Like stealing credit cards from babies

E-commerce's dirty little secret surfaces after teen-ager grabs and gives away thousands of credit card numbers

How did it happen? How was a teen-aged computer thief able to glean thousands of credit cards from an e-commerce site, and give them away one at a time for weeks? And why, if the thief is to believed, is he still able to raid that Web site for credit card numbers?

CD Universe, the victim, isn't saying, but interviews with the hacker and experts are offering some early hints. It's a dirty little secret of e-commerce -- credit card numbers are stored in plain-text files by Web sites all over the Internet.

An intruder called himself "Maxus" broke into CD Universe's computers last year, and stole up to 300,000 credit card numbers. After the Web site refused his Christmas-season demand for $100,000, Maxus began releasing card numbers on a Web site. And he probably would still be giving those numbers away if he hadn't chosen to make a name for himself.

Maxus decided to pull a publicity stunt this weekend, notifying a computer security news Web site named SecurityFocus about his credit-card giveaway page.

Elias Levy, chief technology officer of SecurityFocus, then broke the story, and soon after, Maxus' Web page was removed. In an email to NBC News on Tuesday, a writer claiming responsibility for the theft said he would "soon" open a new Web page and give away more numbers.

That writer also told MSNBC he had already sold 10,000 card numbers and could get more from CD Universe whenever he needed them. How? With all the talk about encryption and secure transactions, how was Maxus able to copy all that data from CD Universe users?

Experts agree there are really only two possibilities, one much more likely than the other. Either the credit-card data was stored by the Web site in plain text, readable by anyone who gained access to the computer, and Maxus simply copied the data -- or the intruder managed to decrypt an encrypted database full of card numbers. Most think CD Universe hadn't encrypted their user data.

"It's the dirty little secret of e-commerce," said Dave Mullan, CEO of online payment processing company Vitessa "People are using technologies that aren't secured to the level they need to be... you'd be surprised at how lazy some companies' processes are."

It's still unknown which of thousands of possible vulnerabilities Maxus might have used to break into CD Universe's computers in the first place. When the break-in was reported, Brad Greenspan, chairman of CD Universe parent company eUniverse, blamed credit-card processing software called ICVerify. The New York Times also reported on Monday that Maxus told the paper he exploited a flaw in ICVerify.

Recently acquired by CyberCash, this is not the only black eye ICVerify software has received recently. Just last week, it developed perhaps the nation's most significant Y2K bug. After 1 January, the system was charging consumers repeatedly for the same purchase.

ICVerify is off-the-shelf e-commerce software that sells for around $400; one of its selling points, according to one reseller, is the fact that the software tracks customers and allows merchants to store credit-card numbers.

On Tuesday, the company issued a press release saying CD Universe didn't even use ICVerify, and a company spokesperson repeated that claim to MSNBC, saying: "I don't know what the hell Brad is telling people... they told us they had credit cards stored in an SQL database."

But the spokesperson did not offer more details, and did not return phone requests for additional information. Several credit-card experts suggested that the way ICVerify records transactions could be the culprit.

According to one consultant, the software logs each transaction, then at the end of the day saves that log file -- credit-card numbers and all -- in a plain-text archive file. According to an ICVerify reseller, up to nine years of data can be saved. This makes printing business-analysis reports easy, but it also makes life easy for criminals. Once they gain access to the computer performing the credit-card verification services, they can see in plain text all the cards ever processed.

The logs aren't prohibitively large files. "You have to assume that it's pretty much everywhere by now," according to one informed source.

On CD Universe's Web site, the company claims to have "successfully processed over 300,000 credit-card transactions". That's the same number of cards Maxum claims to have stolen. "This scenario is very likely. I would guess that is what happened all along," Levy said. "Perhaps they didn't realise the logs existed and they never bothered to delete them."

In email correspondence, a writer claiming to be Maxus refused to say ICVerify's logs were the culprit -- in fact, he spread blame around a bit.

"CyberCash (ICVerify's owner) is lame, because (it) stores *.set files in plain text with important data," he wrote. "Microsoft is lame because I can view in plain text their *.MDB files... "

All of which points to the central question surrounding credit-card use on the Internet. While plenty of attention has been paid to encrypting important data while it travels across the Net from consumers to Web sites and back again (so-called SSL encryption), little has been paid to how the information is stored by merchants.

"The real issue is, why are merchants storing the credit cards at all?" said Jim Cannavino, CEO of CyberSafe. His company is promoting a new online transaction scheme that eliminates credit card numbers entirely. "I thought it was going to happen last year. Hackers would realise they can access credit information in merchant systems... you've created a lucrative environment for a hacker to go to."

What do you think? Tell the Mailroom. And read what others have said.

Take me to the Hackers news special