From Privacy Times, February 3, 2000
"INTERNET PRIVACY": AN OXYMORON IN PROGRESS?
A swirl of recent
events only seems to confirm fears that consumers cannot trust their
privacy to the Internet. There are many sources of the problem: data-hungry
Internet firms bent on exploiting personal information; inattention
to security and persistent technological glitches; and a growing
underground of hackers who are willing to take advantage of the
situation. Much of the recent attention was focused on DoubleClick,
the Internet ad firm (see story below). But several other less publicized incidents have added fuel to the
fire.
For instance, Outpost.com, a Web site offering palm
pilots and other hi-tech gear, promised to fix a glitch that potentially
revealed customers' detailed transaction summaries, including e-mail,
billing and shipping addresses, type of credit card they used, and
their order history. Outpost.com customer James Wynn noticed his
order number was in his URL address.
When he changed digits in the URL address, he was able to
see other customers' orders. Craig
Andrews, an Outpost.com spokesman, told Wired
News the problem would be fixed Jan. 24, the day that it was
brought to the company's attention.
In Jacksonville, Florida, the credit card information
of 227 area customers of local ISP Community Connections has been
exposed for two years because of a glitch in Microsoft Front Page,
software that allows subscribers to sign up online.
According to the Jan. 28 Gainesville
Sun, one of the ISP's customers discovered the Web address where
the credit card numbers could be found, as well as other subscriber data, including
name, address, telephone number and passwords.
The customer alerted the newspaper, which informed the ISP. Community Connections corrected the error and
sent all "exposed" customers a certified letter explaining
the situation. (www.sunone.com/news/articles/01-28-00g.shtml)
Tom Bailey, Microsoft product
manager for Front Page, said Microsoft two years ago instructed
ISPs to fix the problem with a free patch.
"Since it had been over two years when we first discovered
this potential problem, we were pretty confident that it had been
resolved," Bailey said. "Until
today." He added that
Microsoft will again contact ISPs.
He wouldn't specify how many ISPs he believed to be using
the vulnerable, 1997-98 versions of Front Page.
Community Connections stressed that there had been no reported
victims of credit fraud from the glitch.
The impact of these and other security glitches is
softened for some by the fact that "no one was really hurt." That's why a Jan. 30 story out of the San Jose Mercury News is more unsettling.
A network of hackers is constantly seeking to take advantage
of weaknesses in ever-more popular, high-speed "DSL" Internet
connection services. These hackers aren't after you, but want to
take over your computer in order to launch attacks on others while
hiding their identities.
It's not the speed of the connection, but the fact
that the user is typically connected for much longer periods of
time. A hacker who identified himself as "alkali"
said he is always searching for unsecured home systems with a high-speed
connection, which he values because he can move data more rapidly.
"Cable modems changed my life," he claimed.
Jerry Asher, a Berkeley subscriber to a Pac Bell DSL
service, said he installed a firewall that recently documented attacks
from hackers with Internet addresses in North Korea, Germany and
Serbia. German hackers, for instance, checked to see
if Asher's computer had three different types of software that could
be used to communicate with other computer networks, such as a corporate
system. Asher said that Pac Bell does not warn consumers
of possible security problems, and that most don't have
firewalls. Darren Newell, a data
security director for SBC Communications, Pacific Bell's parent
company, said the firm soon plans to use its Web site to caution
consumers about online security issues. But it doesn't tell customers
who sign up for $49-a-month home DSL lines about the risks and how
to avoid them. Alan Jackson, of England, said his firewall stopped
seven electronic break-in attempts in three days. The computers at the Energy Dept.'s Lawrence Livermore Natl. Lab
are under daily assault from would-be intruders, according to William
Orvis, the Lab's computer security expert.
Orvis said he's seen plenty of evidence that hackers break
into home computers and use them to mount attacks on others. The consequences for innocent users can be catastrophic.
"If we see an attack coming from somebody's home machine, we're going to ask your ISP
to disconnect you," Orvis said. Those who get caught up in a serious
security breach may find law enforcement authorities seizing their
equipment and examining it to try to track down the hacker and develop
evidence for a criminal prosecution. http://www.mercurycenter.com/premium/front/docs/vulnerable31.htm
Meanwhile, Bob Sullivan of MSNBC reported
on an Internet chat room where "carders" buy and sell
credit card numbers stolen from the Internet.
The electronic scene resembles a combination of a commodity
traders' floor and a street corner of drug dealers. Typically, a carder posts a claim that he has a “fresh list of cards,”
and then to prove it, he posts a sample card, including billing
address, phone number, etc., into the open chat room. A feeding
frenzy follows. A participant reports that the "sample"
card is maxed out within 10 minutes, and then others jump in to
buy the remaining list. http://www.msnbc.com/news/365426.asp
One anonymous source came across a "list of 10,000 or 20,000 numbers,
and it took two days to figure out who to contact."
There is no Web page or e-mail address set up by credit card
companies like Visa to help report fraudulent activity.
A spokeswoman for Visa said her company does monitor a number
of public sources of information, but declined to offer details,
saying that would compromise the company's monitoring methods. Told
of a freshly posted Web page with an exposed credit card number,
she replied: "You can assume we already know about that."
A great deal is at stake — for Visa alone, there was $487 million
in fraudulent charges reported last year — but that’s still a fraction
of the $700 billion in total sales. What’s more, Visa says fraud
rates are actually down, and fraud rates on Net transactions are
only slightly higher than real-world rates (.09 percent to .07 percent).
In Rome, Italian Privacy Commissioner Stefano Rodota ordered Infostrada,
the country's second-largest telecom, to temporarily shut down its
free ISP service for violating national privacy laws.
The free service, Libero, required users to disclose their
age, health status, sexual habits, as well as political, labor,
and religious preferences, an unlawful imposition, Rodota said.
He added that his office will be designing a series of guidelines
for Internet services and contracts that will ensure companies like
Infostrada do not trample privacy. He is looking into other free Internet services
as well. Infostrada admitted
the original contract for Libero service did, in fact, conflict
with privacy rules and took immediate action to correct the problem. It was merely an oversight, a company spokesperson
told reporters. The information
required was utilized for marketing purposes, as the access for
free Internet is compensated by advertising, and not to "spy"
on users.