It was an e-retailer’s nightmare. When Bibliofind, an Amazon.com-owned online shop that hooks up buyers with used-book sellers, was hacked this past February, the proprietors thought only their homepage had been defaced. Then the company looked at its server logs. It found that a rogue had been accessing customer data files since the previous October, exposing the credit card numbers of 98,000 Bibliofind buyers.

While e-commerce sites publicly pooh-pooh the threat of credit card theft, it’s a real and far-reaching problem. A recent report by the San Francisco-based Computer Security Institute found that 85 percent of e-commerce and government sites polled experienced a security breach in the past year. Thirteen percent reported that customers’ credit card numbers were rendered accessible.

The reality is that “no system is 100 percent secure,” says Chris Wysopal, director of research and development for online-security firm @stake. But you can minimize the threat of theft by taking a few precautions.

Hackers usually break into sites through holes in Web server software. Hundreds of these holes are discovered every year. To keep track of them, many sites use e-mail lists like Bugtraq. That’s where, for example, you would have learned about the 32nd hole discovered in Microsoft’s Windows 2000 Internet Information Server. Technically known as a “critical buffer overflow problem,” the Windows design flaw could let a malicious hacker take control of an entire Web server.

Once hackers break into your Web server, they can satisfy themselves simply by fiddling with your homepage. To do real damage — to steal credit card numbers, for instance — they have to get beyond the Web server and into the box that houses your customer database. Assuming your IT department is on the ball, that means breaking through a firewall.
There is a raft of hardware and software tools that protect your network by admitting only approved users and applications; Check Point Firewall-1, Cisco Pi, PGP Gauntlet and Symantec Raptor are a few examples. But there’s a chink in this armor: Firewalls on e-commerce sites must be configured to admit data traffic from your Web server. If they weren’t, none of the transactions from that server could get through to your site’s back end. So if a hacker finds a hole that lets him control your Web server, he could also get through your firewall.

That’s why your site should encrypt sensitive data. The simplest way is by configuring your Web server to use the secure sockets layer, or SSL. (If your IT people don’t know how to do this, get some new IT people.) SSL encrypts incoming and outgoing data streams, hiding them from hackers who’ve penetrated your Web server or who are simply sniffing at data traffic from your ISP or Web hosting service. You might also consider encrypting your customer database using specialized hardware or software. But that, says Ric Steinberger, technical director at Security Portal, a security news site, is “like putting an extra fence around Fort Knox.”

If your OS is patched, you’ve got a good firewall and you’re using SSL — that should be enough to stop most hacks. Unfortunately, few sites bother to implement all these precautions. That’s why hackers are usually caught after the fact, when system operators have had a chance to notice unusual activity in network logs. Companies like Cisco, ISS and NFR all make intrusion detection software — priced anywhere from $2,000 to $25,000 — to alert you if anything odd happens.

If your customer data is compromised, you have little choice but to admit it as quickly as possible. That’s what Bibliofind did. The company took the site down and sent e-mail to customers whose cards had been exposed. Sure, it was a public relations nightmare. But at that point, there’s not much else you can do.
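The Bibliofind breach was only noticed months later by reading server logs. As an added example that is not from the article, the Python script below performs the kind of routine log check that would surface such activity early: it parses constructed Combined-Log-Format lines, flags every request for a file under a hypothetical customer-data directory (a path the Web tier should never serve), and summarizes per source address how many such requests were made, how many were actually served, and over what period. The addresses, paths and log lines are all constructed for the example.

```python
import re
from datetime import datetime
# Constructed sample (not real Bibliofind logs): ordinary catalogue hits beside repeated pulls of customer files.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2000:03:14:01 -0500] "GET /cgi-bin/search?isbn=0441172717 HTTP/1.0" 200 5123
198.51.100.20 - - [12/Oct/2000:03:15:22 -0500] "GET /data/customers/orders.dat HTTP/1.0" 200 88210
198.51.100.20 - - [12/Oct/2000:03:16:40 -0500] "GET /data/customers/cards.dat HTTP/1.0" 200 120433
198.51.100.20 - - [13/Oct/2000:02:58:11 -0500] "GET /data/customers/cards.dat HTTP/1.0" 200 120901
203.0.113.7 - - [13/Oct/2000:09:01:30 -0500] "GET /data/customers/cards.dat HTTP/1.0" 403 312
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# Hypothetical directory of customer records; the Web tier should never serve anything under it.
SENSITIVE_PREFIXES = ("/data/customers/",)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_sensitive_access(log_text):
    """Return every parsed request whose path (query string dropped) lies under a sensitive prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].startswith(SENSITIVE_PREFIXES):
            hits.append(rec)
    return hits

def summarize_by_source(hits):
    """Per source IP: sensitive requests made, how many were actually served, and the time window."""
    summary = {}
    for rec in hits:
        s = summary.setdefault(rec["ip"], {"requests": 0, "served": 0, "paths": set(),
                                           "first_seen": rec["ts"], "last_seen": rec["ts"]})
        s["requests"] += 1
        s["served"] += int(200 <= rec["status"] < 300)  # a 403 is an attempt, not a leak
        s["paths"].add(rec["path"])
        s["first_seen"] = min(s["first_seen"], rec["ts"])
        s["last_seen"] = max(s["last_seen"], rec["ts"])
    return summary

if __name__ == "__main__":
    for ip, s in summarize_by_source(find_sensitive_access(SAMPLE_LOG)).items():
        print(ip, s["requests"], "requests,", s["served"], "served,", s["first_seen"].date(), "to", s["last_seen"].date())
```

Run against a real access log, a source that keeps pulling files it should never receive, with successful status codes, is exactly the "unusual activity" the article says operators tend to spot too late.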
Copyright © 2001 The Industry Standard