Source: http://www.sfgate.com/cgi-bin/article.cgi?file=/examiner/archive/1998/12/13/BUSINESS1342.dtl

Card games on the Web
Matt Beer, EXAMINER TECHNOLOGY WRITER
Dec. 13, 1998

New study says 90 percent of on-line stores are vulnerable to hack attacks

EARLY THIS fall, over fresh-squeezed orange juice and warm croissants at the posh Park Hyatt Hotel in downtown San Francisco, Visa USA officials conducted a series of meetings with technology reporters to get out their message that credit card transactions are as safe - even safer - on the Internet than in the real world.

Those meetings were part of Visa's multi-million dollar TV and print advertising campaign urging card holders to do their holiday shopping over their home computers. Currently, on-line credit card purchases account for only one percent of the company's $585 billion in transactions.

Visa, along with other credit card companies and countless merchants, has been pushing on-line commerce hard this holiday season. According to Visa spokesman Greg Jones, the credit card company wants to have two out of every three Visa card holders conducting on-line buying by 2002. Visa, and other credit companies, are eyeing the on-line world as a fertile credit card market.

"You can't put a five dollar bill in the A drive of your computer," said Jones. "But you can use a credit card. It's the next logical extension of our existing business."

The push seems to be working: Jupiter Communications, a New York-based Internet research firm, predicts that worldwide Internet credit card spending will reach $2.3 billion this holiday season, up from $1.1 billion last year.

But not included in credit card company information packets is another number, revealed at a confidential Dec. 4 conference call meeting of Internet industry analysts, sponsored by IBM's Global Services division.
At that meeting, IBM officials disclosed that their own band of "ethical hackers" - salaried computer break-in specialists - successfully broke into nine out of ten computers (known as servers) used by on-line stores to hold credit card data. Cal Slemp, IBM's Global Offering Executive for Security Services, confirmed that break-in rate. IBM declined to name which stores were the target of the faux break-ins.

[IBM says 9 out of 10... and IBM confirms 9 out of 10. Isn't that a no-no in journalism?]

"We are successful over ninety percent of the time," Slemp said.

"It was scary," said Erina Dubois, an analyst with Dataquest who listened in on the IBM conference. "It's the credit card companies' dirty little secret."

[So the Credit Card companies are to blame for third party vendors not using security to protect THEIR client info?]

"Yikes!" exclaimed a Federal Trade Commission spokesperson, who asked not to be identified, when informed of the IBM statistics. "I don't think we know about that around here."

The basis for Visa's assurances of airtight security rests on the near-invulnerability of "in flight" credit card transactions, said Visa Vice President of Electronic Commerce Joseph Vause. "In flight" is an industry label for credit card data in the act of being transmitted over the Internet between a computer user and an on-line store.

"As far as we know, there has been no in-flight credit card data stolen," said Vause, who said this makes on-line credit card use safer than "in person" transactions.

[And what they don't know won't hurt them. The fact is, they have NO idea of what each and every vendor who takes Visa has done to protect those transactions. Any shop can set up to take Visa and use no encryption or other methods of protection. These claims are nothing more than unfounded marketing hype.]

"In a restaurant, you hand your card to a waiter and they walk away with it for a while," said Vause.
"On-line, no one's looking at your card when you're sending it to the merchant."

[Even if this patently false statement was somehow true, it is completely irrelevant. Attackers can look at the credit card information after transmission, when it resides on the server.]

Vause said the torrent of data moving across the Internet at any given moment, the practice of encrypting credit card data before transmission and the fact that data travels over the Internet in broken-up "packets" make it nearly impossible to intercept.

But once the credit card information congregates at an on-line store's computers, it becomes vulnerable to theft, say industry experts.

On May 21, 1997, Carlos Elipe Salgado was arrested at San Francisco International Airport for attempting to sell 100,000 credit card numbers to undercover FBI agents for $260,000. Those numbers, say law enforcement officials, were hacked from various Internet commerce servers. Salgado has pleaded guilty to charges of hacking and fraud. He was sentenced in January to 30 months in prison (which was deferred on condition that he attend a federal boot-camp program), according to the U.S. Attorney General's office in San Francisco.

The infamous hacker Kevin Mitnick is credited with stealing 20,000 credit card numbers in one pass at a company's server. Mitnick is awaiting trial in Los Angeles.

And according to the on-line news service Newsbytes, a British Internet security firm reportedly keeps a list of some 75,000 known hackers, most of them credit card data thieves.

[Some 'experts' claim there are only 20,000 hackers worldwide. Even if the number is that high, the database must be full of *anyone* who has put *anything* hacker related up on their site.]

Overall, annual credit card fraud losses amount to a reported $1.5 billion. No industry figures are available that show the on-line share of those losses.
Though a credit card user's liability is generally limited to $50 in the case of proven fraud, the losses to credit card issuers and banks are eventually spread out over the entire consumer market.

"Everyone loses because of credit card fraud," said David Medine, associate director of financial practices for the Federal Trade Commission.

But monetary losses aren't necessarily the only toll on-line credit card fraud takes. While balancing his checking account earlier this month, Dr. John Faughnan, a physician in St. Paul, Minn., discovered that his credit card had been billed for $19.95 over five months.

"I have a pretty busy Visa account," Faughnan said. "I didn't catch it right away."

The bills, as it turned out, were from an on-line pornography service.

"I don't know if those were child pornography or what," said Dr. Faughnan. "It was pretty disturbing to find that. It was a total personal invasion and attack."

Dr. Faughnan says he's still fighting with his bank, the card issuer, to have the charges removed. "They've said they'll take off two months, but I'm still fighting for the other three."

According to IBM's Slemp, industry studies reveal that on-line stores' computers are three times more likely to be targeted by hackers than any other Internet system. Slemp said hackers know credit card information exists on electronic commerce (or e-commerce) servers "without a whole lot of tough thinking."

It's a fact that keeps Web sites big and small constantly working to tighten security.

"We recognize that security is a big issue with on-line shoppers," said Felicia Lindau, founder of Sparks.com, a San Francisco-based on-line greeting card company that launched Wednesday. "That's just the reality of selling on-line."
Lindau, who has worked in marketing for Amazon.com and other e-commerce Web sites, said Sparks uses two layers of security to guard credit card transactions: an encryption program on the company's side of a computerized barrier (called a firewall), and taking orders through the industry-standard SSL (Secure Sockets Layer) encrypted Web page order forms on the user's side. SSL scrambles credit card data before it travels across the Net.

"We believe we have a really tight site," said Lindau.

At Seattle's Amazon.com, the pioneering Web-based book seller, security "is the key ingredient," said spokesman Bill Curry. "It's what lets our customers feel comfortable ordering through us."

Curry said the company uses state-of-the-art encryption software throughout the site to protect credit card data. The bookseller also offers an "iron clad guarantee" that promises to reimburse a user for the $50 uncovered liability for any credit card abuse. Curry said that, to date, none of the 4.5 million Amazon customers have made a claim.

Though security has been a rallying cry for the on-line commerce world, Slemp says he continues to see credit card-fueled Web sites going up with some fundamental flaws. Chief among them: using the out-of-the-box settings for Web security software.

"(Hackers) know where system administrators normally make mistakes," said Slemp. "This is a big one."

While concerned, federal regulators say consumer protection laws buffer the effects of credit card theft for on-line shoppers.

"I don't think that (the IBM study) should deter consumers from shopping on the net," said David Medine, associate director of financial practices for the Federal Trade Commission. Medine says the federally mandated $50 user liability limit on fraudulent credit card transactions makes credit card usage "still the best method" for shopping, on-line or off.

But, said Medine, the IBM statistics "should serve as a wake up call for sites to be much more careful."
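The article's central point is that SSL protects card data in flight, while the theft happens where the data comes to rest on the merchant's server. The following added example (not code from the Examiner, from IBM, or from any merchant named above) makes that distinction concrete in Python: once the SSL session ends, the server holds the card number in the clear, and a naive order record writes it to disk as received. The hardened record keeps only a masked number and a keyed, non-reversible reference, on the assumption (a design choice of this example, not something the article states) that the full number is forwarded to the payment processor and not retained. A small audit check then scans stored records for card-number-shaped digit runs, the kind of check a merchant could run over its own order store. The order data and the key are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample: what the merchant's server holds after the SSL
# session has been decrypted. The card number is in the clear here.
SAMPLE_ORDER = {
    "order_id": 1001,
    "pan": "4111111111111111",   # constructed test number, not a real card
    "exp": "12/99",
    "amount": "19.95",
}

# Constructed key; in a real deployment it would live outside the order
# store (e.g. on the encryption host behind the firewall the article mentions).
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def store_plaintext(order):
    """Naive record: persists the order, full card number included, exactly
    as it arrived. Anyone who reads the store reads the card."""
    return json.dumps(order)


def mask_pan(pan):
    """Keep only the last four digits, which is all a receipt or support
    screen needs to identify the card to the customer."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_reference(pan, key):
    """Keyed hash of the number: stable for repeat-customer and duplicate
    checks, but not reversible to the number without the key and a guess.
    Base64url keeps the encoding free of long decimal runs."""
    digest = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def store_hardened(order, key):
    """Hardened record: the full card number is never written to the store.
    Assumes the number was already passed on to the processor for
    authorization, so the merchant has no further need to hold it."""
    record = {k: v for k, v in order.items() if k != "pan"}
    record["pan_masked"] = mask_pan(order["pan"])
    record["pan_ref"] = pan_reference(order["pan"], key)
    return json.dumps(record)


# A run of 13 to 16 digits not embedded in a longer digit run: the shape of a
# card number. Order ids and amounts in the sample are far shorter.
PAN_RE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")


def find_plaintext_pans(records):
    """Audit check: return the indexes of stored records that still contain
    a card-number-shaped digit run, i.e. an unmasked number at rest."""
    return [i for i, rec in enumerate(records) if PAN_RE.search(rec)]


if __name__ == "__main__":
    naive = store_plaintext(SAMPLE_ORDER)
    hardened = store_hardened(SAMPLE_ORDER, SAMPLE_KEY)
    print("naive record:   ", naive)
    print("hardened record:", hardened)
    print("records exposing a card number:", find_plaintext_pans([naive, hardened]))
```

Running the script prints both records and reports that only the naive one exposes a card number. The audit regex is deliberately simple and will also flag any other 13-to-16-digit run, so on a real store it is a starting point for review rather than a verdict.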