Crack Exposes Holes in the Web

News that 300,000 credit cards may have been swiped from an online CD store Monday provides a painful, and too long unheeded, warning about the Internet's big problem. By Chris Oakes.

There are Web site cracks, there are break-ins, and there are thefts. But now and then one rises above the fray to teach a sudden lesson about all things Internet.

That was the case Monday, with the news that a major Web database had possibly been cracked, exposing up to 300,000 credit card numbers.

"It is a first, as far as its scale, if we are to believe how many credit cards were stolen," said Elias Levy, chief technology officer for Security Focus.com.

The theft drove home in a new way the scope of financial vulnerability online, Levy and other Internet security experts agreed.

The FBI is hunting for the alleged cracker, believed to be located in eastern Europe, who claimed to have stolen customer data from the CD Universe site. The New York Times, which received allegedly stolen credit card numbers from the hacker, reported the story Monday. After the CD site refused to pay US$100,000, the cracker published the data on a Web site.

CD Universe would only acknowledge that an electronic break-in had occurred.

"We have experienced some sort of security breach," said Brett Brewer, a vice president of eUniverse. But he declined to be specific.

"It's an interesting case, in the sense that it illustrates a variety of risks all in one episode," said Peter Neumann, principal scientist at SRI International's Computer Science Laboratory. Neumann chronicles information-age security risks in Risks Digest.

"It illustrates the vulnerability of computer databases that contain sensitive information," Neumann said. "It illustrates the risk of having sensitive info posted massively on a Web site, because that would encourage misuse almost instantly. People are poised to exploit it."

Victims of the attack are subject to the same protections as any credit card theft, Neumann said. The lion's share of the liability is always assumed by credit card companies.

"The argument is that consumers are not affected if it only costs them 50 dollars," Neumann said. If massive fraud occurs, credit card companies will "even waive the 50 dollars because they don't want to lose their credibility."

But Neumann predicts that if the Net remains vulnerable, credit card companies won't be able to absorb the losses.

"If you get to the point where systematic fraud takes place, the idea that the company is going to eat all those losses ... in the long run, it is not a viable model," he said.

If the incident leads people to conclude that law enforcement should more avidly target hackers, the concerns are entirely misplaced, said Emmanuel Goldstein, editor of the hacker quarterly 2600.

"All it proves is that private information is still being left unguarded on the Net and that people need to hold these companies accountable for not protecting their customers. This story has nothing at all to do with hacking, despite every story appearing that claims a 'hacker' did this," Goldstein said.

The person responsible is simply an extortionist, he added. "Just because he knows how to use a computer, he does not instantly become a hacker."

As things stand, most people are simply oblivious to the financial security concerns, either online or off, Neumann said.

Levy believes that will change.

"Most people worried about local crime -- carbons stolen from stores. With the Internet, you have globalization of commerce, but we also have globalization of crime," he said. "Online crime has really taken off, and we might not have the resources to track it down and bring some of these people to justice."

What to do?

"One of the fundamental answers is that people need to be a lot more aware than they are," Neumann said.

Neumann and Levy agreed that a successful security strategy online has to do with simple staffing and proper administration. But few companies provide the proper resources.

Levy said one might expect smaller online operations to fall victim to such break-ins. But if a good-sized Web store like CD Universe was as vulnerable as early indications of the attack suggest it was, the e-tailer "should have known better."

The Critical Infrastructure Assurance Office is charged with assessing the security of the nation's infrastructure at large, from its energy grid to online commerce.

Even the biggest company puts its customer relationships at risk if it is not alert to security, said Nancy Wong, a senior executive at the agency. More companies will likely incur greater liabilities if they're shown to be negligent in protecting sensitive information.

"This is a message I've been carrying out to industry, and industry seems to resonate to this and understand and nod their heads when I talk about this," she said.

"There's also the other side of industry which is saying, 'Well shoot, people should just not worry anymore -- there is no such thing as privacy and confidentiality, and they just need to live with and get over it,'" Wong said.

"I don't think the average American has been informed of that yet, and I don't know that they would accept it."