Linux Security: Reflections on 2002
by Bob Toxen - Tuesday, 7 January 2003.
I think that there will be a substantial increase in on-line credit card and bank account fraud, both by thieves exploiting vulnerabilities and by social engineering. There may be some very large crimes accomplished by a cracker quietly accumulating owned systems and credit card or bank account numbers. Then, perhaps on a Friday afternoon before a major holiday, he will drain all of them of credit or money.

The BugBear virus was the first seen that exhibited a disturbing trend that I predicted in early 2001: It did not just scan the disk for information useful to it. Instead, it also collected keystrokes, stored them in an encrypted manner that made this action very hard to detect, and sent them to one of the cracker's systems.

Why is this disturbing? This allowed BugBear to collect all of a user's passwords and passphrases used to protect confidential information. This includes on-line bank account access, on-line shopping sites, etc. This allows BugBear to defeat a user's SSL, SSH, IPSec, GPG, encrypted file system, and any other encryption or security efforts. I am unaware of BugBear actually taking advantage of this very powerful capability. However, expect new viruses to make use of this to harvest passwords.

Even those Linux users with good security are at risk if they make on-line purchases from sites with poor security. Almost all large e-commerce sites use hardened Linux or Unix servers. Unfortunately, a fair number of "Mom and Pop" sites use IIS, though a surprisingly high percentage do use Linux. For this reason, before giving my credit card to a new web merchant I always do:


nmap -O -sS -F -P0 -T Aggressive newguy.com

and require that all ports show as closed or filtered except for 80, 443, and, possibly, 25 and 22, and that the Operating System is not Windows.
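The acceptance rule above can be applied mechanically to saved scan output. The following is an added example, not code from the article or its author: it assumes the scan was saved in nmap's grepable format (by adding `-oG -` to the command), and the host name, address and scan lines in `SAMPLE` are constructed.

```python
# Added example: apply the article's merchant rule to nmap grepable output.
ALLOWED_OPEN = {80, 443, 25, 22}         # ports the article tolerates as open
HIDDEN_STATES = {"closed", "filtered"}   # states the article accepts elsewhere

# Constructed sample of `nmap ... -oG -` output (not a real scan).
SAMPLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (newguy.example)\tStatus: Up\n"
    "Host: 192.0.2.10 (newguy.example)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, "
    "1433/open/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\t"
    "Ignored State: closed (95)\tOS: Microsoft Windows 2000\n"
)

def check_merchant(grepable):
    """Return the reasons a host fails the rule; an empty list means it passes."""
    problems = []
    saw_host = False
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip comment and blank lines
        saw_host = True
        for field in line.split("\t"):    # fields are tab-separated "Key: value"
            key, _, value = field.partition(": ")
            if key == "Ports":
                for entry in value.split(","):
                    # each entry is port/state/protocol/owner/service/...
                    parts = entry.strip().split("/")
                    if len(parts) < 2 or not parts[0].isdigit():
                        continue
                    port, state = int(parts[0]), parts[1]
                    if state not in HIDDEN_STATES and port not in ALLOWED_OPEN:
                        problems.append(f"port {port} is {state}")
            elif key == "OS" and "windows" in value.lower():
                problems.append(f"OS guess is Windows: {value.strip()}")
    if not saw_host:
        # An empty or failed scan must not be read as a clean result.
        problems.append("no host line in scan output")
    return problems

if __name__ == "__main__":
    for reason in check_merchant(SAMPLE):
        print("FAIL:", reason)
```

An empty result from a scan that never reached the host is reported as a failure rather than a pass, since the rule can only be satisfied by ports that were actually probed.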

Other ways to protect yourself are to use only a single credit card for all on-line transactions, preferably one with a small limit. Have a different card for large purchases, such as airline tickets and hotel rooms. Never, but never, use a debit card for on-line purchases or with any merchant other than one you trust highly. Remember that "possession is nine tenths of the law". With a credit card problem, you still have your money and only a successful lawsuit will take it from you. With a debit card problem, your money already is gone, making it much harder to get back.

A reasonably secure web server is not all that is needed for a web merchant. It is critical to secure the database in a way that makes it exceptionally hard for a cracker to download the entire database. Most small companies (and even many large ones) keep the database on the web server itself. Thus, a single vulnerability will allow a cracker to get the credit card numbers and expiration dates of every customer. Solutions include not saving this information, my "One-way credit card data path", and separate encryption keys for each customer. Perhaps Underwriters Laboratories will start rating the security of various techniques similarly to the way they rate how hard different safes are to crack.

Copyright 1998-2013 by Help Net Security.