The following text is copyright 2000 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.

Stick needed

By Scott Bradner

The information is only just coming out, but it seems like there has been another massive theft of credit card information from an e-commerce site. There are a number of troubling parts to this story, and if other e-commerce companies do not learn something from this incident, things will continue to get more dangerous for anyone who uses e-commerce.

It seems that some hacker or hackers broke into an unnamed e-commerce site back in January 1999 and made off with records of 485,000 credit cards. The theft was discovered only because the perpetrators dumped a copy of the records on a US government web site, where they were found during an audit.

I see a number of red flags here. First, why did it take more than a year for the story to break? Keeping this sort of thing secret only protects the people who did it and puts everyone else at risk, particularly other e-commerce sites that may have a similar vulnerability. Tell people so that the security holes can get fixed.

Second, the name of the e-commerce site is being kept secret. This puts me at an unknown risk if I were a customer of that site, and it lets the site maintain a false image of competence and safety. At a time when many surveys show that customers are still very nervous about trusting on-line sites with credit card information, it seems very counterproductive to hide the event and then, a year later, leak the story. I think that a vendor that lets this type of theft happen should be responsible for all false charges on the stolen cards and the cost of everyone changing their cards. This might just give them another reason for secrecy, but in the long run the secrecy will hurt them badly.

Third, the credit card holders have never been notified that they are at risk. Apparently there is no evidence that there has been fraudulent use of the stolen information. But if you don't tell credit card holders that they should look closely at their bills, such use may slip through unnoticed if it is small relative to the card bill, and with information on 485,000 credit cards one could do quite well adding small random charges to them.

But a basic thing I do not understand is why all that information was lying around on a machine that hackers could get to. Why aren't these e-commerce sites architected such that this type of information is on a secure server, protected behind its own firewall, with individual records retrieved when needed using secure database queries? This may carry a slight performance penalty, but that would be better than giving away the store when the next security bug is found in the server software.
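To make the architecture in the paragraph above concrete, here is an added illustration (not from the column or from any particular site) in which the internet-facing order database holds only opaque tokens and a separate card vault answers one parameterised lookup at a time; the two in-memory SQLite databases and the sample card number are constructed stand-ins for two separately firewalled hosts.

```python
import secrets
import sqlite3
from typing import List, Optional

# Constructed stand-ins for two hosts: the web/order tier that the internet
# reaches, and the card vault behind its own firewall. In a real deployment
# the web tier would reach the vault only through a narrow network API,
# never with direct access to its database.
web_db = sqlite3.connect(":memory:")
web_db.execute(
    "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, card_token TEXT NOT NULL)"
)
vault_db = sqlite3.connect(":memory:")
vault_db.execute("CREATE TABLE cards (token TEXT PRIMARY KEY, pan TEXT NOT NULL)")


def vault_store(pan: str) -> str:
    """Vault API: accept a card number once and hand back an opaque token."""
    token = secrets.token_hex(16)
    vault_db.execute("INSERT INTO cards (token, pan) VALUES (?, ?)", (token, pan))
    return token


def vault_lookup(token: str) -> Optional[str]:
    """Vault API: fetch exactly one record. The token is bound as a query
    parameter, so its value can never be interpreted as SQL."""
    row = vault_db.execute(
        "SELECT pan FROM cards WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def place_order(pan: str) -> int:
    """Web tier: store the token with the order, never the card number."""
    token = vault_store(pan)
    cur = web_db.execute("INSERT INTO orders (card_token) VALUES (?)", (token,))
    return cur.lastrowid


def charge_order(order_id: int) -> Optional[str]:
    """Web tier: retrieve the single card it needs, only when it needs it."""
    row = web_db.execute(
        "SELECT card_token FROM orders WHERE order_id = ?", (order_id,)
    ).fetchone()
    return vault_lookup(row[0]) if row else None


def web_tier_dump() -> List[str]:
    """Everything the order database holds: tokens, no card numbers."""
    return [r[0] for r in web_db.execute("SELECT card_token FROM orders")]
```

A compromise of the web tier alone therefore yields tokens rather than a bulk copy of card numbers, which is the difference between this design and the one the column describes.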

The only way this will get fixed is if there is a significant financial threat for poor design and operation. Let's make it so.

disclaimer: A financial threat for poor design and operation, now there is an idea for Harvard! But the above is my own annoyance.