
How to steal 2,500 credit cards

Just how easy is it to steal credit card numbers on the Internet? MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source.

18 Jan 2000 - Just how easy is it to steal credit card numbers on the Internet? On Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site.

Credit card theft, a problem long lurking in the background of Internet commerce, leaped to the top of consumers' minds earlier this month when a computer intruder calling himself Maxus was able to break into CD Universe's database of user credit cards. There's still speculation about how he did it.

But perhaps Maxus didn't have to work so hard. This week, MSNBC was able to view nearly 2,500 credit card numbers and other data essentially by browsing e-commerce Web sites using a commercially available database tool rather than a Web browser. Not only were the sites storing the credit cards in plain text in a database connected to the Web -- the databases were using the default user name and in some cases, no password.

These basic security flaws were found by a legitimate Russian software company named Strategy LLC, according to CEO Anatoliy Prokhorov, and shared with MSNBC. He says he tried contacting some of the companies first and got no response.

"From our point of view this is just unprofessionalism in a very high degree that's not explainable," Prokhorov said. His company writes software that helps consumers compare prices across multiple e-commerce sites, so his developers become familiar with data structures at hundreds of e-commerce sites. He says they weren't looking to find security flaws, but rather stumbled on these.

"This is just a hole we passed by, an open door. Our people were amazed."

But security experts were not. Given the speed required to succeed in the fast-paced Internet economy, companies are in a big hurry to publish working Web sites and often skimp on security measures.

The need for speed
"This is a microcosm of what's out there," said Elias Levy of SecurityFocus.com. Levy's site was the first to report the CD Universe break-in last weekend. "One could only imagine what they would have found if they were looking for problems ... The problem is fairly widespread, and what Anatoliy has found is a small snapshot."

Prokhorov also contacted SecurityFocus.com with his information, and the site today will issue its own report based on its independent investigation.

The security flaws Prokhorov found involve more than just easy-to-steal credit cards. At all seven sites, MSNBC was able to view a wide selection of personal data including billing addresses, phone numbers and in some cases, employee Social Security numbers.

Prokhorov sent the list and instructions to MSNBC on Tuesday. It included about 20 Web sites which either had no password protection at all on their database servers -- in each case, they were running Microsoft's SQL Server software -- or had password information exposed on their Web site. Connecting to all the sites was as simple as starting SQL Server and opening a connection to the Web site. (Note: Microsoft is a partner in MSNBC.)

Protecting the innocent
Some of the sites didn't include personal information; they are not included in this report.

The others -- PMIWeb.com, Softwarecloseouts.com, EPCdeals.com, Expressmicro.com, Computerparts.com, Directmicro.com and Sharelogic.net -- were all contacted 24 hours before this story so they could close the security hole.

While the flaws are obvious, assessing blame is a much more sticky business. There's a mounting concern that small businesses are particularly vulnerable to attack; many don't have computer experts on staff. Other times, non-technically savvy business owners take lowball bids from developers who promise a secure Web site but don't deliver. Then there are inherent problems in software itself that make flaws more likely.

In some cases, the server-side code underlying a Web page is viewable if a browser places "::$DATA" at the end of the page's Web address. That code, normally hidden, can contain any usernames, passwords and other information about any computer connected to that server. This flaw was revealed over two years ago and has since been patched. Four of the vulnerable sites MSNBC found were hosted on the same Web server and had not plugged this hole.

But even without knowing that technique, an intruder could have entered the sites anyway -- the username required for entering the database was the default "sa," which stands for "system administrator"; the password was the name of the company. The other three vulnerable sites MSNBC visited simply used "sa" as the username for their database, and no password.

"We used a developer, and obviously the developer didn't take that flaw into consideration," said a spokesperson for the sites. "The flaw could have lied within the software, but maybe the developer should have taken that into consideration ... and one thing we didn't do, we didn't hire a security company to come in and test our Web site."

Getting a second opinion when building an e-commerce site is a good idea, said security expert Russ Cooper, who maintains the popular NTBugTraq mailing list.

"Make a condition of the contract that it has to pass scrutiny of another individual who tests the site," Cooper recommended. The fundamental problem, he said, is that developers have no liability for flaws they leave behind in e-commerce sites. Merchants are responsible for the cost of any stolen merchandise, while most developer contracts make clear they are not responsible for what happens with a site they build. "So a lot of people end up with a working site but not a secure site."
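As an added illustration, not part of the original article, this is the audit a database administrator can run on a current SQL Server to find exactly the condition described above: an enabled "sa" login whose password is blank or a guessable string such as the company name. PWDCOMPARE, sys.sql_logins and IS_SRVROLEMEMBER are built-in SQL Server objects; the candidate password list and the company name are constructed placeholders.

```sql
-- Added example, not from the article: audit SQL Server logins for the
-- weaknesses the story describes (default "sa" in use, blank or guessable password).
-- Reading password_hash requires CONTROL SERVER permission.
DECLARE @candidates TABLE (pwd NVARCHAR(128));
INSERT INTO @candidates (pwd) VALUES
    (N''),                 -- no password at all (three of the seven sites)
    (N'sa'),               -- password identical to the login name
    (N'ExampleCompany');   -- constructed placeholder: the merchant's own name

-- principal_id = 1 is always the built-in sa login, even if it has been renamed.
-- Any other login holding sysadmin is checked against the same weak candidates.
SELECT l.name,
       l.is_disabled,
       c.pwd AS matched_password
FROM sys.sql_logins AS l
JOIN @candidates AS c
  ON PWDCOMPARE(c.pwd, l.password_hash) = 1
WHERE l.principal_id = 1
   OR IS_SRVROLEMEMBER(N'sysadmin', l.name) = 1;

-- Remediation for any row returned: give sa a long random password and
-- disable it after a separate, named administrative login exists.
-- ALTER LOGIN sa WITH PASSWORD = N'<long random password>';
-- ALTER LOGIN sa DISABLE;
```

An empty result set means no privileged login accepts any of the candidate passwords; the database should additionally not be reachable from the Internet at all, which is the point the next section makes.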

No way to know
Average consumers have no way of knowing how well-guarded their personal information is when they submit it to a Web site. Levy said the problems MSNBC found at these seven sites are hardly isolated.

"The blame falls on more than one person. You can't rush out to set up an e-commerce site regardless of how much you want to make money. ... Many people don't give (security) a second thought," he said.

One of the fundamental flaws in all these sites -- and, experts say, in many other sites -- is the storing of private consumer information in the first place. While encryption techniques that scramble the data are available, it's often kept on a computer in plain text -- one step away from the Internet. While that's more convenient, experts agree it's a bad idea.

"My advice is, if nothing else, don't store the data where it physically has access to the Web," said Wesley Wilhelm, a fraud prevention consultant at the Internet Fraud Prevention Advisory Council. "Take them off every night and make a sneakernet run."

As for consumers, there isn't much they can do to ascertain how well a Web site is guarding their personal information. Some experts suggest using only one card online, and religiously checking credit card bills. While consumers are liable for at most $50 of fraudulent purchases, they are responsible for catching them and alerting their bank.

MSNBC's Curtis Von Veh contributed to this story.