By Alex Horvath
On January 7 an extortion attempt was made on the online music retailer
“CD Universe.” The popular e-commerce Web site, which sells music and
movies on video, was ordered to pay a $100,000 ransom, or credit card
numbers obtained from its client database would be released freely over
the Internet. CD Universe refused to comply with the demands, which would
have netted them details about the company’s “security hole,” along
with a promise to destroy the stolen data. Instead, the extortionist, a
hacker going by the designation “Maxus,” released 25,000 of the
estimated 300,000 stolen card numbers onto the World Wide Web.
In addition to exposing the purloined credit card numbers to public view,
the guest book of the Internet address belonging to Maxus gave the thief
and an unknown number of associates a ready-made market for the
data—this time for a price. Trusted associates of Maxus were permitted
to buy 1000 “virgin” credit cards—meaning those that had not yet
been shared, for $1,000. According to reports, those cards were then
wholesaled to other “carders” (people who use fraudulent cards for
their own gain) at the price of 50 cards for $500, a tidy tenfold profit,
said the published report.
While the nature of this crime itself is horrific, there is some important
information that ISOs attempting to sell e-commerce should remember: None
of what happened could have been avoided with Secure Sockets Layer (SSL),
smart cards, encryption, biometrics, or any of the other common industry
buzzwords that pertain to credit card security on the Internet. The
thieves who did this were after a much bigger target than a consumer’s
individual credit card number. And they were successful because the
merchant involved sloppily stored credit card numbers in an unsecured
space.
The thieves in this case came through the back door, attacking the
vulnerable merchant instead of the cautious consumer. Their main weapon
was knowledge—knowing what to look for in the way of certain software
programs that are easily penetrable. Their tool was an existing
type of program known as a “scanner,” which spiders the Web searching
for Web sites that use known software with specific, common
vulnerabilities. A hacker can turn on the scanning program before bed at
night, and when he wakes he will have knowledge of many Web sites that
utilize vulnerable software.
“It used to be that hackers would merely deface Web pages,” noted
Internet security analyst John Vranesevich, founder and president of
AntiOnline, a Pennsylvania-based company that specializes in finding the
culprits of Internet security-related crimes. “Today, hundreds of Web
sites are defaced every day, including official government Web sites.
It’s so common it doesn’t even make the news anymore,” said
Vranesevich.
“The problem here is in the software that is run on these servers. Some
companies use their own proprietary software, which is more difficult to
break through. Other companies use software off the shelf. There are chat
pages devoted entirely to this issue, where people find and share
vulnerabilities in commercial products,” Vranesevich said.
“There is no danger to the consumer making a purchase over a secure
socket layer, or other encrypted method,” said Vranesevich. “Can you
imagine how long it would take a hacker to break into an Internet Service
Provider (ISP) and to watch each individual transaction and then steal
that card number? Even if he could, it would be much too time consuming,
and he would most likely get caught.”
Vranesevich said that the reason the credit card numbers were so easy to
steal had to do with where CD Universe chose to store them: “It was a
major snafu. They were in a non-encrypted mass repository.” This means
that virtually anyone could gain access to the financial information with
little or no effort.
“There is no reason for businesses to store credit card account
numbers,” asserted Vranesevich. “They are stored for the convenience
of the user and so merchants can track buying habits. There are plenty of
ways merchants can track buying habits without credit card numbers. If the
consumers were educated they would quickly agree that it’s not worth the
risk.”
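The alternative Vranesevich describes, tracking a customer’s buying habits and offering easy returns without ever holding the card number, can be done by storing a keyed reference to the card plus its last four digits instead of the number itself. The following is an added illustration and not code from CD Universe or AntiOnline; the card number, secret key and record layout are constructed for the example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects typos before a card number is processed at all."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_reference(pan: str, key: bytes) -> str:
    """Stable, keyed reference for 'same card seen again' tracking.

    A plain hash would be reversible by brute force because there are only
    ~10^15 plausible card numbers; the HMAC key is what makes the reference
    safe to store, so it must live outside the purchase database (e.g. in a
    separate secrets store or hardware module), never beside the records.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def record_purchase(pan: str, amount_cents: int, key: bytes) -> dict:
    """Build the row a merchant keeps: no full card number anywhere in it."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return {
        "card_ref": card_reference(pan, key),   # links repeat purchases
        "last4": pan[-4:],                      # enough for receipts/returns
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)          # constructed key for the demo
    print(record_purchase("4111111111111111", 1999, demo_key))
```

The stored row lets the merchant recognise a returning card and print a receipt, but a thief who copies the whole repository gets neither the card numbers nor, without the separately held key, a way to recover them.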
While the idea of breaking into a Web site and stealing classified
information may have an aura of mystery and intrigue, Vranesevich worries
that soon it will be the rule, rather than the exception, and that the
people responsible are going to be members of the defiant high-tech youth
of today, known in security circles as “kiddies.”
“We’re beginning to see an alarming new trend. These days, the
‘kiddie’ is starting to be looked down upon by his peer group for
simply hacking a page. No longer does the act of Web defacement net the
kind of notoriety it once did. To evolve, he has found greater feats that
will draw the type of respect and recognition he is looking for. What the
kiddie has found, it seems, is your credit cards.”
ISOs should remember that one of the keys to selling e-commerce is knowing
what kind of security (encryption) is utilized with the service they are
marketing. Anyone considering building a commerce-enabled Web site will
most likely want to know this. Additionally, merchants should be cautious
when storing sensitive information. As security expert Vranesevich points
out, there are plenty of other methods for tracking customer buying habits
or providing easy “return” service other than storing credit card
numbers.
For more information about security on the Internet, visit the AntiOnline
Web site at www.antionline.com. Be certain to check out their archive of
hacked Web pages and to read through the index of articles about security
on the net that they have published. To reach AntiOnline by telephone
please call (724) 773-0940.
© Copyright 1995-2000 The Green Sheet, Inc.