ID Thieves Turn Sights on Smaller E-Businesses
ScanAlert is one of many companies providing third-party Web site security audits to online businesses. Other players in this market include Comodo Group Inc. of Jersey City, N.J., which markets its HackerGuardian scanning service; Coral Gables, Fla.-based Xenitel and its HackerFree seal; and the Verified Safe service from Lansing, Mich.-based Periscan.
By and large, the companies offer a range of basic and advanced security services that they say will assure Web customers that a site is doing everything possible to protect their personal data. But computer security experts are quick to question the effectiveness of these services.
"We hear from our assessor contacts who investigate (Web site) breaches that most of the sites had previously passed vulnerability scans," said Avivah Litan, a financial fraud analyst with the Stamford, Conn. research firm Gartner Inc.
Reliable figures on the number of security breaches at small e-commerce businesses are hard to come by, often because these companies are not required to disclose the information publicly, unlike public institutions and large corporations, where tougher security standards and notification requirements are in place.
"Most of these breaches aren't being reported," said Litan. "The media has kind of quieted down on this and now only reports on the big data thefts. But I'd estimate that only about two percent of all data thefts from online merchants get reported."
A washingtonpost.com investigation suggests that third-party security seal programs may be more effective at winning the confidence of fraud-weary online shoppers than in protecting customer data from online theft. Over the course of 10 hours spent monitoring conversations on online fraud forums, a washingtonpost.com reporter found conclusive evidence of four commercial Web sites whose customer databases had been compromised within the past month. None of the businesses was even aware of the compromises before being contacted by the reporter.
Credit card records and transaction data posted into the online chat room led back to six individuals who each confirmed making purchases at camera and computer bargain site Leobarnet.com at the same time as the time stamp attached to their records, transactions that spanned from Sept. 2 to Sept. 8.
Brooklyn, N.Y.-based LeoBarnet.com owner Edmond Kabaz said his company's site passed a series of vulnerability scans earlier this year from Comodo, which offers online merchants its HackerGuardian seal and vulnerability scanning services starting at $29.95 a month. Kabaz said fewer than 100 customers were affected by the breach, which he said occurred as early as March and was the result of a weakness in the shared Web server his site was hosted on. As of Oct. 1, Kabaz said, LeoBarnet.com will be hosted on a dedicated server with a different hosting provider, and his site will feature the HackerSafe logo from ScanAlert.
washingtonpost.com also found data and transaction information for three customers of another HackerSafe client: Batavia, N.Y.-based Wonderfulbuys.com, which bills itself as the largest online distributor of "As-Seen-On-TV products."
Wonderfulbuys's customer service manager Frank Joseph initially said the site was "unhackable" after being contacted by a washingtonpost.com reporter. But a subsequent manual review by ScanAlert determined that hackers broke into Wonderfulbuys's database through a previously undocumented security hole in the site's shopping cart software, which the company had custom-made by a third-party software development firm based in India.
CardCops.com's Clements said his company has confirmed the compromise of more than 500 commercial Web sites over the past three years simply by correlating data found in online fraud forums.
"Even when you show them conclusive evidence that they've been hacked -- data from multiple customers and presented in the same form field format -- about 80 percent of the time the merchant will deny it, and often times when they do finally figure out they've been hacked they accuse us."