Sometimes computer security can hurt you

Security is a big concern for all of us, but mostly we worry about keeping intruders out — out of our computers, our phones and our internet connections.

What if the problem were reversed, and someone was trying to keep us out? As it turns out, they are.

In December, I was the victim of a "false positive" — the name for what happens when someone's computer security software blocks something innocent instead of something harmful.

My "false positive" occurred when I used my credit card to buy a $7.45 children's book ("Mister Dog" by Margaret Wise Brown) from Fishpond.com. The firm, a New Zealand-based seller of books, electronics and more, ships to U.S. customers from a California distribution center.

When the book hadn't arrived by February, I e-mailed the company's customer-service team and was told, "We can confirm that your order was flagged by our fraud team and subsequently canceled in error."

I was surprised because my credit card history is good. Then I began thinking about how e-commerce security software might view me. If it could tap into databases of recent security breaches, it might see that I had been peripherally involved in one. A few months ago, my bank replaced my debit card following a data breach at a coffee-shop company whose stores I frequent. Maybe the Fishpond.com security software had flagged the coffee-shop incident as a risk — for all it knew, a thief might have stolen all my charge cards, including the one I was using to buy "Mister Dog."

So maybe Fishpond.com was just being careful, and I should be impressed. Besides, Fishpond seemed willing to correct their mistake. They asked that I place a new book order, then e-mail customer service a copy of the new order number and "a scanned copy of a current utility bill with your name and address as proof of delivery address."

I heard nothing more, so in early March I e-mailed Fishpond again. I was told that my information had been passed on for review, and that I should allow one to two working days for further updates. Further, I shouldn't place a new order until I received confirmation from them.

That was two weeks ago. I still don't know if my credit card will be accepted. If it isn't, will that information go into someone's financial database and affect me in the future?

Who's at fault here? E-commerce security software everywhere that isn't up to the task. Experts say that, when in doubt, such software cancels a transaction. A 2017 study by the Merchant Risk Council, a trade association, says this happens in 2.6 percent of all online orders because retailers have made their fraud detection software more restrictive (see tinyurl.com/yy9c9yc5).

Another expert estimates false positives cause more than $8 billion in lost sales annually for U.S. retailers (see tinyurl.com/ycso4ecl).

It's unclear whether consumers can do anything about the problem of false positives. But something needs to change before that security software does real financial harm.