Practical Ecommerce

Interview: Ex-hacker Mitnick On Avoiding Fraudsters

You know that hidden bomb shtick in the movies? There’s a bomb that’s going to go off and kill a gazillion people. First, the good guys have to find it. Then they have to figure out how to get into it to disarm it. Then they almost have it disarmed when they discover a booby trap they have to work around. Then they find the two wires – red and blue. The hero has to snip the blue wire, but they both look black under the yellow light. Then he gets lucky. He snips the blue wire.

When it comes to Internet fraud, however, some of us don’t get so lucky.

According to master-hacker-turned-security-guru Kevin Mitnick, those layers of resistance set up by the mad bomber ought to be the way everyone thinks when they are trying to keep the bad guys out of their computers, networks and databases.

Mitnick, who knows about as much as anyone concerning Internet security, says it is not easy keeping the bad guys out. He says there is no magic bullet (or wire snipper).

Mitnick: The system is broken. There is no one out-of-the-box solution to network or data security. It takes layers of protection to make it as difficult as possible for hackers to get into your system. Crooks like the easy route. If something takes hours and they only steal $500 they won’t bother next time.

Kevin Mitnick spends most of his life on the road these days. We caught up with him at his Nevada headquarters, while he was prepping for trips to Caracas, Tokyo, Frankfurt and Slovenia. Mitnick is the one-time most-wanted superhacker who, after getting nailed by the Feds at the end of a three-year run, turned good guy. Now he uses his considerable skills and creativity to help folks keep the digital wolf away from the door.

You may not want to read this, but ecommerce entrepreneurs, by virtue of what they do, and, in most cases, their limited understanding of network security, are among the most vulnerable to attack. And yes, “attack” is the right word.

Mitnick: The small on-line business person cannot assume anything when it comes to the security of the data they store. They have to learn to ask questions of their hosting companies about how data is stored and where encryption keys are stored and who has access to them. In most cases businessmen are not experts nor are they interested in becoming experts. For that reason, they have to rely on software and people like myself who are experts at dealing with the problem.

Fraud, identity theft and other cyber-crime threats come in two basic forms. One comes from technical vulnerability; the other from a very unsettling and often close-to-home social vulnerability.

Mitnick: I think the threats are equal. What I have discovered through my practice and experience is that business people who are not technically astute will buy software and hardware products and when they are put into place it mitigates the risk to near zero. But then what happens is they get defrauded through social engineering – a rogue employee steals credit card numbers or an employee unwittingly gives out information to a social criminal who commits fraud by gaining trust and asking for information in a seemingly innocent manner.

What I recommend is that you design your security by looking to your technology, your processes and your people. The security should be the sum of all three, because the bad guys are going to look to the weakest element, and if it’s your people, they are going to exploit it; it is done all the time.

The social engineering threat has always been around – it’s the smooth talking huckster selling snake oil of some kind. But now it’s also a person armed with a little bit of knowledge – username, special language, pure business attitude – who can catch a businessman, consumer or employee unawares and end up gaining access to valuable information or systems. Protecting yourself from that threat is a matter of sensitivity.

Mitnick: Unfortunately it is up to each individual to define in their own mind’s eye what is sensitive. But when anyone requests information from you that could be sensitive, such as passwords or how you connect to a system, you should question that. When people get a phone call from someone who sounds knowledgeable or says certain things about a product they may use, they are of a mind to go ahead and give out the information. But people have to become comfortable with saying no and not giving information to someone when there is no need for them to have it.

A fraudster, for example, could call up and ask you to visit a particular website while you’re on the phone – a site you normally wouldn’t know about or see. When you do, the site plants malicious code in your browser and captures personal info or uses your browser to do something you didn’t intend for it to do.

If you call a company and are buying something from them, say a printer, and they ask questions about your system, you can give them the information. But if someone calls you, especially someone you don’t know, and starts asking questions like what kind of computer you are using, where you are located, or what operating system you use, it is best not to say anything.

Mitnick’s current book is called “The Art of Deception.” It’s about this social engineering phenomenon. It’s a little scary. Most of us have no idea how many different ways people are trying to steal from us.

Mitnick: In my book I use storytelling to describe the various tricks and scams that the bad guys use to get the physical assets of your company or to get your contact lists. They could con one of your customer service reps into giving out information. It could be as simple as a customer service rep working on the company computer, when a bad guy calls up and says he’s a tech working on the system and tells them to go to the company’s new website. The new site is only set up to look like the company system, and when the employee tries to log in they provide their username and password to the bad guys, who then have access to the company system.

So there are a lot of bad guys and a lot of prongs in the attack. How bad is the threat?

Mitnick: If you are connected to the Internet, you are under constant attack. There are always people looking for vulnerabilities. It may not be to steal something but it may be to use your machine as a storage locker for illegal software or they may be launching other attacks from your computer, putting you in legal jeopardy.

Hiring someone like Mitnick to analyze your systems and vulnerabilities is a good step for anyone who trades on the Internet. But beyond that there are things he suggests that can help mitigate the threat.

Mitnick: You can ask your hosting company to enter into an agreement that requires them to provide security. [One thing] I think you should do, if you can negotiate it, is to have some risk transferred to the hosting company so that they have some responsibility.

The other thing is for the entrepreneur to hire an employee who knows about security or to learn about it themselves. The other option is to hire a consultant.

There simply is no security in a box that you can install and forget. It takes layers. Of course, make sure you have a firewall in place. But don’t just rely on that; you want to layer your defenses. The firewall keeps people out of certain parts of the system, but there are other vulnerabilities such as the server operating system, the web applications, the shopping cart – those are all vulnerabilities that have to be addressed somehow.

There is one constant in the Internet and computer world, and that constant is change. That may sound dichotomous, but evolution is the name of the game and the bad guys spend millions of man hours trying to figure out new and more sinister ways to crack the code.

Mitnick: A sure thing is that as soon as we plug one hole the hackers will find another. We need to constantly evolve and identify our vulnerabilities. You know a bad guy only needs one vulnerability to make your life miserable. There is no one technology out there that mitigates all credit card fraud. What you want to do is layer the technology, look at all these data points and make an assessment of the risk and the threat.

I’m working on an ecommerce launch of my own and we decided in a meeting the other night that we were a hard target for credit card fraud. Someone asked what I thought we should do. I suggested three different technologies, layered, to deal with the specific threat we anticipated. What we want to do is make the fraudster work so hard to bypass your fraud checks that it is not worth the trouble.

There is no one plug and play security technology. Mitnick says the system is broken.

Mitnick: There needs to be a new technology developed that makes the system work, because the whole system is broken. The way the entire system works is too easy to exploit. I mean you have no key to your credit card. If someone learns enough about you they can impersonate you and steal from you. It’s all based on knowledge. We need something that is not knowledge-based for secure transactions.

Mitnick isn’t sure we can ever reach that level. We may get ahead of the curve for a while somewhere in the future, but then even that technology may become obsolete. The best thing to do is dress in layers; it’s a cold world out there.

Kevin Mitnick is a former “bad guy” to use his term. He was a hacker who became one of the FBI’s Most Wanted and was eventually apprehended after a three-year run. With his legal problems behind him, Mitnick turned his considerable skills and knowledge to the side of law and order. He now runs a company dedicated to helping business, government and individuals protect themselves from fraudsters. His most recent book is “The Art of Deception,” which deals with the issues of fraud by social engineering. For more, visit Mitnicksecurity.com.

Michael A. Cox

Comments (4)

  1. Legacy User April 1, 2008 Reply

    Kevin Mitnick's article is a must read for the little guy (& Gals). It is an eye opener. It is time to ask questions of those nice folks hosting your site for a good start.

    Joyce Yaffe
    MarinesUSA.com

    — *Joyce Yaffe*

  2. Legacy User April 1, 2008 Reply

    Yes, if we only knew WHAT to ask. Or what those "three different technologies" are and how to layer them in order to effectively guard against credit card fraud.

    Soon to go live ecommerce.

    — *Nikolas Kostakis*

  3. Legacy User April 1, 2008 Reply

    There was no mention in this article of PCI Compliance standards. Responsible ecommerce companies spend hundreds of thousands of dollars ensuring that their customers' credit card information is hosted securely. That is what it costs to be PCI Certified, as opposed to just claiming to be compliant. If there is no "out-of-the-box" solution for compliance, then why does Visa certify companies that take PCI compliance seriously?
    http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

    Online store owners should take security very seriously, given the costs of a breach. However, simply throwing up scary scenarios does not inform merchants of the information that is already out there on the web:
    http://www.pcicomplianceguide.org

    — *Michelle Greer*

  4. Legacy User April 2, 2008 Reply

    Fascinating interview.

    The social aspect of security is pretty important. I call mostly on small businesses and home users, and I am constantly amazed by the cavalier manner in which my customers treat their data. It's a rare thing for me to be refused when I ask for a password, for example.

    On the occasion when the password holder is not present but I need access to solve the problem at hand, I am often able to quickly divine a password based on what I know of the customer.

    My success rate in such cases is about 30%. But if the customer has taken any care whatsoever to use secure passwords, my chances of getting in are much, much lower.

    It's a constant problem for everyone because more secure passwords are harder to remember and keep track of – unless you keep them stored on paper or in a file somewhere. But if you do that and the file is discovered by the bad guys, your valuable data is splayed for the enemy to do whatever they want with it.

    On the other hand, storing passwords in grey matter only introduces the risk that the password owner will forget, have a stroke, get hit by a beer truck, or what have you. And what is worse than having your data opened to the air for all to see? Having it all locked up so securely that no one can see it, not even you!

    — *Jim*
