It was an e-retailer’s nightmare. When Bibliofind, an Amazon.com-owned online shop that hooks up buyers with used-book sellers, was hacked this past February, the proprietors thought only their homepage had been defaced. Then the company looked at its server logs. It found that a rogue had been accessing customer data files since the previous October, exposing the credit card numbers of 98,000 Bibliofind buyers.

While e-commerce sites publicly pooh-pooh the threat of credit card theft, it’s a real and far-reaching problem. A recent report by the San Francisco-based Computer Security Institute found that 85 percent of e-commerce and government sites polled experienced a security breach in the past year. Thirteen percent reported that customers’ credit card numbers were rendered accessible. The reality is that “no system is 100 percent secure,” says Chris Wysopal, director of research and development for online-security firm @stake. But you can minimize the threat of theft by taking a few precautions.

Hackers usually break into sites through holes in Web server software. Hundreds of these holes are discovered every year. To keep track of them, many sites use e-mail lists like Bugtraq. That’s where, for example, you would have learned about the 32nd hole discovered in Microsoft’s Windows 2000 Internet Information Server. Technically known as a “critical buffer overflow problem,” the Windows design flaw could let a malicious hacker take control of an entire Web server.

Once hackers break into your Web server, they can satisfy themselves simply by fiddling with your homepage. To do real damage — to steal credit card numbers, for instance — they have to get beyond the Web server and into the box that houses your customer database. Assuming your IT department is on the ball, that means breaking through a firewall.

There is a raft of hardware and software tools for this (Check Point Firewall-1, Cisco Pi, PGP Gauntlet and Symantec Raptor are a few examples) that protect your network by admitting only approved users and applications. But there’s a chink in this armor: firewalls on e-commerce sites must be configured to admit data traffic from your Web server. If they weren’t, none of the transactions from that server could get through to your site’s back end. So if a hacker finds a hole that lets him control your Web server, he could also get through your firewall.

That’s why your site should encrypt sensitive data. The simplest way is by configuring your Web server to use the secure sockets layer, or SSL. (If your IT people don’t know how to do this, get some new IT people.) SSL encrypts incoming and outgoing data streams, hiding them from hackers who’ve penetrated your Web server or who are simply sniffing at data traffic from your ISP or Web hosting service. You might also consider encrypting your customer database using specialized hardware or software. But that, says Ric Steinberger, technical director at Security Portal, a security news site, is “like putting an extra fence around Fort Knox.”

If your OS is patched, you’ve got a good firewall and you’re using SSL, that should be enough to stop most hacks. Unfortunately, few sites bother to implement all these precautions. That’s why hackers are usually caught after the fact, when system operators have had a chance to notice unusual activity in network logs. Companies like Cisco, ISS and NFR all make intrusion detection software — priced anywhere from $2,000 to $25,000 — to alert you if anything odd happens.

If your customer data is compromised, you have little choice but to admit it as quickly as possible. That’s what Bibliofind did. The company took the site down and sent e-mail to customers whose cards had been exposed. Sure, it was a public relations nightmare. But at that point, there’s not much else you can do.
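The after-the-fact log review the article describes (Bibliofind finding, in its server logs, how long customer data files had been read and by whom) can be done with a few lines of code. This is an added example, not from the article or from Bibliofind; it assumes an NCSA/Apache-style access log, and the `/data/customers/` path, the `10.0.0.0/8` application network and the log lines themselves are constructed for illustration.

```python
# Added example (not from the article): review an NCSA/Apache-style access log for
# successful reads of customer data files from outside the application network.
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 10.0.0.5 is the application host that legitimately
# reads the files; 192.0.2.77 is an outside address reading them for months.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2000:02:14:07 -0500] "GET /data/customers/orders-0931.dat HTTP/1.0" 200 48213
192.0.2.77 - - [14/Oct/2000:03:41:22 -0500] "GET /data/customers/cards-0934.dat HTTP/1.0" 200 91044
10.0.0.5 - - [15/Oct/2000:02:14:09 -0500] "GET /data/customers/orders-0932.dat HTTP/1.0" 200 47990
192.0.2.77 - - [02/Jan/2001:04:05:51 -0500] "GET /data/customers/cards-0941.dat HTTP/1.0" 200 93210
203.0.113.9 - - [10/Feb/2001:11:00:00 -0500] "GET /index.html HTTP/1.0" 200 5120
192.0.2.77 - - [11/Feb/2001:04:07:13 -0500] "GET /data/customers/cards-0942.dat HTTP/1.0" 200 92877
"""

def review_access_log(text, sensitive_prefix="/data/customers/", trusted_net="10.0.0.0/8"):
    """Return first/last date, source addresses and files for successful reads of
    sensitive_prefix from outside trusted_net, or None when there are none."""
    trusted = ip_network(trusted_net)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the review
        if not m["path"].startswith(sensitive_prefix):
            continue
        if ip_address(m["ip"]) in trusted:
            continue  # the application host is expected to read these files
        if m["status"] != "200":
            continue  # only successful responses actually expose data
        hits.append((datetime.strptime(m["ts"], TS_FMT), m["ip"], m["path"]))
    if not hits:
        return None
    hits.sort()
    return {
        "first_seen": hits[0][0].date().isoformat(),
        "last_seen": hits[-1][0].date().isoformat(),
        "sources": sorted({ip for _, ip, _ in hits}),
        "files": sorted({path for _, _, path in hits}),
    }
```

On the sample log, `review_access_log(SAMPLE_LOG)` reports the outside address, the three card files it read and a first-seen date months before the homepage defacement, which is the kind of finding the article says only a look at the logs will surface.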
Copyright © 2001 The Industry Standard

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.