Information Security News mailing list archives

Online stores try to bar the doors


From: InfoSec News <isn () C4I ORG>
Date: Fri, 29 Dec 2000 16:09:46 -0600

http://news.cnet.com/news/0-1007-200-4305336.html?tag=st.ne.ron.lthd.ni

By Greg Sandoval
Staff Writer, CNET News.com
December 29, 2000, 4:00 a.m. PT

Two high-profile hacking incidents this month have put pressure on
e-tailers to do a better job of securing their sites from intruders.

Hackers recently broke into electronics e-tailer Egghead.com and
credit card transaction company Creditcards.com. More than 55,000
credit card numbers were stolen from Creditcards.com, and the hacker
left them exposed on the Web for at least a day after a failed
extortion attempt, the company said.

At Egghead, as many as 2.7 million customer accounts may have been
exposed. An investigation is underway.

And in a case that the FBI said may be related to the Creditcards.com
case, hundreds of U.S. online shoppers over the past two weeks have
received unauthorized charges on their credit cards from a
Russia-based company called Global Telecom.

And although credit-card companies protect customers from fraud and
reimburse them for any unauthorized charges, surveys show that many
consumers still refuse to shop online for fear criminals will pilfer
their credit card information.

But security experts say that the best security measures may also be
inconvenient for shoppers: online shops can refuse to store credit
card information at all, forcing customers to type in their credit
card numbers every time they use their card.

"It's less of a security headache not to store any numbers," said
David Kennedy, director of research services for security company
TruSecure. "But that's a business decision. If you require your
customers to fill out their card information every time they make a
purchase, it's safer but much more of a nuisance."

Some experts say that short of making customers punch in their credit
card numbers and personal information every time they shop, there is
no foolproof way of locking out the bad guys.

"You can't make any site completely secure," said Chris Painter,
deputy chief of computer crime at the U.S. Department of Justice. "But
there is plenty to do to lower the risks of break-ins and that's what
e-tailers should be focusing on."

If companies do store credit card information, it should be encrypted.
MasterCard requires all merchants to encrypt cardholder information.
Creditcards.com, which stores credit card information for e-commerce
companies, said it did not encrypt any of the customer information.

Additionally, companies storing credit card information should
diligently test their sites for weaknesses in firewalls and
procedures.

Howard Schmidt, Microsoft's chief of corporate security, said that
companies must hire security teams to patch any holes in their security
defenses. The team must be aware of break-ins at companies that use
the same types of firewall software and then patch up the same
weaknesses in their own software.

Kennedy acknowledges, however, that there is only so much a company
can do to wall out intruders. The suspect in the Creditcards.com case
boasted in emails to Creditcards.com customers that it took him three
months to sneak past the company's security.

"A determined hacker willing to spend thousands of hours hacking past
defenses will eventually get in," Kennedy said.

ISN is hosted by SecurityFocus.com