Internet Bilking
Do a search for "hacking" on the Internet, and you will see hundreds of web sites where people claim the ability to penetrate any computer system connected to the Internet. Computer hacking has become the "cool" thing to do among teenagers and 20-somethings. For some, it is a hobby; for others, it is a job. The big payoff is access to your customers' billing records, credit-card numbers or personal data, which they can either sell or use themselves. A hacker can profit more from accessing a wireless carrier's system than by hitting other industries because carriers have something valuable to steal -- wireless service.
"The risk to a utility company is much less than to a wireless carrier because what is someone going to do with stolen electrical usage?" said Cynthia Ward, Vestcom vice president of marketing and product development. "There are a lot of privacy issues for wireless. If they get into your data, they are in your system deep."
Some wireless experts say hackers' claims are only scare tactics. Others argue that no Internet transaction is 100 percent secure. Either way, any company involved in electronic bill presentment and payment (EBPP) or e-commerce should have a definite security plan.
HACK ATTACK
Before you can implement web-security solutions, you first must understand potential problems. David Dumas, GTE Laboratories principal member of technical staff, said passive attacks are when hackers listen and collect data, often as a prelude to an active attack. Active attacks are when they change, delete, alter or add to your data.
Dumas explained the various ways people can hack into your billing records and data through the World Wide Web. Social engineering is a common, non-technical way to access system passwords, and sometimes all too easy. The attacker socializes with company personnel to find out people's names and the departments in which they work, then he name-drops in conversations with other employees to learn user names and passwords as a front end to an electronic attack. Once he has that information, he can break through firewalls to look at customer records, credit-card numbers and security PINs.
Other hackers will pose as employees. They might make an authentic-looking company badge and walk into your building or apply to the company as a janitor. Sometimes a hacker will install a sniffer while he is there. Dumas said a sniffer, which is commonly available from various Internet sites, plugs into a network jack and collects user names and passwords.
"It could be on your box today," Dumas said. "You can't detect it."
Some hackers don't even have to install a device because they find Post-It notes in plain view with passwords written on them.
Hackers have other means to get at your passwords. One is through simple trial and error. If they know you have security in place, hackers actually will slow down attacks to avoid setting off bells and whistles, Dumas added. Password-guessing software, such as Cracker, also facilitates attacks. Some can listen to your system, capture passwords and then knock the legitimate user off the system so the hacker becomes the user.
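Dumas' point that attackers slow their guessing to stay under the alarm threshold is what a detection rule has to account for. The following is an added example, not code from the article or any vendor it names: it reads constructed login records, keeps a sliding window per source address that is long enough (eight hours, an assumed value) to accumulate spaced-out failures, and flags a later success from the same source. The record format, addresses and thresholds are all constructed.

```python
"""Flag throttled password guessing from login records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source spreads six failures over about five
# hours and then logs in; a legitimate user mistypes twice within a minute.
SAMPLE_LOG = """\
1999-03-01T01:05:10 FAIL user=jsmith src=10.9.8.7
1999-03-01T01:05:40 FAIL user=jsmith src=10.9.8.7
1999-03-01T01:06:02 OK   user=jsmith src=10.9.8.7
1999-03-01T02:10:00 FAIL user=billing src=203.0.113.5
1999-03-01T03:00:00 FAIL user=billing src=203.0.113.5
1999-03-01T03:55:00 FAIL user=billing src=203.0.113.5
1999-03-01T04:50:00 FAIL user=billing src=203.0.113.5
1999-03-01T05:40:00 FAIL user=billing src=203.0.113.5
1999-03-01T06:30:00 FAIL user=billing src=203.0.113.5
1999-03-01T06:31:00 OK   user=billing src=203.0.113.5
"""

WINDOW = timedelta(hours=8)          # assumed: long enough to see slow guessing
BURST_WINDOW = timedelta(minutes=10)  # a typical short burst rule, for contrast
THRESHOLD = 5                         # assumed: failures per source per window


def parse(line):
    """Split one constructed record into (timestamp, result, user, src)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def find_slow_guessing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, src, user, iso_time) tuples, in time order."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(list)  # src -> failure timestamps still inside window
    alerts = []
    for ts, result, user, src in events:
        # Keep only failures that are still within the sliding window.
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # fire once when the count is reached
                alerts.append(("slow-guessing", src, user, ts.isoformat()))
        elif len(recent) >= threshold:    # a success after many failures
            alerts.append(("success-after-guessing", src, user, ts.isoformat()))
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in find_slow_guessing(SAMPLE_LOG):
        print(*alert)
    print("10-minute burst rule sees:", find_slow_guessing(SAMPLE_LOG, BURST_WINDOW))
```

Run with the short BURST_WINDOW the same records produce no alert at all, which is the evasion Dumas describes; the eight-hour window catches both the guessing and the subsequent login.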
Attacks known as man-in-the-middle, spoofing and Trojan horse also can capture passwords and PINs. A "man-in-the-middle" attack is when a hacker appears to the server as if he were the legitimate remote agent. To the end user, he looks like the server. The user unknowingly sends credit-card information to the hacker. Spoofing occurs when a user logs in to a remote system. The workstation is not actually connected to the remote system, but it generates the log-in banner and prompts the user to input his user ID and password. Software captures the information and kicks the end user off the system. In a Trojan-horse attack, the hacker alters the local system to allow a later entry. He may use a bogus code to bypass system controls to hide the existence or current status of an account.
"They create a trap and get out, then come back in three months," Dumas said.
EN GARDE!
Dumas stressed that he is not trying to scare wireless carriers out of EBPP or e-commerce.
"Don't not do e-commerce; just learn how to do it right," he said.
Some solutions can be yours for a price; others simply involve free software and altered business practices. Encryption protects data as it moves from a user's browser to your server, while user IDs and firewalls protect your back-end data. Perry Finn, Technologic CTO, said most on-line shopping sites use the Secure Sockets Layer (SSL) protocol, which encrypts the connection between a consumer's browser and your server so hackers can't see credit-card information as it travels over the Internet. A big concern among consumers and carriers is that hackers can spy on traffic and access personal information. Using encryption for connections eliminates that risk, he said.
John Ryan, Entrust Technologies CEO, said different levels of encryption can increase or decrease your protection. The minimum encryption most companies accept today is 128-bit encryption.
"When things get jumbled up in that kind of context, people trying to figure out what it means technically couldn't unscramble all those combinations," he said.
There are lower levels of encryption, such as 40- or 64-bit. Ryan said any mainframe or sizable computer could crack and unscramble these low encryption levels. In the next few years, 256-bit encryption will become prevalent.
"We keep moving the complexity up as the processing speed of computers gets faster, which then makes it an impossible challenge for computers to crack it," he said.
Ryan said when you look for good encryption technology, look for one that the U.S. government has approved. The Federal Information Processing Standard 140-1 verifies that the government's cryptographic experts have evaluated the technology, and it is secure.
"That would be the most objective third-party assessment people can get," he said.
But just because you have implemented encryption does not make your back-end data secure. Because SSL makes it difficult for hackers to view data as it travels from one place to another, attackers will try to target back ends, such as your subscriber databases, Dumas said.
"Why go for one free credit-card number as a user sends it to a carrier vs. 1,000 numbers? Hackers will go for the database," he said.
Klaus Ottradovetz, LHS director of product management, said you can add an additional security level with validation or authentication between the two sides, either by exchanging electronic keys or through tools such as smart cards and hardware that identifies a person as a unique user.
A firewall offers even more protection for your back-end data. For example, the Interceptor firewall provides perimeter security, which controls access at the point where your network connects to the Internet, Finn said.
"It is like providing a guard at the gates to a city where you can control who can come in and go out," he said.
A firewall allows users connected to your internal network to download information from servers on the outside but blocks file transfers that originate from the outside. You can get into great detail about permissible activity by allowing file-transfer requests from a select group of people. Those people will be required to identify themselves through authentication.
Teligent is one carrier that takes security seriously. The company has completed security audits. It has automatic detection systems in place to alert it during a security breach as well as an IT staff dedicated to security access and network monitoring. A series of automated systems regularly monitors its computer system. Most importantly, the company's customer data sits behind double firewalls.
"All companies should put these (security measures) in," said Phil McKinney, Teligent CIO. "A lot of them don't, but they should."
Teligent has taken a different approach to e-commerce and EBPP to ensure billing data security. Its customers, primarily businesses, are not comfortable typing in financial information for funds transactions. Teligent takes payment information over the phone and loads it into a private server.
"Even though we use SSL transfer, their confidential information never goes out on the Internet," McKinney said.
When a customer wants to make a payment, he goes to the "pay bill" section and authorizes a payment. Teligent pulls his information and uses it to complete the electronic funds transfer on a secure network.
Peter Rozek, Paymentech e-commerce product manager, suggested that all carriers use a recurring payment processor and keep sensitive data off the web. The moment billing information gets to the web server, you should remove it to a secure place on your own network. If someone breaks into the web server, your database does not live there.
"The payment processor has a leased line, which is dedicated and secure between it and the carrier, and that data goes back and forth between two companies," he said.
INSIDE JOBS
Roland Jones, Sun Microsystems senior product manager for Java security, said you can spend all of the money in the world on encryption, but security is a bigger package.
"Why go off the deep end and encrypt every little thing, only to find out everyone has their passwords stuck on their computers?" he said.
The whole package includes better business practices, Dumas said. You should train all existing staff and new hires about Internet security and give a refresher course every year. Support should come from the top down. One way to test your business processes is to think about whom you would call if you discovered a security breach. You should have at least one full-time person dedicated to securing infrastructure.
Finn noted that employee security breaches also are an issue. Insiders often inappropriately use company information.
"There are not any foolproof technological means for preventing that; you have to rely on good procedural measures to address those kinds of risks," he said.
If you have a database server that is storing credit-card information or user profiles, you can do several things to make sure your system can't be compromised. Methods include doing background checks and maintaining strong host security. Host security means locking down and limiting access to your systems where you maintain sensitive information. You should issue policies stating which users are allowed to log in to a computer, who is allowed to maintain systems and how often employees must change passwords. Keep records of who accesses internal systems, and audit what they do when they are connected.
Dumas added that sometimes untrustworthy employees will defend criminal actions by saying that nobody told them breaching inside security was wrong. You should notify employees that you don't permit internal breaches. Another way to maintain security while connected to the Internet is to partner with security companies or organizations. When programmers develop a product, or when web designers create a site, they think about functionality and design rather than security. Asking a cryptologist or security specialist to check out your system can plug security holes. Vestcom's Ward said organizations such as the National Automated Clearinghouse Association are working to set industry standards for EBPP that address security and passing data.
Ward pointed out you should ask your bank how it is enabling electronic information exchange, and follow its lead. Most big banks have their own initiatives and will share them with you. You also should make sure you are dealing with a reputable party before you ask a company to help you. Finn said you can gauge reputation by asking a company if it is certified by the International Computer Security Association. This industry group evaluates firewalls and ensures they meet minimum security criteria. Potential partners should be familiar with the various kinds of attacks that hackers can mount against computer systems. Look for a company with vast experience, and check its references.
Ryan said you can have the best security system in the world, but the real challenge is implementation. Look for vendors with the most experience in security. Government agencies, for example, are not likely to hire amateurs, so references such as post offices or other federal agencies are a good sign the vendor is legitimate.
* Between 80 percent and 90 percent of successful computer attacks come from insiders.
* Thirty percent of employees would do the unethical thing, given the right amount of money. Companies only catch 2 percent of security break-ins.
* Most hackers are single males, age 16 to 28, from middle-income families.
* Of 8,932 computers attacked, 7,860 were broken into, 390 detected the attack, and only 19 reported the attack, according to the Department of Defense.
* In the first six months of 1993, the Forum of Incident Response and Security Teams identified more than 2 million sniffers running on Internet hosts.
* For every incident a human operator finds, he misses 75, according to Los Alamos National Laboratories.
The good news is that help regarding hacking exists all over the Internet. The bad news is that the help usually is for the bad guys, said David Dumas, GTE Laboratories principal member of technical staff. To see some sites where hackers learn their techniques and communicate with one another, check out the following:
www.thecodex.com/hacking.html
www.insecure.org/index.html
www.fc.net/phrack
utopia.hacktic.nl/
verbosity.wiw.org/neogenesis/features/hack.html
According to Cynthia Ward, Vestcom vice president of marketing and product development, several industry initiatives have sprung up to help companies ward off hack attacks. She pointed to The National Automated Clearinghouse Association (www.nacha.org) and Just in Time Solutions (www.justintime.com) for helpful information. Carriers also can find anti-hacking help from Purdue University (www.cs.purdue.edu/coast/coast-library.html), CTIA (www.wow-com.com), The Forum of Incident Response and Security Teams (first.org/), The Security Assurance Company (www.icsa.net/), Information Security Magazine (www.infosecuritymag.com/) and Secure Computing (www.sctc.com/).
Security is not the only thing you have to worry about when it comes to e-commerce, according to Arthur Andersen's Interconnect. U.S. Congressman Billy Tauzin, chairman of the House Commerce Committee's Telecommunications Subcommittee, predicted consumers will soon pay taxes on e-commerce. Andersen said the National Governors' Association reports states could lose 15 to 20 billion dollars a year in sales taxes due to e-commerce's popularity.
© 2012 Penton Media Inc.