Securius Newsletter

February 5, 2001
Volume 2, Number 1

Learn to Forget
broken eggs

By Seth Ross

Last December 22, Internet retailer Egghead made an alarming announcement. Someone or some group had broken into their network and accessed stored credit card records for 3.7 million customers.

If you live or die by online sales, here's a note that you NEVER want to send out:

Egghead has discovered that a hacker has accessed our computer systems, potentially including our customer databases. As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit card companies we work with. They are in the process of alerting card issuers and banks so that they can take the necessary steps to ensure the security of cardholders who may be affected.

This isn't the first report of intruders stealing credit card information from an ecommerce company. It doesn't seem to matter how many times companies get burned: they keep on storing customer credit information where bad actors can access it.

The security of credit card numbers has been an albatross for the Internet industry since the first merchants started accepting credit cards back in 1994. As soon as credit-accepting systems went up, the idea that eavesdroppers could steal card numbers during transmission spread like wildfire. The industry responded by embracing an inexpensive and reasonably effective standard for encrypting web browser sessions: Secure Sockets Layer (SSL).

SSL is a solid security technology. But it's the right solution to the wrong problem. Credit card information is far more at risk while stored than while in transmission. Think about it from the attacker's point of view. You could risk detection by eavesdropping on the line and laboriously picking up one credit card number after another as they're sent. Or you could break into Egghead's system, scoop up millions in one fell swoop, and run.

The best way to avoid this threat is to not store the credit card numbers in the first place. Ecommerce companies have been extremely aggressive in collecting and storing information about their customers — whether their customers consent or not. While storing a credit card number for a future transaction may save the customer a few seconds, is the minor convenience worth the liability and risk of theft?

Internet retailers should learn to forget. Instead of retaining every bit of data on every customer, they need to keep clean and orderly data warehouses that only store low-risk and absolutely necessary customer information. Once the transaction is completed, they should purge the sensitive info and securely store the rest. Not only will observing this basic protocol protect customer security and privacy, but it will protect merchants from extremely damaging blows to their reputation.
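The "learn to forget" rule above is easy to state and easy to violate by accident. The following is an added example, not code from the newsletter or from any retailer it discusses, showing the two halves of the rule in Python: an order is persisted only after the full card number (PAN) has been handed to the processor and reduced to its last four digits, and an audit function scans whatever is persisted for anything that still looks like a full card number. The card numbers, order records, processor stand-in and function names are all constructed for illustration.

```python
"""Data minimization for card data: persist only what the order needs,
drop the full card number (PAN) as soon as the transaction completes,
and audit the persisted records for PANs that slipped through anyway.
Added example; records, card numbers and helper names are constructed."""
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the well-formedness test every card number passes.
    Passing it does not prove a live account; it only filters random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class StoredOrder:
    """The only shape a completed order is allowed to have on disk.
    There is deliberately no field that could hold a full PAN."""
    order_id: str
    amount_cents: int
    card_last4: str        # enough for receipts and customer service
    card_expiry: str       # MM/YY; low risk without the PAN
    auth_code: str         # processor's reference, used for refunds
    completed_at: datetime
    note: str = ""         # free text; a common place for PANs to leak in


def authorize(pan: str, amount_cents: int) -> str:
    """Stand-in for the payment processor call (constructed).
    The PAN is sent to the processor and only an auth reference comes back."""
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("malformed card number")
    return "AUTH-%s-%d" % (pan[-4:], amount_cents)


def complete_order(order_id, pan, expiry, amount_cents, now=None):
    """Run the transaction, then forget the PAN: only the last four digits
    and the processor's auth code are placed in the stored record."""
    auth = authorize(pan, amount_cents)
    now = now or datetime.now(timezone.utc)
    return StoredOrder(order_id, amount_cents, pan[-4:], expiry, auth, now)


# 13 to 19 digits not adjacent to other digits: the shape of a PAN
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_retained_pans(orders) -> list:
    """Audit persisted records; returns 'order_id:field' for every string
    field that contains a Luhn-valid run of 13 to 19 digits."""
    hits = []
    for o in orders:
        for key, value in asdict(o).items():
            if isinstance(value, str):
                for m in PAN_RE.finditer(value):
                    if luhn_valid(m.group()):
                        hits.append("%s:%s" % (o.order_id, key))
    return hits


def demo():
    """Constructed walk-through: one clean order, one where a support note
    re-introduced the full card number after the transaction completed."""
    test_pan = "4111111111111111"   # constructed test number, not a real account
    clean = complete_order("ord-1", test_pan, "12/02", 4999)
    leaky = complete_order("ord-2", test_pan, "12/02", 1250)
    leaky.note = "customer called; card 4111111111111111 was declined once"
    return clean, leaky, find_retained_pans([clean, leaky])


if __name__ == "__main__":
    clean, leaky, hits = demo()
    print("stored record:", asdict(clean))
    print("retained PANs found:", hits)
```

The audit is the part worth keeping: the schema makes it impossible to store a PAN in the field meant for it, but free-text fields, logs and support notes are where card numbers reappear, so scanning what is actually persisted is what tells you the policy is holding.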

A couple of weeks after its initial disclosure, Egghead put out a release that said, essentially, "Nobody got the credit card numbers." Supposedly, only 7,500 credit card accounts showed fraudulent activity during the time period in question, a number within the expected range. According to the company:

Our internal investigation, led by Kroll Associates, has uncovered evidence which suggests that Egghead's existing security systems interrupted this intrusion while it was in progress. Moreover, reports from the credit card companies we work with suggest that fewer than 7,500 credit card accounts that appear in our system have shown suspected fraudulent activity. This number represents only about two-tenths of one percent of the approximately three million credit card numbers in our database at the time of the attack. It is possible that this activity may be related to credit card theft elsewhere. The evidence Kroll Associates and our team have gathered to date suggests that neither these, nor any other credit card numbers, were obtained from our site.

The wording of this statement is strange. If existing security systems interrupted the intrusion, why did it take two weeks to figure that out? While there might be clear evidence if the credit card numbers were stolen, how can Kroll or Egghead know for sure that they were NOT stolen? Maybe the thieves are lying low for a while. Given the weasel language at work here, it's hard to know which is more damaging to Egghead: the original announcement or the cryptic retraction.

A disgruntled customer summarized the situation quite nicely on ZDNet: "Any company that's going to do something as stupid as maintain a credit card online on a vulnerable server that long after the transaction, I have no reason to trust them at all. That goes against every industry best practice that's out there."

Copyright © 1999-2011 Seth T. Ross. All rights reserved.