Information Security News mailing list archives

Security breach raises questions about Internet shopping


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Sun, 23 Jan 2000 02:21:18 -0700

Forwarded From: darek.milewski () us pwcglobal com

Security breach raises questions about Internet shopping
BEN FOX, Associated Press Writer
Thursday, January 20, 2000

http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2000/01/20/financial0142EST0158.DTL&type=tech_article


(01-20) 01:42 EST SAN DIEGO (AP) -- Internet retailers have worked hard to
squelch consumer fears of credit card number theft, using sophisticated
encryption and other high-tech strategies to make online shopping safe.

But the industry's security image took another blow with the disclosure
that the credit card database of a health products supplier was open to
hackers for a few hours this week.

Word of the security breach at Global Health Trax Inc. comes as credit
card companies are canceling thousands of cards because someone pilfered
their numbers from CD Universe, a Web music seller. The card companies say
the CD Universe case, uncovered Monday, has resulted in the largest
mass-cancellation of cards they can recall.

``When someone hacks a site, it raises a lot of questions to the
consumer,'' said Chris Merritt, of the Atlanta-based retail consulting
firm Kurt Salmon Associates. ``They are thinking, `You told me that you
have a secure site, but how do I really know if it is secure.' ''

Internet shopping doubled last year to $15.6 billion, said David Schatsky,
an Internet commerce analyst for Jupiter Communications in New York. But
security remains the top concern of consumers and could slow the
industry's growth.

It could also prompt consumers to gravitate toward the established
Internet retailers and away from lesser-known start-ups, Merritt said.

Global Health Trax, based in Poway, east of San Diego, is one of the
less-established retailers. The company sells dietary supplements to about
3,500 distributors nationwide and has annual sales of about $3.5 million,
executive vice president Lorin Dyrr said.

Distributors can go to the company's web site, www.ghtonline.com, and
enter their credit card number on an order form that is e-mailed to the
company.

On Monday, account information on several hundred distributors, including
home telephone numbers and bank account and credit card numbers, was open
to hackers on the company's old web site, www.globalhealthtrax.com, Dyrr
said. That site was abandoned a year ago.

The company said it believes the breach was a case of corporate sabotage
by former employees -- and few people accessed the numbers.

The customer files were exposed because the person who helped design the
Web site left the files on an unsecured part of the site, the company
said. Anyone with the correct Web address could have accessed it. It was
unclear how the address was publicized, if at all.

The customer information was available for a few hours and at least two
people accessed the site, including a reporter for the Internet/cable TV
news service MSNBC who contacted the company Monday about the glitch, Dyrr
said.

The reporter said he was alerted to it by a ``concerned technology
worker,'' who Dyrr believes is one of the culprits and the other person
who visited the site.

Dyrr said five distributors canceled their accounts after MSNBC reported
the breach Tuesday. Other customers said they had noticed odd account
transactions or credit card charges in recent months, some for as little
as $70.

``This kind of sabotage can happen in any type of company, Internet or
not. If we didn't have a computer system, they could take this information
and fax it all over the planet,'' Dyrr said.

This is a different scenario from Connecticut-based CD Universe. In that
case, an unidentified hacker, who described himself as a 19-year-old from
Russia, claimed to have stolen 300,000 card numbers by exploiting a flaw
in security software.

He said he sent a fax to the company last month offering to destroy his
credit card files in exchange for $100,000. When the company refused, he
used a Web site called Maxus Credit Card Pipeline to distribute up to
25,000 of the stolen numbers.

Since then, credit card companies and banks have worked with CD Universe
to locate their customers who used the online retailer.

Wachovia, the nation's 16th largest bank, offered to reissue 2,000 cards
to its customers who bought from CD Universe, but found no cases where the
cards had been fraudulently used, said Charlie Hegarty, a bank executive.

``You could say it was a bit of overkill at this stage of the game, but we
wanted to give our customers that extra bit of assurance,'' Hegarty said.

Credit card users are generally liable for only $50 of unauthorized
charges. The issuers pay the rest.

Discover Financial Services is reissuing cards for more than 10,000
customers, spokeswoman Cathy Edwards said. Visa and MasterCard are working
with banks, which issue their cards, to identify CD Universe customers.

American Express is also reissuing cards, but spokeswoman Judy Tenzer
declined to specify how many customers were affected.
