Quantcast
PC World: Technology Advice You Can Trust
Search
Browse by Topic
Subscribe to magazine

Magazine

Subscribe & Get
a Bonus CD

Customer Service

Find a Review
Dads & Grads Gift Guide Audio & Video Business Center Cameras Cell Phones & PDAs Communications Components & Upgrading Desktop PCs DVD & Hard Drives Gaming Hardware & Software HDTV Laptops Macs & iPods Monitors Printers Spyware & Security The PCW Test Center Windows Vista & XP
Resource Centers
Asus Notebook Center
CDW Solution Center
HP Ink Center
Intel Technology Center
Lenovo Laptop Showcase
White Paper Library
Webcast Library
Most Popular Search Terms
Most Popular Products
Most Popular Downloads
Free Newsletters
Receive the latest reviews, how-to's, news, and more.
Security & Privacy
Tech-Savvy Business
Weekly Brief
Go
WiFi Finder
Locate wireless services by a specific address, city, state, country, airport, or zip code.
RSS Feeds
Get our latest content via convenient RSS feeds.
Latest News
Today @ PC World
Become a PCW Member
Join the community and start enjoying the benefits:
  • Get tech advice from thousands of PC World Members
  • Rate and recommend the latest tech products
  • Share your thoughts in blog and article comments
  • Get free excerpts and exclusive discounts on Super Guides
Signing up is free and easy.
Read More About: Software BugsPrivacyCurrent Events

Bank Closes Web Security Hole

Fleet fixes credit card site flaw after customer discovers, reports breach.

Lucas Mearian, Computerworld online

Monday, December 10, 2001 3:00 PM PST
Recommend this story?
Yes
No

A flaw in the Fleet Credit Card Services online site that could have exposed hundreds of thousands of customer transactions to other Fleet cardholders was repaired over the weekend after a customer went public with the problem.

Jonathan Bryce, a 20-year-old Web site developer at Rackspace Managed Hosting in San Antonio, said he discovered the problem Friday after logging in to Fleet's Mycard.fleet.com Web site. After making a credit card payment, Bryce said, he noticed his payment history had serial numbers attached to it.

When he found out he could view his payment history by typing the serial number related to it into a browser bar, he tried other random numbers and came up with other customers' accounts.

"I tried IDs from number 15 to an ID of 587,600 and got in," he said. "Most of the transactions I could view didn't contain sensitive data. I looked at 40 of them, and some of them contained Social Security numbers, birthdays, phone numbers, and addresses. For some of them, you could view card numbers too.

"It was so simple to figure out that I couldn't believe I was the only one to discover it," Bryce said.

Caught Quickly?

Horsham, Pennsylvania-based Fleet Credit Card Services is a division of FleetBoston Financial. Steven Lubetkin, a spokesman for the division, said today that the company shut down the Web site for six hours beginning late Friday night in order to fix the problem.

"A review of the log files indicated something less than 75 records were accessed using this vulnerability," Lubetkin said. "Even though potentially the number was in the hundreds of thousands, the only person to exploit [it] was this customer."

Of the records that were compromised by Bryce, Lubetkin said, fewer than five contained information "remotely identifying of the customer."

Lubetkin said the hole was caused by an error in the application provided by a vendor who hosts the site whom he refused to identify.

"I can't say who the vendor was. It's just not appropriate. It's been corrected," he said.

Response Criticized

But Bryce said he was most worried about the lack of concern over the problem. After contacting three Fleet customer services representatives, he still had received no response. When he did finally get a response, Bryce said, he was told that a manager would get back to him Monday.

"It especially worried me that they weren't concerned enough to fix it until after the weekend," Bryce said. It wasn't until he began contacting media organizations that Fleet responded, he added.

Theodore Iacobuzio, an analyst at TowerGroup research and consulting firm, said security holes that open financial services companies to identity fraud are fairly common. But Fleet's error sounded particularly egregious.

"If you can walk in the front door, it's obvious that they didn't think everything about security through," Iacobuzio said. "Every piece of primary research I've seen has shown security is the primary inhibiting factor in the growth of e-commerce."


Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.


Recommend this story?
Yes
No
Related Searches: securityfleetprivacycredit cardtransactions
Related Content
HP Ink Center
Bring improved color and brilliance to your printed material. Visit the Resource Center for more info...
CDW Solution Center
Deliver speed and scalability in your storage systems. Find out how at the CDW Solution Center.
Asus Notebook Center
Ultra-fashionable thin and light notebooks with SmartLogon Face Recognition. Find out more at the Asus Resource Center.
Intel Processor Technology
Which Intel Processor is Right for You?
Which Intel Processor is Right for You?Centrino, Core 2 Duo, Core 2 Quad, Core 2 Extreme? Check out the Intel Technology Center for more info...
Are you a gamer?
Are you a gamer?Visit the Intel's Gaming section for the latest downloads, hottest gaming events and to learn about Intel & Gaming.
See what Intel can do for Vista...
See what Intel can do for Vista...Discover how Windows Vista technology work in the benchmarks with Intel Centrino processor technology.
VoIP Web Demo
Join Altigen for a Live Web Demo and learn how VoIP technology can improve your business communications.
The Future Sales Force - A Consultative Approach
This white paper discusses the challenges of selling complex products and services, and the new skill sets sales professionals must employ.
Latest News
Laptop Bags From the Scrap Heap
After hurting the environment by drinking coffee from plastic cups for many years, buying an eco-friendly laptop bag seems... 16-May-2008
Qualcomm Will Trial Future Wireless Broadband in UK
Qualcomm on Friday announced it has acquired 40 MHz of U.K. spectrum in the 1.4 GHz band. It will initially be used for the... 16-May-2008
Verizon Wins $678.5 Million Homeland Security Contract
Verizon will provide Internet protocol and security services, as well as emergency communications services to help the department respond quickly to disasters. 16-May-2008
RIM Will Launch Touch-Screen BlackBerry in Q3: Report
The device, known as the Thunder, is to be sold exclusively through Verizon Wireless in the U.S. and Vodafone abroad. 16-May-2008
Florida Seeks to Fine Verizon for Bad Service
Florida's attorney general said on Thursday the state was seeking to fine Verizon for violating service standards. 16-May-2008
Bogus Grand Theft Auto IV Contains Trojan
Hundreds of Grand Theft Auto IV fans eager to get their hands on a free copy of the game have been targeted by a Trojan virus. 16-May-2008
Apple Dismisses Safari Download Issue
A security researcher has published a demonstration exploit that takes advantage of the download mechanism in Apple's Safari. 16-May-2008
NASA Moves to Save Computers From Swarming Ants
A flood of voracious ants is heading straight for Houston, taking out computers, radios and even vehicles in their path. 16-May-2008
Sega Announces Trio of Games for Wii, DS, 360 and PS3
A fourth unannounced game, being developed by Resident Evil creator Shinji Mikami, is also in the works. 16-May-2008
Online Maps Reveal Noise Levels Across England
Maps showing noise levels in towns across England were published on Friday in an attempt to reduce the disruption caused by factories, planes, trains and cars. 16-May-2008

PC World's Marketplace

PC World's Free Whitepapers

Name City
Address 1 State Zip
Address 2 E-mail (optional)