The Petco case is at least the fourth instance in which the FTC has pursued enforcement actions against companies whose security and privacy practices fall short of assurances made to consumers. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. "It's not just good business, it's the law."
In June, designer clothing maker Guess Inc. agreed to settle FTC charges that it left consumers' credit card numbers vulnerable to known attacks by hackers. The agency previously gained settlements with Eli Lilly for disclosing the electronic mail addresses of Prozac users, and with Microsoft for overstating the security of its Passport identity management product.
In each case, the commission has settled for a consent decree - in which the company takes no stance on the accuracy of the charges, but agrees to specific steps to improve security. PetCo has told investors the inquiry creates uncertainty about "the financial impact any (FTC) action might entail."
In both the PetCo and Guess cases, the security holes were discovered by programmer Jeremiah Jacks, who exposed credit card data on each site using SQL injection exploits, in which SQL commands entered into Web page forms provide access to the server. Jacks used a Google search to locate Active Server Pages on PetCo's site that accepted customer input. "It took me less than a minute to find a page that was vulnerable," Jacks told Security Focus. "Any SQL injection hacker would be able to do the same thing."
Netcraft's application auditing services test for exactly this type of scenario.
The Australian Internet security firm b-sec says that 72 percent of corporate web applications it surveyed were vulnerable to an SQL injection. Steps to prevent these exploits include validating user input into Web forms (the usual entry point for intruders) and suppressing error messages that provide system information. A recent white paper by WebCohort documents how crackers may be able to use a technique called blindfolded SQL injection to skirt these defensive measures.