How to steal 2,500 credit cards, Part 1
Just how easy is it to steal credit card numbers on the Internet? Last week, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site.
Credit card theft, a problem long lurking in the background of Internet commerce, leaped to the top of consumers' minds earlier this month when a computer intruder calling himself Maxus was able to break into CD Universe's database of user credit cards. There's still speculation about how he did it. But perhaps Maxus didn't have to work so hard. Last week, MSNBC was able to view nearly 2,500 credit card numbers and other data essentially by browsing e-commerce Web sites using a commercially available database tool rather than a Web browser. Not only were the sites storing the credit cards in plain text in a database connected to the Web -- the databases were using the default user name and in some cases, no password.
These basic security flaws were found by a legitimate Russian software company named Strategy LLC, according to CEO Anatoliy Prokhorov, and shared with MSNBC. He says he tried contacting some of the companies first and got no response. "From our point of view this is just unprofessionalism in a very high degree that's not explainable," Prokhorov said. His company writes software that helps consumers compare prices across multiple e-commerce sites, so his developers become familiar with data structures at hundreds of e-commerce sites. He says they weren't looking to find security flaws, but rather stumbled on these. "This is just a hole we passed by, an open door. Our people were amazed."
But security experts were not. Given the speed required to succeed in the fast-paced Internet economy, companies are in a big hurry to publish working Web sites and often skimp on security measures. "This is a microcosm of what's out there," said Elias Levy of SecurityFocus.com. Levy's site was the first to report the CD Universe break-in last weekend. "One could only imagine what they would have found if they were looking for problems ... The problem is fairly widespread, and what Anatoliy has found is a small snapshot." Prokhorov also contacted SecurityFocus.com with his information, and the site today will issue its own report based on its independent investigation.
The security flaws Prokhorov found involve more than just easy-to-steal credit cards. At all seven sites, MSNBC was able to view a wide selection of personal data including billing addresses, phone numbers and in some cases, employee Social Security numbers.
Prokhorov sent the list and instructions to MSNBC on Tuesday. It included about 20 Web sites which either had no password protection at all on their database servers -- in each case, they were running Microsoft's SQL Server software -- or had password information exposed on their Web site. Connecting to all the sites was as simple as starting SQL Server and opening a connection to the Web site. (Note: Microsoft is a partner in MSNBC.)