Security and the Single Store

Five years ago, when the web was new, the idea of having a credit card number stolen online seemed ludicrous.

Back then we still imagined the Internet as a haven of intelligent, rational beings – scientists, engineers, and other responsible professionals – using ethical netiquette to control behavior. (How young we all were.)

The real danger, we quickly learned, lurked among the buyers, bad guys using stolen credit cards to order dozens of pantsuits RIGHT NOW for delivery to a P.O. box across the country from the address of the cardholder. (The upshot was we built new “commerce service provider” firms like Cybersource, whose algorithms alerted us to dangers and let us adjust the risks.)

Times have changed. Hackers have been busy. All the 56-bit encryption schemes that were standard five years ago have been hacked. Firewalls have been breached, and behind those of CD Universe, 30,000 card numbers were stolen. The thieves posted some on a web page, and sold the rest, according to John Vranesevich of AntiOnline.

While the Internet is the entry point for hackers, the real jewels are in authorization systems, which are supposed to be separated from the Internet by powerful firewalls. Visa, which is based in the San Francisco Bay area, had its base system compromised in July, according to London’s Sunday Times. Source code files were stolen, and the hackers reportedly sought a £10 million ransom.

The Visa hack is a far bigger concern than the CD Universe hack. Visa’s software implements standards that must be met by every other merchant processor, and the source code gives hints about those standards that compromise every processor. Given that the hack came from London, it’s possible systems were compromised from there, meaning only a 56-bit encryption key, not the more powerful 128-bit keys common in the U.S., was broken.

What can you do, as a merchant, to protect yourself and your customers? The most important thing to do is to take card numbers behind your firewall and erase them from memory after every transaction. According to Faisal Jawdat of Faisal.com, this still leaves you vulnerable to hackers entering the card processing system and taking card numbers as they enter, but that’s a relatively minor risk. As CD Universe found, it’s risky to keep numbers around as a convenience to customers. While they can be re-used without being re-entered, they can also be stolen if they’re in front of the firewall.
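The advice above, as an added sketch in C that is not from the original article: the full card number lives only in the buffer that received it, the order record keeps just the last four digits and a processor reference, and the buffer is overwritten on every exit path. The `authorize` function, the record layout and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What the merchant keeps after the sale: never the full card number. */
struct order_record {
    char last4[5];      /* last four digits, for receipts and support */
    char auth_ref[16];  /* reference returned by the processor */
};

/* Overwrite through a volatile pointer so the compiler cannot
   discard the stores as dead code. */
static void wipe(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Hypothetical stand-in for the call to the card processor. */
static int authorize(const char *pan, char *ref, size_t ref_len) {
    (void)pan;
    snprintf(ref, ref_len, "AUTH-000001");  /* constructed value */
    return 1;                               /* 1 = approved */
}

/* Run one transaction on the buffer that received the card number.
   Returns 1 approved, 0 declined, -1 malformed; always wipes the buffer. */
int process_card(char *pan, size_t cap, struct order_record *rec) {
    const char *end = memchr(pan, '\0', cap);
    size_t n = end ? (size_t)(end - pan) : cap;
    int ok = (end != NULL && n >= 12 && n <= 19);
    int result = -1;
    memset(rec, 0, sizeof *rec);
    for (size_t i = 0; ok && i < n; i++)
        ok = (pan[i] >= '0' && pan[i] <= '9');
    if (ok) {
        memcpy(rec->last4, pan + n - 4, 4);
        result = authorize(pan, rec->auth_ref, sizeof rec->auth_ref);
    }
    wipe(pan, cap);
    return result;
}

int main(void) {
    char pan[32] = "4111111111111111";  /* constructed test number */
    struct order_record rec;
    int r = process_card(pan, sizeof pan, &rec);
    printf("result=%d last4=%s ref=%s\n", r, rec.last4, rec.auth_ref);
    return 0;
}
```

As the article notes, this does not protect the number while it is in flight to the processor; it only ensures nothing reusable is left behind once the transaction ends.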

Another way to ensure safety, Faisal adds, is to break Amazon.com’s patents on its “one-click ordering” system. The Amazon system is secure, Faisal says, but Amazon is suing everyone who uses it.

The real key to security, of course, is keeping hackers from getting behind the firewall in the first place. There’s good news here in the Clinton Administration’s approval of rules removing virtually all restrictions on the export of powerful encryption. The new rules include some restrictions on sales to foreign governments (they ban sales to Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba). But they should make powerful 128-bit encryption standard on all servers, as well as clients, very quickly. The war against hacking depends on strong encryption, whatever the risks that other kinds of bad guys may misuse it.
