Learn to Forget
By Seth Ross
Last December 22, Internet retailer Egghead.com made an alarming
announcement. Someone or some group had broken into their network
and accessed stored credit card records for 3.7 million customers.
If you live or die by online sales, here's
a note that you NEVER want to send out:
Egghead.com has discovered that a hacker has accessed our computer
systems, potentially including our customer databases. As a precautionary
measure, we have taken immediate steps to protect our customers
by contacting the credit card companies we work with. They are in
the process of alerting card issuers and banks so that they can
take the necessary steps to ensure the security of cardholders who
may be affected.
This isn't the first report of intruders stealing credit card information
from an ecommerce company. It doesn't seem to matter how many times
companies get burned: they keep on storing customer
credit information where bad actors can access it.
The security of credit card numbers has been an albatross for the
Internet industry since the first merchants started accepting credit
cards back in 1994. As soon as credit-accepting systems went up,
the fear that eavesdroppers could steal card numbers during transmission
spread like wildfire. The industry responded by embracing an inexpensive
and reasonably effective standard for encrypting web browser sessions:
Secure Sockets Layer (SSL).
SSL is a solid security technology. But it's the right solution
to the wrong problem. Credit card information is far more at risk
while stored than while in transmission. Think about it from the
attacker's point of view. You could risk detection by eavesdropping
on the line and laboriously picking up one credit card number after
another as they're sent. Or you could break into Egghead's system,
scoop up millions in one fell swoop, and run.
The best way to avoid this threat is to not store the credit card
numbers in the first place. Ecommerce companies have been extremely
aggressive in collecting and storing information about their customers
whether their customers consent or not. While storing a credit
card number for a future transaction may save the customer a few
seconds, is the minor convenience worth the liability and risk of
Internet retailers should learn to forget. Instead of retaining
every bit of data on every customer, they need to keep clean and
orderly data warehouses that only store low-risk and absolutely
necessary customer information. Once the transaction is completed,
they should purge the sensitive info and securely store the rest.
Not only will observing this basic protocol protect customer security
and privacy, but it will protect merchants from extremely damaging
blows to their reputation.
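As an added example, not part of the article, here is a small Python model of "learning to forget": complete_transaction purges the card number and CVV once the charge has settled, keeping only the last four digits, and find_retained_pans is the audit check that scans stored records for anything still shaped like a full card number (a 13 to 19 digit run that passes the Luhn check, so order ids and phone numbers are not flagged). The sample orders and the test card numbers in them are constructed.

```python
import re

PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate full card numbers (PANs)

# Constructed sample orders using well-known test card numbers, not real accounts.
SAMPLE_ORDERS = [
    {"order_id": "1234567890123", "card_number": "4111111111111111",
     "cvv": "123", "amount": "49.99"},
    {"order_id": "1234567890124", "card_number": "5500000000000004",
     "cvv": "456", "amount": "12.00"},
]

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates card numbers from order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def complete_transaction(order: dict) -> dict:
    """Once the charge has settled, forget the PAN and CVV; keep only what a
    receipt or chargeback needs (last four digits, amount, order id)."""
    pan = order.pop("card_number")
    order.pop("cvv", None)          # the CVV must never be written to storage
    order["card_last4"] = pan[-4:]
    order["settled"] = True
    return order

def find_retained_pans(records: list[dict]) -> list[tuple[int, str]]:
    """Audit check over stored records: flag every string field that still
    contains a Luhn-valid 13-19 digit run. Returns (record index, field)."""
    hits = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if isinstance(value, str):
                if any(luhn_valid(m.group()) for m in PAN_RE.finditer(value)):
                    hits.append((idx, key))
    return hits

def demo() -> tuple[int, int]:
    """Run the audit before and after purging the constructed orders."""
    orders = [dict(o) for o in SAMPLE_ORDERS]
    before = len(find_retained_pans(orders))
    orders = [complete_transaction(o) for o in orders]
    after = len(find_retained_pans(orders))
    return before, after   # (2, 0): the PANs are gone once settled

if __name__ == "__main__":
    print(demo())
```

Running the audit periodically over the real data store is the check that tells you whether the purge policy is actually being followed, not just written down.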
A couple of weeks after its initial disclosure, Egghead.com put
out a release that said, essentially, "Nobody got the credit card
numbers." Supposedly, only 7,500 credit card accounts showed fraudulent
activity during the time period in question, a number within the
expected range. According to the company:
Our internal investigation, led by Kroll Associates, has uncovered
evidence which suggests that Egghead.com's existing security systems
interrupted this intrusion while it was in progress. Moreover, reports
from the credit card companies we work with suggest that fewer than
7,500 credit card accounts that appear in our system have shown
suspected fraudulent activity. This number represents only about
two-tenths of one percent of the approximately three million credit
card numbers in our database at the time of the attack. It is possible
that this activity may be related to credit card theft elsewhere.
The evidence Kroll Associates and our team have gathered to date
suggests that neither these, nor any other credit card numbers,
were obtained from our site.
The wording of this statement is strange. If existing security
systems interrupted the intrusion, why did it take Egghead.com two
weeks to figure that out? While there might be clear evidence if
the credit card numbers were stolen, how can Kroll or Egghead.com
know for sure that they were NOT stolen? Maybe the thieves are lying
low for a while. Given the weasel language at work here, it's hard
to know which is more damaging to Egghead.com: the original announcement
or the cryptic retraction.
A disgruntled Egghead.com customer summarized
the situation quite nicely on ZDNet: "Any company that's going
to do something as stupid as maintain a credit card online on a
vulnerable server that long after the transaction, I have no reason
to trust them at all. That goes against every industry best practice
that's out there."