Placing the Blame

As I type this article, there is a significant effort under way to track down two individuals. Both "Maxus" and "Curador" are wanted by several law enforcement agencies, most notably the Federal Bureau of Investigation (FBI). Each person has committed a crime involving unauthorized computer access. Unlike many 'hacker' cases, the media has grabbed hold of these two stories because of the nature of the crimes. Most computer intruders silently break into large companies or deface government and military web pages. In these two cases, each has surreptitiously copied large credit card databases from commercial sites and posted pieces of the information to public web sites.

Each vandal has found a vulnerability in a major online site that handles financial transactions via customer credit cards. Online shoppers browse their virtual stores in search of good deals, enjoying the convenience of not leaving their home. As shoppers find what they are looking for, each takes the time to send in their credit card number, billing address and other personal information. The mechanism that carries this sensitive information from desktop to virtual store is almost always secure. Protected by casual encryption, it prevents would-be snoopers from seeing the information as it passes from one point to another in its travel to the store.

The real threat to your personal information comes after it has landed on the remote server. Once outside of the protected layer between desktop browser and remote web server, the information must be stored somewhere. A surprising number of these virtual stores are not aware of the 'hacker' threat, or choose to ignore it. This is seen on a daily basis as site after site is compromised and their web pages defaced. Ignoring this threat often leads to little or no protection of the sensitive data. Huge databases of personal credit information and private billing data are collected, and left in plain text format on the remote server. The first intruder gaining illicit access to the company's server can read everything, just as fast as their modem can download it.

"Maxus" and "Curador" have done just that in recent weeks. Shortly after compromising these systems, each has turned to free web space providers like Geocities, Tripod and AntiOnline to post web pages that include thousands of these compromised credit cards. Their message? Essentially "Secure your sites, I've proven I hacked you." Law enforcement and media outlets picked up on these events as they usually do. The problem is that each seems to have lost sight of where to place blame, and who is really guilty.

If you were to walk up to an ATM machine and find that with a few extra buttons you could display the account information for any bank customer, would you be surprised? Would you consider yourself a criminal for your actions? What if you posted an anonymous note next to the ATM for everyone to read, explaining what you had discovered and demanding that the bank take action? The FBI and the press would condemn you for your actions. If they stuck to the same principles for reporting the actions of "Maxus" and "Curador", they would brand you a dangerous criminal guilty of millions of dollars of damage. Meanwhile the bank you exploited would cry to the FBI that they were under attack by unscrupulous individuals hellbent on hurting their institution.

I think it is safe to say that the ATM example would be treated quite differently. An FBI-driven manhunt would not be underway to find you, and the media would not be intent on discovering your identity. Yet in the virtual world, that is the primary focus of their attention. The disparity in response to virtual versus real world crime is not new by any means. Looking beyond the response to such crimes, one has to wonder why these vulnerable online sites are not held accountable for their negligent actions. By storing the sensitive information on vulnerable servers, without using any sort of encryption or protection, they are often making it so any casual Internet user can view it. In some cases, these vulnerabilities are nothing more than supplying the wrong information to the site.

Vulnerable online sites are costing credit card companies and citizens a considerable amount of money as well as being responsible for many a headache. I have no doubt that current damage estimates for these two incidents will climb into the millions of dollars. Despite this, there are no public outcries condemning these sites for their actions. There are few laws in place to protect the consumers doing business with these companies. There are no fines or penalties imposed on the negligent sites, and no guarantees they will fix the problems once the 'hacker' is caught.

Due to the slow pace of creating and passing new laws to protect consumers, we must turn to another mechanism in holding these companies responsible. The obvious solution to this problem is for the large credit card agencies like Visa, Mastercard and American Express to quit doing business with negligent companies. By cutting off a major revenue source, this would force companies to maintain secure web sites and better protect consumer privacy. The real incentive for such action is the prevention of similar incidents in the future. Having to change thousands of credit card numbers, deal with any resulting fraud, and loss of public confidence is a high price to pay.

While the need to punish those who publish private information exists, the real culprit in many of these cases gets to move on without so much as a stern lecture. In their quest for profit, they are willing to step on the customers and their privacy if needed. Until some form of accountability is placed on these companies, they will continue to get away with what should be a serious crime.

Brian Martin
Copyright 2000