Thursday, March 29, 2007

They've Got Your Number - credit card theft - Industry Trend or Event

FRAUD: The bad guys want your customers' credit card information. But there are things you can do to tighten security on your site.

It was an e-retailer's nightmare. When Bibliofind, an Amazon.com-owned online shop that hooks up buyers with used-book sellers, was hacked this past February, the proprietors thought only their homepage had been defaced. Then the company looked at its server logs. It found that a rogue had been accessing customer data files since the previous October, exposing the credit card numbers of 98,000 Bibliofind buyers.

While e-commerce sites publicly pooh-pooh the threat of credit card theft, it's a real and far-reaching problem. A recent report by the San Francisco-based Computer Security Institute found that 85 percent of e-commerce and government sites polled experienced a security breach in the past year. Thirteen percent reported that customers' credit card numbers were rendered accessible.

The reality is that "no system is 100 percent secure," says Chris Wysopal, director of research and development for online-security firm @stake. But you can minimize the threat of theft by taking a few precautions.

Hackers usually break into sites through holes in Web server software. Hundreds of these holes are discovered every year. To keep track of them, many sites use e-mail lists like Bugtraq. That's where, for example, you would have learned about the 32nd hole discovered in Microsoft's Windows 2000 Internet Information Server. Technically known as a "critical buffer overflow problem," the Windows design flaw could let a malicious hacker take control of an entire Web server.

Once hackers break into your Web server, they can satisfy themselves simply by fiddling with your homepage. To do real damage -- to steal credit card numbers, for instance -- they have to get beyond the Web server and into the box that houses your customer database. Assuming your IT department is on the ball, that means breaking through a firewall. There is a raft of hardware and software tools -- Check Point Firewall-1, Cisco PIX, PGP Gauntlet and Symantec Raptor are a few examples -- that protect your network by admitting only approved users and applications.

But there's a chink in this armor: Firewalls on e-commerce sites must be configured to admit data traffic from your Web server. If they weren't, none of the transactions from that server could get through to your site's back end. So if a hacker finds a hole that lets him control your Web server, he could also get through your firewall.
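The gap described above comes from how the rule admitting the Web server is written. The following added example (not from the original article) models two firewall policies with a first-match, default-deny evaluator and compares what each lets the Web server reach on the internal network; the addresses, ports and policies are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    port: Optional[int]    # None means any destination port
    action: str            # "allow" or "deny"

def decide(rules, src_ip, dst_ip, port):
    """First matching rule wins; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

# Constructed hosts: the Web server sits in a DMZ, the database and an
# administrative host on the internal network behind the firewall.
WEB, DB, ADMIN = "10.0.1.10", "10.0.2.20", "10.0.2.30"

# Weak policy: "admit data traffic from the Web server" taken literally,
# so a compromised Web server can talk to every internal host and port.
PERMISSIVE = [Rule("10.0.1.10/32", "10.0.2.0/24", None, "allow")]

# Least-privilege policy: only the one flow the shop front actually needs
# (Web server to the database service port), everything else from the DMZ denied.
RESTRICTED = [
    Rule("10.0.1.10/32", "10.0.2.20/32", 3306, "allow"),  # web -> db, DB port only
    Rule("10.0.1.0/24", "10.0.2.0/24", None, "deny"),      # any other DMZ -> internal
]

# Flows to check: the legitimate one plus two that only an intruder on the
# Web server would have a reason to open.
FLOWS = {
    "web->db:3306": (WEB, DB, 3306),
    "web->db:22": (WEB, DB, 22),
    "web->admin:445": (WEB, ADMIN, 445),
}

def evaluate(rules):
    """Map each named flow to the policy's verdict."""
    return {name: decide(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, evaluate(policy))
```

Under the permissive policy all three flows are allowed, so a foothold on the Web server is a foothold on the database host; under the restricted policy only the database service port is reachable and the rest is denied, which is also where an intrusion-detection system would see the blocked attempts.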

That's why your site should encrypt sensitive data. The simplest way is by configuring your Web server to use the secure sockets layer, or SSL. (If your IT people don't know how to do this, get some new IT people.) SSL encrypts incoming and outgoing data streams, hiding them from hackers who've penetrated your Web server or who are simply sniffing at data traffic from your ISP or Web hosting service.

You might also consider encrypting your customer database using specialized hardware or software. But that, says Ric Steinberger, technical director at Security Portal, a security news site, is "like putting an extra fence around Fort Knox." If your OS is patched, you've got a good firewall and you're using SSL, that should be enough to stop most hacks.

Unfortunately, few sites bother to implement all these precautions. That's why hackers are usually caught after the fact, when system operators have had a chance to notice unusual activity in network logs. Companies like Cisco, ISS and NFR all make intrusion detection software - priced anywhere from $2,000 to $25,000 - to alert you if anything odd happens.

If your customer data is compromised, you have little choice but to admit it as quickly as possible. That's what Bibliofind did. The company took the site down and sent e-mail to customers whose cards had been exposed. Sure, it was a public relations nightmare. But at that point, there's not much else you can do.
