Students crack Internet shopping code

Two graduate students at the University of California have cracked the software which protects electronic shopping on the Internet, putting a business with a projected value of billions of pounds at risk.

The software, from Netscape Communications, is used by about 8 million people to visit "sites" on the Internet's World Wide Web, which can show pictures and text. Thousands of companies, including Barclays Bank and Sainsbury's, advertise products at their sites and encourage users to send their credit card details to buy items by electronic mail order.

To protect credit card details from hackers, they are encrypted by Netscape's program before being sent over the network. The two students, Ian Goldberg and David Wagner, have written a program to run on a PC which, given basic information such as the time of the transaction, can break the code of any transaction in a few minutes. They released the code and their results on the Internet this week, claiming Netscape was guilty of "shoddy implementation" and that its program is "insufficient and insecure".

Netscape said the breach is "very serious" and that it is working on an improvement. Unlike earlier versions, this will be tested by independent software security experts before it is released to the public.

John Hemmings, chief executive of the electronic shopping company MarketNet, said yesterday: "It's a mistake by Netscape. It raises questions about effective commercial arrangements for electronic shopping."

Netscape was floated on the New York stock market last month for $1bn (pounds 625m), reaching a high of $74 (pounds 46) on its first day. The share price yesterday was around $50, but appeared unaffected by the news.

Last month a French student used a team of supercomputers to crack a single example of an encoded Netscape transaction. But researchers view the latest breach as more serious because it applies to any transaction.