[ISN] Card games on the Web (Web insecurity)

From: mea culpa (jerichoat_private)
Date: Tue Jan 12 1999 - 19:26:59 PST


    http://www.sfgate.com/cgi-bin/article.cgi?file=/examiner/archive/1998/12/13/BUSINESS1342.dtl  
    
    Card games on the Web
    Matt Beer
    EXAMINER TECHNOLOGY WRITER   Dec. 13, 1998
    
    New study says 90 percent of on-line stores are vulnerable to hack attacks
    
    EARLY THIS fall, over fresh-squeezed orange juice and warm croissants at
    the posh Park Hyatt Hotel in downtown San Francisco, Visa USA officials
    conducted a series of meetings with technology reporters to get out their
    message that credit card transactions are as safe - even safer - on the
    Internet than in the real world. 
    
    Those meetings were part of Visa's multi-million dollar TV and print
    advertising campaign urging card holders to do their holiday shopping over
    their home computers. Currently, on-line credit card purchases account for
    only one percent of the company's $585 billion in transactions. Visa,
    along with other credit card companies and countless merchants, has been
    pushing on-line commerce hard this holiday season. According to Visa
    spokesman Greg Jones, the credit card company wants to have two out of
    every three Visa card holders conducting on-line buying by 2002. 
    
    Visa and other credit companies are eyeing the on-line world as a
    fertile credit card market. 
    
    "You can't put a five dollar bill in the A drive of your computer," said
    Jones. "But you can use a credit card. It's the next logical extension of
    our existing business." 
    
    The push seems to be working: Jupiter Communications, a New York-based
    Internet research firm, predicts that worldwide Internet credit card
    spending will reach $2.3 billion this holiday season, up from $1.1 billion
    last year. 
    
    But not included in credit card company information packets is another
    number, revealed at a confidential Dec. 4 conference call meeting of
    Internet industry analysts, sponsored by IBM's Global Services division. 
    
    At that meeting, IBM officials disclosed that their own band of "ethical
    hackers" - salaried computer break-in specialists - successfully broke
    into nine out of ten computers (known as servers) used by on-line stores
    to hold credit card data. Cal Slemp, IBM's Global Offering Executive for
    Security Services, confirmed that break-in rate. IBM declined to name
    which stores were the target of the faux break-ins. 
    
    "We are successful over ninety percent of the time," Slemp said. 
    
    "It was scary," said Erina Dubois, an analyst with Dataquest who listened
    in on the IBM conference. "It's the credit card companies' dirty little
    secret." 
    
    "Yikes!" exclaimed a Federal Trade Commission spokesperson, who asked not
    to be identified, when informed of the IBM statistics. "I don't think we
    know about that around here." 
    
    The basis for Visa's assurances of airtight security rests on the
    near-invulnerability of "in flight" credit card transactions, said Visa
    Vice President of Electronic Commerce Joseph Vause. "In flight" is an
    industry label for credit card data in the act of being transmitted over
    the Internet between a computer user and an on-line store. 
    
    "As far as we know, there has been no in-flight credit card data stolen,"
    said Vause, who said this makes on-line credit card use safer than "in
    person" transactions. 
    
    "In a restaurant, you hand your card to a waiter and they walk away with
    it for a while," said Vause. "On-line, no one's looking at your card when
    you're sending it to the merchant." 
    
    Vause said the torrent of data moving across the Internet at any given
    moment, the practice of encrypting credit card data before transmission
    and the fact that data travels over the Internet in broken-up "packets"
    make it nearly impossible to intercept. 
    
    But once the credit card information congregates at an on-line store's
    computers, it becomes vulnerable to theft, say industry experts. 
    
    On May 21, 1997, Carlos Elipe Salgado was arrested at San Francisco
    International Airport for attempting to sell 100,000 credit card numbers
    to undercover FBI agents for $260,000. Those numbers, say law enforcement
    officials, were hacked from various Internet commerce servers. Salgado has
    pleaded guilty to charges of hacking and fraud. He was sentenced in
    January to 30 months in prison (which was deferred on condition that he
    attend a federal boot-camp program), according to the U.S. Attorney
    General's office in San Francisco. 
    
    The infamous hacker Kevin Mitnick is credited with stealing 20,000 credit
    card numbers in one pass at a company's server. Mitnick is awaiting trial
    in Los Angeles. 
    
    And according to the on-line news service Newsbytes, a British Internet
    security firm reportedly keeps a list of some 75,000 known hackers, most
    of them credit card data thieves. 
    
    Overall, annual credit card fraud losses amount to a reported $1.5
    billion. No industry figures are available that show the on-line share of
    those losses. Though a credit card user's liability is generally limited
    to $50 in the case of proven fraud, the losses to credit card issuers and
    banks are eventually spread out over the entire consumer market. 
    
    "Everyone loses because of credit card fraud," said David Medine,
    associate director of financial practices for the Federal Trade
    Commission. 
    
    But monetary losses aren't necessarily the only toll on-line credit card
    fraud takes. 
    
    While balancing his checking account earlier this month Dr. John Faughnan,
    a physician in St. Paul, Minn., discovered that his credit card had been
    billed for $19.95 over five months. 
    
    "I have a pretty busy Visa account," Faughnan said. "I didn't catch it
    right away." 
    
    The bills, as it turned out, were from an on-line pornography service. "I
    don't know if those were child pornography or what," said Dr. Faughnan.
    "It was pretty disturbing to find that. It was a total personal invasion
    and attack." 
    
    Dr. Faughnan says he's still fighting with his bank, the card issuer, to
    have the charges removed. "They've said they'll take off two months, but
    I'm still fighting for the other three." 
    
    According to IBM's Slemp, industry studies reveal that on-line stores'
    computers are three times more likely to be targeted by hackers than any
    other Internet system. Slemp said hackers know credit card data
    information exists on electronic commerce (or e-commerce) servers "without
    a whole lot of tough thinking." 
    
    It's a fact that keeps Web sites big and small constantly working to
    tighten security. 
    
    "We recognize that security is a big issue with on-line shoppers," said
    Felicia Lindau, founder of Sparks.com, a San Francisco-based on-line
    greeting card company that launched Wednesday. "That's just the reality of
    selling on-line." 
    
    Lindau, who has worked in marketing for Amazon.com and other e-commerce
    Web sites, said Sparks uses double security measures to guard credit card
    transactions: an encryption program on the company's side of a
    computerized barrier (called a firewall), and taking orders utilizing the
    industry standard SSL (Secure Sockets Layer) encrypted Web page order
    forms on the user's side. SSL scrambles credit card data before it travels
    across the Net. "We believe we have a really tight site," said Lindau. 
    
    At Seattle's Amazon.com, the pioneering Web-based book seller, security
    "is the key ingredient" said spokesman Bill Curry. "It's what lets our
    customers feel comfortable ordering through us." 
    
    Curry said the company uses state-of-the-art encryption software
    throughout the site to protect credit card data. The bookseller also
    offers an "iron clad guarantee" that promises to reimburse a user for the
    $50 uncovered liability for any credit card abuse. 
    
    Curry said that, to date, none of the 4.5 million Amazon customers have
    made a claim. 
    
    Though security has been a rallying cry for the on-line commerce world,
    Slemp says he continues to see credit card-fueled Web sites going up with
    some fundamental flaws. Chief among them: using the out-of-the-box
    settings for Web security software. 
    
    "(Hackers) know where system administrators normally make mistakes," said
    Slemp. "This is a big one." 
    
    While concerned, federal regulators say consumer protection laws buffer
    the effects of credit card theft for on-line shoppers. 
    
    "I don't think that (the IBM study) should deter consumers from shopping
    on the net," said David Medine, associate director of financial practices
    for the Federal Trade Commission. Medine says the federally mandated $50
    user liability limit on fraudulent credit card transactions makes
    credit card usage "still the best method" for shopping, on-line or off. 
    
    But, said Medine, the IBM statistics "should serve as a wake up call for
    sites to be much more careful." 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:15:36 PDT