Placing the Blame
As I type this article, there is a significant effort under way to track
down two individuals. Both "Maxus" and "Curador" are wanted by several
law enforcement agencies, most notably the Federal Bureau of Investigation
(FBI). Each person has committed a crime involving unauthorized
computer access. Unlike many 'hacker' cases, the media has grabbed hold
of these two stories because of the nature of the crimes. Most computer
intruders silently break into large companies or deface government and
military web pages. In these two cases, each has surrepticiously copied
large credit card databases from commercial sites and posted pieces of
the information to public web sites.
Each vandal has found a vulnerability in a major online site that handles
financial transactions via customer credit cards. Online shoppers browse
their virtual stores in search of good deals, enjoying the convenience
of not leaving their home. As shoppers find what they are looking for,
each takes the time to send in their credit card number, billing address
and other personal information. The mechanism that carries this sensitive
information from desktop to virtual store is almost always secure. Protected
by casual encryption, it prevents would-be snoopers from seeing the
information as it passes from one point to another in its travel to the
The real threat to your personal information comes after it has landed
on the remote server. Once outside of the protected layer between
desktop browser and remote web server, the information must be stored
somewhere. A surprising number of these virtual stores are not aware of
the 'hacker' threat, or choose to ignore it. This is seen on a daily basis
as site after site is compromised and their web pages
Ignoring this threat often leads to little or no protection of the
sensitive data. Huge databases of personal credit information and private
billing data are collected, and left in plain text format on the remote
server. The first intruder gaining illicit access to the company's server
can read everything, just as fast as their modem can download it.
"Maxus" and "Curador" have done just that in recent weeks. Shortly after
compromising these systems, each has turned to free web space providers
AntiOnline to post web pages that
include thousands of these compromised credit cards. Their message? Essentially
"Secure your sites, I've proven I hacked you." Law enforcement and
picked up on these events as they usually do. The problem is that each
seem to have lost focus of where to place blame, and who is really guilty.
If you were to walk up to an ATM machine and find that with a few
extra buttons you could display the account information for any
bank customer, would you be surprised? Would you consider yourself
a criminal for your actions? What if you posted an anonymous note next
to the ATM for everyone to read, explaining what you had discovered and
demanded that the bank take action? The FBI and the press would
condemn you for your actions. If they
stuck to the same principals for reporting the actions of "Maxus"
and "Curador", they would brand you a dangerous criminal guilty of
millions of dollars of damage. Meanwhile the bank you exploited would
cry to the FBI that they were under attack by unscrupulous individuals
hellbent on hurting their institution.
I think it is safe to say that the ATM example would be treated
quite differently. An FBI driven manhunt would not be underway to find you,
the media would not be intent on discovering your identity. Yet in the
virtual world, that is the primary focus of their attention. The
disparity in response to
virtual verse real world crime
is not new by any means. Looking beyond the response to such crimes, one
has to wonder why these vulnerable online sites are not held accountable
for their negligent actions. By storing the sensitive information
on vulnerable servers, without using any sort of encryption or protection,
they are often making it so any casual Internet user can view it. In some
cases, these vulnerabilities are nothing more than supplying the wrong
information to the site.
Vulnerable online sites are costing credit card companies and
citizens a considerable amount of money as well as being responsible
for many a headache.
I have no doubt that current damage estimates for these two incidents will climb
into the millions of dollars. Despite this, there are no public outcries
condeming these sites for their actions. There are few laws in place
to protect the consumers doing business with these companies. There
are no fines or penalties imposed on the negligent sites, and no guarantees
they will fix the problems once the 'hacker' is caught.
Due to the slow pace of creating and passing new laws to protect consumers,
we must turn to another mechanism in holding these companies responsible.
The obvious solution to this problem is for the large credit card agencies
like Visa, Mastercard and American Express to quit doing business with
negligent companies. By cutting off a major revenue source, this would force
companies to maintain secure web sites and better protect consumer privacy.
The real incentive for such action is the prevention of similar incidents
in the future. Having to change thousands of credit card numbers, deal
with any resulting fraud, and loss of public confidence is a high price
While the need to punish those who publish private information exists,
the real culprit in many of these cases gets to move on without so much
as a stern lecture. In their quest for profit, they are willing to
step on the customers and their privacy if needed. Until some form
of accountability is placed on these companies, they will continue
to get away with what should be a serious crime.
Brian Martin (firstname.lastname@example.org)