
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: PC World Magazine

Posted on May 8, 2000

PREVIOUS: Part 1 of this article

E-Commerce's Dirty Little Secret

In less time than it takes to fill an online shopping cart, Eran Reshef types a command into the URL of a large Web retailer and gains access to the site's source code. A few more keystrokes, and he's changed the price of a $3000 computer to $300. "Since it's an automated process with no human looking in," Reshef explains, "no one would discover the change. The company would simply ship the product and charge me the [altered] price."

      The cherub-faced, former Israeli army intelligence officer smiles as he shows us how he hacked into dozens of e-business sites over the past year. From online brokers and banks to shopping and news sites, Reshef found the doors that Web site designers forgot to lock. If he wanted to, he could easily move money between accounts, post bogus news reports, and scoop up a wealth of information about the visitors to these Web sites.

      But Reshef isn't a hacker; he's a security expert. His company, Perfecto Technologies in Santa Clara, California, sells products designed to thwart application hacking--in which attackers bypass a site's firewall to assault its scripts, applets, and code. Companies hire Reshef to probe their sites for weaknesses. And he knows what few e-business firms will admit: No Web site is truly secure.
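The price change Reshef demonstrates works because the site takes the price from the shopper's own request (a hidden form field or a URL parameter) instead of from its catalog. The following is an added example, not code from the article or from Perfecto Technologies: a minimal Python order handler written the vulnerable way beside the same handler with the price looked up server-side and any client-supplied price treated as an audit signal. The catalog, product ids and request dictionaries are constructed for the demonstration.

```python
"""Added example (not from the PC World article or from Perfecto Technologies):
an order-total handler that trusts a client-supplied price, beside the hardened
form that looks the price up server-side. Catalog, product ids and request
dictionaries below are constructed for the demonstration."""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only legitimate source of prices.
CATALOG = {
    "pc-3000": {"name": "Desktop PC", "price": Decimal("3000.00")},
    "kbd-040": {"name": "Keyboard", "price": Decimal("40.00")},
}


def vulnerable_order_total(form):
    """Vulnerable pattern: the price arrives in the request (hidden form field
    or URL parameter) and is multiplied out as-is. Editing the submitted
    'price' from 3000 to 300 is all it takes, and nothing server-side notices."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def hardened_order_total(form, audit_log):
    """Hardened pattern: the client sends only a product id and quantity; the
    price comes from CATALOG. A 'price' field in the request is never used;
    if it disagrees with the catalog it is recorded in audit_log so the
    tampering attempt is visible to whoever reviews orders."""
    product_id = form.get("product_id")
    product = CATALOG.get(product_id)
    if product is None:
        raise ValueError("unknown product id")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    if "price" in form:
        try:
            submitted = Decimal(form["price"])
        except InvalidOperation:
            submitted = None
        if submitted != product["price"]:
            audit_log.append(
                f"price mismatch for {product_id}: client sent "
                f"{form['price']!r}, catalog has {product['price']}"
            )
    return product["price"] * qty


if __name__ == "__main__":
    # Constructed request: the shopper has edited the hidden price field.
    tampered = {"product_id": "pc-3000", "qty": "1", "price": "300.00"}
    log = []
    print("vulnerable handler charges:", vulnerable_order_total(tampered))
    print("hardened handler charges:  ", hardened_order_total(tampered, log))
    for entry in log:
        print("audit:", entry)
```

The hardened handler both removes the trust (the catalog price is used regardless of what was submitted) and keeps the signal (a mismatch is logged), which is what makes an automated pipeline with "no human looking in" safe to run: the human can review the audit log after the fact instead of having to catch each order before it ships.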

Breaking and Entering

      In recent months, electronic vandals have temporarily shut down some of the biggest sites on the Web and stolen thousands of credit card numbers from CD Universe and others. These incidents are hardly flukes.

      Reshef says Perfecto has audited more than 50 brand-name sites and found security breaches in all of them. On eight of those sites, he was able to access any file--including sensitive customer information. On two sites, he was able to execute financial transactions using other people's accounts. On two others, Reshef gained full administrative control. The longest amount of time it took to crack a site was 10 hours; the shortest was 10 minutes.

      Because confidentiality agreements prevent Reshef from naming the companies he audited, we could not verify his claims. But all the security experts we contacted said such vulnerabilities exist in thousands of Web sites.

      One half to three-quarters of all commercial sites can be hacked, estimates John Pescatore, a research director for the Gartner Group in Stamford, Connecticut. Jim Finn, principal of Unisys Worldwide Enterprise Security Practice in Reston, Virginia, puts that figure even higher. Finn says he's tested computer vulnerabilities for more than 200 banks, retail chains, and foreign governments, and has always found a way in. "Unless the computer's disconnected and sitting in the basement, it can be broken into."

Too Much, Too Soon

      One reason sites are so vulnerable is that companies are pulling out the stops and scrambling at Internet speed to get online. As a result, designers leave behind files and tools that hackers can use to break in. Another reason is plain ignorance, says Pescatore. "There's a lot of stupidity built into the CGI code [used to transfer content to] Web sites."

      But even the best security measures may not thwart all attacks.

      "Security is not about absolutes, it's always about how many layers [hackers] have to go through to get to something," says Elias Levy, chief technology officer for Securityfocus.com in San Mateo, California. Levy says most companies are just not doing enough.

      "A hacker only has to be lucky once," agrees Nigel Tranter, vice president for Perfecto. "[Sites] have to be lucky all the time." These days, the same could be said for consumers.

They Know Everything About You

It ended in murder, and it started on the Internet.

      So says Tim Remsburg, stepfather of Amy Boyer, a New Hampshire woman who was tracked down and murdered last fall by a cyberstalker who had known her in high school.

      Remsburg places part of the blame for his stepdaughter's death on Docusearch.com, which sold Boyer's Social Security number to Liam Youens for $45. Youens used that information to find out where Boyer worked. Then he went there and shot her to death before turning the gun on himself.

      "I don't see how do-anything-for-a-buck information brokers can sleep at night knowing they've got Amy's blood on their hands," Remsburg says.

      But Docusearch.com, which declined comment, didn't break any laws.

The Business of Net Snooping

      Culling data from public and private sources is not only legal but part of a flourishing industry. There's a burgeoning trade in plucking information from commercial databases. One company, TR Information Services, advertises that it can deliver anyone's monthly bank or credit card statement for $95. A company called A1 Trace promises a list of anyone's stocks, bonds, and mutual funds--including account numbers--for $309.

      I tested one online service called A.S.A.P. Investigations. All I gave them was my name and previous address: Within an hour, the firm delivered my Social Security number, physical descriptions of my wife and me, details of the cars we own, and nearly every former address and employer I've had. A.S.A.P. compiled the profile from a half-dozen Web sites selling my past for a price. "We can find out anything," says Robert Reichert, the company's president.

      Reichert says that he doesn't offer his services to the general public. Most of his customers are lawyers looking to recover hidden assets for child support from deadbeat parents, or they are creditors looking for debtors who have skipped town. But clearly not every online investigator is as discriminating about its clients.

      "Anyone can start a business, call themselves a private investigator, and hang a shingle online," says Reichert.

It's Just Business

      Thank PCs and the Internet for making it cheaper and easier to pull together diffuse personal facts, says Robert Ellis Smith, publisher of Privacy Journal.

      Information brokers typically buy addresses, unlisted phone numbers, and Social Security numbers from credit bureaus like Equifax and Experian. State governments sell public data such as driving records, which often contain Social Security numbers. (As of June 2000, states will not be able to sell such information without the driver's consent.)

      In addition, banks and financial service companies can buy, sell, trade, and share their customers' financial information, including account numbers and balances. Courts have consistently ruled that this information is the property of the company, not the customer. However, many banks have curbed the practice because of public outcry.

      There's also the issue of identity theft. Armed with your name and Social Security number, an impostor can open a bank or charge account and destroy your credit. Approximately 400,000 Americans will suffer identity theft this year, say privacy experts. "Our traditional notion of personal privacy is gone," says Andrew Shen, policy analyst with the Electronic Privacy Information Center.

      But privacy advocates can claim some victories, such as new federal restrictions on the use of credit reports and driving records. And Congress recently banned the practice of pretexting--obtaining personal information about others under false pretenses.

      Victoria Streitfeld, spokesperson for the Federal Trade Commission, says the FTC polices the Internet for illegal information brokers and makes arrests when necessary.

      But for Tim Remsburg and his stepdaughter, the FTC's efforts are too little, too late. "What happened to Amy's right to privacy?" he asks. Indeed, what happened?

The Eyes Of Richard Smith

If the Internet is like the Old West--wild and untamed--then Richard Smith is the closest thing we have to a town sheriff. In the past year, the Phar Lap Software CEO turned security guru has uncovered what appear to be privacy breaches in the practices of RealNetworks, Amazon, and DoubleClick. He also coauthored a report revealing that numerous health sites share visitors' personal data without their consent. Last September, Smith retired from Phar Lap to focus on Net security and privacy issues. He spoke to us by phone from his Brookline, Massachusetts, home.

PCW: You've become the unofficial guru of Internet security. How did this happen?

SMITH: My interest in privacy really started with the flap about the Pentium III serial number [in January of last year]. I ended up looking at the use of ethernet address tracking numbers and was surprised at how often they were being used as GUIDs. They're almost like a Social Security number for your computer. The number itself doesn't say who you are, but the fact that it goes into databases all over the Web is depressing.

PCW: What, in your opinion, is the biggest threat to consumers on the Net?

SMITH: As you surf the Web, sites across the board are watching what you do, creating profiles, learning all about you. I'm concerned that all of this data is going to be combined in one big database.... The biggest problem is that a lot of tracking is not disclosed.... Companies like DoubleClick... [are] getting a lot of information that's frankly none of their business.

PCW: Will recent calls by the government for a stronger security infrastructure on the Net lead to even less privacy for consumers?

SMITH: Certainly. There's a real interesting trade-off between anonymity and privacy. What we're really talking about is [setting] up a system so that no matter what we do on the Web we're always tracked. No such thing as hidden IP addresses. [This makes it] real easy to track crime. The flip side is...that you can attack someone...and no one knows who you are. I am troubled by the lack of responsibility due to anonymity on the Web.

PCW: Do we need federal legislation to protect our fundamental right to privacy?

SMITH: It's silly to think something as big as the Net won't need regulation, while roads and other parts of commerce do. In privacy, we do need some regulation because of all the tracking going on and the ability to share that information. It can't be too heavy handed, but we need some rules of the road to make clear what's acceptable and what's not.

PCW: What advice would you give wary Netizens today?

SMITH: The main thing is: Computers, like elephants, never forget. Be careful what information you provide Web sites.... If you're registering your toaster, there's no need to tell them your yearly income. Be careful what you say in newsgroups. You can write something today, and three years later really regret it.

      Remember, the Net is still new. It's like a 12-year-old kid, still trying to find its way. A lot of issues--like hacking, privacy, and security--will get worked out over the next five years.

Should You Trust Truste?

Web privacy is more important now than ever. So if your favorite site carries a privacy seal of approval from an independent organization like Truste, you should feel safer, right? Maybe not. Internet giants like Microsoft, Deja, and RealNetworks all have sites approved by Truste. But each made news last year by engaging in practices that allegedly violated user privacy. Which raises the question: How far can you trust a seal from Truste?

      A handful of organizations dole out Web privacy seals. Truste is one of the largest, with licensees paying from $299 to $4999 for a seal that says their privacy policy passes Truste's muster. BBBOnline and CPA Webtrust also charge for audits and seals, as do the top six CPA firms. (Other organizations--such as Enonymous.com--do not charge, but they rate sites on the basis of certain levels of privacy offered under the terms of their policy.)

      But as events cited in these pages show, simply posting a policy and seal doesn't mean a site won't violate your privacy. And critics say Truste monitors members inadequately once it grants a seal. Instead, it relies on consumers and privacy advocates like Richard Smith to report privacy violations.

      The RealNetworks incident, for instance, was resolved after being brought to Truste's attention, but Smith says that the credit goes to the media and consumers. "[Truste isn't] really an enforcement organization," Smith says. "Mostly, the press coverage is what gets companies to change privacy policies."

      Truste does perform quarterly checks of sites. But CEO Bob Lewin admits that Truste doesn't look at a site's books to make sure it's not selling data, or at its programming code to ensure data siphoning isn't taking place. "To do those things would be a bit more expensive than what we do today," he says.

      "We've done a satisfactory job," he adds, "but I agree that we can do better."

      Critics also question Truste's impartiality. The organization was created by the industry it oversees, and critics argue that it relies on its sponsors--Microsoft among them--to support it. Lewin denies this, saying, "Eighty-five percent of our funding comes from license fees. ... No single sponsor has the financial clout to influence this organization."

      In its three years of existence, Truste has never revoked a seal. And Lewin says less than 2 percent of Web businesses that approach it for a seal are rejected.

Sealed for Your Protection?

So what does a privacy seal in general say about a site? "It tells you the site did have to answer questions about privacy, [and] that it does have a privacy policy," says Ari Schwartz, policy analyst at the Center for Democracy and Technology. "But a seal doesn't grant you any more control over your [personal] information than at any other Web site." A Web site can still collect and in some cases sell your data, as long as it tells you it's doing so.

      And most privacy policies don't cover third-party involvement in a site. So a firm like DoubleClick can do what it wants, and until now the host site hasn't been obligated to tell you about it. Also, Truste's license doesn't cover software downloads like RealJukebox or Windows 98. (Last year Microsoft was discovered to be collecting user information through its registration wizard.) Truste announced recently that it plans to expand its policies to include software and third-party contractors.

      In the end, privacy seals tell you that a Web site has a privacy policy and may be held legally accountable for breaking it. How likely a site is to follow its privacy policy is a separate issue, and unfortunately it's one you still have to address by asking yourself a basic consumer question: How well do I trust the company I'm dealing with?

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
