Wednesday, July 12, 2006
They've Got Your Number - credit card theft - Industry Trend or Event
FRAUD: The bad guys want your customers' credit card information. But there are things you can do to tighten security on your site.
It was an e-retailer's nightmare. When Bibliofind, an Amazon.com-owned online shop that hooks up buyers with used-book sellers, was hacked this past February, the proprietors thought only their homepage had been defaced. Then the company looked at its server logs. It found that a rogue had been accessing customer data files since the previous October, exposing the credit card numbers of 98,000 Bibliofind buyers.
While e-commerce sites publicly pooh-pooh the threat of credit card theft, it's a real and far-reaching problem. A recent report by the San Francisco-based Computer Security Institute found that 85 percent of e-commerce and government sites polled experienced a security breach in the past year. Thirteen percent reported that customers' credit card numbers were rendered accessible.
The reality is that "no system is 100 percent secure," says Chris Wysopal, director of research and development.
Hackers usually break into sites through holes in Web server software. Hundreds of these holes are discovered every year. To keep track of them, many sites use e-mail lists like Bugtraq. That's where, for example, you would have learned about the 32nd hole discovered in Microsoft's Windows 2000 Internet Information Server. Technically known as a "critical buffer overflow problem," the Windows design flaw could let a malicious hacker take control of an entire Web server.
Once hackers break into your Web server, they can satisfy themselves simply by fiddling with your homepage. To do real damage -- to steal credit card numbers, for instance -- they have to get beyond the Web server and into the box that houses your customer database. Assuming your IT department is on the ball, that means breaking through a firewall. There is a raft of hardware and software tools -- Check Point Firewall-1, Cisco PIX, PGP Gauntlet and Symantec Raptor are a few examples -- that protect your network by admitting only approved users and applications.
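The segmentation the article describes, a firewall between the Web tier and the box holding the customer database that admits only approved traffic, is easier to reason about as an explicit default-deny policy. The following is an added example written for this post, not code from the article or from any of the products it names: a small policy evaluator run over constructed connection records. All hostnames, addresses, ports and rule comments are made-up assumptions. It shows two things the paragraph only implies: a compromised Web server still reaches nothing in the database segment except the one database port, and every denied attempt is a log event worth reviewing, which is how Bibliofind eventually noticed its intruder.

```python
"""Default-deny segmentation policy between a Web tier and a database segment,
checked against constructed connection records.

Added example, not from the article. Every address, port and rule below is a
made-up assumption chosen to illustrate the policy shape, not a real network.
"""

from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address of the connection attempt
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    src_net: str  # CIDR the connection must originate from
    dst_net: str  # CIDR the connection must be going to
    dport: int
    proto: str
    comment: str  # why this hole in the firewall exists

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
            and flow.dport == self.dport
            and flow.proto == self.proto
        )


# Allowlist guarding the database segment (constructed). Anything not listed is dropped.
# The Web tier gets exactly one path: the database port on the one database host.
DB_SEGMENT_RULES = [
    Rule("10.0.1.0/24", "10.0.2.10/32", 3306, "tcp", "web tier -> customer DB (MySQL)"),
    Rule("10.0.9.5/32", "10.0.2.0/24", 22, "tcp", "jump host -> DB segment admin SSH"),
]


def evaluate(flow: Flow, rules=DB_SEGMENT_RULES):
    """Return ("allow", comment) for the first matching rule, else ("deny", "default deny")."""
    for rule in rules:
        if rule.matches(flow):
            return "allow", rule.comment
    return "deny", "default deny"


def audit(flows, rules=DB_SEGMENT_RULES):
    """Apply the policy to a batch of flows and return the denied ones.

    Denied flows are the detection signal: a Web server that is only supposed to
    speak MySQL suddenly trying SSH or other hosts is the post-compromise movement
    the article describes, and it should be reviewed promptly, not months later.
    """
    return [flow for flow in flows if evaluate(flow, rules)[0] == "deny"]


# Constructed sample connection attempts as a firewall might log them.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.10", 3306, "tcp"),     # normal Web -> DB query: allowed
    Flow("10.0.1.20", "10.0.2.10", 22, "tcp"),       # Web server trying SSH to DB host: denied
    Flow("10.0.1.20", "10.0.2.11", 3306, "tcp"),     # Web server probing another DB host: denied
    Flow("198.51.100.7", "10.0.2.10", 3306, "tcp"),  # Internet host straight to the DB: denied
    Flow("10.0.9.5", "10.0.2.10", 22, "tcp"),        # admin from the jump host: allowed
]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, why = evaluate(flow)
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {verdict} ({why})")
    print(f"{len(audit(SAMPLE_FLOWS))} denied attempt(s) to review")
```

The shape matters more than the syntax: a real Firewall-1 or PIX rule base does the same thing with vendor configuration, but the evaluation order (first match wins, then an implicit deny) and the habit of reviewing the denied entries are what turn the firewall from a box that was bought into a control that was checked.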