Still, few believe that these measures will eradicate a problem that's become so deeply entrenched. The FBI confirmed, for example, that no arrests have been made in any of six recent high-profile cases: * Playboy.com: An intruder slipped past the Web site security systems of the adult entertainment company last November and obtained the personal information of an undisclosed number of customers of the site's e-commerce store. The hacker notified customers that he or she had pilfered the information and, as proof, gave them their credit card numbers. * Ecount: Last summer, a hacker circumvented the Internet defences of the Philadelphia-based company's gift certificate service and notified customers of the breach in an email that included their home addresses. The hacker then demanded $45,000 from the company to keep him from exposing the personal information of 350,000 customers. * Egghead.com: A hacker infiltrated the e-tailer's system in December 2000. After three weeks of investigation, the company said the intruder did not obtain the personal information of its 3.7 million customers, but many banks said they spent millions of dollars to issue new credit cards in the meantime. * Creditcards.com: Also in December 2000, a hacker broke in to systems maintained by the company, which enables merchants to accept payments online, and made off with about 55,000 credit card numbers. The hacker tried to extort the company and, when executives refused to pay, exposed the numbers by posting them on the Web. * Western Union: In September 2000, a hacker exploited an opening in the Web site of the financial services company and got away with more than 15,000 credit card numbers. Human error left "performance management files" open on the site during routine maintenance, allowing the hacker access. * CD Universe: About 350,000 credit card numbers were stolen from the online music company in January 2000, one of the first large-scale hackings of its kind. The thief, identified only as "Maxus," held the card numbers hostage and demanded a $100,000 ransom. When the company refused, the hacker posted the numbers on a Web site. Without commenting on these specific cases, law enforcement officials say many online merchants may be partly to blame for the lack of arrests because they do not devote enough resources to prevent intrusion or facilitate investigations in the event of a crime. "If there is any message to get out there, it would be for companies to upkeep their antivirus and firewall software," said Laura Bosley, a spokeswoman for the FBI's Los Angeles field headquarters. Jennifer Granick, litigation director at the Stanford Law School Center for Internet and Society, said security is often neglected by companies more interested in making a quick buck. E-commerce companies "rushed online during the dot-com boom, and they saw the money that was to be had and didn't give a thought to security," she said. "They were too busy trying to capture eyeballs to secure their sites." Even if they have fortified their Web sites against attack, many companies are still unaware of the importance of preserving evidence if a crime occurs -- ignorance that can kill any hope of catching a perpetrator, said Bruce Smith, an investigator for Pinkerton Consulting & Investigations and a former FBI agent who worked on computer crime cases for six years. Frequently, Smith said, agents will scan the Web logs of a hacked company only to find a blank record that leaves the intruder's trail stone cold. Sometimes, he said, the shopkeeper accidentally destroys the logs, covering the hacker's tracks with other records. More often, the online store never turns on the logging feature to begin with because it could slow a Web site's performance. "You cross your fingers when you start looking at the logs," Smith said. "Sometimes you get lucky, sometimes not." Moreover, precious time can be lost when companies hesitate to contact authorities immediately after an intrusion. The reason for the delay is often rooted in business, not justice. "Fear," Smith said. "They're reluctant to admit that they've been victimised. You can imagine the bad press. Here's someone who's telling clients their information is safe at the same time their site is getting hacked." Security experts blasted Egghead for taking weeks to investigate whether the personal information of its customers had been compromised. A company with good logging capability should have been able to determine the extent of the intrusion within a few days, security specialists said, perhaps saving banks a cost of between $5 and $25 for each new credit card issued out of precaution. "I think there was some things that we wished we did before the attack," said Jeff Sheahan, the former chief executive of Egghead. "We thought we had a tight oversight system. We asked ourselves how we missed this. It was just focusing on other things and not sensing that there was a big enough risk." The investigation was expensive for Egghead, but the intrusion exacted a much higher price in the form of lost confidence among its customers. "When you're an e-commerce business, trust is important. I don't think there is any doubt that trust level took a hit to some degree," Sheahan said. Other online merchants would do well to learn from Egghead's mistakes, for the number of hackings is growing. To gauge this trend, CardCops' Clements posted fake credit card numbers on the Web and then spread the word at sites popular with "carders" -- those who traffic in stolen credit cards -- that a Web site had accidentally divulged the information. In less than a half-hour, the site had 74 visitors from 31 countries. Within a couple of days, the number of visitors had grown to 1,600. No one can say how many came to the site with criminal intent, but Clements believes most did. "There's a war raging online," he said, "and the bottom line is that law enforcement is losing."
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
