
OPM

Week of June 19, 2001

E-commerce lost an estimated $2.8 billion in revenues for the year 2000 because of security breaches, according to CNET.

Some of the juicier tidbits for the year 2000 included:

  • The Swedish furniture giant IKEA exposed their entire customer database - involving names, addresses, phone numbers, and email addresses - for customers ordering the IKEA catalogue.
  • The online cosmetics company Sephora exposed names, addresses, and credit card information for an estimated 168,000 customers.
  • The diamond giant DeBeers exposed 35,000 customer records on their website.
  • Nissan Motors exposed tens of thousands of customer records through their email system.
  • eUniverse exposed credit card information for 350,000 customers on their website.
  • Microsoft exposed information for 50,000,000 Hotmail account holders.
  • Travelocity exposed the names, addresses, phone numbers and email addresses of customers participating in an online promotion.
  • Egghead exposed 3,700,000 accounts at their website.
  • Credit Cards Inc. exposed over 55,000 accounts at their website.

The list is endless. A search at Google for the phrase 'Credit Card Data Exposed' will yield over 78,000 hits. A search for the phrase 'Customer Order Data Exposed' will yield over 142,000 hits.

The roadmaps and cookbooks are there for the taking, yet clearly something is very wrong. Surveys consistently reveal that most people do not trust e-commerce. The surveys also reveal that those who do not trust e-commerce have the facts on their side.

Why does e-commerce insist on ruining its own act, on not only jeopardising other people's money and thereby incurring customer wrath, but also on tripping up over its own legs time and again?


There are a few golden rules when it comes to doing business with other people's money - ask the bankers and they will tell you what they are. But e-commerce doesn't follow these rules, and although they are basic common sense, e-commerce acts as if neither the rules nor common sense itself existed.

  1. OPM belongs to other people and these people value their money above all else. You must therefore act as if you treat this money with the utmost respect and you must also treat these people with the same utmost respect.
  2. People who entrust you with their money expect you to be beyond reproach. Even a parking ticket can make people suspicious of you.
  3. Accidents do not happen. If something tragic occurs, you must avoid the long-winded lofty explanation, avoid trying to pass the buck and simply admit the incident - while convincing the holders of the OPM that the accident will never happen again.
  4. Customers are never interested in the details of an accident or its remedy. What they need to have is restored confidence in you, and the way to achieve this is not by drowning them in too much information about things which do not concern them.
  5. Insure your organisation against accidents and malicious acts.
  6. In the event of an accident or malicious act, inform your customers immediately and assume full financial responsibility.
  7. Above all else, be polite.

But e-commerce people do not appear to be particularly careful or have any prior experience dealing with OPM. They're not exactly experienced bankers.

E-commerce people are often clueless about IT and web security as well. Even solid banking operations require considerable work to port successfully to the Web.

Following Microsoft's 'Zero Administration' tune, e-commerce people often rely on IIS and newly minted, inexperienced MCP recruits, neither of which bodes well for security.

Keeping an e-commerce site secure entails allocating sufficient time for personnel to study potential security threats, review site code, read advisories and implement security patches. It also might entail contracting the services of a dedicated security organisation to continuously monitor site security.

Securing an e-commerce site follows a rule book of its own. In January 2001 William Tait wrote an article for Vision Online in which he admonished e-commerce sites to 'get [your] data off the public network ASAP' and to understand that 'the Internet [is] a hostile, public network'.


On Saturday June 16 2001 Keith Little of PC-Help received an odd package in the mail. It had been sent by Computer HQ, an online supplier of computer hardware and software, and had been ordered for one of Keith's customers - but it was the wrong package: Computer HQ had shipped the wrong goods.

The package contained an invoice, and at the bottom of the invoice was a URL pointing to an online copy of it.

But when Keith accessed the URL on the Computer HQ invoice, he saw something he wasn't supposed to see. Through at least two unbelievably dumb errors, Computer HQ had exposed full credit card data for all its customers dating back more than a year.

The more superficial error was a bug in the JavaScript behind the URL, combined with the programmer's myopic assumption that no one would ever access the URL without JavaScript enabled: the page relied on a script running in the visitor's browser to restrict what was shown, so a client that simply did not run the script got everything. Access control enforced in the browser is no access control at all, because the browser belongs to the visitor. The other, more egregious error was having all this sensitive customer information out in the open on the wrong side of the firewall, where any web server bug at all could hand it out.

Naturally Keith was worried: His customer's credit card information was there for the taking. Keith spent the next few hours trying in vain to contact someone at Computer HQ who could take the data down, and when he finally did reach someone, he still had to do a lot of arguing and convincing before this someone finally condescended to look at the site.

Keith went back to the Computer HQ site the following day to make sure his customer's credit card data was now offline, and discovered it was not. Everything was as before - and simply changing the order number in the URL, with nothing on the server checking who was asking, exposed full credit card data for over 15,000 transactions dating back a year. Keith again contacted Computer HQ, and two days after the breach was discovered it was finally closed.

Computer HQ tested their new JavaScript code online, with their customers' credit card data still exposed, and even then did not move the data behind their firewall.


News of the breach hit both Wired and ZD, and both news agencies tried in vain to reach Computer HQ for comment. Yet shortly after their articles went online Computer HQ began a counter-attack. In a response to customer complaints Computer HQ first thanked Keith Little for his help in alerting them to the breach and then went on to describe him as 'a hacker who roams the Internet looking for sites to break into'. They also lied about the nature of the breach, claiming it was behind a wall of security and could only be accessed by 'illegal hacking'. Finally, Computer HQ implied that the actions of Wired and ZD were tantamount to theft.

Perhaps worst of all, the Computer HQ letter does not even make sense - it contradicts itself repeatedly - and commits the ultimate blunder of handing out 'footprinting information' to real attackers who may now go after the site: when it was moved to a new server, when it was taken down and brought back up, and how the fix was tested.

At the time of writing no general alert has been issued by Computer HQ to its 15,000 affected customers.

'A PC consultant / web security firm called PCHelp (www.pc-help.org) that apparently searches the net for security breaches decided to try to break into a restricted area of our site. While we have no excuse for the security hole, it was an accident caused by moving the site to a new server a few days earlier. When PCHelp notified us we immediately took the site down and applied a fix - the site was down until Monday morning at 8am, with sporadic restarts to test the patch. At 8am Monday the programmers were confident the security hole was fixed and we put the site online. This happened on the 16th, and the site with the fix was put online in the morning the 18th.

'Now, we would obviously not alert anybody about a security breach before it was fixed - that's the last thing you would do. Furthermore, since the PCHelp web security firm notified us about this, we believed they had good intentions, and while we didn't hire them, we did call and ask him how he got into the restricted area of the site. Since the site was moved to the new server on Thursday (and we were down most of the day because of that), and we were notified by a security firm on Friday, we believe that the chances of any compromise of personal info is extremely low.

'While we apologize for the security breach, I feel that for the web security firm to explain to a magazine HOW TO RETRIEVE confidential information from a site, and they in turn hack into our site and then USE the illegally obtained information, now that is not right. Both the web security firm and Wired magazine should know right from wrong, and as an attorney explained to me tonight, 'the fact that a door is open does NOT make it right to enter and take something.'

'I realize that your concern is with your confidential information, but at this point we know of no other breach than PCHelp, Wired Magazine and possibly Ziff-Davis. The PCHelp guy apparently did it as a publicity stunt, and while I have no problem with that part of it, I have a serious problem with him walking through that door and taking information. For Wired Magazine, part of Lycos, to do it, and possibly Ziff-Davis as well, I find even stranger, but realize that they use freelance journalists that are just as interested in making a statement as the PCHelp guy.

'In case of your card being used without your permission I believe there is a maximum $50 charge for you according to the law, and we will certainly cover that for you if necessary. Also, if your credit card company charges you for replacing your card (not likely), please let me know.

'I hope you understand our position and accept our apologies - for the short breach of our site, and especially for the behaviour of PCHelp and Wired Magazine. They have the right to report this security breach, but NOT use it to retrieve confidential information, as they apparently did for the Wired story.'

As far as blunders go, this is as bad as it gets. And with track records like this, it's no wonder e-commerce loses billions.

Copyright © Radsoft. All rights reserved.