Bad security exposes credit cards online
Representatives for RegWeb, a conference registration service and software provider, first found out about the hole on Friday when someone posted a link to the Web site of credit card numbers to a hacker chat room. It's estimated around 300 to 400 credit card files were left in the open.
Mark Johnson, a developer at RegWeb, said he thought the problem had been fixed but apparently it wasn't. "We notified the client that it happened to and have been working with them," Johnson said. "Then we've been doing all we can to plug the holes."
The client was 877Chicago.com, which provides online bookings for people traveling to Chicago. The list of credit card numbers is full of hotels in the Chicago area.
Darci Watson of Calo Valley, Illinois, was one of the first on the list. She was obviously shocked to hear her credit card information was left out in the open. "It's a little unnerving because I've only done a handful (of online transactions)," she said. "I'm certainly going to be careful about buying anything online again."
Watson had applied for the reservation to the Allerton Crowne Plaza in Chicago though 877Chicago.com. "Since they book through a third party, and not through us at all, it's really not our responsibility," says Katie Wall, a spokesperson for the Allerton Crowne Plaza.
Interactive Week discovered the hole because someone who knew about it sent an e-mail with the link to the data. It's unclear what his intentions were and e-mail sent to the person for comment has not been returned.
"I thought you might be interested to know that RegWeb.com has major security flaws in its system," reads the e-mail, which then contains a link that points to the list of customer data and credit card numbers. Then he writes in caps, "they are attempting to sell their services to F1000's. Small company not enough (sic) resources to do the job right. Cut corners all the time."
Fred Rica, a partner and analyst with PricewaterhouseCoopers, chalks this up to just another example of poor security practices when it comes to the storing of customer data.
"This is exactly what the problem with e-commerce and credit cards over the Internet is," Rica says. "Credit card numbers are stored online and if those sites aren't configured correctly then you leave yourself open to vulnerability. This is a classic example."
Some customers today feel comfortable making an online transaction because they're told the process is secure. And it is. The actual credit card transaction goes through secure sockets layer (SSL) protocol to encrypt the traffic so no hacker can sniff it.
But Rica says that's not where hackers are stealing credit card information. They're getting it from the stored database that is poorly protected. "The issue is they're stored on an Internet accessible machine," Rica says. "Then to my mind the bigger problem is who ever put this Web site together didn't take the appropriate measures to make sure this didn't happen."
Those measures include proper firewall configuration and intrusion detection systems (IDS). IDS is designed to notify someone when there's somebody breaking into the network.
Also, even if someone gained access to the data, it should have been encrypted so it was unreadable, Rica says.
"We're really adamant about protecting our clients and this issue has definitely been a wake up call," said Steven Holland-Chang, the chief technology officer for Cardinal Communications, which runs RegWeb. "I usually appreciate hackers because they point out things that we may not have seen but it's definitely one of those painful experiences of being a small company."
This hack comes in light of the recent incident involving a third party dealer of wireless service for AT&T Wireless and Verizon Wireless, when customers' driving license and social security numbers were posted to a hacker chat room.
"There is no question that with the popularity of the internet and e-commerce, we're seeing much greater chances that data is getting compromised," says Albert Pang, e-commerce analyst with International Data Corp., "and it's just basically the sites out there have not taken he precautions to keep the data secure."