July 9, 1997 1:50 PM PDT
Credit data taken off NBA, ESPN sites
It appears that the intruder never used or intended to use the credit card numbers, though.
Patrick Naughton, president and chief technology officer at Starwave, said the alleged burglar did not perform any complex hacks to break into the sites, but instead used a password to get in and download the credit card numbers of people who had made Net purchases that day. Naughton added that a few people had the password, which employees use to access credit card numbers both at the company and at the buildings where the actual merchandise is stored.
"We don't know who it is," he said. "We don't know how they got it. Some people have it as a matter of business."
Naughton noted that he's pretty sure, however, that digital traces will lead him to the person who did it. Naughton refused to label the act either a hack or a break-in. But in the email he sent to 2,397 customers, he called the perpetrator an "intruder" and said that Starwave changed all passwords and added a level of encryption to credit card data. He also said the company has contacted authorities including the FBI, the Secret Service, and credit card issuers.
So far, there is no evidence that shows the intruder actually used the cards. Instead, it seems that he took the data and used it to send messages to credit card owners, warning them of alleged security problems.
"Beware Michael Williams!" began one email sent to Williams, who had bought a New York Knicks T-shirt for his father's birthday on one of the sites. "You are the victim of a careless abuse of privacy and security. Your recent use of a credit card on 'zonestore-espnet.sportszone.com' or 'store.nba.com' is documented in a simple text file on a Web page with practically no security. One of our associates found the URL posted in a Usenet group."
The message also gave Williams his address, phone number, and the last eight digits of his credit card number. It also stated: "We feel the victims of this abuse deserve to know the truth."
In addition, it recommended that Williams contact his credit card company. "Clearly, [Starwave] doesn't consider the protection of individual credit card numbers a worthwhile endeavor. (This is one of the worst implementations of security we've seen.) Because of the potential danger to you, we suggest you cancel your credit card immediately and check with your local authorities regarding any specific rights you may have in this matter.
"This notice was sent on behalf of an anonymous organization seeking to make the Internet a safe place for the consumer to do business," the email concludes.
But Starwave's Naughton said there were no inherent security flaws on the sites, likening the alleged crime to an employee with access to an office who takes a file with credit card numbers from someone's desk or downloads credit card data onto a computer disk, leaves with that information, and then warns everyone about a security problem because nothing stopped him or her.
Naughton also reassured Netizens in the Starwave letter that this was an isolated event. "We have determined this incident was not a random person hacking past security measures, rather someone who unlawfully used inside information to commit this crime."
"My belief is they have no intention of selling or brokering the credit card information," Naughton said of the perpetrators. "They just wanted to make a statement to the Net. Ironically, it's not a statement about the Internet at all. If I have keys to a building that doesn't have armed guards, I can open the building and get in."
Williams, who called the email with his information "disconcerting," said he was never alarmed because "I do not feel I would be liable for any of the improper charges."
He added that after getting Naughton's letter, he was even less concerned. "I have faith in American Express to help me with any problems that may arise."