Security Leaks Found at Dozens of E-Commerce Sites

Using a few simple database commands, developers at Russian Web programming company Strategy LLC found customer credit card numbers, passwords, and even employee records and social security numbers.

“Our developers have detailed knowledge on how easy it is to get information out of e-commerce databases,” said Anatoliy Prokhorov, chief executive of Strategy LLC. “In my business, building e-commerce solutions for U.S. companies, we see security holes all the time. It is obvious that in the U.S., companies of all types and sizes are not taking even simple precautions to keep hackers out of their systems.”

MSNBC Staff Easily Gained Access to 25,000 Card Numbers

An MSNBC reporter contacted Prokhorov and used his simple instructions to view the databases of 20 Web sites that had no password protection. The reporter was able to view customer credit card numbers, billing addresses and phone numbers.

In some cases, the reporter also found employee records, including social security numbers. In each case, the Web sites were running Microsoft’s SQL Server software.

Once the reporter entered a Web hosting company, he was able to access the databases of all the host’s sites. The reporter used a commercially available database tool rather than a Web browser to find the security holes.

Site Owners Believed Their Host Handled Security

Although Prokhorov only discovered a couple dozen sites with loose security, he found those by accident and assumes the problem is widespread. When site owners were contacted about their security breaches, they were unaware of lax security, each believing that the host provided appropriate security.

“When you look at the number of small and medium size companies that rely on third-parties to host, manage or even design their e-commerce solutions and those small companies do not even know that they are wide open and legally responsible for their customer data, it’s disturbing,” added Prokhorov.

Who’s Responsible for Security?

Part of the problem stems from developers that have no liability for flaws that are left behind in the e-commerce sites that they create for hosting companies or individual Web stores. Merchants are left with the responsibility for the cost of stolen merchandise. The merchants that were contacted by Prokhorov had no idea that their sites were vulnerable.

“One of the things that the e-commerce industry needs is a stamp of certification similar to UL testing,” said Prokhorov. “E-tailers and customers need some assurance that they are dealing with software that has been tested and is safe.”