Information Security News mailing list archives

Egghead.com Guilty as Charged Says Tripeze.com CEO


From: InfoSec News <isn () C4I ORG>
Date: Thu, 28 Dec 2000 16:54:53 -0600

http://www.internetnews.com/intl-news/article/0,,6_546751,00.html

By Carolyn Heinze
December 28, 2000

[Calgary, ALBERTA] According to Paul Verhoeff, the key to escaping
credit card-related security breaches online is simply for e-commerce
Web sites to avoid storing credit card numbers.

The chief executive officer of Alberta's Tripeze.com, an online
travel-booking firm, offered this advice in the wake of e-tailer
Egghead.com's security disaster. Just three days before Christmas, the
California-based dealer of electronics products for small to mid-sized
businesses announced that a hacker had broken into its system,
potentially stealing information from approximately 3.6 million
credit cards belonging to Egghead.com customers. The hacker could
have gained access to this sensitive financial info because Egghead
allows its customers to store their credit card numbers on its site in
order to alleviate the inconvenience of re-typing credit card
information each time they wish to make a purchase.

Egghead has enlisted the services of Internet security consultants to
investigate the breach.

"If more e-commerce companies followed Tripeze.com's lead and did not
keep their customers' credit card numbers on file, they could avoid
the turmoil that last week's hacker attack on Egghead.com has created
for millions of its clients," Verhoeff said. "We believe Tripeze.com
has some of the most sophisticated security systems in the world, but
because no system can be guaranteed foolproof, we consider it
essential to take the further step of not retaining customers' credit
card numbers. We urge other e-tailers - including our travel industry
competitors - to adopt a similar policy for maximum protection of the
traveling consumer."

This holiday season, most major credit card companies introduced a
'zero liability' program that eliminates all liability for cardholders
who experience credit card fraud as a result of Internet purchases.
The programs were launched as a way to boost consumer confidence in
shopping online - something conservative Canadian shoppers are very
much in need of. According to statistics, almost 75 percent of
Canadian consumers are wary of shopping online because they are afraid
to divulge their credit card information.

These fears were bolstered earlier this month when it was discovered
that a 20-year-old man in Moncton, NB, was operating a Web site that
fraudulently advertised the sale of almost impossible-to-acquire Sony
Playstation 2 units. Before authorities were able to shut the site
down, Scott Frederick Byers had conned over $400,000 (CDN) out of
2,500 unwitting holiday shoppers.

As fast as hackers are cracking security codes, however, credit card
companies and banks are endeavoring to make online shopping safer. The
Canadian Imperial Bank of Commerce (CIBC) recently released one-use
Visa credit cards specifically designed for making Internet purchases,
mimicking American Express' one-use card that was rolled out in the
U.S. earlier this season. Both companies maintain that consumer
response to the initiative has been positive.

Still, Verhoeff emphasizes the need for e-commerce Web sites to
forsake convenience in some areas in the name of higher security.
"Having to type in their credit card numbers each time they buy
something online is a minor inconvenience for consumers, but one that
is well worth it to guard against hackers," he said.

ISN is hosted by SecurityFocus.com