Andrea Orr
PALO ALTO: Are the hackers getting better, or is it just that the people in
charge of security at big Web companies are nodding off on the job?
Online shoppers have reason to wonder, after another in a series of
intrusions into e-commerce sites that were supposed to have the best security
money could buy. The latest: the online rare book store Bibliofind.com, a
subsidiary of Amazon.com Inc., which this week revealed that hackers broke into
its site, obtained credit card numbers for some 98,000 customers, and - the
kicker - remained undetected for four months.
Internet security has always been recognized as a big challenge, with
countless hackers ever on the lookout for ways into secure databases. But
weren't companies supposed to have their best and brightest at work on the
problem, in exchange for all those credit card numbers that trusting consumers
handed over to them?
The Bibliofind incident, following similar hacks at companies like
Egghead.com Inc. and in-house breaches at Travelocity.com Inc. and Sony Corp.'s
Columbia House, raises new questions about whether Web companies are doing all
they can to make their sites safe places to shop.
John Vranesevich, who heads the computer security company AntiOnline, is one
of a growing number of critics who say companies could do more. While Web sites
may not reasonably be expected to anticipate every breach before a hacker
discovers it, they should at least keep current on known vulnerabilities and have all
the available patches installed.
Egghead, whose site was broken into right before Christmas, admits it had not
had all the latest security fixes installed at the time. "Do we have all
the available patches in place today? Absolutely," says a contrite Jeff
Sheahan, Egghead's chief executive.
Security experts worry that like Egghead and Bibliofind, too many companies
will wait until they learn the hard way that their sites are vulnerable.
"It is a cat and mouse game with hackers finding new vulnerabilities and
companies coming up with patches," said Vranesevich. "But to not have
all the available patches installed. That is absolutely inexcusable."
If lax security policies have been a problem, the lack of money to invest in
hacker protection is compounding the issue as cash-strapped dot-coms cut
corners.
In a confession of sorts over how difficult it was to gain the upper hand
over hackers, Bibliofind said it has changed its policy so that consumer credit
card numbers will not be exchanged online. Instead, once a buyer and seller
agree to a deal, they will contact each other offline, or at least off the site,
to arrange payment.
Amazon.com, moving to distance itself from Bibliofind, said it was distressed
to learn of the hacking incident but stressed that its own security is separate
and that it is always working to strengthen its systems and review their
integrity. Still, security experts who once believed major sites such as Amazon
to be the most secure now wonder if there is any meaningful difference between
the large sites and the small ones.
"I used to be under the impression that the big sites were just more
secure because they have larger budgets to commit to security, but this kind of
thing happens all the time at all kinds of sites and just doesn't always get
reported," said a Palo Alto-based network security consultant, Joel de la
Garza.
Richard Power, editorial director of the Computer Security Institute, says
his group's research estimates that 90 per cent of Fortune 500 companies
suffered some kind of cyber attack over the past 12 months, and about 20 or 30
per cent were successfully hacked by intruders who obtained some kind of
protected data.
Power said even the companies that had invested large amounts in security
were too often just throwing money at the problem, and not taking the time to
educate themselves and their customers about the risks. "I tell consumers
that shopping online is like going to a very bad neighborhood to shop,"
said Power. "It doesn't mean you shouldn't shop there, but you should act
differently than you act in some mall."
The good news for customers is that credit card issuers are increasingly offering
zero liability, meaning that aside from a headache and a lot of inconvenience,
shoppers will not have to pay when their card numbers are stolen.
But they still have to be vigilant, Power warns. Because credit card thieves
often obtain many different account numbers, they will scatter small
purchases across multiple accounts so that the fraud goes undetected for a long
time.
"I tell consumers to never use a debit card online," says Power,
"and to pay very close attention to your credit card statements."
(C) Reuters Limited 2001.