
Biggest hacking fraud ever

Every e-commerce site's nightmare as hacker gets nasty with credit card details
Written by Will Knight, Contributor

A malevolent computer hacker claims to have pulled off the greatest information technology heist in history after temporarily posting credit-card numbers stolen from a large US e-commerce firm.

American online CD retailer CD Universe admitted that "a portion of its customer data" had been stolen and that an attempt had been made to blackmail the firm over the return of the information.

eUniverse -- parent of CD Universe -- admitted it was contacted by a malicious hacker last week who claimed to have stolen thousands of credit card numbers. The hacker demanded thousands of dollars not to go public according to eUniverse. After calling the blackmailer's bluff, eUniverse discovered hundreds of card numbers had been posted to an anonymous Web site.

According to some reports, these numbers were used to make fraudulent transactions over $1000.

A press release from eUniverse states: "The company learned on Saturday January 7, 2000 that customer data was posted on the Internet and immediately notified the FBI which caused the site to be shut down the same day."

The hacker, Maxus, reportedly put his exploits down to the credit-card software protecting the CD Universe Web site, ICVerify, created by US-based CyberCash.

Computer security expert David Litchfield of security firm Cerberus believes this may well be more than a wild boast. "It is extremely likely," Litchfield told ZDNet. "The trouble with software companies these days is that getting stuff out quickly is all important and so security suffers. He posted credit card numbers and the company seems to have admitted that he got hold of them somehow. He could only have exploited a hole somewhere."

In a statement, however, CyberCash denied that its software could have been compromised. "ICVerify is a PC-based payment system, not a web-enabled product and is not being used by cdUniverse on its Web site. Therefore the credit card information cited in recent coverage could not have come from ICVerify."

Richard Tyson-Davis of the Association of Credit Payment Services confirmed that British consumers at least are protected from this sort of occurrence. He says, "The Consumer Credit Act of 1974 says that people have to pay £50, but in practice the banks don't ask for this." Tyson-Davis says that the new breed of Internet banks that offer special protection from Internet fraud "don't have anything that anyone else doesn't have."

According to Tyson-Davis, when fraud has been committed without the card itself being present, it is retailers and not banks who will be left out of pocket. He adds, "It's the poor old retailer that stands to lose most in this sort of situation. 10% of all credit-card fraud in 1998 was carried out when the card was not present, and retailers picked up the bill for all of this."

Chairman of eUniverse Brad Greenspan has also issued a statement explaining why his company decided not to pay the hacker's ransom demands: "Refusing to bow to this new breed of cyber-criminals, we have taken a stand against a new form of online blackmail on behalf of all legitimate e-commerce retailers. We take great pains to safeguard the privacy of our customers' information and will take all necessary action to limit any loss or inconvenience to customers which may occur as a result of this unusual occurrence."

The hunt is now on for the computer hacker behind this extraordinary heist.
