Egghead fends off Christmas hackers


The hackers showed no Christmas spirit. In December, online electronics retail store Egghead found itself under attack from a hacker who was trying to steal customer credit card records from its servers, writes Danny Bradbury

Obviously spooked by the incident, in which the hacker was caught red-handed, Egghead decided to inform the credit card companies and hand over 3.7 million customer credit card details, so that they could make the necessary security arrangements.

After the intrusion was detected, the company worked with a security consultancy to find out whether any of the records had been compromised. The online retailer now believes that it stopped the hacker in time.

"All this has done is speed our security process up," said company spokeswoman Shoreen Maghame, adding that the company had already budgeted for security enhancements this quarter. However, none of this will do anything to reassure a customer base that is still concerned about online security and privacy.

The real issue is that online retailers are putting revenue growth and market share above security, said Jonathan Gossels, vice president of US-based security consultancy SystemExperts and former director of business development for the Open Software Foundation. "Security is a low priority," he said. "Over and over again, we hear companies saying that they are growing too fast to make their sites secure."

The incident occurred almost a year after online retailer CDUniverse had 25,000 credit card numbers stolen from its site and posted on the Internet when it refused to give in to blackmail. Press reports of other such hacks have littered the news, and credit card companies such as Visa have issued zero liability guarantees to try to lure customers on to the Internet.

"Credit card companies are applying risk analysis while looking at the cost of transactions on the Web compared to paper transactions," said Gossels. He believes firms will shoulder some of the inevitable fraud on the Internet as long as it is offset by the reduced overhead associated with online transactions.

According to Gossels, a security audit for online retailers taking credit cards is out of the question, because there are very few online traders that could call themselves hacker-proof. For the time being, credit card companies are willing to take the risk - but if online revenues do not measure up in the long term, or if online fraud becomes too much of a problem thanks to careless retailers, then the situation may change.

Top e-commerce slip-ups

Common mistakes that SystemExperts has seen being made by companies doing business online:

  • Web problems (trusting input data, running server as root, using default configuration)

  • Not designing fail-over plans for a denial of service attack

  • Assuming that one part of the security design "fixes" other problems, such as assuming that SSL makes you secure

  • Making modems available with direct access to routers, gateways, and hosts

  • Not applying the most recent OS or application patches

  • Designing the network in terms of inside/outside, instead of appropriate access, and relying too much on firewalls

  • Depending on manual reviews of events and logs

  • Not testing Internet readiness through penetration analysis

  • Using default OS or application parameters, including passwords and default-enabled services

  • Using unencrypted administrative access and making it reachable from the Internet

  • No escalation policy, or even no detection (meaning that a company may not know that it has been broken into)
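Several of the slip-ups above (running the web server as root, default credentials, unencrypted administrative access exposed to the Internet, stale patches, no detection or escalation) can be turned into automated checks instead of a manual review. The following is an added example, not code from the article or from SystemExperts: it audits a constructed host inventory against those items. The threshold, the service and credential lists, and the inventory records are all assumptions made for the example.

```python
"""Automated checklist audit for the e-commerce slip-ups listed above.

Added example, not from the article or from SystemExperts. It encodes several
of the listed mistakes as checks over a small host inventory so that the
review is automated rather than a manual pass over configurations and logs.
Every host record below is constructed sample input.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Services that carry administrative credentials in cleartext (assumed set).
CLEARTEXT_ADMIN_SERVICES = {"telnet", "ftp", "http-admin"}
# Vendor default credentials that should never remain enabled (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", ""), ("admin", "password")}
# Assumed policy threshold for patch age; adjust to your own policy.
PATCH_MAX_AGE_DAYS = 30


@dataclass
class Host:
    name: str
    internet_facing: bool
    web_server_user: Optional[str]          # user the web server process runs as
    listening_services: Set[str]            # services reachable on the host
    admin_accounts: Set[Tuple[str, str]]    # (username, password) pairs
    last_patch_date: date
    has_ids_alerting: bool                  # automated detection and escalation exist


def audit_host(host: Host, today: date) -> List[str]:
    """Return one finding string per slip-up detected on the host."""
    findings: List[str] = []
    if host.web_server_user == "root":
        findings.append("web server runs as root")
    exposed = sorted(host.listening_services & CLEARTEXT_ADMIN_SERVICES)
    if host.internet_facing and exposed:
        findings.append(
            f"unencrypted admin access reachable from the Internet: {exposed}")
    if host.admin_accounts & DEFAULT_CREDENTIALS:
        findings.append("default credentials still enabled")
    age = (today - host.last_patch_date).days
    if age > PATCH_MAX_AGE_DAYS:
        findings.append(f"patches are {age} days old (limit {PATCH_MAX_AGE_DAYS})")
    if not host.has_ids_alerting:
        findings.append("no automated detection or escalation in place")
    return findings


def audit_inventory(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    """Map each host name to its list of findings (empty list means clean)."""
    return {h.name: audit_host(h, today) for h in hosts}


# Constructed sample inventory: one badly configured host, one reasonable one.
SAMPLE_HOSTS = [
    Host("www-1", True, "root", {"https", "telnet"},
         {("admin", "admin")}, date(2000, 9, 1), False),
    Host("www-2", True, "www-data", {"https", "ssh"},
         {("ops", "long-random-passphrase")}, date(2000, 12, 10), True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_HOSTS, date(2000, 12, 20)).items():
        status = "CLEAN" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run as a script it prints a per-host summary; in practice the inventory would be fed from configuration management output rather than hard-coded, and the findings list would feed the escalation process the last bullet says is so often missing.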

Internet security resources

There are organisations that can help combat inadequate security and protect companies from infiltration. These include the System Administration, Networking and Security (Sans) Institute, formed in 1989 as a forum to help share information about security issues. Sans runs the Global Incident Analysis Center, which detects new security threats and makes information about them available online.

The Cert Coordination Center, operated by Carnegie Mellon University, is another information hub that circulates data about Internet security threats, while the Center for Internet Security is a not-for-profit organisation with methods and tools to help secure networks.
