Information Security News mailing list archives
Security breach raises questions about Internet shopping
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Sun, 23 Jan 2000 02:21:18 -0700
Forwarded From: darek.milewski () us pwcglobal com

Security breach raises questions about Internet shopping
BEN FOX, Associated Press Writer
Thursday, January 20, 2000
http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2000/01/20/financial0142EST0158.DTL&type=tech_article

(01-20) 01:42 EST SAN DIEGO (AP) -- Internet retailers have worked hard to squelch consumer fears of credit card number theft, using sophisticated encryption and other high-tech strategies to make online shopping safe.

But the industry's security image took another blow with the disclosure that the credit card database of a health products supplier was open to hackers for a few hours this week.

Word of the security breach at Global Health Trax Inc. comes as credit card companies are canceling thousands of cards because someone pilfered their numbers from CD Universe, a Web music seller. The card companies say the CD Universe case, uncovered Monday, has resulted in the largest mass-cancellation of cards they can recall.

``When someone hacks a site, it raises a lot of questions to the consumer,'' said Chris Merritt, of the Atlanta-based retail consulting firm Kurt Salmon Associates. ``They are thinking, `You told me that you have a secure site, but how do I really know if it is secure.''

Internet shopping doubled last year to $15.6 billion, said David Schatsky, an Internet commerce analyst for Jupiter Communications in New York. But security remains the top concern of consumers and could slow the industry's growth.

It could also prompt consumers to gravitate toward the established Internet retailers and away from lesser-known start-ups, Merritt said.

Global Health Trax, based in Poway, east of San Diego, is one of the less-established retailers. The company sells dietary supplements to about 3,500 distributors nationwide and has annual sales of about $3.5 million, executive vice president Lorin Dyrr said.

Distributors can go to the company's web site, www.ghtonline.com, and enter their credit card number on an order form that is e-mailed to the company.

On Monday, account information on several hundred distributors, including home telephone numbers and bank account and credit card numbers, was open to hackers on the company's old web site, www.globalhealthtrax.com, Dyrr said. That site was abandoned a year ago.

The company said it believes the breach was a case of corporate sabotage by former employees -- and few people accessed the numbers.

The customer files were exposed because the person who helped design the Web site left the files on an unsecured part of the site, the company said. Anyone with the correct Web address could have accessed it. It was unclear how the address was publicized, if at all.

The customer information was available for a few hours and at least two people accessed the site, including a reporter for the Internet/cable TV news service MSNBC who contacted the company Monday about the glitch, Dyrr said.

The reporter said he was alerted to it by a ``concerned technology worker,'' who Dyrr believes is one of the culprits and the other person who visited the site.

Dyrr said five distributors canceled their accounts after MSNBC reported the breach Tuesday. Other customers said they had noticed odd account transactions or credit card charges in recent months, some for as little as $70.

``This kind of sabotage can happen in any type of company, Internet or not. If we didn't have a computer system, they could take this information and fax it all over the planet,'' Dyrr said.

This is a different scenario from Connecticut-based CD Universe. In that case, an unidentified hacker, who described himself as a 19-year-old from Russia, claimed to have stolen 300,000 card numbers by exploiting a flaw in security software.

He said he sent a fax to the company last month offering to destroy his credit card files in exchange for $100,000. When the company refused, he used a Web site called Maxus Credit Card Pipeline to distribute up to 25,000 of the stolen numbers.

Since then, credit card companies and banks have worked with CD Universe to locate their customers who used the online retailer.

Wachovia, the nation's 16th largest bank, offered to reissue 2,000 cards to its customers who bought from CD Universe, but found no cases where the cards had been fraudulently used, said Charlie Hegarty, a bank executive.

``You could say it was a bit of overkill at this stage of the game, but we wanted to give our customers that extra bit of assurance,'' Hegarty said.

Credit card users are generally liable for only $50 of unauthorized charges. The issuers pay the rest.

Discover Financial Services is reissuing cards for more than 10,000 customers, spokeswoman Cathy Edwards said. Visa and MasterCard are working with banks, which issue their cards, to identify CD Universe customers. American Express is also reissuing cards, but spokeswoman Judy Tenzer declined to specify how many customers were affected.

ISN is sponsored by Security-Focus.COM