Information Security News mailing list archives

Egghead Customers Question Site Security


From: InfoSec News <isn () C4I ORG>
Date: Thu, 4 Jan 2001 01:31:27 -0600

http://www.zdnet.com/intweek/stories/news/0,4164,2669672,00.html

By Robert Lemos and Troy Wolverton, Special to ZDNet
January 2, 2001 2:49 PM PT

Nearly two weeks after an intruder cracked into Egghead.com's computer
systems, the online retailer is still mum on whether any credit card
numbers were stolen from its database of 3.7 million customers.

Representatives for Egghead and for the San Francisco office of the
FBI confirmed Tuesday that investigations were continuing, but they
would not provide details.

Customers, however, were talking.

"Any company that's going to do something as stupid as maintain a
credit card online on a vulnerable server that long after the
transaction, I have no reason to trust them at all," said John
Groseclose, of Scottsdale, Ariz. "That goes against every industry
best practice that's out there."

On Dec. 22, Egghead acknowledged that someone had cracked its systems
and may have accessed its customer database. Sources within the credit
card industry said that Egghead had handed over more than 3.7 million
credit card numbers to Visa, American Express, MasterCard and Discover
as potentially stolen.

Customers inconvenienced

At the time, Egghead co-chairman Jerry Kaplan said the company
expected to know within the week if any credit card data was
compromised. The auditing team hired by Egghead, security firm Kroll
Worldwide, referred all questions back to Egghead.

For Groseclose, the breach has been a big inconvenience.

Last week, his credit union canceled his debit card--the only
credit-type card he holds--blaming the Egghead breach. He said he
still hasn't gotten a replacement, which means he's had to go to the
bank to get cash to pay for his gas and groceries and has had to forgo
several online transactions.

Groseclose said the last time he remembers shopping at Egghead was 18
months ago. He said he won't ever shop at Egghead again.

Visa, MasterCard react

The credit card companies, and their member banks, have handled the
situation in different ways.

MasterCard notified its member banks about the breach and left it up
to them to decide whether to cancel cardholders' accounts, spokeswoman
Sharon Gamsin said. Gamsin declined to say whether MasterCard has
taken any other action or how many MasterCard holders were affected.

Visa notified its member banks and has itself been monitoring the 1.8
million affected accounts, Visa spokeswoman Casey Watson said. As of
Thursday, Visa had not seen any indication that the affected cards had
been used fraudulently, she said.

As with MasterCard, Visa's member banks will determine whether or not
to cancel affected accounts and reissue cards, Watson said.

No fraud reported

"What you need to keep in mind is that the banks that own these card
numbers will do whatever they can to protect those numbers from
fraudulent use," she said. "They will determine the best approach."

Discover Financial Services is also monitoring the affected accounts,
but declined to say whether any fraudulent activity had been detected,
spokeswoman Cathy Edwards said.

The Egghead hack may push credit card clearinghouses, or the banks
that issue them, to embrace higher security standards, said Paul
Robertson, director of risk assessment with security specialist
TruSecure.

"There currently is a complete lack of standards for online commerce,"
Robertson said. "It is pretty easy to make a bar high enough so that
hacking is difficult, but make it easy enough (to set up security) to
be practical in the real world," he said.

MasterCard already requires merchants to encrypt cardholder
information. Visa launched an e-commerce security initiative last
June, which sets minimum security standards for its affiliated
merchants, Visa's Watson said. Discover and American Express have
security programs that include throwaway credit card numbers.

ISN is hosted by SecurityFocus.com