washingtonpost.com
ID Thieves Turn Sights on Smaller E-Businesses
For Online Shoppers, Security Seals No Guarantee That Hackers Aren't Watching

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, September 28, 2006 7:38 AM

Schuyler Cole needed an accessory for his Palm Treo 600 smartphone, so the Haleiwa, Hawaii, resident fired up his Web browser last month and ran a Google search.

After scanning the search results, he purchased the inexpensive item -- a USB cable used to synchronize the Treo's settings with his personal computer -- from Cellhut.com, the first online store displayed in the results that looked like it carried the cable. The site featured a "HackerSafe" logo indicating that the site's security had been verified within the past 24 hours.

Later that day, information from Cole's purchase -- including his name, address, credit card and phone numbers, and the date and exact time of the transaction -- was posted into an online forum that caters to criminals engaged in credit card and identity theft. Ostensibly, the data on Cole was posted as an enticement to other fraudsters lurking on the forum who might be interested in buying large numbers of similar records.

Other personal data posted into the fraud forum included the personal and financial information for Shane Galloway, an 18-year-old freshman at Louisiana State University in Baton Rouge. When contacted by washingtonpost.com, Galloway said he purchased a wireless phone from Cellhut.com shortly after midnight on Sept. 6, just minutes after the time stamp on Cole's purchase.

Another individual whose data was found in the online chat channel -- a southern California resident who asked that his name not be used -- confirmed that he bought wireless accessories from Cellhut.com at 9:15 a.m. on Sept. 7, the exact time listed in the entry that was posted into the online forum along with his credit card data and other personal information. Later, he discovered that $6,000 in fraudulent charges were made using his credit card.

While public attention has remained fixed on a series of high-profile data losses or database breaches at federal government agencies, large corporations and universities, experts who study financial fraud say hackers increasingly are targeting small, commercial Web sites. In some cases, criminals are able to gain real-time access to the sites' transaction information, allowing them to steal valid credit card numbers and quickly charge large numbers of fraudulent purchases.

Small e-businesses offer fewer total victims, but they often present a softer target, either due to flaws in the software merchants use to process online orders or an overreliance on outsourced Web site security.

Cole's and Galloway's information was recorded being traded in an online chat room by Dan Clements, co-founder of CardCops.com, a fraud prevention service that monitors underground chat rooms where criminals trade in stolen credit cards and information used to commit identity theft. Clements said many smaller online merchants use generic shopping cart software that they fail to maintain with the latest software security patches.

"Most of these merchants that get hacked do not have updated versions of the software that runs their business, they're just trying to sell widgets," he said.

Nearly 80 percent of all software vulnerabilities discovered in the first six months of 2006 involved Web-based applications produced by hundreds of different software vendors, according to a report released Monday by Cupertino, Calif.-based security vendor Symantec Corp.

"The people writing these applications often don't know very much about Web-based vulnerabilities," said Alfred Huger, a senior director at Symantec Security Response. "Many of these Web vulnerabilities are not that difficult to discover and are very easy to exploit."

False Sense of Security

Cellhut.com, like many e-commerce Web sites, features the "HackerSafe" seal on its homepage proclaiming that the site "is tested and certified daily to pass the FBI/SANS Internet Security Test." ScanAlert Inc., a Napa, Calif.-based company that sells the service, scans some 75,000 online merchants each day for thousands of known Web site flaws.

ScanAlert is one of many companies providing third-party Web site security audits to online businesses. Other players in this market include Comodo Group Inc. of Jersey City, N.J., which markets its HackerGuardian scanning service; Coral Gables, Fla.-based Xenitel and its HackerFree seal; and the Verified Safe service from Lansing, Mich.-based Periscan.

By and large, the companies offer a range of basic and advanced security services that they say will assure Web customers that a site is doing everything possible to protect their personal data. But computer security experts are quick to question the effectiveness of these services.

"We hear from our assessor contacts who investigate (Web site) breaches that most of the sites had previously passed vulnerability scans," said Avivah Litan, a financial fraud analyst with the Stamford, Conn. research firm Gartner Inc.

Hard data on the number of security breaches at small e-commerce businesses is hard to come by, often because companies are not required to disclose the information publicly, unlike public institutions and large corporations where tougher security standards and notification requirements are in place.

"Most of these breaches aren't being reported," said Litan. "The media has kind of quieted down on this and now only reports on the big data thefts. But I'd estimate that only about two percent of all data thefts from online merchants get reported."

A washingtonpost.com investigation suggests that third-party security seal programs may be more effective at winning the confidence of fraud-weary online shoppers than in protecting customer data from online theft. Over the course of 10 hours spent monitoring conversations on online fraud forums, a washingtonpost.com reporter found conclusive evidence of four commercial Web sites whose customer databases had been compromised within the past month. None of the businesses was even aware of the compromises before being contacted by the reporter.

Credit card records and transaction data posted into the online chat room led back to six individuals who each confirmed making purchases at camera and computer bargain site LeoBarnet.com at the same time as the time stamp attached to their records, transactions that spanned from Sept. 2 to Sept. 8.

Brooklyn, N.Y.-based LeoBarnet.com owner Edmond Kabaz said his company's site passed a series of vulnerability scans earlier this year from Comodo, which offers online merchants its HackerGuardian seal and vulnerability scanning services starting at $29.95 a month. Kabaz said fewer than 100 customers were affected by the breach, which he said occurred as early as March and was the result of a weakness in the shared Web server his site was hosted on. As of Oct. 1, Kabaz said LeoBarnet.com will be hosted on a dedicated server with a different hosting provider, and his site will feature the HackerSafe logo from ScanAlert.

washingtonpost.com also found data and transaction information for three customers of another HackerSafe client: Batavia, N.Y.-based Wonderfulbuys.com, which bills itself as the largest online distributor of "As-Seen-On-TV products."

Wonderfulbuys's customer service manager Frank Joseph initially said the site was "unhackable" after being contacted by a washingtonpost.com reporter. But a subsequent manual review by ScanAlert determined that hackers broke into Wonderfulbuys's database through a previously undocumented security hole in the site's shopping cart software, which the company had custom-made by a third-party software development firm based in India.

CardCops.com's Clements said his company has confirmed the compromise of more than 500 commercial Web sites over the past three years simply by correlating data found in online fraud forums.

"Even when you show them conclusive evidence that they've been hacked -- data from multiple customers and presented in the same form field format, about 80 percent of the time the merchant will deny it, and often times when they do finally figure out they've been hacked they accuse us."

Jason Lam, who teaches a course on securing Web sites for the SANS Institute, a Bethesda, Md.-based security research and training group, estimated that Web site scanning services in most cases only identify about 60 percent of a Web site's potential security problems.

"Having one of these scanning services in place is definitely better than nothing because a lot of small and medium sized online stores don't have the staff in place to make sure their applications are secure," Lam said. "That said, a lot of [e-commerce] software is very customized and a lot of the problems in Web applications are logic-based, can't easily be found by machines, and require manual testing."

The data security problem at Web businesses is big enough that Visa, MasterCard and other major credit-card companies this month demanded tougher security guidelines for all online merchants, new standards that can spell heavy fines if ignored or flouted.

According to a report released this month by Visa, four out of five of the top causes of card-related breaches were digital security weaknesses common at merchants large and small, including missing or outdated software security patches, misconfigured Web servers, and the use of vendor-supplied default passwords and settings, all of which are a violation of new payment card industry standards.

Cellhut.com manager Khalid Singh said the company is not sure how the data was compromised, and that it is working with ScanAlert to find the source of the data breach.

Brett Oliphant, managing director of security services for ScanAlert, said his company is still investigating the data breach, but that it could find no obvious signs that the hack leveraged a flaw in Cellhut's Web site.

"We've identified several other areas where the data might have leaked from -- including the payment processing and order fulfillment sides," Oliphant said.

Oliphant said that prior to becoming customers, roughly 75 percent of the companies ScanAlert contracts with were vulnerable to some sort of Web site flaw that hackers could use to steal sensitive data. Still, he said, no amount of Web site scanning will prevent companies from losing control of customer data if they fail to secure all of the means by which that information is transmitted.

"Even when the Web site itself is secure, there are all kinds of other points in the chain that need to be secured."

© 2006 Washingtonpost.Newsweek Interactive