular merchant, First Virtual would presumably remove that merchant,'' he said.

Another potential attack is that a rogue merchant could collect VirtualPINs and then submit very small charges for ''reasonable sounding expenses like a transaction fee,'' Brewer said. ''First Virtual would catch this eventually, but few users would complain, so it would take awhile.''

Of course, both of these attacks would constitute wire fraud, and First Virtual could press charges against a merchant if such a scheme were hatched. But it turns out that the fraud that First Virtual has detected has been remarkably low-tech.

''Somebody at a college campus lost his wallet, and he had his First Virtual PIN in his wallet, and somebody [else] used it,'' Stein said. The thief didn't get very far: When the person who owned the wallet got the First Virtual authorization notice, he sent back the word ''Fraud.''

''We were able to track down the guy who used it,'' Stein said.

As for First Virtual's customers, most are apparently unconcerned with the risks.

''Their electronic mail protocol is a pretty low-tech solution to doing Internet commerce, but it has the advantage that it's pretty easy to understand exactly what the likely risks are -- unlike some crypto-gizmo protocols,'' said Alan Bawden, a computer researcher in Cambridge who is also a First Virtual customer. ''There are risks, the biggest probably being that you have to trust them (First Virtual) with your credit card number. I probably take a bigger risk when I hand my credit card to the teen-age clerk at the local hardware store.''

''I was never worried about the security,'' said Wesley Hildebrandt, another First Virtual user. ''From my point of view, I feel that if anything did happen, the credit card company would end up having to pay for nearly all of it, so I think they should be much more worried than individuals.''

Sticking with simplicity

First Virtual may adopt digital signatures, a cryptographic technique that can be used to verify mathematically the authenticity of a message. First Virtual plans to use digital signatures to allow merchants to verify the messages that they receive from First Virtual, so that they can know for sure that the mail hasn't been spoofed. But Stein said he is committed to not replacing First Virtual's relatively low-security VirtualPIN with a complicated system that requires consumers to use encryption.
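The VirtualPIN flow described in this article, as an added illustration that is not First Virtual's own code: a charge waits for the consumer's e-mailed ''yes,'' ''no'' or ''fraud,'' the merchant is paid only after the 90-day chargeback window, and the planned signed merchant notice lets a merchant reject mail that merely claims to come from First Virtual. The Ed25519 signature scheme, the notice text and the merchant name are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const holdDays = 90 // chargeback window; merchants are paid only after it elapses

// Charge models one VirtualPIN transaction awaiting the consumer's e-mailed reply.
type Charge struct {
	Merchant string
	Amount   float64
	Day      int    // day the merchant submitted the charge
	Status   string // pending, authorized, declined, fraud, settled
}

// Reply applies the consumer's answer; anything but yes/no/fraud on a pending charge is ignored.
func (c *Charge) Reply(answer string) bool {
	next := map[string]string{"yes": "authorized", "no": "declined", "fraud": "fraud"}[answer]
	if c.Status != "pending" || next == "" {
		return false
	}
	c.Status = next
	return true
}

// Settle pays the merchant only for an authorized charge whose 90-day hold has elapsed.
func (c *Charge) Settle(today int) bool {
	if c.Status != "authorized" || today < c.Day+holdDays {
		return false
	}
	c.Status = "settled"
	return true
}

// SignNotice/VerifyNotice model the planned signed merchant notices; Ed25519 is an assumption.
func SignNotice(priv ed25519.PrivateKey, notice string) []byte {
	return ed25519.Sign(priv, []byte(notice))
}
func VerifyNotice(pub ed25519.PublicKey, notice string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(notice), sig) // a spoofed or altered notice fails here
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Charge{Merchant: "demo-merchant", Amount: 2.00, Day: 1, Status: "pending"} // constructed sample
	fmt.Println(c.Reply("yes"), c.Settle(30), c.Settle(91)) // true false true
	n := fmt.Sprintf("settled %s %.2f", c.Merchant, c.Amount)
	fmt.Println(VerifyNotice(pub, n, SignNotice(priv, n)), VerifyNotice(pub, n+"!", SignNotice(priv, n))) // true false
}
```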

''There has been so much noise out there about this coming software encryption stuff,'' said Stein disdainfully. But the truth is that many users can't even figure out how to use Web browsers, let alone turn on sophisticated features like encryption, he said.

''What do you do when you are running your company and an AOL customer sends human mail, 'I went into your home page, and I found it very confusing and I couldn't figure out how to get out, so I reboot my computer'? '' he said. ''The kind of people who are out there now poking around the Web are new. Some of the questions that are coming are rather remarkable.''



©1996 Mercury Center. The information you receive on-line from Mercury Center is protected by the copyright laws of the United States. The copyright laws prohibit any copying, redistributing, retransmitting, or repurposing of any copyright-protected material.