Egghead customers: Dumb's the word By Robert Lemos and Troy Wolverton, Special to ZDNet January 2, 2001 2:49 PM PT

URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2669672,00.html?chkpt=zdnnstop

Nearly two weeks after an intruder cracked into Egghead.com's computer systems, the online retailer is still mum on whether any credit card numbers were stolen from its database of 3.7 million customers.

Representatives for Egghead and for the San Francisco office of the FBI confirmed Tuesday that investigations were continuing, but they would not provide details.

Customers, however, were talking.

"Any company that's going to do something as stupid as maintain a credit card online on a vulnerable server that long after the transaction, I have no reason to trust them at all," said John Groseclose, of Scottsdale, Ariz. "That goes against every industry best practice that's out there."

On Dec. 22, Egghead acknowledged that someone had cracked its systems and may have accessed its customer database. Sources within the credit card industry said that Egghead had handed over more than 3.7 million credit card numbers to Visa, American Express, MasterCard and Discover as potentially stolen.

Customers inconvenienced At the time, Egghead co-chairman Jerry Kaplan said the company expected to know within the week if any credit card data was compromised. The auditing team hired by Egghead, security firm Kroll Worldwide, referred all questions back to Egghead.

'There currently is a complete lack of standards for online commerce.' -- Paul Robertson, TruSecure

For Groseclose, the breach has been a big inconvenience.

Last week, his credit union canceled his debit card--the only credit-type card he holds--blaming the Egghead breach. He said he still hasn't gotten a replacement, which means he's had to go to the bank to get cash to pay for his gas and groceries and has had to forgo several online transactions.

Groseclose said the last time he remembers shopping at Egghead was 18 months ago. He said won't ever shop at Egghead again.

Visa, MasterCard react The credit card companies, and their member banks, have handled the situation in different ways.

MasterCard notified its member banks about the breach and left it up to them to decide whether to cancel cardholders' accounts, spokeswoman Sharon Gamsin said. Gamsin declined to say whether MasterCard has taken any other action or how many MasterCard holders were affected.

Visa notified its member banks and has itself been monitoring the 1.8 million affected accounts, Visa spokeswoman Casey Watson said. As of Thursday, Visa had not seen any indication that the affected cards had been used fraudulently, she said.

As with MasterCard, Visa's member banks will determine whether or not to cancel affected accounts and reissue cards, Watson said.

No fraud reported "What you need to keep in mind is that the banks that own these card numbers will do whatever they can to protect those numbers from fraudulent use," she said. "They will determine the best approach."

Discover Financial Services is also monitoring the affected accounts, but declined to say whether any fraudulent activity had been detected, spokeswoman Cathy Edwards said.

The Egghead hack may push credit card clearinghouses, or the banks that issue them, to embrace higher security standards, said Paul Robertson, director of risk assessment with security specialist TruSecure.

"There currently is a complete lack of standards for online commerce," Robertson said. "It is pretty easy to make a bar high enough so that hacking is difficult, but make it easy enough (to set up security) to be practical in the real world," he said.

MasterCard already requires merchants to encrypt cardholder information. Visa launched an e-commerce security initiative last June, which sets minimum security standards for its affiliated merchants, Visa's Watson said. Discover and American Express have security programs that include throwaway credit card numbers.

-- Martin Thompson (mthom1927@aol.com), January 04, 2001