The Web retail site for fashion label Guess was leaking customer credit card
numbers like so many cotton-poly five-pocket jeans, and 19-year-old Jeremiah
Jacks wasn't sure how to get it fixed.
Jacks discovered last month that Guess.com was open to an "SQL injection
attack," permitting anyone able to construct a properly-crafted URL to pull
down every name, credit card number and expiration date in the site's
customer database -- over 200,000 in all, by Jacks' count. But if accessing
the trove of card numbers was easy, getting the word to the right person in
the company proved to be more of a challenge.
Three emails to the customer service address buried in the Web site's
found. When Jacks dialed the company's toll-free number, he recalls being
initially mistaken for a salesman. "Then when I told her again, she was
silent and asked me to 'hang on,'" Jacks wrote in an email interview. "All
of a sudden I was transferred to another office where a voice mail picked
up. I once again left the message... I even left my email address as a
A week later, Jacks, a California independent software developer, hadn't
heard anything back from Guess, and the credit card database remained
After being contacted by SecurityFocus Online and provided with a
demonstration URL offered by Jacks, the company closed the hole within
hours. A Guess spokesperson disputes Jacks' account, insisting that they
have no record that he ever phoned the company. "I don't know how long this
has been like this," says company spokesperson Jennifer Munakash. "It was an
Guess.com's situation is hardly unique; Credit Cards Numbers Exposed is fast
becoming the Dog Bites Man story of Internet crime reporting. But the case
underscores one of the chronic obstacles to making e-commerce more secure:
that good Samaritans often have no clear channel for reporting security
holes in Web sites that handle sensitive customer information.
"I've probably reported twenty vulnerabilities to e-commerce companies in
the last year-and-a-half, all with different results, but generally pretty
disastrous," says Dan Clements, founder of CardCops, an online merchant fraud
education venture that tracks credit card abuse. "Trying to get through
customer service, that's a problem. And then the IT people have a definite
conflict of interest when you're reporting a vulnerability, because their
job is on the line. They don't want to go to upper management and say, 'We
left a hole open.'"
"A lot of times it winds up on a security mailing list because the person
just gets so frustrated," says Chris Wysopal, director of research and
development at security consultancy @Stake. "Sometimes the person has tried
for six months."
In some ways the problem parallels the long-running issues surrounding
disclosure of security holes in commercial software. But if that debate
rests on a now-well understood mosaic of interests -- software vendors,
users and bug hunters -- the e-commerce brew is a bit murkier, with
customers, banks, credit card companies, businesses that expose card numbers
to theft and others that inadvertently accept them later all playing
Consumers are generally not liable for fraudulent charges, and merchants are
often left holding the bag. The Web sites who leak the card numbers in the
first place generally stand to suffer -- at worst -- a momentary public
relations black eye.
Last month Wysopal, along with MITRE's Steve Christey, formally proposed an official standard for handling product
vulnerabilities that would -- among other things -- put obligations on
vendors, encouraging them to acknowledge reports within seven days, fix bugs
within thirty days, and establish a standard email alias, "secalert," for
receiving security bug reports.
But the standard would not apply to holes in particular Web sites, like the
Guess credit card leak, says Wysopal.
"We haven't proposed it, but we think it's a great idea, and a lot of things
that could be standardized around product vulnerabilities could have
corollaries in the services space," Wysopal says. "Certainly the corollary
of an address, and that they'd have to respond within a certain time frame,
a lot of those things would work the same."
Clements had the same idea. "If there was protocol where companies could
have a standard email address on their site, say, 'vulnerabilities' or
'security', that would totally take care of the problem."
Meanwhile, Guess' Munakash emphasizes that there's no evidence that credit
card thieves ever discovered the information leak, and says that company
technicians are scouring the site for other vulnerabilities. "They're
dissecting the site right now," says Munakash.
"The difficult part here is the fact that a lot of these companies don't
take you seriously at first," writes Jacks. "It's like telling them the sky
is falling. They aren't going to believe you unless you can shove some sky
in their face." By Kevin Poulsen