The commercializaton of the web has failed.
January 2, 2001 1:07 PM   Subscribe

The commercializaton of the web has failed. Oh, dear. What a catastrophe. Heh-heh-heh...
posted by Steven Den Beste (32 comments total)
Love the weary, dry tone. The only holiday online shopping I did this year was to glom onto Amazon's no-shipping-charge-for-over-$100, which was easy to spend on books and CDs. Otherwise, duh, yes, I want to touch what I'm buying--how did this escape such cover-your-eyes ventures like eBags (still my hands-down favorite for stupid concept/horrendous name synergy)? Coming soon: iBalls, your online Ben-Wa source.
posted by Skot at 1:31 PM on January 2, 2001

Aww.. that's a shame. I think I only bought a dvd for a friend through amazon, and that was it. I really don't know what to buy through the net, because you have to think of something, and then type it in, and hope to find something. People do most of their shopping in malls, most of the time they don't actually go in for a specific thing, they browse, they go through, they find stuff, the place it in the cart, they find something else, they buy that and by the time they reach the register, they have 20 items in. On the net you don't have that.
posted by tiaka at 1:43 PM on January 2, 2001

Some things you want to touch before buying them, sure. I'd usually much rather go into an Eddie Bauer store than shop at But for electronics, books, music, software, hardware -- I buy almost all of that online. It's less expensive and more convenient.
posted by kindall at 1:58 PM on January 2, 2001

For having failed there sure are a lot of commercial pages on the internet. I hate doing a search for some sort of information and coming across 200 sites trying to sell me something.
posted by bytecode at 2:16 PM on January 2, 2001

shopping online is a lot of risk. You gotta find sites, trust the merchants will deliver, trust what you get is what you wanted, that your CC wont be stolen. IMO its more fun if you approach it like fishing .. occasionally youll find a "hot spot" with good clothes/food/etc.. I dont mean Amazon but the little independent type place. Build up a library of these hot-spots and eventually you have a lot more power to customize your shopping then the typical store shopper.

Whats needed is a source of reviews for online shopping experiences. Like I found this online place in SanFran that sells Nordic food.. home made stuff.. cheap.. ships quick.. would never find somthing like that anywhere else. And the kosher dried fish place in Boston.. cheap.. really wild food stuff.. good. Just gotta look around and break out of the McDonalds mold of chain-store shopping.

posted by stbalbach at 3:03 PM on January 2, 2001

Related story: Nasdaq closed down 7.2% today.
posted by waxpancake at 4:04 PM on January 2, 2001

Well, I certainly would buy stuff online. If I had a credit card and some money.
Am I the only person that thinks it's a bit of a strech calling Amazon an internet company. It really only uses the net as a distended catalogue.
posted by davidgentle at 4:09 PM on January 2, 2001

I think this is a bit of a register troll. Not entirely untrue but "Internet shopping a failure" after one report.

The results we report here about the number of people who purchased gifts online during the holiday season are based on the responses of those who answered questions in the survey’s final week: This represents the 521 Internet users who were interviewed from December 14 through December 21

Hmmm, 521 American Adult Internet users who bought online Dec 14th through 21.

Dec 21st of course cutting it fine for delivery 8)
posted by fullerine at 4:26 PM on January 2, 2001

I've actually spent quite a lot of money online, buying things like SDRAM from Crucial. But there's no risk in that because Crucial is the sales arm of Micron, and Micron RAM is about the best you can get. I wanted quality and was willing to pay to get it. (And I got exactly what I expected to get, both times.)

But I would never buy a monitor over the web because I want to see how images look on its screen first. Last monitor I bought I got from Fry's.
posted by Steven Den Beste at 8:24 PM on January 2, 2001

I dunno. I spent money at several places online this year. Amazon's $100/no-shipping promo was one I took advantage of, to grab several DVDs I'd wanted (Third Man, American Beauty, Fight Club, and Wild Bunch Director's Cut), and I also used to fill out the full oeuvre of several artists I like, after making sure that these titles were not available through normal revenue channels that would send them a royalty. That second, especially, worked beautifully -- and much simpler than continually browsing the Used CD store in town.

This was a lousy year for retail, too, though -- and this year they didn't have dot-coms to blame.
posted by dhartung at 9:14 PM on January 2, 2001

One thing I'd like to see is an article on how net sales comparw with mail-order catalogs. That's the real market e-tailers are competing with, not "brick-and-mortar" stores. They probably aren't doing too well in that regard, either. I still prefer flipping through a catalog to clicking on a bunch of web pages and waiting for them to load. I'll bet a lot of other people do, too.
posted by Potsy at 11:14 PM on January 2, 2001

Similar feelings, potsy... I have recently purchased via the web: stuff from Pottery Barn to shed some light on my newly remodelled home office, stuff from Crate & Barrel upon which to stack the reams of paper I seem to produce in my home office and some jeans from LL Bean to attempt to cover my big fat butt so I won't be nude while I'm creating that paper... In all three instances, the web was merely the mechanism for placing the actual order. To select the products I wished to purchase, I sat down and leafed through the admittedly low tech but still sensorally satisfactory paper catalog (and, best of all, no friggin' animated banner ads!). In two of those cases - C&B and LLB - I recall noting how slow and unweildy the process of looking up products is (PB has a layout and design palette that I like a lot, so I cut them a little more slack). Fortunately, I had the item numbers from my handy-dandy catalog and could order rather quickly.
posted by m.polo at 6:13 AM on January 3, 2001

One thing I'd like to see is an article on how net sales comparw with mail-order catalogs. That's the real market e-tailers are competing with, not "brick-and-mortar" stores

Actually, besides computer components, all of my internet purchasing is in the form of books, CDs, or DVDs. Barnes & Noble and Waldenbooks don't get my money any more. Neither does Best Buy or Camelot. So in that market, the ability of Internet stores to offer huge selections at low prices is ultimately going to devestate the retail market for new CDs and DVDs. Books are a different story, obviously. And used media is generally more attractive in a browsing situation (to ensure quality of merchandise). But CDs and DVDs? Online shopping is perfect!

Now computer components, that is a market where the Internet has really devestated mail-order outlets. Have you checked out the size of Computer Shopper lately? It's tiny compared to its thickness just a couple of years ago.
posted by daveadams at 8:31 AM on January 3, 2001

I did 86% (rough estimate) of my holiday shopping on-line. I hate malls, I *heart* catalogs, but I often don't have the right or most current catalog. So on-line I go.

It's easy, it's fun, and if you stick to retailers (or e-tailers, I guess) that you know or at least trust, safe. Or at least as far as I can tell it is.
posted by jennyb at 10:20 AM on January 3, 2001

As long as it's not Egghead, anyway.
posted by Steven Den Beste at 10:52 AM on January 3, 2001

I can't wait 'til every credit card company has one-off credit card numbers. I'm kind of suprised no one thought of it earlier, but then that's what makes it such a good idea. I hope it doesn't get patented to death.
posted by cCranium at 11:38 AM on January 3, 2001

The thing about online catalogs is that you can't browse them in the ... uh ... er ... lounge.
posted by dhartung at 1:12 PM on January 3, 2001

Depends on what kind of computer you own, don't it? Wireless net connection on a laptop, anyone?
posted by Steven Den Beste at 1:28 PM on January 3, 2001

I have seen one-off card numbers in use. A few weeks ago I got an emailed gift certificate that was essentially a one-off MasterCard number. And I saw an ad somewhere that was plugging one-off cards for kids in college.

Come to think of it, AmEx is starting some kind of one-off card number system for people who are privacy-conscious.
posted by aaron at 10:47 PM on January 3, 2001

I'd appreciate it if someone would explain what a "one-off card" is.
posted by Steven Den Beste at 11:15 PM on January 3, 2001

A "one-off card number" is an anti-fraud device. It's a credit card number that only works for one purchase. Therefore it doesn't matter if it's stolen. I believe AmEx is, or will soon be, offering them through their site.
posted by kindall at 11:25 PM on January 3, 2001

The way most descriptions of them I've seen is that your Card company provides you a little piece of software (I hadn't seen the gift certificate method, that's pretty cool) that generates a unique card number when you run it. When you make a purchase online, you use that card number.

It's transparent to everywhere in the process, so it works just like a credit card, but after it's used once the card company rejects any transactions using it. So you can make credit card purchases online without any fear of having the number stolen, because if it is, the people who try to use it will just get rejected anyway.

It basically makes encryption on credit card transactions unimportant.
posted by cCranium at 3:08 AM on January 4, 2001

I think that they'd run out of numbers if they tried that.

16 digits sounds like a lot, but several of them have predetermined values. The first digit is the credit card company (e.g. 5==Mastercard). The next four digits are the issuing authority (bank, credit card company, special interest group, etc.). The last 2 digits are a checksum created by hashing all the others together. That only leaves you 9 digits for actual user accounts, about a billion. When each such number was used over and over, this was immense. But if each is used one time then discarded, a big bank like CitiBank can run through a billion transactions faster than you might think. Take a medium sized bank which has 5 million cards issued (and CitiBank has a lot more than that) then you've only got 200 per card average before you've used them all.

And how do they make sure that different devices at different times don't generate the same number? Perhaps I don't ever get the same number twice, but someone else might get a number I previously got or vice versa. Which leads to the next question: how does the credit card company know that a given number is mine? How do they match up these generated numbers to the real paying accounts?

It sounds like the "name on the card" will begin to have far more significance than it does now. Currently, it's just used to confirm that the number was entered correctly. In the new system it would actually have to be the key info, separating number spaces so that each user gets his own billion-number space for one-time numbers. But that means it would have to be entered exactly. Now it can sometimes be a bit fuzzy.

I've already had problems with online credit card forms where my card has been rejected because of a mismatch with the bank. I can't buy anything from Sony because they won't accept my card and associated info (though they've never told me exactly what it is I'm doing wrong, so I don't know how to fix it).

posted by Steven Den Beste at 8:59 AM on January 4, 2001

I agree Steven. I know a disturbing amount about Track II data (the really meaningful bit of data stored in the magnetic strip on the back of credit and debit [and other kinds, it's a packet definition more than anything else] cards) from my last job, and I haven't quite figured out how they're going to get around the number limitation.

Note that everything that follows is sheer speculation.

Possible answers are, they aren't. There's a shitload (well, a few bytes but 'shitload' is a relative term :-) of space available in the Track II data block. Perhaps they'll be able to spoof that data somehow, though I don't quite know how, since the only fields. The Track II protocol allows for somewhere around 20 bytes in the card number portion, 16's a false limitation.

I would imagine unique number generation would be some function of GUID (Globally Unique IDentifier, for non-programmers) Generation.

Linking it to your card number is tricky. One method that sticks in my mind as being mentioned in some article or another would be having the client software connected to the bank via the Internet. Encryption in those regards would still be vitally important, but they can pump encryption to the legal limits that way. There isn't a maximum key length when transferring data inside the states, is there? I'm reasonably certain there isn't one in Canada. It's when encrypted data crosses borders that it's been an issue in the past from my understanding.

Anyway, through a secure encryption method they identify you as you in the client software, you request a one-time number, and they send you one. Your actual credit card number has to be transferred, just some other identifier.

It's still succeptible to nefarious types, but at least this way you're only trading your card number (or other personal information) with your bank, who already has it and already has some pretty darn stringent security measures in place. You don't have to worry about the security of the site you're sending the number to.

posted by cCranium at 10:03 AM on January 4, 2001

A little bit more info. It looks as though Phrack got their hands on Visa's card formatting specifications specifications.

I tried going to slightly more aboveground sites, but the underground's the only place to find this info, of course.

A quick read through indicates that with the exception of field-length specifications that tend to be bank-specific (ie, these 16 bytes are card number) these are almost identical to the specifications I've used to program debit card authorizing software.

Jump to section 4.18 (no anchors, unfortunately) for information on Track 2 data, and section 4.20 for information on card holder identification.

Track 2 data is a maximum of 37 characters, including start and end characters, delimiters and LRC data, but in my experience there was a good 5-10 bytes free which leaves lots of room for card number generation.
posted by cCranium at 10:16 AM on January 4, 2001

sigh. 2600, of course. Why do I remember a magazine called Phrack, and why did I think it was them?

Also, you might as well ignore the "specifications" that isn't a link, it's rather superfluous.

posted by cCranium at 10:17 AM on January 4, 2001

The only problem is that what you're talking about is cases where the card is used directly at a store. But part of the point of this is to protect people purchasing through the internet.

There's no card reader on my PC for the magstrip on the back of my card. All there is is the ability for me to read something off the front of it and type in what I see. Some device is going to let me push a button, and display a number for me to type, and it's going to have to be 16 digits, just like now, so that it can work with existing billing software at web sites.
posted by Steven Den Beste at 10:58 AM on January 4, 2001

From the processor's standpoint transactions coming in from a magstripe and those coming in from a manual entry look the same, it's up to the person/device accepting the cards to format them properly, and a web form that accepts card data is merely a different kind of device.

In fact, when your card info's manually entered into a card reader (say your stripe's worn down and the clerk's not a complete idiot) at a store it gets processed almost identically to a swipe transaction. The difference is just a flag.

The device you manually enter the card info into (be it a box in a store or form inputs on a website) has to format that data in a way the processor expects.

Card number lengths are not fixed at 16. If a merchant site restricts the size of the input field they're not only selling themselves short, they are probably going against the recomendations of the card company.

The track 2 data which is spoofed by the devices after a manual entry has a maximum length, but it's not fixed width. The data's delimited using something like ascii 254.

Remember the discussion about wireless networks, when you couldn't say any more because of honour and previous NDAs? I'm rapidly approaching that point myself. I've linked to what I could find in the public domain, but if I get much more technical, then I'm probably going to step over that line.

And the method of adding data to the Track 2 info is again mostly speculation on my part, but there's room there for the extra data they'd need, so I can't see why they wouldn't take advantage of that.
posted by cCranium at 12:49 PM on January 4, 2001

In fact, if you look at the back of your nearest Visa card you'll probably find a three-digit "confirmation code" printed after the card number itself on the signature block. Obviously that's one of the things that's on the magstripe that gets transmitted with a "swipe" transaction but not with a manual entry or mail-order (Web) transaction. (I have had exactly one Web vendor ask for it, ever.) MasterCards have a four-digit code on them called an "InterBank number" which serves more or less the same purpose. It's not printed on your statement, so a vendor who gets this number has reasonable assurance that the purchaser at least has the card in his possession.
posted by kindall at 2:43 PM on January 4, 2001 asked me for that just the other day--they called it a "security code." Seems like very weak security at best.
posted by rodii at 3:27 PM on January 4, 2001

I think PayPal wants it for their international registration process. Considering I aborted mine when I realized my card was expired I can't really say for certain, but I've encountered it online sometime in the past couple of months.
posted by cCranium at 3:57 PM on January 4, 2001

Well, having it is better than not having it. You can get an account number and billing address from someone's trash, but you generally have to have the card (or have had the card in the past) to get the extra digits. And if you didn't know you needed them, you might not have copied them down if you had the card in your hand. Of course I'm sure the scammers will get wise to that shortly.

The last place I saw it was at Kagi (the shareware registration service).
posted by kindall at 8:57 PM on January 4, 2001

« Older The overtime stigma has bit me in the ass.   |   DotComGuy leaves house; world fails to care. Newer »

This thread has been archived and is closed to new comments