With reports of new Web security holes seemingly appearing every day, browser vendors are becoming increasingly proactive about heading off any kind of security threat--even ones that aren't their fault.
The latest problem concerns Web sites that perform commercial transactions. It turns out that some of them could unwittingly be exposing credit card numbers to unauthorized users.
The risk involves a function of the hypertext transfer protocol (HTTP) known as GET that is used to transfer data between a Web browser and server. Both Netscape Communications (NSCP) and Microsoft (MSFT) support the protocol in their browsers, and users of Navigator or Internet Explorer are, in theory, at risk.
It is difficult to tell how serious the actual risk is for real Net surfers. Dave Fester, lead product manager at Microsoft, could not say how many sites use GET to handle credit card transactions, but he did say that Microsoft and the World Wide Web Consortium (W3C) have recommended that Web sites employ a more secure HTTP feature called POST. Both Navigator and Explorer also support POST.
"This is not a security flaw in Internet Explorer or in Navigator," said Fester. "It's a Web site authoring issue. If you follow W3C standards, you can responsibly get a credit card number from a user."
But even though GET is not really Microsoft's problem and Microsoft says this hole is probably not a big deal, the company is looking into ways to prevent the use of GET for credit card transactions in Internet Explorer 4.0, due to ship later this year. The company is still evaluating whether to provide a patch for the existing Explorer 3.0.
However, Netscape says it may be difficult to block use of GET for specific types of data since the function has other uses. Instead, the company is looking into educating sites not to use the GET protocol for credit card transactions. "I personally have never seen a site that uses GET [for credit card transactions], and I shop on the Net all the time," said Eric Greenberg, group security product manager at Netscape.
For users, security risks could arise if they make a purchase at a site that uses the GET function to retrieve their credit card data. Once a user has submitted an order and credit card number, the data is sent to the Web vendor in encrypted format. But if the user clicks on a hyperlink to another Web site, they could be exposing their unencrypted credit card data to that site.
For instance, on an order form page, if there is a link to an external Web site, there is a possibility that a copy of the credit card data, stored locally in the client browser, could be passed on to that other site.
GET is commonly used to retrieve Web pages from a site but was never intended for secure transactions. For example, GET is used to dispatch a page request to a server when a user clicks on a hyperlink.
Experts today said the security risk was probably remote for most users, but that sites should be cautious about setting up their storefronts properly.
"The way to present this kind of problem to the public is fairly tricky," said Stephen Cobb, head of security at consultant Cobb and Associates. "I can't say we are going to see a huge number of credit cards snatched in this way."
But a series of reported security holes in its own Explorer has sensitized Microsoft to the whole subject. The company is anxious to eliminate any new security issues such as the GET protocol, even if the company is not directly responsible.
At the same time, both Microsoft and Netscape are trying to downplay the danger of these kinds of glitches, which they say are more theoretical than threatening.