GS Logo
The Green Sheet, Inc

Please Log in

A Thing Five


The Future of Internet Credit Card Theft


 By Alex Horvath

     On January 7 an extortion attempt was made on the online music retailer “CD Universe.” The popular e-commerce Web site, which sells music and movies on video, was ordered to pay $100,000 ransom, or credit card numbers obtained from their client database would be released freely over the Internet. CD Universe refused to comply with the demands, which would have netted them details about the company’s “security hole, along with a promise to destroy the stolen data. Instead, the extortionist, a hacker going by the designation “Maxus,” then released 25,000 of the estimated 300,000 stolen card numbers onto the worldwide Web.

     In addition to exposing the purloined credit card numbers to public view, the guest book of the Internet address belonging to Maxus gave the thief and an unknown number of associates a ready-made market for the data—this time for a price. Trusted associates of Maxus were permitted to buy 1000 “virgin” credit cards—meaning those that had not yet been shared-for $1,000. According to reports, those cards were then wholesaled to other “carders” (people who use fraudulent cards for their own gain) at the price of 50 cards for $500, a tidy tenfold profit, said the published report.

     While the nature of this crime itself is horrific, there is some important information that ISOs attempting to sell e-commerce should remember: None of what happened could have been avoided with secure socket layers (SSL), smart cards, encryption, biometrics, or any of the other common industry buzzwords that pertain to credit card security on the Internet. The thieves who did this were after a much bigger target than a consumer’s individual credit card number. And they were successful because the merchant involved sloppily stored credit card numbers in an unsecured space.

     The thieves in this case came through the backdoor, attacking the vulnerable merchant instead of the cautious consumer. Their main weapon was knowledge—knowing what to look for in the way of certain software programs that are easily penetrable. Their tool was utilizing an existing type of program known as “scanners” which spiders the Web searching for Web sites that use known software that has specific, common vulnerabilities. A hacker can turn on the scanning program before bed at night, and when he wakes he will have knowledge of many Web sites that utilize vulnerable software.

     “It used to be that hackers would merely deface Web pages,” noted Internet security analyst John Vranesevich, founder and president of AntiOnline, a Pennsylvania based company that specializes in finding the culprits of Internet-security related crimes. “Today, hundreds of Web sites are defaced every day, including official government Web sites. It’s so common it doesn’t even make the news anymore,” said Vranesevich.

     “The problem here is in the software that is run on these servers. Some companies use their own proprietary software, which is more difficult to break through. Other companies use software off the shelf. There are chat pages devoted entirely to this issue, where people find and share vulnerabilities in commercial product.” Vranesevich said.

     “There is no danger to the consumer making a purchase over a secure socket layer, or other encrypted method,” said Vranesevich. Can you imagine how long it would take a hacker to break into an Internet Service Provider (ISP) and to watch each individual transaction and then steal that card number? Even if he could, it would be much too time consuming, and he would most likely get caught.”

     Vranesevich said that the reason the credit card numbers were so easy to steal had to do with where CD Universe chose to store them: “It was a major snafu. They were in a non-encrypted mass repository.” This means that virtually anyone could gain access to the financial information with little or no effort.

     “There is no reason for businesses to store credit card account numbers,” asserted Vranesevich. “They are stored for the convenience of the user and so merchants can track buying habits. There are plenty of ways merchants can track buying habits without credit card numbers. If the consumers were educated they would quickly agree that it’s not worth the risk.”

     While the idea of breaking into a Web site and stealing classified information may have an aura of mystery and intrigue, Vranesevich worries that soon it will be the rule, rather than the exception, and that the people responsible are going to be members of the defiant high-tech youth of today-known in security circles as “kiddies.”

     “We’re beginning to see an alarming new trend. These days, the ‘kiddie’ is starting to be looked down upon by his peer group for simply hacking a page. No longer does the act of Web defacement net the kind of notoriety it once did. To evolve, he has found greater feats that will draw the type of respect and recognition he is looking for. What the kiddie has found, it seems, is your credit cards.”

      ISOs should remember that one of the keys to selling e-commerce is knowing what kind of security (encryption) is utilized with the service they are marketing. Anyone considering building a commerce-enabled Web site will most likely want to know this. Additionally, merchants should be cautious when storing sensitive information. As security expert Vranesevich points out, there are plenty of other methods for tracking customer-buying habits or providing easy “return” service other than storing credit card numbers.

     For more information about security on the Internet, visit the AntiOnline Web site at Be certain to check out their archive of hacked Web pages and to read through the index of articles about security on the net that they have published. To reach AntiOnline by telephone please call (724) 773-0940.

Back | Next


© Copyright 1995-2000 
The Green Sheet, Inc.