How to steal 2,500 credit cards, Part 2

Protecting the innocent: part two of How to steal 2,500 credit cards

Previous page

Some of the sites didn't include personal information; they are not included in this report. The others --,,,,, and -- were all contacted 24 hours before this story so they could close the security hole.

While the flaws are obvious, assessing blame is a much more sticky business. There's a mounting concern that small businesses are particularly vulnerable to attack; many don't have computer experts on staff. Other times, non-technically savvy business owners take lowball bids from developers who promise a secure Web site but don't deliver. Then there are inherent problems in software itself that make flaws more likely.

In some cases, the server-side code underlying a Web page is viewable if a browser places "::$DATA" at the end of the page's Web address. That code, normally hidden, can contain any usernames, passwords and other information about any computer connected to that server. This flaw was revealed over two years ago and has since been patched. Four of the vulnerable sites MSNBC found were hosted on the same Web server and had not plugged this hole.

But even without knowing that technique, an intruder could have entered the sites anyway -- the username required for entering the database was the default "sa," which stands for "system administrator"; the password was the name of the company.

"We used a developer, and obviously the developer didn't take that flaw into consideration," said a spokesperson for the sites. "The flaw could have lied within the software, but maybe the developer should have taken that into consideration ... and one thing we didn't do, we didn't hire a security company to come in and test our Web site."

Getting a second opinion when building an e-commerce site is a good idea, said security expert Russ Cooper, who maintains the popular NTBugTraq mailing list. "Make a condition of the contract that it has to pass scrutiny of another individual who tests the site," Cooper recommended. The fundamental problem, he said, is that developers have no liability for flaws they leave behind in e-commerce sites. Merchants are responsible for the cost of any stolen merchandise, while most developer contracts make clear they are not responsible for what happens with a site they build. "So a lot of people end up with a working site but not a secure site." The other three vulnerable sites MSNBC visited simply used "sa" as the username for their database, and no password.

Average consumers have no way of knowing how well-guarded their personal information is when they submit it to a Web site. Levy said the problems MSNBC found at these seven sites are hardly isolated.

"The blame falls on more than one person. You can't rush out to set up an e-commerce site regardless of how much you want to make money... Many people don't give (security) a second thought," he said.

One of the fundamental flaws in all these sites -- and, experts say, in many other sites -- is the storing of private consumer information in the first place. While encryption techniques that scramble the data are available, it's often kept on a computer in plain text -- one step away from the Internet. While that's more convenient, experts agree it's a bad idea. "My advice is, if nothing else, don't store the data where it physically has access to the Web," said Wesley Wilhelm, a fraud prevention consultant at the Internet Fraud Prevention Advisory Council. "Take them off every night and make a sneakernet run."

As for consumers, there isn't much they can do to ascertain how well a Web site is guarding their personal information. Some experts suggest using only one card online, and religiously checking credit card bills. While consumers are liable for at most $50 of fraudulent purchases, they are responsible for catching them and alerting their bank.

MSNBC's Curtis Von Veh contributed to this story.

Take me part 1

Take me to the Hackers News Special for all the latest hacking news.