Web Security-Mostly Virtual
In issue 97:06:03 (The State of Web Commerce) we focused on the
reality that shopping on the Internet could be equated with walking
through Central Park after dark with cash hanging from your pockets
and wearing a "Statue of Liberty" T-shirt.
Things haven't changed lately. Over the Independence Day holiday,
more than 2,000 World Wide Web surfers were notified by anonymous
e-mail that their credit card numbers had been accessed. The message
specifically stated, "This is one of the worst implementations of
security we've seen."
The violated sites were ESPN Sportzone and NBA.com. While none of
the cards had been used, the consumers were advised to call their
credit card company. The operator of the site, Starwave, put the
blame on PRO TEAM, which processed the on-line orders for Starwave. PRO
TEAM claims that someone at their company used a company password to
view the orders after they went on-line, that it was not a sophisticated
hacker, and that procedures have been implemented to prevent a similar
occurrence in the future.
Another incident is a little scarier. The Wall Street Journal
reports that an ex-computer hacker was testing the security of
an Internet service provider called the Dorsai Embassy. He asked the
computer to offer up the system's newsgroup users' passwords and
forward them to his e-mail. The message was broadcast throughout the
Internet, not just to the newsgroups, and he received the passwords
of users from all over the globe.
We tend to think of security breaches as top secret missions
accomplished by sophisticated technical geniuses holed away in
laboratories with mathematical equations scrawled on a chalkboard.
The ultimate goal of these computer wizards was stealing identities.
But, in reality, it is more often errors in programs or hacking by
"regular" citizens that cause security breaches.
For example, USA Today recently reported that five
Minnesota teens cracked the encryption of an Internet shopping site
and made off with 20-25 credit card numbers. They then purchased
thousands of dollars' worth of merchandise. But, while they were smart
enough to crack the code, they weren't smart enough to realize they
could be traced through the statements. Not exactly geniuses.
Another example is the Experian credit report debacle. Experian,
one of the country's leading credit bureaus, was offering credit reports
on-line for $8. But, after only 48 hours, they had to disable the
site because information requested by one party was being transmitted
to another party. A company spokesman said the misdirected reports
were the result of a technical breakdown, not a security breach.
Again, no grand conspiracy.
Regardless of the cause of compromised data and security breaches,
the fact that sites are not as safe as they should be adds fuel to
the findings that checks may be the best long-term alternative for
Internet transactions. Remember, only one-half of one percent of all
Web sites are truly secure. Stay tuned for an upcoming Green Sheet
story on Internet Checks.