IP: Some selections from RISKS

[Dave Farber <farber () cis upenn edu>]

Date: Sun, 07 Feb 1999 10:28:30 -0500 
From: Edupage Editors <edupage () franklin oit unc edu> 
Subject: E-Trade computers crash again -- and again
The computer system of online security firm E-Trade crashed on Friday for 
the third consecutive day. "It was just a software glitch. I think we were 
all frustrated by it," says an E-Trade executive. Industry analyst James 
Mark of Deutsche Bank is essentially sympathetic: "It's sort of a black eye 
for them. They've been claiming that their architecture is superior. But 
it's the application on a large scale. As soon as E-Trade's volumes started 
spiking up, they had the same problems as others." Marks adds: "If you call 
a broker, he may be on the phone or away from his desk or on vacation. 
There are all sorts of times you can't get through and once you put an order 
through there's no guarantee on terms. Here you have a customer base that 
is paying 5 percent to 10 percent of what it was paying for service in the 
full-commission environment and it's demanding service above what was 
available in the full-service environment. And they feel it's their right." 
(*The Washington Post*, 6 Feb 1999; Edupage, 7 February 1999)

Date: Tue, 09 Feb 1999 10:15:12 +0000 
From: Ross Anderson <Ross.Anderson () cl cam ac uk> 
Subject: The risks of shopping at Amazon
Today I tried to order a book from Amazon. Their server asked for a 
credit-card number and I duly filled out the form. At the bottom it demanded 
a password. According to Amazon, this means that `you won't need to give us 
your credit-card number again unless you enter a new shipping address'. I 
tried to enter the order without a password but it was refused.
What is the risk? Well, merchant retention of credit card numbers is a well 
known vulnerability; card numbers are much more likely to be stolen from 
merchant servers than while in transit on the net. Forcing customers to 
choose a password adds four extra risks. Firstly, the customer may choose a 
bad password; secondly, if he doesn't, he will probably write it down 
somewhere; thirdly, it will be kept on Amazon's system somewhere; and 
fourthly, it is likely to cause problems for people who have a dispute with 
their bank. I have acted as an expert witness in a number of court cases of 
disputed cash machine transactions, and the bank usually says `you must have 
written the PIN down somewhere'. If everyone who shops at Amazon must choose 
a password which discloses their credit card details, then banks might turn 
away all complaints from people who've ever shopped there.
There's another problem, which neatly highlights the tension between the USA 
and Europe over data protection law. The Amazon server also refused my 
order when I refused to give them a telephone number. This isn't necessary 
for the transaction, so compelling disclosure is dubious under European law.
So I tried ordering from amazon.co.uk, which ought to abide by our local 
laws. This server also insisted on a password and a phone number, and even 
on a town in the address form (despite the fact that I live in the 
countryside). It also didn't turn on SSL for the credit card capture form, 
so the card number was sent in clear. This is bad news, as we Brits don't 
have the benefit of US consumer protections: if my credit card number is 
stolen and abused, my bank will likely charge me the whole lot, and it's not 
clear what evidence I will have that it was Amazon's fault.
So amazon.co.uk appears to be in breach of the Data Protection Act of 
1984. I therefore went to the Data Protection Registrar's Website at 
<http://www.dpr.gov.uk/> and did a register search:
> Search terms: name=amazon and other=amazon.com 
>
> No documents have been found that contain the above search terms. 
> Please return to the form to begin a new search.
This looks highly illegal: under the Act, part 2, sections 5(1) and 
5(5) compel everyone in the UK who holds personal data to 
register. (See <http://www.hmso.gov.uk/acts/acts1984/1984035.htm>.)
I have e-mailed the Registrar, and will be interested to see what happens.
For several years now, the media have been hailing Amazon as the miracle of 
the age, the model that all net based businesses - indeed all businesses 
everywhere - should follow. I find that rather worrying,
Ross Anderson, Cambridge University 
ross dot anderson at cl dot cam dot ac dot uk