X

Online stores try to bar the doors

Two high-profile hacking incidents this month have put pressure on e-tailers to do a better job of securing their sites from intruders.

Greg Sandoval Former Staff writer
Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.
See full bio
Greg Sandoval
2 min read
Two high-profile hacking incidents this month have put pressure on e-tailers to do a better job of securing their sites from intruders.

Hackers recently broke into electronics e-tailer Egghead.com and credit card transaction company Creditcards.com. More than 55,000 credit card numbers were stolen from Creditcards.com, and the hacker left them exposed on the Web for at least a day after a failed extortion attempt, the company said.

At Egghead, as many as 2.7 million customer accounts may have been exposed. An investigation is underway.

And in a case that the FBI said may be related to the Creditcards.com case, hundreds of U.S. online shoppers over the past two weeks have received unauthorized charges on their credit cards from a Russia-based company called Global Telecom.

And although credit-card companies protect customers from fraud and reimburse them for any unauthorized charges, surveys show that many consumers still refuse to shop online for fear criminals will pilfer their credit card information.

But security experts say that best security measures may also be inconvenient for shoppers: Online shops can refuse to store the credit card information, forcing customers to type in their credit card numbers every time they use their card.

"It's less of a security headache not to store any numbers," said David Kennedy, director of research services for security company TruSecure. "But that's a business decision. If you require your customers to fill out their card information every time they make a purchase, it's safer but much more of a nuisance."

Some experts say that short of making customers punch in their credit card numbers and personal information every time they shop, there is no full-proof way of locking out the bad guys.

"You can't make any site completely secure," said Chris Painter, deputy chief of computer crime at the U.S. Department of Justice. "But there is plenty to do to lower the risks of break-ins and that's what e-tailers should be focusing on."

If companies do store credit card information, it should be encrypted. MasterCard requires all merchant to encrypt cardholder information. Creditcards.com, which stores credit card information for e-commerce companies, said it did not encrypt any of the customer information.

Additionally, companies storing credit card information should diligently test their sites for weaknesses in firewalls and procedures.

Howard Schmidt, Microsoft's chief of corporate security, said that companies must hire security teams to patch any holes in security defenses. The team must be aware of break-ins at companies that use the same types of firewall software and then patch up the same weaknesses in its own software.

Kennedy acknowledges, however, that there is only so much a company can do to wall out intruders. The suspect in the Creditcards.com case boasted in emails to Creditcards.com customers that it took him three months to sneak past the company's security.

"A determined hacker willing to spend thousands of hours hacking past defenses will eventually get in," Kennedy said.