Card games on the Web
Matt Beer

New study says 90 percent of on-line stores are vulnerable to hack attacks

EARLY THIS fall, over fresh-squeezed orange juice and warm croissants at
the posh Park Hyatt Hotel in down town San Francisco, VisaUSA officials
conducted a series of meetings with technology reporters to get out their
message that credit card transactions are as safe - even safer - on the
Internet than in the real world. 

Those meetings were part of Visa's multi-million dollar TV and print
advertising campaign urging card holders to do their holiday shopping over
their home computers. Currently, on-line credit card purchases account for
only one percent of the company's $585 billion in transactions. Visa,
along with other credit card companies and countless merchants, have been
pushing on-line commerce hard this holiday season. According to Visa
spokesman Greg Jones, the credit card company wants to have two out of
every three Visa card holders conducting on-line buying by 2002. 

Visa, and other credit companies, are eyeing the on-line world as a
fertile credit card market. 

"You can't put a five dollar bill in the A drive of your computer," said
Jones. "But you can use a credit card. It's the next logical extension of
our existing business." 

The push seems to be working: Jupiter Communications, a New York-based
Internet research firm, predicts that worldwide Internet credit card
spending will reach $2.3 billion this holiday season, up from $1.1 billion
last year. 

But not included in credit card company information packets is another
number, revealed at a confidential Dec. 4 conference call meeting of
Internet industry analysts, sponsored by IBM's Global Services division. 

At that meeting, IBM officials disclosed that their own band of "ethical
hackers" - salaried computer break-in specialists - successfully broke
into nine out of ten computers (known as servers) used by on-line stores
to hold credit card data. Cal Slemp, IBM's Global Offering Executive for
Security Services, confirmed that break-in rate. IBM declined to name
which stores were the target of the faux break-ins. 

[IBM says 9 out of 10.. and IBM confirms 9 out of 10. Isn't
that a no-no in journalism?]

"We are successful over ninety percent of the time," Slemp said. 

"It was scary," said Erina Dubois, a analyst with Dataquest who listened
in on the IBM conference. "It's the credit card companies' dirty little

[So the Credit Card companies are to blame for third party
vendors not using security to protect THEIR client info?]

"Yikes!" exclaimed Federal Trade Commission spokesperson, who asked not to
be identified, when informed of the IBM statistics. "I don't think we know
about that around here." 

The basis for Visa's assurances of airtight security rests on the
near-invulnerability of "in flight" credit card transactions, said Visa
Vice President of Electronic Commerce Joseph Vause. "In flight" is an
industry label for credit card data in the act of being transmitted over
the Internet between a computer user and a on-line store. 

"As far as we know, there has been no in-flight credit card data stolen,"
said Vause, who said this makes on-line credit card use safer than "in
person"  transactions. 

[And what they don't know won't hur them. The fact is, they have
NO idea of what each and every vendor who takes Visa has done to
protect those transactions. Any shop can setup to take Visa and use
no encryption or other methods of protection. These claims are nothing
more than unfounded marketing hype.]

"In a restaurant, you hand your card to a waiter and they walk away with
it for a while," said Vause. "On-line, no one's looking at your card when
you're sending it to the merchant." 

[Even if this patently false statement was somehow true, it
is completely irrelevant. Attackers can look at the credit card
information after transmission, when it resides on the server.]

Vause said the torrent of data moving across the Internet at any given
moment, the practice of encrypting credit card data before transmission
and the fact that data travels over the Internet in broken up "packets" -
makes them nearly impossible to intercept. 

But once the credit card information congregates at an on-line store's
computers, it becomes vulnerable to theft, say industry experts. 

On May 21, 1997, Carlos Elipe Salgado was arrested at San Francisco
International Airport for attempting to sell 100,000 credit card numbers
to undercover FBI agents for $260,000. Those numbers, say law enforcement
officials, were hacked from various Internet commerce servers. Salgado has
pleaded guilty to charges of hacking and fraud. He was sentenced in
January to 30 months in prison (which was deferred on condition that he
attend a federal boot-camp program), according to the U.S. Attorney
General's office in San Francisco. 

The infamous hacker Kevin Mitnick is credited with stealing 20,000 credit
card numbers in one pass at a company's server. Mitnick is awaiting trial
in Los Angeles. 

And according to the on-line news service Newsbytes, a British Internet
security firm reportedly keeps a list of some 75,000 known hackers, most
of them credit card data thieves. 

[Some 'experts' claim there are only 20,000 hackers worldwide.
Even if the number is that high, the database must be full of 
*anyone* who has put *anything* hacker related up on their site.]

Overall, annual credit card fraud losses amount to a reported $1.5 billion
dollars. No industry figures are available that show the on-line share of
those losses. Though a credit card user's liability is generally limited
to $50 in the case of proven fraud, the losses to credit card issuers and
banks is eventually spread out over the entire consumer market. 

"Everyone looses because of credit card fraud," said David Medine,
associate director of financial practices for the Federal Trade

But monetary losses aren't necessarily the only toll on-line credit card
fraud takes. 

While balancing his checking account earlier this month Dr. John Faughnan,
a physician in St. Paul, Minn., discovered that his credit card had been
billed for $19.95 over five months. 

"I have a pretty busy Visa account," Faughnan said. "I didn't catch it
right away." 

The bills, as it turned out, were from an on-line pornography service. "I
don't know if those were child pornography or what," said Dr. Faughnan.
"It was pretty disturbing to find that. It was a total personal invasion
and attack." 

Dr. Faughnan says he's still fighting with his bank, the card issuer, to
have the charges removed. "They've said they'll take off two months, but
I'm still fighting for the other three." 

According to IBM's Slemp, industry studies reveal that on-line stores'
computers are three times more likely to be targeted by hackers than any
other Internet system. Slemp said hackers know credit card data
information exists on electronic commerce (or e-commerce) servers "without
a whole lot of tough thinking." 

It's a fact that keeps Web sites big and small constantly working to
tighten security. 

"We recognize that security is a big issue with on-line shoppers," said
Felicia Lindau, founder of, a San Francisco-based on-line
greeting card company that launched Wednesday. "That's just the reality of
selling on-line." 

Lindau, who has worked in marketing for and other e-commerce
Web sites, said Sparks uses double security measures to guard credit card
transactions: an encryption program on the company's side of a
computerized barrier (called a firewall), and taking orders utilizing the
industry standard SSL (Secured Socket Layer) encrypted Web page order
forms on the users side.  SSL scrambles credit card data before it travels
across the Net. "We believe we have a really tight site," said Lindau. 

At Seattle's, the pioneering Web-based book seller, security
"is the key ingredient" said spokesman Bill Curry. "It's what lets our
customers feel comfortable ordering through us." 

Curry said the company uses state-of-the-art encryption software
throughout the site to protect credit card data. The bookseller also
offers an "iron clad guarantee" that promises to reimburse a user for the
$50 uncovered liability for any credit card abuse. 

Curry said that, to date, none of the 4.5 million Amazon customers have
made a claim. 

Though security has been a rallying cry for the on-line commerce world,
Slemp says he continues to see credit card-fueled Web sites going up with
some fundamental flaws. Chief among them: using the out-of-the-box
settings for Web security software. 

"(Hackers) know where system administrators normally make mistakes," said
Slemp. "This is a big one." 

While concerned, federal regulators say consumer protection laws buffer
the effects of credit card theft for on-line shoppers. 

"I don't think that (the IBM study) should deter consumers from shopping
on the net," said David Medine, associate director of financial practices
for the Federal Trade Commission. Medine says the federally-mandated $50
dollar user liability limit on fraudulent credit card transactions makes
credit card usage "still the best method" for shopping, on-line or off. 

But, said Medine, the IBM statistics "should serve as a wake up call for
sites to be much more careful."