Credit card cookie theft 'unlikely'

Security experts play down fears of a possible new form of online credit card theft that uses cookie technology

Leading security experts have been quick to play down fears of a possible new form of online credit card theft that uses the cookie technology in Web browsers.

In recent days, it's been reported that Novell CEO Eric Schmidt believes his credit card number was stolen using a cookie, but that is an "unlikely" possibility, according to Paul Fahn, cryptographic analyst for encryption technology provider Certicom. "If the site is run properly and securely, it should not be possible, but with carelessly implemented security on a site it might be possible."

According to Fahn, the security risk lies not so much with the cookies themselves as with the company a person is dealing with. Generally, cookies do not contain sensitive information like credit card numbers. Essentially, the information contained in a cookie acts as an account number, which can be used to call up private billing information stored on an e-commerce site's secure server to enable faster ordering. According to security experts, the information contained in the cookie is basically useless unless someone is also able to break into a company's server, which should be protected. However, Fahn warns that whether a site is using the best security measures ultimately comes down to a matter of trust.
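A site operator can check its own cookies against the design described above. The following is an added example, not code from the article or from any company named in it: it flags cookies whose value contains a card-like number that passes the Luhn checksum. The function names and the sample headers are constructed for illustration, and the Luhn test is a heuristic, not proof that a value is a real card number.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Runs of 13-19 digits, optionally grouped with spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the check-digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_cookie_header(header: str) -> list[str]:
    """Return the names of cookies whose value holds a Luhn-valid number."""
    jar = SimpleCookie()
    jar.load(header)
    flagged = []
    for name, morsel in jar.items():
        value = unquote(morsel.value)  # catch percent-encoded separators too
        for match in PAN_CANDIDATE.finditer(value):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                flagged.append(name)
                break
    return flagged


# Constructed sample headers. 4111 1111 1111 1111 is a widely used test number.
CARELESS = "uid=1001; cc=4111-1111-1111-1111; name=Jane"
CAREFUL = "session=9f2c7a1be04d4c55a8e3d1f0b6a7c2e9"  # opaque lookup key only

if __name__ == "__main__":
    print("careless site:", audit_cookie_header(CARELESS))
    print("careful site: ", audit_cookie_header(CAREFUL))
```
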

"The company is the one that controls what gets stored in the cookie file so if they store too much information then that's their fault," explained Fahn. "If this happened (a card number was stolen), it's the company's fault. It's the company's responsibility to protect the consumer against these types of attacks."

Schmidt was not available to discuss the details of how cookies were used to steal his card number, but Adam Shostack, director of technology for Internet privacy software company Zero Knowledge Systems, has his own theory on how the card may have been stolen. "It seems to me, that if his credit card number was stolen the likely places for that to happen would be some e-commerce site where he handed that information over to an insecure server or it was stolen by some clerk at a store or a waitress," said Shostack.

For David Sobel, general counsel for the Electronic Privacy Information Centre, an online privacy advocacy group, even the possibility that cookies could be used to steal credit card numbers demands action. "The technology is always going to be pushed to the limits in terms of getting information," Sobel said. "That means we need legal protections that keep pace with the technological changes."

According to Shostack, taking a "better safe than sorry" attitude is never a bad idea. He believes the best protection against possible misuse of information stored on cookies is knowing which companies are collecting your information, and taking control of how much private data is stored within your browser.

Shostack suggests using a cookie utility like "Cookie Crusher", which lets users see which sites are collecting information, or "Cookie Cutter", which instantly erases all the cookies stored in your browser.
