X
Business
Home Business E-Commerce

Stealing credit cards from babies

E-commerce's dirty little secret surfaces after teen-ager grabs and gives away thousands of credit card numbers.
Written by Bob Sullivan, Contributor
How did it happen? How was a teen-aged computer thief able to glean thousands of credit cards from an e-commerce site, and give them away one at a time for weeks? And why, if the thief is to believed, is he still able to raid that Web site for credit card numbers?

CD Universe, the victim, isn't saying, but interviews with the hacker and experts are offering some early hints. It's a dirty little secret of e-commerce - credit card numbers are stored in plain-text files by Web sites all over the Internet.

An intruder called himself "Maxus" broke into CD Universe's computers last year, and stole up to 300,000 credit card numbers. After the Web site refused his Christmas-season demand for $100,000, Maxus began releasing card numbers on a Web site.

And he probably would still be giving those numbers away if he hadn't chosen to make a name for himself.

Maxus decided to pull a publicity stunt this weekend, notifying a computer security news Web site named SecurityFocus about his credit-card giveaway page.

Elias Levy, chief technology officer of SecurityFocus, then broke the story, and soon after, Maxus' Web page was removed.

Stopped, for now
In an e-mail to NBC News on Tuesday, a writer claiming responsibility for the theft said he would "soon" open a new Web page and give away more numbers.

That writer also told MSNBC he had already sold 10,000 card numbers and could get more from CD Universe whenever he needed them.

How? With all the talk about encryption and secure transactions, how was Maxus able to copy all that data from CD Universe users?

Experts agree there are really only two possibilities, one much more likely than the other.

Either the credit-card data was stored by the Web site in plain text, readable by anyone who gained access to the computer, and Maxus simply copied the data -- or the intruder managed to decrypt an encrypted database full of card numbers. Most think CD Universe hadn't encrypted their user data.

'Dirty little secret'
"It's the dirty little secret of e-commerce," said Dave Mullan, CEO of online payment processing company Vitessa Corp. "People are using technologies that aren't secured to the level they need to be ... you'd be surprised at how lazy some companies' processes are."

It's still unknown which of thousands of possible vulnerabilities Maxus might have used to break into CD Universe's computers in the first place.

When the break-in was reported, Brad Greenspan, chairman of CD Universe parent company eUniverse, blamed credit-card processing software called ICVerify. The New York Times also reported on Monday that Maxus told the paper he exploited a flaw in ICVerify.

Recently acquired by CyberCash, this is not the only black eye ICVerify software has received recently. Just last week, it developed perhaps the nation's most significant Y2K bug. After Jan. 1, the system was charging consumers repeatedly for the same purchase.

ICVerify is off-the-shelf e-commerce software that sells for around $400; one of its selling points, according to one reseller, is the fact that the software tracks customers and allows merchants to store credit-card numbers.

On Tuesday, the company issued a press release saying CD Universe didn't even use ICVerify, and a company spokesperson repeated that claim to MSNBC, saying: "I don't know what the hell Brad is telling people ... they told us they had credit cards stored in an SQL database."

But the spokesperson did not offer more details, and did not return phone requests for additional information.

Log files the culprit?
Several credit-card experts suggested that the way ICVerify records transactions could be the culprit.

According to one consultant, the software logs each transaction, then at the end of the day saves that log file -- credit-card numbers and all -- in a plain-text archive file. According to an ICVerify reseller, up to nine years of data can be saved.

This makes printing business-analysis reports easy, but it also makes life easy for criminals. Once they gain access to the computer performing the credit-card verification services, they can see in plain text all the cards ever processed.

The logs aren't prohibitively large files. "You have to assume that it's pretty much everywhere by now," according to one informed source.

On CD Universe's Web site, the company claims to have "successfully processed over 300,000 credit-card transactions." That's the same number of cards Maxum claims to have stolen.

"This scenario is very likely. I would guess that is what happened all along," Levy said. "Perhaps they didn't realize the logs existed and they never bothered to delete them."

In e-mail correspondence, a writer claiming to be Maxus refused to say ICVerify's logs were the culprit -- in fact, he spread blame around a bit.

"CyberCash (ICVerify's owner) is lame, because (it) stores *.set files in plain text with important data," he wrote. "Microsoft is lame because I can view in plain text their *.MDB files... "

All of which points to the central question surrounding credit-card use on the Internet.

While plenty of attention has been paid to encrypting important data while it travels across the Net from consumers to Web sites and back again (so-called SSL encryption), little has been paid to how the information is stored by merchants.

Why store card numbers?
"The real issue is, why are merchants storing the credit cards at all?" said Jim Cannavino, CEO of CyberSafe. His company is promoting a new online transaction scheme that eliminates credit card numbers entirely.

"I thought it was going to happen last year. Hackers would realize they can access credit information in merchant systems ... you've created a lucrative environment for a hacker to go to."

Other experts expressed similar lack of surprise by this week's break-in. In fact, intruder extortion schemes have long been rumored; one MSNBC source says he once helped broker a deal where a London bank paid $1 million for a hacker to destroy stolen data.

E-commerce sites keep customer information on file to make the checkout process easier, but it also means they must store critical personal data. And even if that data is kept on a separate computer, it must have some connectivity with the Web site. That leaves an opening for computer criminals.

"Credit-card numbers -- whoop-de-do," said Space Rogue, editor of Hacker News Network and research scientist at @Stake, formerly known as L0pht. "What's surprising to me is they got this FAX (the extortion threat) and ignored it."

Bad blood
During the two-week period when the stolen card numbers were being doled out, CD Universe did not inform its users that their cards might have been comprised.

While consumers are only liable for up to $50 of fraudulent credit-card charges, and most banks don't even seek that amount, many CD Universe users still felt cheated.

"I wasn't so much upset about what happened as I was upset that CD Universe had not contacted me. They still haven't," said 40-year-old Joe Maloney of Boston.

Between Dec. 26 and Jan. 4, 12 or 13 fraudulent $250 charges had been made with his Visa card. He had been a regular CD Universe customer.

"They called this guy's bluff and they lost ... I don't know if I'll be ordering anything from them for a while, if ever."






Editorial standards
Show Comments

Related

screenshot-2024-05-07-at-10-05-22am.png

This $349 iPad was secretly the best announcement during Apple's event

iPad Air blue from the back

I've used every iPad since the original. Here's my buying advice for the new 2024 models

mouse

How much tech can I get from Temu for $100 (and is it any good)?