Information Security News mailing list archives

Amazon, despite denials, was warned about hack


From: InfoSec News <isn () C4I ORG>
Date: Thu, 8 Mar 2001 22:36:56 -0600

http://www.theregister.co.uk/content/8/17387.html

By: Thomas C Greene in Washington
Posted: 07/03/2001 at 08:55 GMT

A humiliating hack which resulted in four months of continuous
credit-card data vulnerability for Amazon subsidiary Bibliofind,
originally broken by the Wall Street Journal Tuesday, appears to
involve fraud on more than one level.

Intruders downloaded the company's customer records, including their
credit card details, names and addresses, over a four-month period
during which Bibliofind claims, incredibly, that it remained ignorant
of any wrongdoing.

"We have no information at this time to suggest that customers' credit
cards have been misused," company spinmeister Jim Courtovich is quoted
as saying.

The Register has reason to believe that Courtovich's statement, while
painfully predictable, is misleading.

At least one merchant known to us experienced "a spate of credit-card
fraud starting late last year," at just the time when Bibliofind's
security breach began.

Items worth between $1200 and $2000 were bought with valid US credit
cards and ordered "to be shipped mostly to eastern-European
destinations."

Our sources, who requested that their identity be withheld, explained
that their operations manager "got suspicious and phoned the
cardholders concerned, who confirmed that they'd not placed any
orders."

"We asked them if they shopped on-line anywhere else, as we suspected
someone's database had been hacked. The only common link was
Bibliofind," the source told us.

No good deed goes unpunished

The merchant dutifully contacted both Bibliofind and Amazon to warn
them that they had trouble, perhaps vainly hoping to get a
'thank-you' in reply.

"The Bibliofind sysadmin seemed quite interested and mentioned that
there was a possible security weakness within the system used by
vendors to log in, although he understandably didn't give details," a
second source continues.

So far so good, but "I then spoke with an Amazon sysadmin and the
Amazon fraud department manager. I forwarded the details that I had
collated and expected them to quietly close the hole."

"I was a bit put out to get an aggravated phone call from Amazon a few
weeks later threatening legal action because I had discussed the
[situation] with the card holders I had contacted. They insisted that
there was no evidence that their site had been broken."

So much for one's good deed of the day. "I muttered a few appropriate
words and left it at that," the disgusted merchant says.

"They had been made aware of this months ago, but have done absolutely
nothing. We still get fraudulent orders, quite possibly from the same
database," he added.

Lies, damned lies, and statistics

So how shall we reconcile Jim Courtovich's bold assertion that the
company has "no information at this time to suggest that customers'
credit cards have been misused," with what we've just learned? Is this
pure ignorance? Or a bald-faced lie? Or Clintonesque hair-splitting
akin to discriminating what the meaning of "is" is?

We'll take option three. We don't think Courtovich is an imbecile; and
we rather expect he has better sense than to lie outright to the
press, who make it their habit to test relentlessly the self-serving
pronouncements of little PR bunnies like himself.

But if we assume that the information supplied to Amazon and
Bibliofind by our merchant has since been discarded, then "we have no
information at this time" becomes a quite true, if patently
misleading, statement of which Slick Willie himself would no doubt be
proud.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".