TalkBack 7 of 23
"Good luck" as security strategy
Over the past 2 years I came across a number of similar cases like these on major websites. What is worse is the attitude that most of the operators demonstrate when you point the finger at the flaws.
Without any hacking attempts (or knowledge, for that matter) I accidentally downloaded an entire database with detailed information about users, addresses and their calls from the public website of Winstar. All it took was to type a search term into the provided search box. They never even bothered to fix the hole (and finally went out of business). Just 2 weeks ago, I alerted Ebay about a fairly clever credit card phishing attempt by a Swiss company, and delivered the name, phone number, address, website etc. to Ebay's fraud department. After a week, the site was still online, a second attempt to contact Ebay was as fruitless as the first (no response at all), and only after I contacted PayPal did they start some action. So much for Ebay's dedication to combat fraud... Tower Records recently got fined for not fixing security holes after they were alerted about them, Covad's online account manager was not even encrypted (any cheap hosting account provides better security than this!), a US healthcare company enabled me to break into their entire client database without any particular skills (this got fixed later), etc. etc.
It is my job to build web applications, so maybe I tend to look a bit more closely at the details. I always explain to clients the importance of not only designing a secure system, but also testing it extensively before a launch. Of course, in the meeting they always approve everything ("Yes! Yes! Yes!") - until the next budget request comes in. Reality is that the all-mighty "Return on investment" and "Time to Market" are the best guarantors that systems will sooner or later fail, simply because the development team is not given the necessary means to develop and test them properly from all the angles that a creative hacker (or a clueless lucky/unlucky user) will probably approach them from.
When large players like Cingular demonstrate such a degree of ignorance and arrogance towards the privacy of their customer information, there is truly no excuse. They have the money & means to build good systems & interfaces, and compared to the funds that they spend on advertising and their execs' top salaries, the effective costs would be ridiculously small.
On the other hand, software developers are also partly to blame for not being more responsible (or aware) of the complexity and vulnerabilities of online web-based e-commerce and CRM applications, and for not insisting on more extensive Q/A. Unfortunately, especially on the lower end of software projects, the competition among developers often leads to underfunded projects and unrealistic development times - simply for the sake of "getting the job". But I doubt that this was the case in this example.
MG - Posted by: mgfint Posted on: 06/09/04