Posted Tuesday, April 21, 1998
License to Steal
When Dana Weick decided to register his car online earlier this month, he had no reason to suspect that his credit-card number, its expiration date and his home address would be made available to the public. Weick expected that a Web site affiliated with the government and run by IBM would be sophisticated enough to be leak-free.
Unfortunately, Weick, along with hundreds of others, thought wrong. Because of a security oversight on the ServiceArizona site (www.servicearizona.ihost.com), Weick's records, as well as those of other Arizona residents who had registered online, were posted on the Internet.
Neither IBM, which administers the site, nor the state Department of Transportation, which oversees motor-vehicle records, was aware that--for months--consumers' credit-card numbers were available to anyone with even the slightest bit of Internet savvy. No hacking needed. The problem was fixed last week after IBM and DOT learned of the site's lax security system.
Still, Weick and other motorists--who had their card numbers floating through cyberspace--aren't sure on how many hard drives the numbers might have landed. Neither IBM nor state officials would say how many Arizonans had taken advantage of online registration, but a casual check shows that about 300 people use the system each month.
ServiceArizona is the first "electronic commerce" Web site that IBM wants to offer state governments nationwide. Arizona DOT officials liked the idea, because it could shorten long lines at Motor Vehicle Division offices, especially at the end of the month when car owners--who have waited as long as possible to fork over their hefty registration fees--finally pay up. IBM benefits from the program by keeping the $6.95 fee it charges for each registration.
Michael Monti, a Tempe restaurant owner, likes the idea, too. He had forgotten to register his company truck last month. The day the registration expired, he had a large catering job scheduled and no time for a trip to the MVD, he says. Instead, he registered the truck on the ServiceArizona site, which only took a couple of minutes, and the coverage was immediate. Monti says he will "eagerly" use the Internet to register next year despite the security flaws.
"When you use the Web to do anything, you're sticking your neck out," says Monti. "If you want the benefit of this technology, you have to run the risk."
Weick says he, too, will register online again despite security concerns after his recent discovery. After punching in his credit-card information and completing the registration process from his computer at work, Weick surfed around the site for a few minutes. Without any warning or prompting for a password, he says, he found himself on a page with a list of logs for each day's transactions. His name and address, the make and model of his car, the car's value and license-plate number were on that day's log. So were his credit-card number and its expiration date.
"I'm a little sensitive to this [type of security problem]," says Weick, an engineer. He'd found his credit-card number by chance once before in another database on the Web, while using a search engine.
After seeing his personal information posted on the ServiceArizona site, Weick immediately called his bank and had his card canceled--just to be safe. Records dating back to March 1 were available until last Thursday when New Times--which had been alerted to the potential screw-up by Weick--contacted DOT and IBM about the problem. That was the first anyone had heard of it, according to Mark Nelson, an IBM spokesman.
"IBM regards the security and the privacy of our customers to be of the highest priority," says Nelson. "Once we became aware that there was a possible security breach on the ServiceArizona Web site, we immediately closed the thing down."
IBM fixed the problem, and the site was accepting online registrations again as of 10 a.m. Monday.
ServiceArizona is run by IBM's Global Government Industry program headquartered in Bethesda, Maryland. IBM does not bill the state for the service. Instead, it keeps the $6.95 "convenience fee" charged to users for each online registration. There are hyperlinks on the DOT and MVD sites to ServiceArizona, and the ServiceArizona site links back to both of the state's Web sites.
Nelson says an internal investigation showed that "human error, not a failure of our security technologies, was the source of the problem" and that a programming error caused it. He also says that IBM does not plan to tell users of the site what has happened. Instead, IBM notified the credit-card companies involved in the transactions.
Nelson also says an IBM review of use of the service shows only a few people actually accessed the personal data while it was mistakenly available. Arizona DOT and MVD are not responsible for the security of the ServiceArizona site, according to Katherine Kisiel, a public information officer for the MVD. "This is not something technically we have control over," says Kisiel. "However, this would make us very unhappy."
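The failure described above (a daily transaction log, card numbers included, served from a page that asked for no password) and the follow-up IBM describes (reviewing who actually fetched the data) both map onto routine defender checks: scan what the web server is actually serving for card-number patterns, and scope an exposure from the access log. The Python below is an added example written for this page, not code from the article, IBM or ServiceArizona; the log path `/logs/`, the page contents and the access-log lines are constructed samples, and the card numbers are standard test numbers.

```python
"""Added example: two defender-side checks for an exposed transaction log.
Nothing here is from the article; the path, page and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical URL prefix of the exposed log pages (the article gives no path).
LOG_PATH_PREFIX = "/logs/"

# Constructed: what a publicly served daily transaction log page might contain.
SAMPLE_PAGE = """\
Transactions for 1998-04-09
Name           Plate    Card                 Exp
J. Sample      ABC123   4111111111111111     09/99
K. Example     XYZ789   4242 4242 4242 4242  01/00
Fee reference  0000-1234 (not a card)
Order number   4111111111111112 (fails Luhn)
"""

# Constructed NCSA common-format access-log lines (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [09/Apr/1998:10:02:11 -0700] "GET /register HTTP/1.0" 200 5120
203.0.113.5 - - [09/Apr/1998:10:05:40 -0700] "GET /logs/1998-04-09.html HTTP/1.0" 200 8192
198.51.100.7 - - [10/Apr/1998:08:13:02 -0700] "GET /logs/1998-04-09.html HTTP/1.0" 200 8192
198.51.100.7 - - [10/Apr/1998:08:13:09 -0700] "GET /logs/1998-04-08.html HTTP/1.0" 200 7900
192.0.2.44 - - [11/Apr/1998:22:45:00 -0700] "GET /logs/ HTTP/1.0" 200 1200
192.0.2.44 - - [11/Apr/1998:22:45:30 -0700] "GET /index.html HTTP/1.0" 200 3000
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in served content (a DLP-style scan)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scope_exposure(access_log: str, path_prefix: str = LOG_PATH_PREFIX) -> dict:
    """Which clients successfully fetched anything under the log prefix, and when."""
    clients = defaultdict(set)
    first = last = None
    for line in access_log.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or m["status"] != "200" or not m["path"].startswith(path_prefix):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        clients[m["ip"]].add(m["path"])
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {
        "distinct_clients": len(clients),
        "clients": {ip: sorted(paths) for ip, paths in clients.items()},
        "first": first,
        "last": last,
    }


if __name__ == "__main__":
    print("card numbers served:", find_card_numbers(SAMPLE_PAGE))
    report = scope_exposure(SAMPLE_ACCESS_LOG)
    print(f"{report['distinct_clients']} clients read the logs "
          f"between {report['first']} and {report['last']}")
    for ip, paths in report["clients"].items():
        print(f"  {ip}: {', '.join(paths)}")
```

The first check is the one that would have caught the problem before a customer did: run it against the rendered output of every public URL, not just the source tree, because a "programming error" that writes a log under the document root leaves no trace in the application code. The second is the scoping step, and it only counts what the server logged as a successful fetch; a log rotated away before the incident was noticed cannot be recovered, which is why the notification question in the article matters. The remediation itself is not a code change so much as a placement one: transaction records belong outside the web root, behind authentication, with the card number masked to its last four digits.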
But both security and privacy experts consider IBM's lax security a serious problem, especially on a site that contains public records and credit-card information.
Since the information was not knowingly released, DOT might legally be off the hook, says David Banisar, staff counsel at the Electronic Privacy Information Center (EPIC), a public-interest group in Washington, D.C. But, he adds, the state still has a "moral obligation" to tell people what happened.
"This is possibly the stupidest setup I've heard of on the Net yet," says Banisar.
Under federal privacy laws, the state Department of Motor Vehicles can be fined up to $5,000 a day for unauthorized release of personal information. Congress made motor-vehicle records off limits in 1994 as a reaction to the 1989 killing of actress Rebecca Schaeffer, who was murdered by a stalker who had found her address through driver's records.
Michael Cummings is the director and CEO of Georgia Tech's Center for Advanced Technologies and the interim director of information security at the center. "It's either naiveté, ignorance or incompetence," says Cummings. "It can set back the whole electronic commerce movement a good ways, because people lose trust in the system. You've got to go back to the dark ages because of this one oversight."
Beth Givens, founder of the Privacy Rights Clearinghouse in San Diego, California, and author of The Privacy Rights Handbook, says: "The fact that they didn't install ironclad security mechanisms is shocking to me.
"The Internet, by design, is an insecure communications vehicle. It wasn't meant to be a secure method of transmitting information from its very start."
Givens suggests that users of the ServiceArizona site should put a fraud alert on their credit report to cover themselves in case of misuse. The Privacy Rights Clearinghouse Web site (www.privacyrights.org) has a section on credit-card fraud and where to get more information on protecting private information.
Arizona is the first state IBM has signed up for the "EZ Renewal" project (registration by Internet or telephone). Arizona was initially chosen since auto registration fees are higher here than in most states, and cities are more spread out, making it less convenient for some residents to get to MVD offices, says Kathy Riemer, an IBM spokeswoman. In other states, where yearly registration can cost as little as $20, there isn't nearly the incentive there is in Arizona to wait until the last possible day of the month to register, says Riemer.
IBM plans to further expand the online portion of the program; for example, hunting and fishing licenses could be renewed over the Internet. IBM officials hope soon to offer similar services in other states. In Ontario, Canada, the company runs a similar program, but people use public kiosks rather than register from home.
Despite the major security flaw on the ServiceArizona site, users, for the most part, like the system. Many people who responded to an IBM survey on the site complain about the $6.95 fee. Since the service is a convenience and money saver for the MVD, they say, it shouldn't cost extra. A handful worry about potential security problems, but none (except Weick, who didn't take the survey) appears to have known about the recent security problem.
"My only concern is with the safety of my credit-card number," says one.
"As long as the security of the system is assured, many of your customers including me will definitely make use of this system again and again. A million thanks!" writes another.
Adds another: "If you have a good track record of no credit card scams, this will make life a lot easier than it ever has [been] renewing this stuff!"
A portion of the log posted April 9 (Dana Weick's personal information has been deleted)