Fake News Release Costs Investors Millions

Distributing press releases to the media is usually a routine public relations function that occasionally attracts the attention of reporters. At least that’s normally how the distribution of press releases goes. However, when the night crew at Internet Wire showed up for work the other evening, little did they know that over the next few hours their actions would rock Wall Street and involve the FBI. Their distribution of a fake news release cost investors millions of dollars and highlighted how lax security is at many web sites.

Most email messages don’t have the impact of the email that contained a fake news release about the electronics company Emulex. The release said that the company would restate recent profits as a loss, that the company was under investigation, and that a senior executive had resigned. Within just a few hours after the release was distributed, the stock price of Emulex dropped by more than 60 percent, reducing its market capitalization by approximately $2.5 billion before trading was halted.

The perpetrator of the hoax didn’t hack his way into a highly secure server. Nor did he steal secret pass codes to gain entrance. He was just familiar with procedures used at Internet Wire and was able to fool staffers into thinking the release was authentic. CNET reported that the fake news release was apparently sent using a free Yahoo email account that had been obtained only minutes before the email was sent.

While the hoax was damaging to the company and many of its investors, it does point out the potentially larger security problem on the Internet.

The freedom to be anonymous on the Internet has received a great deal of support, which has resulted in many sites being rather open about allowing people to retrieve data and post information.

Marketers spend a great deal of money targeting what they believe to be the right audience for their message. In many cases, marketers are unable to identify exactly who is receiving their messages but that generally doesn’t cause anyone harm. However, the growing use of accessing key applications over the Internet points up the need for tighter security.

There are two main security problems that every site manager should review: authentication and validation.

A number of technologies can be used to ensure that material sent over the Internet is not accessed by unauthorized persons. These include using passwords on web sites and when accessing email, and using firewalls to validate access. However, most problems are not due to hackers breaking into the system but are related to ensuring that a person accessing the system is supposed to have that access. In other words, should an employee, customer, or vendor who has access to your system actually be allowed to have that level of access?

In the case of Internet Wire, the site now has password protection for added security. In addition, Internet Wire’s president says the site now has added an extra layer of verification by having a supervisor double check news releases received overnight.

Unfortunately, most web sites don’t make it easy for conscientious users to practice safe security techniques. For instance, many in-house computing systems require users to change their password monthly. But when was the last time you saw a web site that even allowed you to change your password?

My online banking site requires me to enter a password each time I use the system; however, my online grocery store and other online stores use cookies to identify me, which means that many of my accounts are only as safe as my laptop computer.

When it comes to the process of authenticating users on the web, the openness of the Internet makes it rather ifficult. Some companies use offline methods to match a person with their account ID, such as:

  • Requiring a user to make a purchase using a credit card that can be validated

  • Calling the consumer or company on the telephone to confirm information in an email
  • Sending a unique web site identifier to the individual via U.S. mail
  • Having a user make a telephone call to a specified number where Caller ID can identify the household

Once someone is authenticated and validated, the next step is to make it easy for him or her to have appropriate access to your system. We typically do this by assigning access levels in the profile database to control which links they see and which content is included in web pages and email messages.

The challenge of ensuring that only authorized people are accessing your web site needs to be balanced with the right of ordinary people to preserve their anonymity. By combining appropriate authentication techniques with effective security technology, both goals can be achieved.

Related reading