ONLINE SECURITY: Warding off hacker attacks

Apr 01, 2000 10:30 PM  By

Simple ways to keep your Website secure

After a cyber extortionist calling himself or herself Maxus hacked into the database of the CD Universe music Website in January and stole tens of thousands of credit card customers’ names and numbers, the media were filled with stories questioning e-commerce security.

Although much of the hype about Web security has since died down (the spate of Internet “denial of service” hacker attacks in February notwithstanding), the CD Universe example raises a valid question: Are sites doing enough to ensure security?

“Some sites have done a good job with security,” says Elias Levy, chief technical officer of SecurityFocus.com, a San Mateo, CA-based provider of security information on the ‘Net. But a large number of Websites have done little or no work to secure their systems. Even when security problems or “holes” are detected, many Web marketers fail to apply security patches (typically a simple software application), he says. Others make their sites vulnerable to hackers by accidentally misconfiguring their systems.

Levy contends that security lapses are fairly common among catalogers, particularly those that maintain customer databases that include credit card numbers and transactional histories on the same server as the Website itself. The actual transactions – from the customer to the Website – are generally considered secure because the data, including the credit card number, are routinely encrypted while in transit. But online security experts say transactional data stored on the i.merchant’s server after the sale are not secure. Web servers can be accessed by using the Web address, whereas getting into a separate server takes a more concerted effort.

Restoration Hardware, a Corte Madera, CA-based home goods cataloger/retailer, maintains two distinct servers, but that’s only part of its security measures. “When we register customers, we ask for their name, street address, and e-mail address, not their credit card number,” says Jonathan Plotzker, director of catalog and Web operations. And after a transaction, “we don’t store the customer’s credit card number.” Twice a day, Restoration transfers Web orders to its Portland, TN, warehouse for fulfillment. The data are encrypted and password protected.

A touchy subject

Other marketers are less forthcoming in discussing security. Spokespeople for Amazon.com and Recreational Equipment Inc. (REI) declined outright to answer questions, while CD Universe, Buy.com, and L.L. Bean either did not respond to requests for information or failed to return phone messages. CDNow.com, a Fort Washington, PA-based music site, would say only that it employs “highly secured, proprietary methods for protecting credit card information from unauthorized access,” according to director of corporate communications Marlo Zoda. “We have been using and improving these methods for the past five years, and they have never been compromised. Our transactions are encrypted, and credit card information is stored on systems that are not accessible from the Internet.”

Fortunately, there have been relatively few thefts of data as in the CD Universe case, especially when compared to credit card fraud in the “real” world. In the highly publicized cyber theft, the hacker Maxus used a commercial database tool to gain access to CD Universe’s database. The site had a simple password, and the data were not encrypted, so Maxus simply copied them.

But as e-commerce continues its dizzying growth rate, now is the time to deal with security issues. “We have gotten more inquiries about risks and asking what we would recommend,” says Rick Mack, manager of corporate communications for RSA Security, an e-commerce products provider based in Bedford, MA. “We like to think companies have done the best they could to secure their systems…but there are vulnerabilities,” such as transaction data left exposed on a Website, inadequate security software, and a failure to run security audits of a system.

Mack says that RSA has advocated a “call to arms” among government, industry, and consumer groups, similar to the efforts mounted to head off the Y2K threat of computer crashes anticipated in January. “With similar collaboration from the same parties, we could address those vulnerabilities,” he says. For instance, these groups could work together to set industry standards for certain security measures, passwords, and encryption codes, and make third party Web security audits mandatory.

But for now, what’s a Web cataloger to do to secure its site? “It’s fairly basic,” says SecurityFocus.com’s Levy. “Keep your database and your Website on separate servers. Use good passwords and sophisticated transaction encryption codes, and invest in security products,” such as virus detectors, which can find and patch security holes that diligent hackers could penetrate. And most of all, beware: the Maxuses of the cyber underworld are out there.