Largest Online Credit Card Heist Ever?
Brian writes, "Today InternetNews.com
broke a story about a Russian cracker who claims to
have stolen 300,000 credit cards from CDuniverse.com. After failing in an
attempt to blackmail the company for $100,000 to keep quiet, the cracker
posted the cards at his site."
So, a few weeks before I was going to declare bankruptcy, I get that super-duper chummy letter from Faster Charge (tm) telling me that, "since you've been a very nice customer of us for the last 15 years, we'd be glad to settle for (55% of the balance owed). You send us back the credit card with the dough, and you'll never hear from us ever again".
So, if they can afford to lose 45% of their outstanding 4-digit balances, they really don't have to give a shit about online fraud...
We don't have to care: we're the credit card company.
It is not bullshit, dickweed, it's what everyone with more than 2 braincells already knows:
Server: Microsoft-IIS/4.0
Location: http://www.cduniverse.com/asp/cdu_main.asp
ANY E-commerce site using IIS with ASP is begging for this sort of thing to happen. Get a clue.
And if you'd like to know HOW Maxus did it, try here:
http://www.phrack.com
That is a different OS than the first is my suggestion. If really big, even a third server = n degrees of isolation. No matter how hard, at least until independent review, someone will find a hole, and use it before alerted. The odds of exploiting 2 OS's is lower, unless the admin is a total twit, with sleepy security guys
It doesn't really matter where the numbers came from, whether they were phoned in, (e-)mailed in, web-formed in or whatever... if they are stored in a compromised database the same number of cc's can get out. In fact I'm pretty sure there was a story a couple of years ago about someone on the inside of a big company (IBM?) who stole the cc numbers from phone customers.
And the banks wanted a huge fee- hardly an open solution. Who said pennies -- low volume merchants pay 4-8% in my town. If you set up an online store, you have obligations.
And those internal networks aren't connected to the internet in any way shape or form?
Apart from laws, let's make the seller wear some of the cost too, as in contributory negligence. If the hole is older than 3 months, hacker should walk free. IMHO Blackmail, extortion demands the usual heavy hand. Bad publicity or upsetting public faith should get the 5th.
Actually, the AC is correct. Being anonymous doesn't make their reply any less accurate, nor does your pseudo non-anonymity make your opinion any more valid.
Languages change over time with use. Only Latin remains the same. Live with it.
I'll take my masters in linguistics over your "Tom 'Its Hacker!' G" anyday.
Anyway, it hardly matters either way. Just let it go. Stop whining.
I'm not the same AC as above.
It's just words.
Hardly worth making a fuss about.
Also, I know a few software makers that would say the people you call respected and skilled are nothing but criminals themselves.
They're just words.
I think that if I was planning to buy CDs online anytime soon, I'd buy from them. I bet that they'll have the best security money can buy in less than a month. Loren.
You should have got -1 just for spelling.
Except it is very expensive, and not open sourced, plus the banks want to charge you for each transaction (a fair hit). Open SSL and PGP is quite adequate, unless you don't use it properly.
Relax. Let it go. It's just a word. There's no "right" terminology. Language isn't static. Once a word is out there you don't own it anymore. The meaning of a word is whatever enough people agree to. In this way languages grow, change and adapt.
This is a good thing.
When my parents said that they hadn't made those purchases, the bank immediately canceled the card and wiped the fraudulent charges from my parents' bill.
The bank did the right thing.
Step one is find the guy so you can pay him $50,000 for the list of cards so you can turn them all off. If he is politically well connected in .ru then there is no way corp america is going to do anything to him other than pay to keep this as quiet as can be. Keep in mind that both visa and mc manage security based on their risk and their ability to cover that risk. 50k is one consultant for 3 months and is small change.
I did some consulting work for a windows webhosting firm.
You could download all of their databases (MS Access) by typing in www.domain.com/databasename.mdb.
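An added example (not the consultant's tooling, nor anything CD Universe ran): a small audit that walks a web document root and lists the files a browser could fetch by name, the way the Access databases above could be fetched as www.domain.com/databasename.mdb. The suffix list and the constructed sample layout are assumptions; the real fix is to keep data stores out of the document root altogether, and this check is how you confirm that.

```python
import os
import tempfile

# File types that hold data, backups or secrets and should never sit under a
# web document root (assumed list; extend for your own stack).
SENSITIVE_SUFFIXES = (".mdb", ".accdb", ".sql", ".bak", ".old", ".db", ".sqlite", ".ini")


def find_exposed_files(docroot, suffixes=SENSITIVE_SUFFIXES):
    """Walk a document root and return the sorted URL paths of files that a
    browser could fetch simply by asking for them by name."""
    findings = []
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            if name.lower().endswith(suffixes):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                findings.append("/" + rel.replace(os.sep, "/"))
    return sorted(findings)


def demo():
    """Build a constructed document root in a temp directory and audit it."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {                                   # constructed sample site
        "index.html": "<html>shop</html>",
        "images/logo.gif": "GIF89a",
        "data/customers.mdb": "constructed database contents",
        "backup/site.bak": "constructed backup",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return find_exposed_files(root)


if __name__ == "__main__":
    for url_path in demo():
        print("exposed:", url_path)
```

Run it against the real docroot instead of the temp directory; every path it prints is one that needs moving outside the web tree, not just hiding behind an obscure name.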
You bet. It's called dumpster diving and it's been around a long time.
Appears to be running NT/IIS
fucking theif. you are no better than the credit card scammers, or any of the others. you are on their level stealing webpages w/o the ads. i hope you burn in the eternal lake of fire for ever and ever, bad man.
go rape your grandma or something, at least that is more socially acceptable than stealing bandwidth and rejecting the ads, you disgust me
It is even easier in Moscow or St. Petersburg to hire a hitman than it is in Chicago or New York (and that is saying quite a bit). I'm amazed the company involved, or one of the credit card holders, hasn't done the obvious, and removed this pest from the gene pool permanently.
It is a disturbing trend, that to buy something, some places require you to register your Credit number with your user info.
They should not keep your credit card number past the shipment.
One way around this is to go change your number or expiration date after shipment. Of course if they keep your number somewhere else...
Well, the $50 max liability rule isn't made by the credit card companies. It's Federal law. CC companies may claim to have the same policy, but I ain't gonna rest easy until there's a law to make sure they live up to their word.
Yeah, SOME of the looneytunearian types have advocated not only getting rid of your credit cards but taking all your money out of the bank and buying gold maple leafs and junk silver US coins, etc. Then I suppose you could go hide out up in the mountains of North Carolina like Eric Rudolph.
Well, dickweed, if you think that running *nix makes you immune to administrative fuckups, I hope that you'll publish here the URLs of any financially-critical sites YOU manage. If you manage anything at all.
What about the hundreds of thousands of Visa check cards? Anyone that got stung with one of those is out of cash and has no immediate recourse.
he probably gets lots of russian babes. give the guy a break.
It's too late, you idiot - now that everybody knows about this thing, the opening stock price will be very low tomorrow. Maybe it is time to buy it if the market overreacts?!?! If you knew about this thing before everyone else did (like if you were that Russian cracker), THEN you could make some major $$$ by shorting the stock.
If you sign a piece of paper for the CC purchase, they give you a copy. Look at your copy very seldom do they XXXXX out the numbers except the last few; most of the time, it has the entire number on there in all its glory, as well as the expiration date (especially Exxon pay at the pump--look and notice-don't drop that on the ground!). And they keep a copy, and depending on the setup, their cash register system may store a copy on disk somewhere.
Now, if it is this way at a physical store, then you have to know that an e-commerce site is going to store all of this information. The record of the transaction, including all of the numbers, is all they have to prove that it ever happened. No record, no transaction, they don't make any money. (Not only that, but how do you expect businesses to do bookkeeping without records of their transactions?)
Drewbert
No, not all online merchants do that. Our system never stores the credit card number, except in memory while the transaction is being processed. The new Cybercash system lets you simply bundle up the CC in an encrypted message which gets shot off to Cybercash for verification. You get back a yes or no on the transaction, and dump the CC info from memory. The only thing we store is a one-way hash of the credit card numbers so that if someone wants to verify their identity we can ask for the CC number (and of course that is over a secure server) and compare the hashes. Jim
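An added example, not Jim's system and not CyberCash code, showing the one caveat a practitioner would attach to the hashed-card-number design above: a card number carries very little entropy (the issuer prefix is public and the last digit is a Luhn check digit derived from the rest), so an unkeyed hash of it can be searched exhaustively from a database dump alone. A keyed hash (HMAC) whose key lives outside the database removes that, and a constant-time compare avoids leaking the match through timing. The 16-digit / 6-digit-prefix figures are assumptions and 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check used by payment card numbers: the last digit is a
    check digit computed from the others, so it carries no entropy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_search_space(pan_length: int = 16, known_prefix: int = 6) -> int:
    """Candidates an attacker holding a *plain* hash must try: the issuer
    prefix is public and the check digit is derived, so only the middle
    digits are unknown (assumed 16-digit PAN with a 6-digit prefix)."""
    return 10 ** (pan_length - known_prefix - 1)


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed one-way fingerprint (HMAC-SHA256) of a card number.  The key is
    assumed to be kept outside the customer database, so a dump of the
    database alone does not allow the 10**9 candidates to be enumerated."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12 or not luhn_valid(digits):
        raise ValueError("not a Luhn-valid card number")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def pan_matches(pan: str, stored_fingerprint: str, key: bytes) -> bool:
    """Verify a card number the customer supplies against the stored
    fingerprint, using a constant-time comparison."""
    try:
        candidate = pan_fingerprint(pan, key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_fingerprint)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # in production: HSM or separate secret store
    fp = pan_fingerprint("4111 1111 1111 1111", key)
    print("stored fingerprint:", fp)
    print("customer re-supplies card, match:", pan_matches("4111111111111111", fp, key))
    print("candidates an unkeyed hash would expose:", unkeyed_search_space())
```

The design choice is the key location: if the HMAC key sits in the same database (or the same config file the web server reads), the fingerprint is no better than a plain hash once the box is compromised.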
To further this... If a merchant 'swipes' a card through the machine he pays a lesser % to the CC companies than he would if he just keyed in the number or used auth software. The reasoning being that if he is 'swiping' the card then the card holder would normally be present for other types of verification (signature comparison, driver's license, etc.)
nope. all information is real. believe me, i know maxus face-to-face and meet him almost every day on irc. we're fully in carding bizness. and don't worry, feds won't get him. our laws are best! hehe.
Always leaving their laundry detergent around... Chef
We have all heard a lot of talk about whether shopping on the internet is safe. The fact is that this year on-line shoppers will spend over $5.7 billion dollars according to International Data Corp. The main concern of on-line shoppers is that their credit card information will somehow end up in the wrong hands. We use Netscape's Secure Commerce Server technology, which encrypts your order information, keeping it private and protected. It's a Netscape technology called "SSL" (Secure Sockets Layer) and it's used by us and all the other major commercial shopping sites, including: The Wall Street Journal, Barnes & Noble Books, FTD Flowers, Microsoft, and Netscape itself. It is actually safer to transmit your credit card info over the Internet than it is to use your credit card around town.
CD Universe has successfully processed over one hundred thousand credit-card transactions, without a single credit card number being compromised. In February 1997 we were named one of the 10 best commerce sites in the world by PC Week magazine.
What most people don't realize is that shopping with your credit card is actually safer than paying by check. In the event that there is a problem with your purchase, the credit card company will remove the purchase from your bill and the on-line merchant is not paid. In the event that your credit card number is stolen, the credit card companies do not hold you responsible for any unauthorized purchases.
So go ahead and join the six million other people that are experiencing the pleasure of on-line shopping.
with nowadays connections we almost never do sniffing to get cc#s. that's lame. show me the machine that can easily sniff an 155mbit connection and be also a good http server at that time. yes, we own machines on such connections.... that's funny ;). smurf r0x.
Sniffing is easy. That's why anyone with a lick of sense is using switches. While this doesn't stop all sniffing, it sure cuts down on it. And yes, us old farts do tend to think you young whipper snappers can't do anything without us. The reason is that out of a 1000 of you, maybe fifty are good, and if you are VERY lucky, maybe two are as good as they THINK they are.
We must blame this on Micros*ft:
MS should be sued for advertising/marketing things that are just damn lies.
Look at the statistics on "http://www.attrition.org/mirror/attrition" and you will see that more than 60% of all the hacked sites were running NT/W2K and IIS.
I'd call them vandals, thieves, robbers, or just plain fraud artists.
Yep, software companies call crackers criminals, just like Master Locks would call a lockpicker a robber... (No, Master Locks would not do that. Some software companies just don't get it yet. Strange how high tech warps the mind.).
you're right at some points. most carders almost never use amex cards. for example, i use it only when i'm tired of my neighbour, who 10 times per day asks me to do him an account on XXX site. and don't worry so much, US credit cards have AVS (address verification system), that's why i like non-us cc#s.
ehhee. carders also like to listen to music. for example, i got from them ~20 cds. ;)
I suppose a Link to the page is out of the question...I promise it's for informational uses only, J/K of course :)
It should be possible to not only transmit credit card information securely (encrypted), and not only store it securely (encrypted), but also to securely decrypt that credit-card information as part of my authenticating myself to the system. And all accomplished automatically through public/private key encryption.
(Ie: Server stores my credit card number encrypted with my public key. It sends this information back to me, along with the server's public key. I decrypt the credit card number with my private key, and re-encrypt it with the server's public key. The server can now use my credit card number.)
The sole barrier to this is government legislation, which exists for the purpose of facilitating domestic spying.
Real CC == Bank assumes risk of fraud.
Debit CC == *you* assume the risk of fraud.
I like the former, myself. Why would anyone use a debit card (If your credit history is shaky, then *at least* go the secured card route). Never ever ever get a debit card.
slashdotted is slashdotted... no matter what OS/webserver is running...
IMHO, when most unix servers are slashdotted, they just get very slow because they don't serve enough bandwidth to handle all the requests at the same time...
ps: i never used the words "NT sucks"...
Ricardo.
eheh. but what can police do if someones credit card has been used to order 100 TNT2 videocards and shipped to zimbabwe/ex-ussr? can you trace us? hehe. yea, trace, ship us a postcard ;).
i can't say which country maxus and i are from. but that's not russia. russia has laws about such fraud. our country doesn't. we're carding a lot of goods. and you can't bust us. interpol doesn't have rights here. cops... hehehe... call them, complain ;).
stealing numbers is not so funny as making profit from them. with the middle salary here ~40$ we do more than 10,000$/week. heh. kewl?
Then I hope for your sake they are selling off their NT servers and finding some real admins.
May you be on the receiving *end* of some big lifer brute. I'm sure he will be glad to watch CBN and talk crap about Marx with you (between love-ins). All the cute guys aren't in prison, anyway ;-)
hehe. he was working alone, almost no one from us likes to work with NT. it sucks. ;) government... hehehe. what can this say to you: our minister of communications said in an interview: "Internet? our grandfathers, fathers were living without it and we can also! why do we need it?" hehe.
well, server overload is one thing and yeah all web servers are suspect BUT it's GOT to hurt that an IIS server is running a site that just allowed 300,000 credit card numbers to leave by the back door.
You're kidding right? If you're not, you're a fucking idiot.
It doesn't matter that the public doesn't understand the issue at all. The public thinks that stronger encryption will prevent this from happening again? Let them! As long as I get what I want!
ok, so if a hacker = someone who tinkers with computers and technology, and a cracker = someone who cracks games and programs. then what do we call people who break into web sites and deface them or steal info??
we use something, others are selling.... my flat is full of goods already, i'm tired ;). anyway, ~30% of computer hardware here were carded.
ever hear of assassination? click-bang-no more carder. it's not going to be long till assassination becomes a standard way of dealing with monkey-ass-hackers.
This "fee" is used to cover the cardholder banks losses due to fraud.
Not entirely true.
I am a merchant that has an online store. When someone commits fraud with credit cards, we do NOT get paid. The credit card company voids the charge on the customer's card, but we get hit with the bill, and service fees. It is a total loss. We've lost thousands due to internet credit card fraud.
To combat this we are requiring all credit card orders to be sent to the customer's billing address. Not too convenient, but it is the only way to be sure.
It was weird that the article concentrated more on the hacker than on the buggy software the hacker had exploited and on the company which was ready to submit to blackmail!
Except numbers were actually stolen in this case, and posted on some 3133+ web site.
"CyberCash Denies Fault in Security Breach Case" By Robert Conlin, E-Commerce Times, January 11, 2000
The following was reported: "A statement from the Reston, Virginia-based CyberCash declared that "ICVERIFY is a PC-based payment system, not a Web-enabled product, and is not being used by CD Universe on its Web site. Therefore, the credit card information cited in recent coverage could not have come from ICVERIFY.""
CDuniverse has admitted that it uses ICVERIFY. http://news.bbc.co.uk/hi/english/sci/tech/newsid_597000/597828.stm "This is called ICVerify, made by CyberCash ... CdUniverse confirmed they had not installed the patch"
semantics? CyberCash has a division named ICVERIFY that offers a product named NetVerify that is a Web-enabled product for its ICVERIFY software.
///////////////
Consider the following: "ICVerify Ships Payment Processing Software For Online Stores" by Jeff Sweat http://iweek.com/newsflash/nf668/0209_st6.htm Electronic-payment software vendor ICVerify Inc. today will begin shipping NetVerify, a transaction processing product that focuses exclusively on Web commerce sites. The privately held Oakland, Calif., company already has Internet commerce software, but has focused on creating products for point-of-sale devices and automatic teller machines. NetVerify lets the merchants and Internet service providers running online stores manage transactions and perform administrative functions from a Web browser, regardless of time of day.
///////////////
Also, http://www.icverify.com says: Access NetVERIFY anytime, anywhere from any secure browser. NetVERIFY allows merchants and administrators to remotely access key payment processing capabilities from secure browsers. Merchants can edit transactions, initiate settlement and generate payment reports at any time of day, from anywhere in the world.
I assume that CDUniverse (http://www.cduniverse.com) was flooded with emails from concerned customers such as myself. I sent them an email on Jan.9 asking about this situation, and on Jan.10, I received a reply. This is the email I received:
--------------------------------
Hello,
CD Universe has experienced a breach in security regarding credit card files. We understand your concern for the safety of your credit card. We are currently working with the credit card companies and contacting the affected individuals. For your safety, we suggest that you monitor your credit cards closely over the next few weeks and report any suspicious activity to your credit card company and CD Universe as well.
Amy
Customer Service Team
www.cduniverse.com
--------------------------------
-goon (ty)
Who the hell do you think you are, and what makes your screen real estate more valuable than anyone else's? It's people like you that will selfishly bring the internet back to the stone age.
Looks like they got owned quite badly... http://www.thisisnorthscotland.co.uk/scripts/edarchdisplay.asp?section=Local+news&ID=5583&source=NSCO
Good work!
story here
Actually, rumor has it that banks are routinely hacked/cracked and ransomed, and they pay the money to shut it up. The last thing they want is to go to the authorities and have their name splashed all over as COMPROMISED.
Law enforcement has actually been complaining about this - the crimes aren't being reported and thus are proliferating.
You will be decrypting it at some point; given conventional O/Ses (not B level etc.), if the hacker is in your system the hacker can get to the information.
If you're not going to decrypt it, then don't store it.
In the absence of secure O/Ses it's a good reason to have your webservers separate from your application and database servers.
Yes Linux is NOT secure. There is no easy and secure way to compartmentalise permissions.
Cheerio,
Link.
Time to short cybercash stock!
Do ALL online merchants do this? seems like a big mistake and of no use to the consumer.
Maybe this will open the eyes of the US government to allow for STRONG encryption and not the petty stuff we have now.
Credit card theft is way too easy; why is this such a big deal? Anyone with half a brain can easily steal numbers, so what's so novel about it?
Yes, it's called Microsoft IIS 4.0 :)
Just read an article that asserted 18% of all cell phone charges are fraudulent. Cell phone companies are off to a bad start.
I guess digital fingerprints are about to take off this year, Motorola has a $20 system. Wait until those are stolen. At least you can get a new SS number after much hassle, but once your identity has been stolen through fingerprints, your (credit) life is over.
sigh... to tired to log in...
Your comment is absolute bullshit
make the companies FIX their crap, not lock up some script kiddie for showing the world how shitty your security is
If you think the current law is too lax, you should educate yourself in the law...
Mitnick was looking at around 108 years for hacking related offences..that's more than 5 times the current "Life" sentence (20 years) that you might get for MURDER...
The government needs no assistance in passing laws.
Tadghe Djin
Banks have had a history of covering up various frauds. They don't want to attract attention that might be more damaging then the fraud itself.
No, if you put $10 on each of those cards you'd have 300,000 things worth $10 (not including shipping & handling). You'd have trouble dealing with 300,000 deliveries without attracting attention, much less converting to cash.
I want to be a 1337 h4X0r. I use AOL and Windows 98. My email is M4z73r_h4X0r@aol.com. Someone send me some w4r3z programs.
Storing Customer Credit Cards in a Database should not be necessary. What Visa/Mastercard/Amex should do is offer a secure service on the net. Send it a credit card and a merchant number, and it returns a unique number that can only be used to place charges on the given credit card for the given merchant. You could publicly make available this merchant authorization number since it wouldn't do anyone else any good. Whenever the customer orders something, submit this unique number instead of the credit card number to your bank.
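The scheme proposed above, written out as an added example. NetworkTokenService is a hypothetical stand-in for the card-network side (no real Visa/MasterCard/Amex API is implied) and MerchantOrderStore for the merchant; both names, the token format and the sample order are assumptions. The point it demonstrates is the one the post makes: a token bound to one merchant is worthless anywhere else, so a dump of the merchant's order table no longer contains anything a carder can use.

```python
import secrets
from typing import Dict, List, Tuple


class NetworkTokenService:
    """Hypothetical card-network service: exchanges a card number plus a
    merchant id for a token usable only by that merchant.  The vault below
    stands in for the network's own (non-merchant) storage."""

    def __init__(self) -> None:
        self._vault: Dict[str, Tuple[str, str]] = {}     # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        token = secrets.token_hex(16)                     # random; no relation to the PAN
        self._vault[token] = (pan, merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str, amount_cents: int) -> Tuple[str, str]:
        """Return (decision, reason).  A token presented by any merchant other
        than the one it was issued to is declined, so a leaked token has no
        value elsewhere."""
        entry = self._vault.get(token)
        if entry is None:
            return ("declined", "unknown token")
        pan, bound_merchant = entry
        if bound_merchant != merchant_id:
            return ("declined", "token not bound to this merchant")
        if amount_cents <= 0:
            return ("declined", "invalid amount")
        # The real network would now route the charge to the issuer using the
        # PAN it holds; the merchant never sees it.
        return ("approved", "card ending " + pan[-4:])


class MerchantOrderStore:
    """What the merchant keeps: the token, never the card number."""

    def __init__(self, network: NetworkTokenService, merchant_id: str) -> None:
        self.network = network
        self.merchant_id = merchant_id
        self.orders: List[Tuple[str, str, int]] = []     # (order_id, token, amount_cents)

    def place_order(self, order_id: str, pan: str, amount_cents: int) -> str:
        token = self.network.tokenize(pan, self.merchant_id)
        del pan                                  # PAN dropped as soon as the token exists
        self.orders.append((order_id, token, amount_cents))
        return token

    def charge(self, order_id: str) -> str:
        for oid, token, amount in self.orders:
            if oid == order_id:
                return self.network.authorize(token, self.merchant_id, amount)[0]
        raise KeyError(order_id)

    def database_dump(self) -> List[Tuple[str, str, int]]:
        """Simulates a breach: everything an intruder could read from the order table."""
        return list(self.orders)


if __name__ == "__main__":
    network = NetworkTokenService()
    shop = MerchantOrderStore(network, "example-shop")          # constructed merchant
    tok = shop.place_order("order-1", "4111111111111111", 1599)  # test number, not a real card
    print("merchant charge:", shop.charge("order-1"))
    print("same token at another merchant:", network.authorize(tok, "other-shop", 1599))
    print("what a breach exposes:", shop.database_dump())
```

The merchant still needs the network's authorization endpoint to be reachable and authenticated, but its own database has stopped being the high-value target; that is the whole trade.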
I have had pressure by management (evil!) to store credit card details in my database.
Amazon's One Click Shopping came to mind. Is this what they do? Store your credit card information?
Wheeeeeeeeeeeeeeeeeee!!!
The hacker term is already evil. Get over it.
i love it how people who wouldn't know a packet sniffer it it smacked them in the head are always proposing how you can do anything by just using a packet sniffer.
dude, put the issue of WebTechniques down before you hurt yourself.
At the risk of sounding like a total dick (hence the AC...) I would say that those companies with better security would be able to provide lower prices, and then attract customers turned off by the high cost associated with the companies who can't watch the henhouse better.
And in the case of large corporations I really don't feel too bad for them. In this case the guy offered to fix it first, then threatened to publish... If he had offered to charge reasonably I would have at least written back asking for proof, then paid the price for the fix, which is at least a legitimate business transaction. What really makes me wonder is whether the price he was asking ($100,000) is less or more than the amount of damage done to the company by actually publishing this info.
I think the real problem for the banks was and is the setup and operation of the global trust hierarchy associated with SET. The world is not prepared for this. To how many Joe Averages could you explain the necessary steps to get a consumer SET certificate? And how do you convince him to use it?
This article did a surprisingly good job of correctly using the term "cracker".
Wrong!!
The article again made the serious error of giving a bad name to crackers. A cracker is somebody who for fun defeats the copy protection in copy-protected games and other software.
We must do something to stop this improper use of the term. Send mail to ESR and various other people who advocate the misuse of the term 'cracker.'
Ricardo.
WRONG!
A cracker is somebody who for fun defeats the copy protection on copy-protected games and other software. It's an old term that goes way back, nearly as far back as the term "hacker."
Stop cheering on the slander of the cracker community.
SSL only secures the transmission channel. If you then store the information you collected through an SSL channel in a newspaper... To me it seems to be more a problem of securing their database. Have they set up a proper firewall and other common protection schemes to secure their operational data? I believe it's too simple-minded just to blame the OS or products they used. In most cases it's poor security administration.
Well maybe this post isn't as redundant as it seems. What was the weakness in the said server? Was it because the server wasn't using encryption? Maybe they weren't using SSH. If *everything* was strongly encrypted (like, low level ipv6 packet encryption) then breakins due to sniffed passwords wouldn't happen.
Security is as strong as the weakest link (the admin commonly being that link) but can be made stronger through the broad use of crypto (and the mass beating of dumb admins ;) ).
I think it's time that self-proclaimed "hackers" quit misusing the term "cracker." A cracker is someone who makes it his/her hobby to defeat copy-protection on games and other copy-protected software. You people are giving "crackers" a bad name with your blatant misappropriation of the word. Don't bother to check Air-Sick Raymond's "Rambler File," either, as he is one of the worst offenders.
Get it right people. This story is about a thief, not a cracker.
Y IZ EVERY1 MAKIN FUN OF AOL???? JUS BECUZ THEIR POPULAR DUZENT MEEN THAT THEY SUK! I USE AOL AND ITZ GR8! UR PROLLY DUM OR SUMTHING LOL ROFL
Be a good boy and put that issue down like the man said.
Just wash them before you try to play them, most look like they have been licked by a dog.
PS. To whomever scratched the John Henry CD - you suck.
sure, he shared ;). he was selling 100 ccs for 20$ just for fun. ehhe.
man. i know him very well. we're not russians. and we don't like our government. it has nice laws for us, but we don't like it anyway. it sucks.
So that's why ROB isn't releasing the /. source???!!!!!!
Believe it or not, the crackers do add some value (namely exercising the system - assuming they get caught and the exploits are publicized, which is probably kinda rare) and outlawing hacking would be a real bad idea. Discouraging the explorative mentality by introducing more law would set us all back. We have security professionals. Pay 'em :)
I disagree with the OP that increasing jail time would help prevent this, I disagree even more that technology will do anything. There's no such thing as absolute security, and all you're doing by creating better security is creating better criminals.
I don't think explicitly ignoring something really counts as "ignoring" it.
Of course I'm not kidding. Are you seriously trying to claim that homosexuality is not responsible for violent crime? Just last year two gay men were arrested in Tennessee or someplace for killing somebody. The connection is obvious.
The connection between homosexuality and communism is obvious as well. Homosexuals have, by definition, rejected God and embraced liberal politics. There is not a single widely-accepted gay member of the Republican Party. Therefore, they all must be liberals. This leftism inevitably becomes more and more extreme as time passes, leading ultimately to Communism. Then, of course, we have the Homosexual Agenda: They demand that the law not stigmatize them as deviants and criminals. Of course, if the law declares that they are "acceptable", this will lead to widespread acceptance. If the law does not disapprove, it must necessarily approve, right? It's one or the other, because it certainly can't be both. To approve is to encourage. To encourage is, effectively, to force, when we're dealing with the impressionable minds of young people. If healthy, heterosexual young men are not strongly encouraged in the right direction, they will never develop any interest in girls at all. Therefore, to legalize homosexuality is to coerce young people into practicing it. My logic is meretricious and my conclusions are undeniably indefensible. You may draw your own conclusions as you see fit, but if you are a Loyal American you will agree with me.
If healthy, heterosexual young men are not strongly encouraged in the right direction, they will never develop any interest in girls at all.
Absolutely hilarious! I say we just let Nature take its course and let women fight for what's left over :-)
They're still valid tho' mumbo
They're sniffing packets for CC#
That's where the rest came from
Nuff Said.
404 File Not Found The requested
To quote John Cooper Clarke:
What kind of creature bore you?
Was it some kind of bat?
They can't think of a good word for you,
But I can...
Twat.
shit like this happens everyday, except you dont hear about it until you see unauthorized charges on your credit card bill.
A couple of paragraphs from the article: ... Maxus appears to move about online using stolen accounts and relays his email through other sites to conceal the originating Internet protocol address, said Smith.
Apprehending Maxus will not be easy, said Richard M. Smith
"It's possible he could have slipped up somewhere along the way, but I think he's pretty free and clear and it's near zero that they will catch him," Smith said.
I would think that this guy would be able to be tracked down. Check out his writing style, scan newsgroups relevant to security and see if there's familiar styles. Also, there was an mp3 file on there. I didn't check it out, but if it is an actual song, that gives insight into what types of music he listens to, and irc and the newsgroups again can be watched in these areas. Plus, the article mentions that he's 18 years old and from russia. That narrows it down a helluva lot. Talk to the ISP's that the ip's were from, and see if they have ANY logs... Caller ID, whatever. Also it appears that he goes by this nick often. Don't know if any of you know of +fravia and +ORC but they had many teachings on stalking on the internet...
So the question is: is there a good possibility that this guy can be tracked down?
You betcha there is an incentive ... the banks have to eat the charge if they authorized it and the merchant followed procedures .... Banks most definitely do call customers to check on activity they suspect is fraudulent. Not all banks do this. The algorithms they run on accounts look at past and current purchasing patterns, velocity, which merchant is used, and so on. Sometimes instead of calling they just slap a stop code on the account so the next time an authorization request comes in the vendor gets the code meaning "call the charge in, we want to talk to you".
They have external read access on their database... it could (maybe it did?) just as well store credit card numbers for bog standard phone/mail orders, can't it?
I would if lots of sites used it and thought the same. What I would really like to see is a small A1 Orange Book (formally proven) open source operating system. Forget about all the US Gov stuff for A1, just do proofs. It should have process level security such that a CGI which is compromised with a buffer overflow (stuff too big to formally prove) has no access to even other spawned CGI's.
If it's so difficult then maybe there is a need for a third party site that specializes in online transactions. Online vendors would place a link on their page that takes the user to a trusted site. Here they can authorise a payment to the vendor with some confidence (perhaps), and pay one bill at the end of the month by post.
Umm, what exactly does cracking a server to access their database have to do with encryption of data? This was not an issue of weak encryption at all, more an issue of weak security on a server. That is not to say I don't totally agree that strong encryption is necessary, but someone sniffing and decrypting communications would be a better case for that argument to be made, not a server breakin.
Well, the only reason this is possible is that the credit card companies don't care. Introducing strong cryptography, challenge-response protocols and real online banking will make such frauds nearly impossible. All these technologies exist, but why aren't they implemented? Apparently the losses of the credit card companies are not enough to justify the move towards stronger verification schemes. This is also fine with everybody - the card owners are not liable for more than $50 of losses and the hackers have an easy source of income.
Do a web search for "digital bearer certificates" and "Robert Hettinga" for some interesting ideas on the future of electronic payment.
do waitresses have palm pilots in your area ?? way cool :)
Although I really do hate your negative way of giving feedback, after reading more interesting comments, I retrieve my comment for it was misinformed and outdated.
On the other hand, your comment almost pissed me off, no wonder you post as AC..
Well, one could always packet sniff to get sensible information, but it must be really long to get a reasonable quantity of information. But that doesn't mean people aren't doing it, and from my point of view, one could write log parsers to extract CC# from packet sniffing logs very easily.
;)
What really scares me about this news is that I don't understand why a company would hold my CC# in a database. Do you give your CC# to your drugstore just because you shop there once a month?
Aren't there some sort of PGP systems to use CC# information, with the help of CC companies like VISA and MasterCard? If people are ready to invest $billions in online commerce, why can't CC companies (who are right anyways) develop useful open standards to protect consumers? (buzzwords rock
Who said _just_ using a packet sniffer? You're over-simplifying the issue. The way I understood the original message was 'packet sniffing' as a _method_, and not as a simple act. Anyways, most things in life are very complicated, we just like to explain them in simple terms.
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
That looks an awful lot like Redhat -- while The Matrix runs on FreeBSD ;-)
Contrary to the popular belief, there indeed is no God.
> Linus doesn't steal, so why do you think it's Ok for you to?
Ahem. Do you do everything Linux does? Gimme a break. This has _nothing_ to do with Linux or Alan or Stephen or whoever. It's just a question of morality.
Well, the $50 max liability rule isn't made by the credit card companies. It's Federal law.
Recently similar Federal laws were passed giving similar protection to debit card holders. According to this site, there's a $50 or $500 limit depending on when you report the theft.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Domain names ending in - are illegal. Sorry.
:)
Yes, Amazon stores your cc#. But they also make a BIG deal about the security. I remember that they used to have a blurb on their web site about how the machine that stored the numbers was connected via a one-way gateway to the net, so it could not be hacked into.
Actually, that's not true. He's only making available the ones w/ old dates. These are the ones that will be useless soon unless they are used. He has the other ones, but he's holding onto them. These are the ones with expiration dates that are years away -- there is no urgency to use them, and it will be much safer to use them when some time has passed from this news story.
Oh yes, there's an idea - pay him off to shut up about it, allowing the consumer to be lulled into a false sense of security. They haven't fixed the problem yet - if they haven't yet, and the problem has now been widely publicized, who's to say that even if they HAD paid off the cracker, they'd ever have fixed the problem? Then you have the potential for yet ANOTHER cracker to come along and repeat the same song-and-dance!
Poor idea. Poor, poor idea.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Umm. You seem to not be aware that the majority of credit-card information transfers over the Internet (all, if you count the places where the site builders aren't head cases) are done via SSL. That certainly helps decrease the chances of someone in between snagging your CC info. I don't trust companies that keep your complete CC info for later purchases - for this very reason.
Let me ask Slashdot readers a question. Suppose you could get a version of Linux that ran 25% slower, but was highly secure, secure enough to run trusted applications in a leakproof environment and untrusted applications in a "sandbox". Would you run it? Would you buy it?
Would it even HAVE to be pay-ware? But that's beside the point - I for one, if I were developing an electronic commerce system and wanted it to run on Linux, certainly would consider such a thing. It's just the right way to do such things.
HELLO? McFly? This isn't an issue of encryption - it's an issue of an Internet-based purveyor of a service storing the credit-card numbers of their patrons in an insecure fashion, in the name of convenience. You could have had 1024-bit encryption end-to-end, but in this case it wouldn't have mattered at all.
Just because it's been done before (and even done frequently) doesn't make it a good idea. It's still a poor idea - just a poor idea that's been carried through on for the sake of keeping one's good name intact.
Why? Personally, I don't feel the need to boycott Slashdot, but I still filter out all banner ads from all sites I visit. I own my bandwidth and computer monitor and I don't let anybody use my property for purposes I don't approve of. If they want to advertise on my computer screen, they have to offer me a good price for my screen real estate and bandwidth. Short of that, no dice.
A lot of E-commerce companies put big efforts into making the "shopping experience" as easy and interesting for the user. Wonderful, the company stored your credit card number, you won't have to type it in again when you shop later!
This is particularly irritating since both IE5 and Mozilla (soon to be NS5) offer to fill in forms at the click of a button. Also, if the company wants to store anything in their database it should be a one-way hash (MD5 or equiv) of the card number, _not_ the number itself.
--
Odds of being killed by lightning and winning the lottery in the same day: 1 in 2^55
The root of this problem is that credit card companies are being negligent. No credit card transaction should be considered valid without a signature. For meatspace purchases, this could be done with pen and paper. On the Internet, it could be done with public key encryption - the cardholder would put a public key on file with the credit card company that would be used to verify signatures on charge requests. Charge requests with bogus signatures would get denied. Charge requests submitted twice would be denied. Modifying a charge request would invalidate its signature.
Secure, anonymous digital cash is also a solution. It would be nice to see a Free digital cash standard emerge. Digital cash would also eliminate many of the privacy and fraud problems inherent in today's credit card transactions.
However, maybe in the long run this event is good. I think the best way for companies to learn how important security is is to have lots of really irate customers like CDUniverse will have. Also, maybe other companies will look at this and say, "hey...let's make sure our security is beefed up so this doesn't happen to us."
Hopefully people will start realizing that transfer encryption is only a small part of security. Once it arrives, protecting confidential data is a continual process.
--
Mankind has always dreamed of destroying the sun.
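The signed-charge scheme described in the post above, worked through as an added example (not code from the original thread): the cardholder signs each charge request with a private key, the issuer verifies it against the public key on file, refuses a request ID it has already honoured, and rejects a request whose amount was edited after signing. Ed25519 from Go's standard library stands in for the unspecified public-key system; the request format, account ids and amounts are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ChargeRequest is what the cardholder signs. The format is constructed for
// this example; note that the card number itself is never part of it.
type ChargeRequest struct {
	RequestID string `json:"request_id"` // unique per request, so a resubmission is detectable
	Account   string `json:"account"`    // identifies the cardholder (and thus the key on file)
	Merchant  string `json:"merchant"`
	Cents     int64  `json:"cents"`
}

var (
	ErrUnknownAccount = errors.New("no public key on file for this account")
	ErrBadSignature   = errors.New("signature does not verify (forged or modified request)")
	ErrReplay         = errors.New("request id already honoured (duplicate submission)")
)

// Issuer stands in for the card company: it keeps each cardholder's public key
// on file and remembers which request IDs it has already authorised.
type Issuer struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Enroll records a cardholder's public key; the private half never leaves the cardholder.
func (i *Issuer) Enroll(account string, pub ed25519.PublicKey) { i.keys[account] = pub }

// NewCardholder generates the cardholder's signing key pair.
func NewCardholder() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the cardholder side: serialise the request and sign the exact bytes
// that will be submitted. Returns the message and its signature.
func Sign(req ChargeRequest, priv ed25519.PrivateKey) (msg, sig []byte, err error) {
	msg, err = json.Marshal(req)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// Authorize is the issuer side. It looks up the key for the account named in
// the request, checks the signature over the raw bytes (so any edit, e.g. to
// the amount, invalidates it) and refuses a request ID it has seen before.
func (i *Issuer) Authorize(msg, sig []byte) error {
	var req ChargeRequest
	if err := json.Unmarshal(msg, &req); err != nil {
		return err
	}
	pub, ok := i.keys[req.Account]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	if i.seen[req.RequestID] {
		return ErrReplay
	}
	i.seen[req.RequestID] = true
	return nil
}

// TamperAmount models a merchant (or someone in the middle) editing the
// amount after the cardholder signed; the signature no longer matches.
func TamperAmount(msg []byte, from, to int64) []byte {
	return bytes.Replace(msg,
		[]byte(fmt.Sprintf(`"cents":%d`, from)),
		[]byte(fmt.Sprintf(`"cents":%d`, to)), 1)
}

func main() {
	pub, priv, _ := NewCardholder()
	issuer := NewIssuer()
	issuer.Enroll("cardholder-42", pub) // constructed account id
	req := ChargeRequest{RequestID: "req-0001", Account: "cardholder-42", Merchant: "example-shop", Cents: 1999}
	msg, sig, _ := Sign(req, priv)
	fmt.Println("first submission:", issuer.Authorize(msg, sig))                         // <nil>
	fmt.Println("same request again:", issuer.Authorize(msg, sig))                       // ErrReplay
	fmt.Println("amount edited:", issuer.Authorize(TamperAmount(msg, 1999, 199900), sig)) // ErrBadSignature
}
```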
I understand that, but 40-bit SSL encryption is nothing to get happy about. It's still an insecure medium allowing a man in the middle attack. This is still less secure than a properly implemented username/password scheme.
The reason that on-line merchants store credit cards on the server is mostly convenience, but partly to prevent the customer from repeatedly sending their credit card number through the insecure medium of the internet.
My electric company works in a similar way. I call them up and agree to pay this month's bill. I don't give them my credit card (which I only provided to them once). The service representative does not have access to my credit card number, they just enter the amount into the system and let it verify with the credit card company. Now granted, someone else might be able to pose as me, but they're just paying my electric bill for the next few months.
The idea behind storing the number on a server is to transmit your number once, then send a username/password after that. A man in the middle looking for credit card numbers doesn't see yours, and at least presents him the challenge of having to figure out where the username/password was headed and provides some way to track the person who stole it, since he can only buy from that vendor.
In that respect, I'd prefer to use vendors who store my credit information on the server and issue me a password. Of course, that's provided that they don't do something stupid like make the database server internet accessible.
You do not understand. If he is Russian, he, of course, works with blessing of the Government. If he were American, he, certainly, would be an individual.
Incidentally, how exactly did they figure out this guy is Russian? His own claim or what?
The cards must be entered through an SSL-encrypted form. Anyone who would enter their credit card info in an insecure form deserves to be ripped off.
The point of my post is that once they are encrypted properly, you can damn near store the encrypted card numbers in your .sig file - ain't no one gonna decrypt them.
There are several reasons for storing the credit card number on the server. Monthly billing, future purchases, etc. etc.
As for the processor, I can't disclose (under NDA)
It is stories like this that make people think about the issue.
(Off-topic rant - I've had this building up for a long time.) I have decided to join the Amazon boycott. This has resulted in me not buying books at all. I now go to the library instead. I tried Barnes and Noble, and I tried a few web stores.
Barnes and Noble pissed me off the most. It is no wonder people don't shop on their site. It fails to render properly in anything but the latest versions of IE and Netscape. I don't see why a site I go to to buy stuff has to use 15 layers of nested tables. Use anything else, like Opera, which I prefer, and it has all kinds of glitches and table fuckups. That's besides being just plain ugly and using NT.
Boycott Amazon.com! Take a trip to your nearest library.
Everyone encrypts CC numbers on the way to the server. But are they encrypting them once they get there? Storing CC numbers is OK if it's done right.
The REAL losses are covered by the big corporations, and I couldn't care less about them. Don't bitch about the lack of security - it doesn't harm any REAL people, only corporations.
That's quite a myopic vision of finance. If the "corporations" lose money, where do you think they make their shortfall from? They increase your bank charges/card charges. Your goods cost more, as the prices are hiked up a few percent to cover fraud. Same for advertising - part of the cost of any 'brand' product you buy is fed back into advertising and making people buy more of that product!
When oh when will people wake up and realise these basic things?
-Exasperatedatron
Actually, I prefer the current situation. Since the system is known to be flawed, I'm only liable for $50 if someone steals my CC number, and in many cases, not even that.
If a secret, proprietary and "secure" system will be put in place, shortly afterwards customers will be liable for all transactions carried out in their name. Once someone figures out how to hack into this newfangled system, we're all in trouble. Good luck explaining to the courts exactly why a complex security system is insecure, and how someone could have presented themselves as you online, and bought those 3 Ferraris.
Either that, or I'm just paranoid.
The story calls the thief a "cracker". Excellent! :-)
TomG
The difference between online credit card theft, and someone stealing your card at a local store, is the numbers involved. In one day, this guy compromised 25,000 credit cards, and claims to have a few hundred thousand more. There's every reason to believe he does, too, and that next he will post them all to an IRC channel somewhere, and he probably has already shared them with his friends.
Now, if you are Mastercard, Visa, or AMEX--what do you do now?
It's going to cost a LOT of money to replace 300,000 credit card numbers--especially when you can only identify 25,000 off the bat!
If some guy was stealing cards at a store, he would get caught. The CC security guys run complicated statistics to figure out what the common link is between a group of credit card thefts. They'd find out it was this store, put it under surveillance, and arrest the guy.
In the case of the website--they might be able to find this guy, but even if they do he's in Russia, which probably hasn't got a lot of good internet laws on the books they can use to get at him. He'll probably wind up serving a year in jail, or maybe with all these CC's he can come up with the cash to bribe his way out.
As an individual all you can do is take precautions. The biggest one being you should probably have a CC with a low credit limit just for the purpose of internet shopping.
I agree with the previous poster--a scheme which securely transfers money would be preferable to sending CC's over the internet. The risk on the internet is that a breakin compromises hundreds of thousands of CC's at a time, costing the CC companies BIG money, which they will ultimately pass on to you in the form of extra charges.
--
--
"Insert witty quote here."
Judging from the number and content of the comments in Russian, I will bet a lot of that credit card holders will be surprised to see their bills soon. Most shops in Russia do not do a good job verifying cards, and it would be kinda hard to get to them to reimburse the charges. Oh, well, not that I will cry for US credit card companies..
<^>_<(ô ô)>_<^>
But you'd still need a Credit Card database somewheres. So, all you've introduced is more hassle. What they should do, is beef up security, and not be so stupid as they were this time.
--
Insert Witty Sig Here
Whats the point of having a secure connection, and a secure Credit Card database? Those idiots should've made sure the server was secure.
I used to be a big supporter of e-commerce, until I found out someone put $400 dollars worth of net material (mostly porn) on my card. (I got it back by the way, with the exception of a charge for a bounced check, which my bank (Fleet sucks) wouldn't take responsibility for.) The problem is these huge handling companies like the ones shareware and porn ppl use that accept credit cards without question. When I followed the paper trail the company had my info wrong and a bogus e-mail. When asked if they were going to try to catch the perp, they said it is a common occurrence and wouldn't be feasible. Needless to say I reported them to my local police, and every customer protection agency I could find. Since I purchase all my computer stuff online, and I am an Amazon hound (O'Reilly rules) I decided to get a card just for CC transactions which I monitor like a hawk; this is in collaboration with my CC company. I banned all porn handling companies from it, and changed all my other card numbers on a regular basis. Yea I am paranoid, for good reason I think.
yea yea yea I never copy pasted to Word to spell check, so sue me, tacho why don't you code a spell checker into this thing.
I hate this and I'm mad. Credit card protection is crap. What's the use of absorbing the cost if it all goes back to high interest rates? Credit card companies should be responsible for coming up with more secure methods. I can purchase anything on say QVC with a valid name, CC # and expiration date and have it shipped wherever I want. WHY !!!! WHY !!!! WHY !!!! This is crazy. There needs to be a better form of authentication that requires live authorization from the owner and only the owner. Not just a signature but a unique ID. Yea yea big brother, but you know it's a necessary evil.
well yeah, but you'd also need to pay the electric bill :(
;)
So you just get another card to pay the bill
If fraud did not exist, VISA would find itself under competitive pressures to lower its fees and interest rates. The credit industry is cut-throat.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
if you have a decent relationship with your bank, and they're not a bunch of twinks, you should be able to work something out with them should this particular wave of fraud affect you - even if you have a debit card.
Sure, but how many people are that lucky? The point I'm making is that there is no such legal protection, but many people assume that there is because they're familiar with credit cards. Debit cards may look like credit cards, and use the same sale procedures, but legally, they're not the same.
This article did a surprisingly good job of correctly using the term "cracker". I for one would like to congratulate InternetNews.com for NOT including the word hacker in their story. Good job.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
This guy's got it exactly right. WTF designs a system that stores sensitive data on a net accessible host? At least offload the data to a separate system that's a bit more difficult to access. And if you let some company store all the credit card info needed to charge a purchase to your card, you are a fool. You don't trust some guy in a restaurant? Well, somebody has to have privs to read that CC database...and that DB sticks around for a looooong time....not a day or two like a paper slip.
Blar.
Well, it can't be happening that often for them. Reason I say this? The most you are liable for on a creditcard is $50, anything larger than this is their loss. So, unless we are being nickel-and-dimed in a cunning low key way (which would take a long time to return a profit and thus be vulnerable to audits) the risk/loss would be too great for the credit companies. They would be upping the amount we are liable for considerably. Perhaps I'm just naive. Why is the liability so high? ;)
So. What kind of dipshit e-commerce company keeps their customer database ONLINE? Gee. That takes a REAL BIG CRANIUM.
Card numbers should either be removed as soon as the transaction is complete, or at least logged to a secure system. The machines performing transactions should be highly isolated.
Something like this should NEVER happen.
Then it's a good thing i keep my bank account already cleaned out before somebody breaks into it... ;-)
C.
(Sorry for the shouting. I just had to get it out.)
Could anyone tell me why that company would put 300'000 credit card numbers on an online server, connected to the Internet, probably in plaintext? That's kind of tempting a little too much Murphy's laws.
Just imagine if a country/state placed its power grid controls on a server on the Net? Would that be reasonable? However secure a sysadmin thinks his machine is, that's his first responsibility to warn that new holes are discovered every day on every OS...
CDuniverse.com is totally irresponsible [i.e. should be held VERY liable for any damage that ensues]: if you think of it, they were not only toying with a couple of credit card numbers; they were toying with a value of 900M$ (if you give a - very pessimistic - 3000$ mean value to each credit card number). Or 9M$ if only 1% of the credit limits are used.
I seriously think someone should look into that seriously, and hold CDuniverse.com responsible for damages that would ensue. Unfortunately, there are so many blunders (and avoidable) mistakes done in the IT field that I would not be able to recommend holding them 100% responsible for the damages. Not before a couple of years pass, at least...
C.
One can't help but wonder how the pickpocket was able to get a cash advance. Did your mother-in-law have the PIN printed on the card or something? If so, that's dumb, dumb, dumb.
This is the first of what will be many similar stories.
It is important to note that no credit card customer had to pay a single cent for their stolen cards. Without a signature, all charged transactions could have been reversed.
The thing that gets me, is that this will separate the smart companies from the dumb.
Or, perhaps the forward thinking, from the offended.
Here is an 18 year old russian. (perhaps)
He is likely unemployed, and has since learned more skills than any single person at CDuniverse.com. He knows how to check security systems, and make systems secure, as well as hide his identity. Skilled and experienced beyond 99% of the tech population.
All he is asking for is $100,000. why? just a random number.. that sounds like a lot of money.
What CDuniverse.com did -- nothing.. then call the feds when they called his bluff. -- stupid.
What they should have done -- OFFERED HIM A JOB !!!
i am not kidding. this is a good kid. if he was bad, he would have used them for himself.
he would have given them out on IRC without telling anyone.
if he was bad, or dumb, he would not have gone through the trouble of contacting CDuniverse.com several times to ask them to allow him to fix the hole.
He simply wanted recognition of his greatness, and to be paid for it.
CDuniverse.com however was offended... and didn't think some 18 year old Russian could hurt their business. Now it is out all over the news, and I'll bet their sales are down.
They likely could have paid him $40k a year to work on contract.. but no, they would rather lose.
Companies are afraid of the internet because 18 year old freaks know WAY more than they do... but instead of hiring them, they choose to ignore them...
bad decision in my books.
your opinion?
what do you expect to happen ?
they have a huge database just sitting there.
its just waiting to be hacked and
I love the panic that comes from credit card number theft in an on-line context. To the worrisome masses that own and use credit cards but don't use them to purchase stuff online:
Have you ever used your card to pay for a meal at a restaurant and the server walks away with your card and comes back a couple minutes later? It is the same risk, you don't know if you card number is being copied down by someone whilst out of your possession.
Any decent credit card company offers protection against fraud anyway - some specific to online transactions like American Express for example. I'm an AMEX card owner, have unfortunately taken advantage of this benefit in the past, and they took care of EVERYTHING.
Perhaps I'm oversimplifying the situation, but I see it no different than in the off-line world of financial transactions - no more or less risky. Buy freaking gold bullion if you can't handle it.
Speak truth to power.
(transfer the money, not the card number)----- With the new smart cards coming out (like the American Express Blue card), that's exactly what will be done. No card numbers will be sent. The money will be transferred from the card through AMEX to the site.
The two most common things in the Universe are hydrogen and stupidity. -- Harlan Ellison
They could charge the cards to *themselves*. Also, I know someone who used CC numbers he got off IRC to create Xpics acount with his referal numbers. He only did it a couple times though, we convinced him it was a "bad" idea...
"Suble Mind control? why do html buttons say submit?",
ReadThe ReflectionEngine, a cyberpunk style n
My mother-in-law had her wallet lifted by a female pick-pocket (who, incidentally, looks NOTHING like my mother-in-law) who ran up a $5000 tab on it in about two hours. This was through a combination of cash advances and purchases. When my mother-in-law realized her wallet had been stolen she called the card companies and had her accounts frozen.
For the past four months she's been fighting the card companies with police reports, video (from the ATM where the cash advances were made), and the obviously forged signatures. They claim the entire $5000 is her responsibility, despite overwhelming evidence to the contrary.
DON'T believe it when you hear that you're only responsible for $50--the CC companies are in the business of making MONEY, and they'd rather get their $5000 and lose you as a customer (and they can afford much better lawyers than you can, so forget lawsuits) than eat the $4950 worth of theft. They can always find more suckers to sign up.
-----------------------
To understand recursion, one must first understand recursion.
If you must give in to your elitist flaming side, could you at least list a reference to either an individual example of such a book or a more complete listing of books in that vein?
Thanks...
--
Gellor
And 300000 numbers were stolen? Either the story has a bug, or this help page is out of date...
Are there any links online to records of credit card fraud online? How do those figures compare with real world fraud?
Micah
Take some time next month to learn what "open source" actually means.
I have seen the future, and it is inconvenient.
Borders.com and, of course, ora.com
Although it'd be nice if O'Reilly could tell you whether something was on backorder when you ordered it, rather than via email at an unspecified later time...
itachi
Your assumption being that without fraud, Visa would lower our bills. HAH! Fat Chance of *THAT* happening!
peace
Mike
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
IMHO, the easiest way to avoid problems like this is to simply not have a credit card. Of course, I'm not referring to simply this situation, in which the database was stolen, but in general, in the physical world and in the world of the internet. However, as we all know, that wouldn't be so fun because if you want to order something online, you have to have a credit card. Hence, risk. If you want to charge something in a store/restaurant/hotel/etc. that you are physically at, you have to have a credit card. Hence, risk. oh well
I know we all knew that, but.. the thing is, like you said, if you're going to have a card, just go ahead and use it online and off. you have the same risk either way, no?
Insert mind here.
The cc companies don't bear the burden of credit card fraud. Merchants are responsible for paying back the card holder. Even if you have no evidence, you only need to state that you did not make the purchase and the merchant must return any payment it has received from the credit card issuer. It is then up to them to try to track down where the goods were delivered and retrieve them.
How we know is more important than what we know.
This suggestion is also totally useless.. To retrieve a credit card number you need to do a manual insert/removal of the key which is probably kept in a locked box in a safe, with an alarm system on it, right? Well if I want to manually retrieve a credit card number, all I have to do is ring my banking representative, give the reference code on the transaction and my bank issued authorization password and they will give me all the information about the transaction. The only legitimate reason that merchants have for keeping credit cards is so they can do reversals. When someone buys something the merchant charges the card instantly. If by some freak occurrence the merchant doesn't have enough stock (they should not be charging the card unless they know they have enough stock), the merchant needs to be able to give a refund. The merchant is going to have to contact the customer and tell them that there isn't enough stock, so at that point they can get the customer's credit card number and do a manual charge back.. without us having to store the credit card details. Alternatively they could just send a cheque to the customer. Which is probably a better idea because if a merchant does more than 5 to 10 chargebacks a week they go onto a merchant fraud hotlist at the bank. More than 20 and they are likely to have their merchant account suspended.
How we know is more important than what we know.
Well the key won't be stored on a server, usually an employee PC... finding on which PC, and in which directory, if any, is the private key is a tedious task. Plus, the key could be stored on a removable media that is not always in the drive (floppy/CD). Plus, you still need a password to open the private key, so even with the private key file the hacker still has to "unlock" it (at least that's how GnuPG and PGP work). IMHO this is still ultra-high security overall.
Whats the point of having a secure connection, and a secure Credit Card database? Those idiots should've made sure the server was secure.
I agree on that, but since no system is 100% secure, having an encrypted database provides a last and ultimate security, should the system be cracked someday.
Process the CC# thru PGP before storing it... the hackers may get the encrypted CC#, but won't be able to do anything with it.
But how do they store their CC# in their database ? In plain text, it seems... the weak point.
And how are the CC# stored ? Plain text ? Encrypted ? If this is plain text then your security is null, as this is a really weak point. Encrypting the database is the ultimate protection, one that protects you even if your whole system is cracked.
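Encrypting the stored card numbers with a key the web server cannot use to decrypt, as the comments above describe, shown as an added example rather than anything from the thread: the shop's web tier holds only the public key, the private key sits with a separate back-office process, and a dump of the order table yields ciphertext alone. RSA-OAEP from Go's standard library stands in for PGP here; the order ids and the card number are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WebTier is the Internet-facing shop. It holds only the public key, so it can
// seal a card number into the order table but can never read one back.
type WebTier struct {
	pub   *rsa.PublicKey
	table map[string][]byte // order id -> sealed card number (stands in for the database)
}

// BackOffice holds the private key and lives off the web tier (the post's
// employee PC or removable media). Only it can recover a number, e.g. for a refund.
type BackOffice struct {
	priv *rsa.PrivateKey
}

// Setup generates the key pair once; only the public half is handed to the web tier.
func Setup() (*WebTier, *BackOffice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &WebTier{pub: &priv.PublicKey, table: map[string][]byte{}}, &BackOffice{priv: priv}, nil
}

// StoreCard seals the card number with RSA-OAEP. The order id is used as the
// OAEP label, which ties the ciphertext to its row: a sealed value copied to
// another order will not open.
func (w *WebTier) StoreCard(orderID, cardNumber string) error {
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(cardNumber), []byte(orderID))
	if err != nil {
		return err
	}
	w.table[orderID] = sealed
	return nil
}

// Dump is what an intruder with read access to the web tier's database would
// see: only ciphertext.
func (w *WebTier) Dump() map[string][]byte { return w.table }

// Exposed reports whether a plaintext card number appears anywhere in the dump.
func Exposed(dump map[string][]byte, cardNumber string) bool {
	for _, sealed := range dump {
		if bytes.Contains(sealed, []byte(cardNumber)) {
			return true
		}
	}
	return false
}

// OpenCard is the back-office operation: decrypt one row with the private key.
func (b *BackOffice) OpenCard(orderID string, sealed []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b.priv, sealed, []byte(orderID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	web, office, err := Setup()
	if err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed test number, not a real card
	_ = web.StoreCard("order-1001", pan)
	fmt.Println("plaintext visible in dump:", Exposed(web.Dump(), pan)) // false
	got, err := office.OpenCard("order-1001", web.Dump()["order-1001"])
	fmt.Println("back office recovers:", got, err)
	_, err = office.OpenCard("order-2002", web.Dump()["order-1001"]) // ciphertext moved to another row
	fmt.Println("opened under the wrong order id:", err)
}
```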
SSL 3.0, RC4 with 40 bit encryption (Low); RSA with 512 bit exchange
.{redmist}.
-------------------------------------------------
just turn off javascript in your preferences.
the autorefresh is a javascript line.
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
here's my semi-informed answer
when you get the cc number, process it immediately, and don't keep it anywhere on your system
of course then your processor could always be hacked, but that's a different story isn't it?
Need a Catering Connection
hmmm why would you pay interest on your credit card? it's an awful big waste of money
same goes for an annual fee, i recently got my first credit card, no annual fee, and no way i'm going to pay interest
hmmm, which credit card processor will process cards like that for a cost that the people who use the service i set up (not that i set it up well or anything, but i get $7.50/hr and only work part time....) will be willing to pay, and i'll take a look at it.
also re storing credit cards on the server, as far as i know, there is _no_ reason to do that for a one time purchase thing anyhow, which is what a lot of the customers are selling
ok point taken
If you wanted to put $10 on each of those credit cards you'd be $3M ahead. That's no small job.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}return(0);}
OFTC: By the community, for the community
hehe it's funny that with all our security thingies and 128 RSA encryptions, a simple contract proves to be safer than all that :)
mvg,
Kris "dJOEK" Vandecruys
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
Security improvements, and fixing exploits aside, it is the law that needs to be changed. I would like to see the introduction of higher penalties for this sort of crime, and the law has to be international.
Already in Australia it is a penalty of 2 years imprisonment for obtaining access to data without authority, and 10 years of imprisonment to damage, insert or delete data without authority.
However, I believe that the majority of credit card #'s that are stolen or taken advantage of without the owner's knowledge over the internet are taken by kiddies and their credit card # generators. Most sites are secure and are not broken into by hackers. If (the myth that) most sites were broken into was true... someone with a fair amount of brains would have cracked a college application website and got ssn #'s and addresses and other crap and done a whole lot more damage to a person, or cracked an online banking service by now and screwed over thousands.
The intent of the people stealing credit card numbers is usually not to damage people, but is for personal gain. Simply, they want the money. They won't get a free Rio, or whatever else they want by getting someone's address, hunting them down and killing them. As well, college application information is usually not stored online, but rather sent via secure form and stored locally at the college.
Personally, I doubt that this guy did what he says he did. Had he done it, Interpol/Russian Cops would have gotten involved right away and tossed him in the clink - or at least paid the blackmail $.
Apparently, you do not understand much about the current state of Russia. If you, for example, were to send $5 to Russian relatives, it would make it maybe as far as the main post office in Moscow, not sure if they check all the mail before that or after it. The Mob has an amazingly large pull over that country now, and of every $1 that America sends in foreign Aid, I believe the mob gets about 60 cents of it.... They really are in no state to waste their time paying $100,000 dollars to some Hacker, or trying to apprehend him.
---------------
Yes! That guy!
From the original message:
:-/
then buy one box per credit card
That is stealing, as this would be using other people's credit card numbers. "you could," sure, but I don't really want the Linux community to be associated with a band of thieves in a public forum
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The only way people are going to learn that they need better security (encrypted credit databases, certificate based 'internet' cards) is for stuff like this to happen. While I feel bad for the people who had their credit cards ripped by lame people who saw the site, I do think this was very cool of the hacker to do. He could've dumped the database and sold it to God knows who, but instead he put it out for the whole internet to see. Doing this draws attention to the problem and obviously gets the hole fixed.
While there is some merit to this, it also all depends on your bank.
A couple months ago, my car insurance company read a $197 check as $797, which bounced and caused an overdraft in my account. They said, "oops, sorry" and sent the check through again, and it cleared. In the midst of all these colossal screw-ups, my bank recalled the extra $600 to my account, and refunded me my overdraft fees.
My point in all this is that if you have a decent relationship with your bank, and they're not a bunch of twinks, you should be able to work something out with them should this particular wave of fraud affect you - even if you have a debit card.
"During your times of trial and suffering, when you see only one set of footprints, it was then that I was riding the pogostick."
A good traveller has no fixed plans and is not intent on arriving.
They'll never sell another CD again.
Whats to blame? Was there a gaping hole?
-Oy Vey
Why would they charge more to offset losses due to fraud? If the goal of the business is to maximize profits, they are going to charge the amount that makes them the most money. Businesses just don't decide "oh, we need to make more money, well, let's raise prices". It will either lose them enough customers to make it not worth it, or it won't, in which case they should have done it in the first place.
This is especially disgusting when banks claim that they need to charge 21% interest on credit cards due to fraud losses. If they were truly concerned about fraud, they would implement at least a moderately secure system.
"The REAL losses are covered by the big corporations, and I couldn't care less about them. Don't bitch about the lack of security - it doesn't harm any REAL people, only corporations." This doesn't affect any REAL people? Who pays those "big corporations" bills? The REAL people who use the cards pay them. Sure, some of it is offset by the small fees that merchants pay for the "privilege" of being able to offer Visa, Mastercard, etc services, but the vast majority of the cost is paid by the customers. It's neatly wrapped up in the interest rates you pay, the yearly charge for the card (if any), and the REAL first $50 you pay in liability charges if someone ab/uses your card. Sure, they don't put a monthly "$5 of your interest payment went towards credit card theft losses for the company" but.. it's in there. Anyone thinking that credit card abuse doesn't affect their bottom line is sadly mistaken. Nothing in life is free.
(Shameless plug): ProcessTree - Put your idletime to use.
At least maybe we can get rid of the weaker implementations. If this media attention causes the online merchants to start looking for more secure systems, maybe we can get some better standards.
Since the Mom and Pop online merchants are archiving credit card information for customer convenience we need to get them encrypted quickly before they hit the hard drive.
Personally I would not mind entering my credit card information fresh each time I made a transaction if I thought that would reduce the risk of it getting stolen. I said reduce since unless the server is using a devoted crypto card you could still lose your credit card numbers in real time.
The guestbook is pretty funny too, what's up with it. Looks like our AC's been hanging out there :)
mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.
I really don't know enough about what steps companies take to try and protect credit cards and other info (well, other than SSL) to post an intelligent commentary, therefore I will post a mini Ask Slashdot:
emmons asks: "A friend of mine is setting up an e-.com site and wants to know how he can make sure the customer's data is as safe as possible. He knows that SSL is a must, but what can he do server side to protect the data from crackers? What do other sites do (if anything), and if what they do is not enough, how can it be improved upon?"
-----
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
In all fairness, ransom is the word in question here.
Personally I reckon CD universe should be boycotted and driven off the net, and little bas*ards like Maxis too. I would almost lay bets that if they did pay the ransom, the numbers would still be made public anyway.
--
WorldServe Consulting
The ones who do this can :-)
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
Greetings,
I recently read about the violation of CDuniverse's security regarding the credit card theft. I am displeased, as a customer of CDuniverse, to have heard about this from an online media source rather than your company. I would like to know if my billing information has been compromised.
My order was placed under the address druid@phreebyrd.com, and my full name is Daniel C. Bennett.
Sincerely, Dan Bennett
Why don't the banks care? Well, it doesn't cost them any money, now does it? The merchant and the consumer always lose. (Mostly the merchant)
Unless of course they cannot recoup the damages directly, then it cuts into profits, or their being able to pay a bill, etc. Either way they don't take the damages, they pass the losses onto the consumer through increased prices, less discounts and coupons etc. That's one of the reasons credit cards are so expensive (besides the fact that they can get away with it), what do you think banks do when you call to have an item taken off your bill? They pass those losses straight back to the consumer through interest and monthly fees. Either way the consumer loses, and business is right where it was before, as though it never happened.
Does anyone else think that storing credit card numbers *at all* is just a bad idea, except for the credit card company itself?
Information like this that needs to be secure for a particular person should *belong* to that person and only be used for the duration of a transaction. There are far too many ways to get unfair and/or deceitful charges on an account later if everyone is holding on to your credit card information. There's really no fair reason to hold on to credit card information after the transaction is complete. The risks far outweigh the benefits of any such reasons.
Put up a firewall and don't allow it to happen. Only allow access from the host that is serving up these pages and then, require an encrypted channel. This seems ridiculous in this day and age that the 5 year old M$ professional fuck heads can't get it right.
that's fire under their asses.....
What? Where have you been? It's not stealing, it's ok to copy linux. It would be larcenous to download it over and over, 100,000 times, stealing all that bandwidth.
It would be grand larceny, conspiracy, and crossing state lines if one were to buy a copy of NT for each of those machines, and it would teach you the lesson that there is no honor among thieves, when you discovered that you couldn't cluster them, and your co-conspirator walked away with all the booty.
P.S. BTW, I didn't say it was ok for me to do it. What I said was, "you could."
You could download linux, then buy one box per credit card, and build one huge beowulf cluster :)
now the hacker term will turn evil..
what a great day
'Mullethead. A hairstyle that's a way of life'
i think we shouldn't use the term cracker for someone who steals credit card numbers.
instead, we should call them 'criminals' or 'thieves' or something that suits them well instead of a deviation of the respectable term 'hacker'.
i, for one would like to see that, since 'cracker' is used to label people that crack copy protection algorithms and the like. that takes skill, and they get respect. the people that made DeCSS are crackers.
wake up dammit.
In the first case, any security system can be overcome and the concepts of diminishing returns apply. You can throw a great deal of money at the problem which you pass along to your customers in the form of higher prices or you can suck up the risk and pass the theft losses along to the customers.
What it seems is that it is more cost effective for companies to do the latter than the former. Part of the reason is that a lot of the costs don't ever hit their balance sheets (the costs due to the impacts on individual customers) though they may see it indirectly because of the loss of that customer base.
You're correct in your statement that they are going to charge the amount that makes them the most money. But how do they arrive at those prices? They find out how much it costs to produce (which includes costs due to fraud -- they are real, quantifiable costs) and add a profit. Assuming a reasonably uniform distribution of fraud, everybody has the same hit so all prices reflect the same inflation due to fraud.
Remember, a lot of these costs are going to be passed along (a) to an insurance company who passes along to everyone they insure, or (b) the government, as a loss on their profit/loss statements, which mean reduced taxes which get passed along, sooner or later, to everyone.
Further, price is not the only driver in determining who you are going to shop with or what brand you will buy. You may pay 0.1% more for an item from a particular vendor because he is more responsive, is better organized online, has a larger selection, etc. So, your support for these reasons is funding his lack of security.
Don't get me wrong - I'm not saying this is not a boneheaded thing on the part of the vendor nor am I implying the vendor will go through this unscathed. However, IT IS FACT that the theft costs get spread across the entire economy. We'll be paying for it eventually.
The little guy just ain't getting it, is he?
Right - except the big companies don't eat the cost. They just pass it off to their customers by charging higher prices for their goods. Basically, every consumer, regardless of whether they have a credit card or not, pays for the stuff ripped off by using a stolen card number.
I hope you win.
I would much rather type my credit card number in every stinking time I buy something than trust somebody else's code to keep my info safe (don't know that I'd trust my own, for that matter).
It's a whole lot more hassle to deal with an unauthorized purchase than typing in 16 numbers.
Definitely call your bank and cancel the card! The rules for loss and fraud are different for debit cards than for actual credit cards. They don't have the same $50 rule! It's actually a lot safer to do your transactions with a credit card than with a debit. I came close to finding out the hard way.
"The truth will set you free, but first it will piss you off"
Love 'em all and let God sort 'em out...
The pos systems we use where i work dial into the authorization servers over pots modems. That is why it takes so long to authorize a card, you are waiting for a modem to dial out. AFAIK all pos systems work this way.
What a pussy way to boycott. If you are going to boycott Slashdot, do it. Don't filter out the banner ads.
Well the original poster was specifically trying to hurt Slashdot by a "boycott" of the ads. If he wants to boycott Slashdot, he should boycott Slashdot all the way. Filtering out the ads is saying that he likes Slashdot. Slashdot contains value to him, but he's going to filter out the ads to "show them"
I can understand that you don't want to see banner ads. I wonder if Slashdot would have been able to afford their servers and bandwidth without advertisers. I wonder how many advertisements Slashdot would have sold if everyone blocked banner ads like you do.
I visit a decent number of smaller websites that probably wouldn't exist if everyone filtered out ads. They work hard and give me lots of valuable information, why not let them place their banner ads on my screen?
if what you say is true, then, out of curiosity, I must ask -- are you purchasing these goods for personal use, or for resale? If resale, what's your market -- black, consumer gray, what?
I am, therefore you think.
Do you really think 'it doesn't harm any REAL people'? Ultimately the costs/losses are passed on to the consumer - that means you & I - directly via increased charges, or indirectly via insurance cover which leads to higher REAL people premiums.
I think it would be totally inappropriate for me to even contemplate what I am thinking about. - Don Mazankowski
Packet sniffing is way too much work for most script kiddies, yet they have access to exploits, to exploit servers and get databases. Then it's right there in plain text. Which one do you think is more appealing to script kiddies? I am not saying that this person was a script kiddie, but since he did find the database on an obviously insecure server... It makes you think. If he made his own exploit, how long till it is released? Needless to say, this is scary.
It's not true that only big corps. I used to run an online comic shop and when a charge was fraudulent, *we* had to pay the full amount of the charge to the bank (even though we already paid the bank their cut of the original transaction). So, the merchant loses and the banks actually profit! You should know better than to think the big corps would allow themselves to lose.
/to email, remove the naughty symbol.
It won't help because the credit card companies keep your credit card info in their servers. So if you are going to have a credit card, you might as well use it on line.
I used to consult for a web hosting site and not *1*, that's right NONE of the companies whose web stores they hosted wanted their transactions encrypted -- the time I spent setting up pgp, etc was totally wasted, they all insisted on clear-text e-mail of transactions. And as you know, the customer is always right...
Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
So when I go into a restaurant and get food and pay with my CC and sign the slip that is a valid transaction, if I try to dispute it they say "look you signed it, now pay up!"
:)
If I order from amazon.com and they send my books by fedex/ups and I sign for them, that signature proves that I accepted merchandise. Unless I return that merchandise, I am bound by 'Good Faith' to follow through with payment.
If I order from amazon.com and they send my books by the USPS and I don't sign for them... they can't prove that I received anything, so if I were to 'theoretically' dispute a charge by them... well that one click thing probably broke
-- "My dad used to play sports with me... I don't like sports" -Tim
I'm very surprised they did not pay him. They probably could have negotiated down the 100K figure to something more reasonable, and would have avoided this terrible embarrassment. Of course, they would need some kind of assurance that the CC numbers would not be released even if he was paid, but if you have a reputable lawyer approach the company for you, usually a deal can be worked out. I know someone who turned a similar exploit into a very high paying job. This does not mean the kid is in any way excused of his criminal acts, but a business which relies on consumer trust does not need this kind of publicity.
It all depends on the company. My friend works for a company that takes E-Commerce security very seriously. They use excellent passwords, never write down the info and destroy all written info of transactions. They have high encryption and only store the info (for record information) on servers not connected to an outside network. There is always a way but making it difficult deters most people from trying. The reason people do not rob banks is because of the level of difficulty. A person has to hold everyone up, or kill them, break the vault, get away and hope the police do not catch you. Good Luck!! On the internet it is much easier. If you happen upon the name and password of just one company it can be devastating. I do not know if the hacker bypassed the security or luckily came upon the information. But all it takes is one company to be insecure to have terrible consequences on the public at large.
I still don't understand why the companies feel it necessary to store all that information on its server. Well I would be worried but I'm too broke to even have companies offer me credit cards, so I guess I'm safe for now!
Got to admit though, I still feel better using cards over the net (on trusted sites) than I do giving my MC or VISA to some pimple faced kid when we go out to eat.
More race stuff in one place,
than any one place on the net.
Look at the troubles Providian has had over the last year. They didn't lose anyone's money, but they had a wide-scope ethics problem and the stock's down by 70% in '99. It's hurt the whole financial sector.
This is no surprise. You knew it was going to happen eventually. However, this is not the crisis situation that it's been made out to be. These victims will not be responsible for paying any fees incurred on their credit cards. All banks and credit card companies ensure that customers won't have to pay for fraud. On a side note, this could have been avoided had law permitted better/higher encryption on the CDUniverse site.
Ummm.. You are not really putting your real info into netscape or IE, are you? Or into windows itself?
Hidden Win2K Menu
They get a cut.
WELL YOU YOUNG SCRIPT KIDDIE BUTTPLUGS SHOULD THANK US OLD FARTS. That's right Sparky... just cause you can take some packet sniffer program and log some crap coming over a network connection doesn't mean crap.
CAN YOU SAY SCRIPT KIDDIE.....REPEAT AFTER ME..SCRIPT KIDDIE SCRIPT KIDDIE SCRIPT KIDDIE.
What happened to the old days when you had to friggin know something....aw hell
FRANK RIZZO WAS HACKING HEX CODE WHEN YOU WERE STILL SPITTING UP COCOA PUFFS IN YOUR MOMMAS LAP.
A genius writes code an idiot can understand, while an idiot writes code the compiler can't understand.
Okay, substitute the word "older" for "old". The point is, that there weren't recent credit cards (otherwise, there would have been expiration dates further in the future.)
And how does the store verify that your certificate is valid? There must be a way for them to verify it. Hence a database of valid certificates. Now we're back at the same place where we started.
Merchants need to keep the credit card numbers around for a short period of time after the transaction and dispose of them when they are no longer needed. Some sites even allow you to click a check box so that you can store your number in the store so that you can login and buy stuff on-line without a credit card on hand. What buyer in their right mind would do that? But they do...
Also, why allow remote online access of the database in the first place.... There is no technological solution for stupidity, none, nada, zip...
- Etam
Yeah, I'll bet this dudes are using Micro$oft web servers, too. Do you even have a Firewall or packet filtered router? Doubt it!
Honestly, who ever heard of CD Universe? They're not worth a crap.
octaene@yahoo.com
It's not surprising. Law is, after all, a system designed to protect people from the inadequacies of other systems.
--llb
Support peer pressure - kick a lemming off a cliff.
Happens all the time.
Here's the scenario:
1) Person uses social engineering to find out choice pieces of info about, say, a bank. Stuff the bank believes no one outside the bank knows
2) Same person uses same social engineering skills to determine, again, some choice info about the structure of the computer systems at the bank
3) The bank is contacted, told their systems have been compromised with suitable threats included in the "blackmail". Bad guy asks for money wired into an offshore bank account.
4) Bank assumes that the systems have in fact been compromised. Not knowing the extent of the compromise, and being unable to take their systems offline, the bank makes the payment.
5) Bank may or may not contact the authorities about the situation. Contacting authorities increases dramatically the chance that the public will be aware of the "compromise"
6) Bad guys walk off with a few hundred grand without having broken into any system with the knowledge that their actions will likely not be reported anyway.
It happens all the time, cduniverse.com just happened to have the whole thing fall apart in their face, and this bad PR is the result.
That's true. People are dumb as hell!
Look at this... People go shopping (online). Cool. They order something, they checkout, they get "CC authorized", and they're happy. They receive their item, and they are even more happy. But now, they want to buy something again, and... they need to input the information again.
LAZY PEOPLE ARE GUILTY FOR SECURITY PROBLEMS!
It's that simple. Because people are lazy, merchants (not PROCESSORS - processors are only a 'gateway' between a bank and a merchant) are storing the cc numbers on a server. And when sh*t happens - merchant is guilty, and those SAME lazy people are yelling around "how bad this company is". But they are the same ones who were sending complaints to support@your.favourite.shop.com about "I want my cc to be remembered!".
It just CAN'T be done securely (at least, not until bank gets REALLY involved, meaning - merchant/processor stores MD5 sigs of CC, and bank maintains the database, and compares; however, bank will do this only for HUGE client, since bank doesn't want to get involved into 'e-commerce' - they just want to authorize the cards) at this time.
Just look at computer systems... No matter what people think, most of the tests (talking about intrusion tests, not lame script kiddies defacing web pages) are at the end successful as a result of *weak* authentication schemes at some point. You get a FW-1 w/ VPN (and you don't have a budget to get SecurID or similar thing), but your 'CEO' is too lazy to remember password like '$!*C&*E', so he orders you to let him use 'john/john123'. And there goes your security... [I'm talking from experience]
And NOBODY is going to sniff your SSL connection and crack it in order to get a cc number. Get real. It's not worth the time. Chances are that you'll randomly generate valid cc/expiry date before you manage to crack the key. At the end, it's not the 'connection' that you will attack, it's the site that hosts the cc information. I'm so tired of those 'packet sniffing' gurus that have started sniffit on local LAN and think how they've discovered the fire...
Yes, I've been involved in creation of 'payment gateways' for real-time cc authorization, so I *know* how painful it is, and how LAZY/STUPID customers are. As long as customer won't listen to techies just 'because customer is always right', there will be no security. When customers realize that techies don't suggest things because they like to bother other people, but because they want to do the things 'right way' - we'll have a progress.
It's pathetic to see how many companies expect their people to maintain perfect security, in all areas, but yet they limit IT budget to some silly amounts (that can't cover the costs of hardware needed, not to talk about other infrastructure, or software), don't want to employ more people to do security work, don't want to LISTEN to people who are in charge of security (no, we don't want CEO to have a modem connected to his PC, so that he can dial in whenever he wants, bla, bla, bla...), etc.
If there is no mgmt involved, everything would be much better. But right now, you have deadlines, you have marketing dept that always announces something you didn't have clue about (like, you make a payment gw, and you find out from the newspapers that your payment pw can easily be integrated with every shopping cart - yet you know that integration wasn't ever mentioned during the development, it was supposed to be 'ongoing process' after the gw is running 'live'). Bla, bla, bla... You should get a picture now, I hope.
That's what it says to me, anyway...
--
Xenu loves you!
I work for a major hotel in Las Vegas and I can't believe some of the stuff I hear when I happen to be in the Room Reservations Department.
Many times I have heard a clerk spend a minute or more explaining to a returning customer that they can't magically pull up the credit card number from their last visit on the computer system. Sure we have the number archived for accounting and legal reasons, but it is in no way linked to the customer database.
I bet these same customers are the ones that are worried about packet sniffers on the Internet. They would probably have a fit if you mentioned how easy it is to intercept their number when they use that $19.95 cordless phone while giving out their CC number. But they expect that person on the other side of the line that they will never meet in person to have access to a database with the customer's CC number bundled with their name and address?
"Mommy, stupid consumers make my head hurt."
"I know dear. Just ignore them and they might go away."
You obviously know little to nothing about what A1 security really means. Please try to find a good security book. Read it. Once you realize what a truly "secure" system entails, you might think again.
;)
They aren't a dime a dozen for a reason.
Fine then, here's some information:
"Computer Security Basics" by Deborah Russell & G.T. Gangemi, Sr.
http://www.oreilly.com/catalog/csb/
"Computer Security Handbook" by Arthur E. Hutt, Douglas B. Hoyt and Seymour Bosworth
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471019070
"Cryptography and Network Security: Principles and Practice, 2/e" by William Stallings
http://vig.prenhall.com/acadbook/0,2581,0138690170,00.html
"Hacker Proof: The Ultimate Guide to Network Security" by Lars Klander and Edward J. Renehan
http://shop.barnesandnoble.com/booksearch/isbnInquiry.asp?userid=686GAUD2CA&mscssid=9BBLV0W1RRS12NQU001PQJ9WMNQ2B225&srefer=&isbn=188413355X
(This book really isn't that good, though. Some errors and tends to be too general)
Of course, you could always find an electronic copy of the Orange book itself online. It's out there, I just don't have a URL handy.
--
One way to avoid storing card numbers is to have the client reenter them at each purchase. Unfortunately, people don't like that. They like the convenience of one-click buying.
Another possibility is for the credit card verification company to issue a unique token which can be used only for billing to the same merchant. This data is stored in the merchant's databases and should be quite useless to anyone else.
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
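The processor-issued token in the post above (and the related idea a few posts earlier of the merchant keeping only a fingerprint of the card while the bank keeps the card itself), as an added example in Go; it is not the poster's code and does not describe any real processor's API. The Vault type stands in for the processor, the token is random rather than derived from the card number (a plain hash of a 16-digit number has too little entropy to resist guessing), and it is bound to the merchant that requested it, so it is useless in anyone else's database. The merchant names, sample card number and function names are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// samplePAN is a constructed test card number, not a real account.
const samplePAN = "4111111111111111"

var (
	ErrUnknownToken  = errors.New("unknown token")
	ErrWrongMerchant = errors.New("token is not bound to this merchant")
)

type vaultEntry struct {
	pan      string
	merchant string
}

// Vault stands in for the card processor: the only place a card number
// lives. (Assumed design for the example, not any real processor's API.)
type Vault struct {
	mu    sync.Mutex
	cards map[string]vaultEntry // token -> card plus the merchant it was issued to
}

func NewVault() *Vault { return &Vault{cards: make(map[string]vaultEntry)} }

// Tokenize is called once, at checkout, over the SSL session. The token is
// 128 random bits: not derived from the card number, so it cannot be guessed
// from the small space of valid numbers, and it records which merchant asked.
func (v *Vault) Tokenize(merchant, pan string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(buf)
	v.mu.Lock()
	defer v.mu.Unlock()
	v.cards[tok] = vaultEntry{pan: pan, merchant: merchant}
	return tok, nil
}

// Charge is the only thing a merchant can do with a token. It refuses tokens
// issued to someone else and returns only the last four digits for the
// receipt, never the full number.
func (v *Vault) Charge(merchant, tok string, cents int64) (string, error) {
	v.mu.Lock()
	e, ok := v.cards[tok]
	v.mu.Unlock()
	if !ok {
		return "", ErrUnknownToken
	}
	if e.merchant != merchant {
		return "", ErrWrongMerchant
	}
	// Authorization with the issuing bank for `cents` would happen here.
	return fmt.Sprintf("charged %d cents to card ending %s", cents, e.pan[len(e.pan)-4:]), nil
}

// MerchantRecord is everything the shop keeps in its own database.
type MerchantRecord struct {
	Customer string
	Token    string
}

// ContainsPAN is the check the merchant's stored record must always fail.
func ContainsPAN(stored, pan string) bool { return strings.Contains(stored, pan) }

func main() {
	vault := NewVault()
	tok, err := vault.Tokenize("cd-shop", samplePAN)
	if err != nil {
		panic(err)
	}
	rec := MerchantRecord{Customer: "Jane Q. Public", Token: tok}
	fmt.Println("merchant stores:", rec, "contains card number:", ContainsPAN(rec.Token, samplePAN))

	receipt, err := vault.Charge("cd-shop", rec.Token, 1599)
	fmt.Println("repeat purchase:", receipt, err)

	_, err = vault.Charge("other-shop", rec.Token, 1599)
	fmt.Println("same token presented by a different merchant:", err)
}
```

The merchant gets one-click repeat purchases without ever holding the number, and a copy of its database is worth nothing to a third party because the processor will only honour the token for the merchant it was issued to.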
Since it has long since been obvious that banks and businesses will pay the blackmail rather than alert law enforcement, in order to preserve their own reputations and customer base (CitiBank was a notable exception and paid dearly for doing the "right thing"), the best way to make blackmail unworkable, and to put these creeps out of business for good, is to put the fear of the law into the person being blackmailed if they go along with it.
If paying the blackmailer were to come with sufficient legal ramifications (huge fines, jail time, etc.), and actively prosecuted, companies and individuals will be more likely to cooperate with law enforcement rather than criminals. In a contest of jail vs. embarrassment, or fine+public knowledge vs. public knowledge alone, the blackmailer will almost always lose. Without victims willing to pay, the blackmailer must find another line of work if they don't have the human decency to simply starve instead.
BTW -- keep up the boycott. Financial pressure is a reasonable tool to discourage this sort of behavior as well.
The Future of Human Evolution: Autonomy
One way to do this is to put a gatekeeper in between the order entry system and the secure database. The gatekeeper system is responsible for checking and forwarding all messages to/from the secure database. The gatekeeper has its own database of message types and message templates. Each incoming message is checked for a valid message type and the contents are compared to the message template for that message type. Only messages that pass all tests are forwarded. All others are logged and printed for analysis by the security office.
Mea navis aericumbens anguillis abundat
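The gatekeeper described above, as an added example and not the poster's own code: a registry of message types, each with a fixed field set and a pattern per field, and a forwarder that passes only messages matching their template and logs the rest for the security office. The message types, field names and the four sample messages are constructed for illustration.

```python
"""Gatekeeper between an order-entry tier and the card database.

Added example, not the poster's code: the message types, field names and
sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Registry of allowed message types. Each template lists the exact fields a
# message of that type may carry and a pattern every value must match in full.
TEMPLATES = {
    "AUTH_REQUEST": {
        "order_id": re.compile(r"[0-9]{1,12}"),
        "amount_cents": re.compile(r"[0-9]{1,9}"),
        "card_token": re.compile(r"tok_[A-Za-z0-9]{16,32}"),  # a vault token, never a raw card number
    },
    "ORDER_STATUS": {
        "order_id": re.compile(r"[0-9]{1,12}"),
    },
}


@dataclass
class Gatekeeper:
    forwarded: list = field(default_factory=list)  # messages passed on to the secure database
    rejected: list = field(default_factory=list)   # (message, reason) pairs for the security office

    def check(self, msg):
        """Return None if msg matches its template, otherwise the reason it fails."""
        if not isinstance(msg, dict):
            return "message is not a mapping"
        mtype = msg.get("type")
        if mtype not in TEMPLATES:
            return f"unknown message type {mtype!r}"
        template = TEMPLATES[mtype]
        body = {k: v for k, v in msg.items() if k != "type"}
        # The field set must match exactly. An unexpected extra field is the
        # usual way a query or command gets smuggled past a naive forwarder.
        missing = sorted(set(template) - set(body))
        extra = sorted(set(body) - set(template))
        if missing or extra:
            return f"field mismatch: missing={missing} extra={extra}"
        for name, pattern in template.items():
            value = body[name]
            if not isinstance(value, str) or not pattern.fullmatch(value):
                return f"field {name!r} does not match template"
        return None

    def handle(self, msg):
        """Forward a valid message; log anything else. Returns True if forwarded."""
        reason = self.check(msg)
        if reason is None:
            self.forwarded.append(msg)
            return True
        self.rejected.append((msg, reason))
        return False


# Constructed sample traffic: one well-formed request and three that should be stopped.
SAMPLE_MESSAGES = [
    {"type": "AUTH_REQUEST", "order_id": "10042", "amount_cents": "1999",
     "card_token": "tok_a1B2c3D4e5F6g7H8i9J0"},
    {"type": "ORDER_STATUS", "order_id": "10042", "debug": "1"},       # extra field
    {"type": "ADMIN_EXPORT", "table": "cards"},                         # unknown type
    {"type": "AUTH_REQUEST", "order_id": "10043", "amount_cents": "500",
     "card_token": "4111111111111111"},                                 # raw number where a token belongs
]


def run_sample():
    """Push the sample messages through a fresh gatekeeper; returns (results, gatekeeper)."""
    gk = Gatekeeper()
    results = [gk.handle(m) for m in SAMPLE_MESSAGES]
    return results, gk


if __name__ == "__main__":
    results, gk = run_sample()
    print("forwarded:", len(gk.forwarded), "rejected:", len(gk.rejected))
    for msg, reason in gk.rejected:
        print("REJECTED", msg.get("type"), "->", reason)
```

The check is deliberately positive (exact field set, full-match patterns) rather than a blacklist of bad values; the fourth sample shows why the token field gets a strict pattern: a raw card number arriving where a reference is expected is itself a sign that something upstream is wrong.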
Sorry, but I have to throw this problem at the website developers themselves. When we develop Web Server sites that contain credit-cards, we make sure that the database server cannot be accessed from the outside world. And we make sure that credit card information travels one way only, from client to database. Only internal networks can see the credit card information. We trust physical hardware limitations, not software limitations...
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
Cool down. There's no evidence they actually intended to pay; indeed, the fact that they didn't suggests they were trying to lure him into doing something they could use to identify him. Ultimately, the story relies on the word of a criminal.
Certainly, though, you could write them off as a vendor after their poor attention to security issues.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
slashdot-terminal wrote:
...
I could believe that this guy is just working alone without the help of his government the day pigs fly!
I find it much more plausible that he is an individual than that there is a vast Russian government conspiracy to shake down American dot-coms. But I wouldn't put it past the Russian mafia. (Most likely he did have help setting up that bank account.)
I don't see this as a government operation because it's just too small. There's more money in shaking down the US for space station funding, many times more money
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
But these thefts have nothing to do with all of this.. they have to do simply with the company keeping its customer database, including credit card numbers, online, where it should never be.
And seriously, why should card owners be liable for *ANYTHING*? The card is just a symbol of the credit granted to the individual, not the credit itself.
I came late to the conversation, but I hope someone has an answer for this question. I've bought from CDuniverse.com before... so what should I do? What are the chances that my card has actually been stolen? I suppose I could just watch my balance carefully (it's a debit card), but I'd rather know quickly whether this is a scam or my number really is loose.
And I love how the old, crotchety types assume that nobody can do anything without their help...
Packet sniffing is trivial, if you're in between the people who are communicating, and if you know what you're looking for.
I've personally seen a lot of people snag a lot of interesting stuff from the sniffing.
A friend in university wrote a program to watch for IRC traffic, it was pretty stupid, just grabbing things to the default ports, 6667 or whatever, and scanning for keywords. Found some funny stuff that way.
A guy I work with ran a small business which required net access, so they dropped the machine off at an ISP instead of getting dedicated bandwidth. Turns out all third-party machines were on the same 100mbps hub (the service was for T1-equivalent of bandwidth, so the ten or fifteen machines didn't saturate this)... They could remotely put the second network card (no idea why it had two cards.) into promiscuous mode, and by sniffing, they were able to watch all transactions from the other machines... Mostly mail servers, but a few web servers, at least one of which was taking orders. Mostly PO stuff, but still...
As long as you're in between the two ends, or on a hub with either end, you can see what they send, and if it's unencrypted, you can read it. Many ordering forms are still unencrypted, and if you watched for traffic to those sites, you'd probably get a few hits here and there. Not enough perhaps to justify it, compared to hacking into something to just grab a list, but...
Sniffing IS easy, and with some luck and skill, it's not hard to get stuff you shouldn't have access to.
Just think of how much fun those things could be. I'd buy 10,000 twinkies :D
In case of Emergency, Curl up in the Fetal position, and lick a Bible for comfort!
It's common practice in the financial industry to pay off h/cracker blackmailers.
Quite likely, almost every major financial institution has done it.
Not that this is a good thing, just common practice.
LetterRip
This may seem scary, but the same thing happens almost daily in the real world. Hell, the same thing happened to me - a company I had had problems with in the past decided that they wanted me to have a 300 dollar DVD player, so they charged my card. Problem was, I neither wanted nor needed it, and they couldn't/wouldn't cancel the order. Took me two months of wrangling to get it sorted out.
And I never touched a computer while making my original order with said Giant_Bastard_Company. It was all done over the phone.
I tend to worry more about the company on the other end than anyone in the middle or hacking.
My opinion is that 1200 baud connections are very very sniffable and consider that all this encryption is closed source, unverifiably secure. Ok, big deal. You'd expect banks to be closed source. Next we started to deal with a few other "gateway" companies like First Data Resources (whom we haven't dealt with, but apparently are very good.. I'm still waiting for my programmers documentation). One particular gateway company has an exclusive arrangement with a local bank that a few of our merchants were interested in using. We went and spoke to them. They gave us lots of development information and talked to us for a few hours. After about 2 hours of talking about security, they showed us the reporting mechanism of their gateway. I casually asked: "So where is all this data stored?".. their reply: "Oh.. we maintain an Access database on the local hard drive". A few minutes pass.. I ask: "So what exactly is stored in that database?", the reply: "Well, everything about the transaction", "Including credit card details?", "Of course!".. After informing them about the total insecurity of that I asked what else their NT based gateway had installed on it other than their closed source processing/report generating software. "PC Anywhere".. "oh, why is that on there?", "We like to dial up and do maintenance on the gateway", "Dial up using what?", "The tran$end modem".. so they want to dial up a box on my secure network using a 1200 baud connection over the private banking network to use PC Anywhere to access a database that includes credit card information. These people virtually represent the bank! Yawn. I took their programming docs and quietly told the manager with me that we would wait until we did our FDR development before we offered service to that bank.
How we know is more important than what we know.
If they had stored the CC# in encrypted form in their database, no hacker could have stolen the number. They could have downloaded 300000 encoded # by hacking into the system, but would have been stuck with unusable data (cracking a PGP key is more difficult than hacking NT, you see)
I have my credit card company by my side. My credit card agreement/contract protects me from any unauthorized charges and the credit card company will investigate any such charges. Of course, there is the problem of going through phone calls and other communication to get the matter straightened out, but not a single unauthorized/fraudulent charge makes it past one statement!
So, if you are/were a customer of cduniverse.com, don't get too worried. You're protected.
On a more serious note exactly who is this guy. I could believe that this guy is just working alone without the help of his government the day pigs fly!
It's actually a pretty slick thing. Just unofficially get someone to crack a site and then blame him and you can just walk away.
Slashdot social engineering at its finest
People basically have no choice: if you want to get something online, anything at all, you need a credit card to process it. This allows for easy and convenient transfer of funds and allows for all those nice little savings that people now have. Unfortunately it screws anyone that doesn't have a credit card as well.
Slashdot social engineering at its finest
Interest paid on a loan is free money. It's a part of the chain of how the economy grows:
The more interest the Bank can charge on a loan, the faster they get rich. They can afford to pay all the other incidental costs of the mistakes: bad loan risks, stolen merchandise on stolen cards, etc.
One late payment, and that "Low APR For A Limited Time" card of yours balloons to a ridiculous loan-shark rate of 19, 20, even 25% APR.
The large corporations don't pay the costs. If they did, they wouldn't be large corporations.
--
--
E2 IN2 IE?
To get off our collective duffs and develop a secure internet monetary system. Hell, even if visa/amex/etc just implemented a system wherein you could get an "internet secure" credit card, that would refuse internet transactions unless the buyer presented a valid certificate that only the cardholder has. Then a database of these things would be useless unless you could somehow also obtain the person's personal certificate.
The idea that the printed information on a card is enough to verify it is IMHO plain outrageous. It doesn't matter if a villain got my credit card number by cracking a site or from simply looking at the card. Paying for stuff giving only the cc number (and date) is as stupid as logging on using only a uid.
All opinions are my own - until criticized
It seems like the e-commerce sites need to isolate the credit card numbers. How hard would it be for the web server to take the number, not cache it, and submit it to a secure machine for processing and storage? Now while secure may be impossible, we can get close.
Put it behind a firewall (or even just shut off all services on a UNIX machine) and only have a system to process credit cards, and have it set up so it is only accessible from the web server, and then only accepts credit card numbers, and NEVER puts them back out. If the store wanted to store numbers for quick access by customers (I like this, although the security is definitely a problem), the system can assign a unique reference to that card number that can be stored on the web server.
If this program is written carefully, and doesn't have buffer overflows, there would be no way to get the credit card numbers from it without access to that machine. How the admin wants to keep it secure could vary; the ultimate would be using a dedicated connection to the credit card company (I am not sure how all these work, but it would be the same as any POS system), and even console-only admin access, although the admin may choose to trust some form of remote access such as ssh or ssl telnet, etc, and of course if that is compromised the whole above system is insecure, but I think it would be secure enough if the sysadmin stayed on top of things.
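The "unique reference" design from the post above, and the merchant-bound token suggested earlier in the thread, in one added example that is not code from either poster. The card data goes one way into a vault on the isolated host; the web tier gets back only a random token and the last four digits, the vault has no call that returns a stored number, and a token only authorizes for the merchant that created it. The merchant ids, customer records and card numbers (public Visa/Mastercard test numbers) are constructed.

```python
"""Card vault on an isolated processing host; the web tier keeps only a reference.

Added example, not the poster's design. The merchant ids, the customer records
and the card numbers (public Visa/Mastercard test numbers) are constructed.
"""
import secrets


class CardVault:
    """Runs on the isolated machine. It accepts card data in, and the only things it
    ever hands back are a random token, the last four digits and an approval result.
    There is deliberately no method that returns a stored card number."""

    def __init__(self):
        self._store = {}  # token -> (merchant_id, pan, expiry); lives only on this host

    def tokenize(self, merchant_id, pan, expiry):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("malformed card number")
        # The token is random, so nothing about the card can be derived from it,
        # and it is bound to the merchant that submitted the card.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (merchant_id, pan, expiry)
        return {"token": token, "last4": pan[-4:]}

    def authorize(self, merchant_id, token, amount_cents):
        entry = self._store.get(token)
        if entry is None or entry[0] != merchant_id:
            # A token lifted from one merchant's database is useless to another.
            return {"approved": False, "reason": "token not valid for this merchant"}
        _, pan, _ = entry
        # Here the real system would send pan/expiry/amount to the card processor
        # over its dedicated link. Simulated: approve anything under $100.
        return {"approved": amount_cents < 10000, "last4": pan[-4:]}


class WebStore:
    """The internet-facing tier. It passes the card straight through to the vault
    at order time and stores only what the vault returned."""

    def __init__(self, merchant_id, vault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.customers = {}  # customer -> {"token", "last4"}: no card numbers here

    def save_card(self, customer, pan, expiry):
        self.customers[customer] = self.vault.tokenize(self.merchant_id, pan, expiry)

    def one_click(self, customer, amount_cents):
        ref = self.customers[customer]
        return self.vault.authorize(self.merchant_id, ref["token"], amount_cents)


def demo():
    """Exercise the design and return what a reader (or a test) would want to check."""
    vault = CardVault()
    shop = WebStore("merchant-A", vault)
    shop.save_card("alice", "4111111111111111", "12/01")
    shop.save_card("bob", "5555555555554444", "06/02")
    repeat = shop.one_click("alice", 1999)
    # Suppose the web tier's database is stolen: the attacker gets tokens and last-4
    # only, and replaying a token from another merchant's account is refused.
    stolen_db = dict(shop.customers)
    replay = vault.authorize("merchant-B", stolen_db["alice"]["token"], 1999)
    return {
        "repeat_approved": repeat["approved"],
        "replay_approved": replay["approved"],
        "web_tier_records": stolen_db,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is what a compromise of the web server yields: a table of tokens and last-four digits, which gives the intruder nothing to charge against elsewhere and nothing to sell. The vault still needs protecting, but it exposes one narrow interface instead of a general-purpose web stack.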
I am more afraid someone at Olive Garden will snitch my CC num than someone at Amazon.com. A lot more people interaction occurs at some place like a restaurant. They get to see what kind of person you are and possibly what kind of CC you have. Titanium.. yep this is one I want to steal. That scares me a HELL of a lot more than any online site. I have a 500 dollar unsecured VISA; that's all I will ever have. Just for emergencies. I have a debit card on a checking account with no more than 2000USD EVER. The BANK does assume the risk and I am only liable for 50 bucks of it if any of it's stolen. It's just like a VISA in every respect except for the fact the money comes straight from my bank account. Bleh. Keep on using them CC's online :-)
Jeremy Allen
jallen@idminc.com
Well, the only reason this is possible is that the credit card companies don't care. Introducing strong cryptography, challenge-response protocols and real online banking will make such frauds nearly impossible. All these technologies exist, but why aren't they implemented?
Apparently the losses of the credit card companies are not enough to justify the move towards stronger verification schemes. This is also fine with everybody - the card owners are not liable for more than $50 of losses and the hackers have an easy source of income.
The REAL losses are covered by the big corporations, and I couldn't care less about them. Don't bitch about the lack of security - it doesn't harm any REAL people, only corporations.
Combine this fact with this part of the "FAQ" on Maxus' site (mirrored here)
In other words, all he got were rather old credit cards. One might surmise that CDUniverse updated their CyberCash software, but failed to delete the log file you mention.
As have I. All the encryption in the world will not help you if you store the credit card info on the server! Especially if the server is IIS 4.0, which it is in this case. You can hack it with a fsckin' web browser!
Maybe SET was a bad standard, I don't really know. But the idea (transfer the money, not the card number) was highly sound.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
It's not hard to get a visa card. I have a free checking account that gives me a visa card. You don't need to have credit to have a visa or mastercard. The minimum balance is zero to answer that one right away.
Nerd rage is the funniest rage.
So you are saying there is some conspiracy of the Russian government & hackers to steal credit card numbers and post them on the 'net.
Why?
I find it is much more likely that he is an individual - like most hackers are.
Not everything is a conspiracy, you know.
This is how credit card theft REALLY happens on-line, not by packet sniffing.
This was the case until a few years ago, but now the branded debit cards have changed their policy to match those of credit cards, at least in the US.
HOWEVER, if you use a debit card you should still maintain multiple accounts, since there is usually a significant delay before your funds are returned. The people who get bounced checks might be understanding when you contact them, but they are not legally required to be so. I've known more than a few landlords who would not hesitate to assess substantial penalties, even start the eviction process, if your check bounces for *any* reason.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
'cause it is not the customer who has to wear the rap when someone cracks your database server and steals their credit card. The point of my refusal is that I cannot store credit card information securely. It is not possible. No matter how many firewalls you put up, eventually you have to expose services to the world (in this case a web server) and that is a weak link. Some zero day cr4x0rin' d00d will always be able to get into your web server some time in the future. When he does, you want to have the smallest possible bounty waiting for him. You want him to have to hang around for 3 days to get more than a few pages worth of credit card numbers.. all that time exposing himself to detection. This would not be a major issue if we were any old credit card gateway. The worst anyone can do with a credit card is make you pay $50. Big deal, but we claim to be the securest thing under the sun.. which is what our customers (merchants) and their customers expect.
How we know is more important than what we know.
Ah, but 1) He only posted about available 25,000 of the 300,000 cards.
2) He is still selling them for $1 / card, minimum of 1000. (See entry in his guestbook)
So, the person you are admiring is not the moralistic crusader you think he is, instead he is someone who used a known exploit to read the log file of a website that didn't bother upgrading the software they were using to fix a known security hole.
There is no-one in this incident to admire, that's including posters who are using this to push their own agenda (encryption, server OS software etc).
How many people encrypt their log files ? And how many people just make that subdir non-global readable ?
Instead, there are 300,000 people who are going to get put through a lot of trouble over the next year as these credit cards are doled out by this 'hacker' to his other teenage friends for phonesex lines and other wonderfully mature pursuits.
What most people don't realize is that shopping with your credit card is actually safer than paying by check. In the event that there is a problem with your purchase, the credit card company will remove the purchase from your bill and the on-line merchant is not paid. In the event that your credit card number is stolen, the credit card companies do not hold you responsible for any unauthorized purchases.
So go ahead and join the six million other people that are experiencing the pleasure of on-line shopping.
So thats OK then! (well, I found it amusing anyway)
From what I have done in research about things like this there is a better chance for fraud at a local store using in person methods of using credit cards than online.
If you ever looked at that little "educational" thing called the anarchists cookbook you will notice that they have a fairly detailed scheme that demonstrates how to commit credit card/mail fraud using carbons taken from retail stores in their rubbish bins.
Slashdot social engineering at its finest
should probably contact BizRate and CDUniverse itself to express your concern. I'm not sure whether I was more disturbed by the fact that the cards were stolen and customers were not notified immediately, or the fact that CDUniverse was about to pay the thief without contacting authorities.
"In individuals, insanity is rare, but in groups, parties, nations, and epochs it is the rule." -Nietzsche
Uh, it's probably a conspiracy created by the US government in cooperation with the russian mafia in order to discredit the kgb, all for the sake of getting the story linked on slashdot, america's number one e-conspiracy resource.
Amazing magic tricks
A lot of E-commerce companies put big efforts into making the "shopping experience" as easy and interesting for the user. Wonderful, the company stored your credit card number, you won't have to type it in again when you shop later!
Security seems to come second for a lot of those companies, and it shows. No one with some sense of security would store credit card numbers with expiration dates of all its clients in a database!
Companies need to be educated about security, and users as well. We just had the proof that some companies who try to get users' trust are definitely not trustworthy.
"I remember Y1K, every abacus had to get another bead"
Someone was saying just the other day (week?): It will take a major fraud before common everyday people begin to demand strong encryption.
Perhaps now the time has come? A few more heists like this, and if some reporter would just have the balls to "leak" how strong public/private key encryption could provide decent security... Maybe things would improve?
Maxus claims the company agreed to the payment last month, but subsequently balked at initiating a wire transfer to a secret bank account because it might be noticed by auditors.
I can't freakin' believe this, that the people CDUniverse were actually going to pay the blackmail instead of trying to either fix the hole, or alert law enforcement/credit card companies to what happened!
This disgusts me, it's not that CDUniverse didn't pay because they might have thought he was bluffing, but they didn't pay because they were worried that they might get into legal trouble for that! What about the customers with the compromised credit card numbers in the first place, don't they mean anything to CDUniverse? Bastards.
I don't think I'll ever be doing business with CDUniverse. I think I'll be dropping a line to manager@cduniverse.com and telling them why, too!
SET is completely unworkable. It requires an infrastructure (PKI) that somebody has to provide and that infrastructure is costly. The other issue was that it required the processing performed at the merchant site (real world, not electronic). This is also unworkable because most merchants don't have the capacity to run the technology required.
I was involved in investigating SET for operation in the "real world" not some mickey-mouse VISA/BANK setup that "proved" it worked. Ack!
What the banks should be doing is enforcing their TOS which (in Australia) state that credit card numbers cannot be recorded for any purpose other than for the duration of the transaction. So, you can take down the CC# and use it to process the transaction, and then it must not be kept for any other reason. None at all. As for the USA ? YMMV.
As you state, transfer the money, not the card. That's pretty much how it should be. If you encrypt the card details and the decrypted card details are only used to approve the availability of funds, the "window of opportunity" can be kept to a minimum. With appropriate encryption, the decryption of the CC# can be done at the bank, and the cc# is never, ever in the clear outside the banking network. That's how it should be done. Oh, did I forget to mention that's what we did when I was involved in developing a credit card authorisation system. ;-)
Why don't the banks care ? Well, it doesn't cost them any money, now does it ? The merchant and the consumer always lose. (Mostly the merchant) Cheers,
I have found a vulnerability in CyberCash 3 where local users can do Bad Things.
I have tried many times to get an adequate response from them over the last two or three months. They do seem to be fairly clueless about security issues.
I will be submitting the details to BugTraq tomorrow. They have been warned.
I work for a company producing a credit card processing gateway. I have had pressure by management (evil!) to store credit card details in my database. I refused. The bank stores credit card details.. and they do it securely, in semi-stand-alone computers that are protected by guards with guns. There is no reason to keep a customer's credit card number in a database and stories like this are another reason I can show to management to get them off my back.
How we know is more important than what we know.
No digits, of course :) HERE
Incidentally you have to hit <esc> to get it not to autorefresh to a 404'd page...
mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.
But that's not the problem this time. This cracker reportedly found a bug in ICVERIFY, which is a completely separate program. ICVERIFY is an old, clunky program that emulates a credit card terminal, dialing and all. There's a free version; I got a copy once on a CD-ROM in an early book on Internet commerce. It's slow; when you see a site that says "It may take minutes to verify your transaction", it's probably an ICVERIFY site. CyberCash resells the thing, and has some improved versions.
CyberCash itself is a different system. A site using CyberCash on its servers runs the CyberCash CashRegister program, which sends transactions over the Internet (encrypted) to CyberCash HQ, which in turn has servers connected both to the Internet and to the interbank networks. This works much better than using ICVERIFY; you get address verification and proper error codes, and turnaround is about a second. CyberCash 2.x no longer works; it's not Y2K compliant. The current minimum version is 3.x. So that bug should be fixed for all sites.
Let me ask Slashdot readers a question. Suppose you could get a version of Linux that ran 25% slower, but was highly secure, secure enough to run trusted applications in a leakproof environment and untrusted applications in a "sandbox". Would you run it? Would you buy it?
Most "high" end banking institutions DO have their revenue processing systems directly connected to the other areas of their environment.
If a cracker had the right tool and a little social engineering skill, it would not be difficult at all.
Simple scenario is to gain access to a less secure DB and then spoof the card DBs into thinking your session is just another R/W from a trusted DB.
Actually this sort of thing happens all too frequently and the card companies just write it off as bad debt. It's unfortunate, but in the long run, they would much rather keep the fraud FUD down; it is much more damaging than having a high bad debt number. Most issuing companies run between 4-8% written off as bad debt.
More race stuff in one place,
than any one place on the net.
I hate to be right, but when people would talk about the risks of using credit cards online, I would tell them that no h/c(racker) is going to intercept a communication and break the encryption for one credit card number when they can simply steal the entire database after breaking into one server, guess this guy proved me right.
-- "The higher we soar, the smaller we appear to those who can not fly" -Frederick Nietzsche
As a side effect of tracking down spammers and liquidating them, I found many low budget web sites that accepted credit card orders and stored them in globally readable files on the web server. If you read the source for these web pages, you can see how they process the data submitted by their customers. Many just take the data from the form and append it to a file on the web server.
Mea navis aericumbens anguillis abundat
Call your bank. Most likely they will simply issue you a new card.
Since you stated this is a debit card, be aware of a little-known fact:
Debit cards do not have the same protections as credit cards.
While many bank policies are similar to the legal limitations on credit card liability, they are not, repeat not subject to the same laws. Read this recent article explaining the differences. Under certain circumstances, your entire bank account could be cleaned out, and the bank wouldn't have to give you one cent back.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
Here they are (in no particular order):
Of course "Under federal law, the most you'd owe for unauthorized charges to your credit card is $50 per card. You owe nothing if you report the problem before charges are made. " If I was a customer of this company I would call my bank and cancel my card ASAP.
E-Commerce sites have had problems like this from the beginning. Just last week I read a story in the news about someone saying that their credit card got stolen from Amazon.
What is scary about this heist is the fact that the cracker posted the page online and doled out card #'s to anyone in the world that wanted to get one... that is a first. The blackmail thing has been done b4.
However, I believe that the majority of credit card #'s that are stolen or taken advantage of without the owners' knowledge over the internet are taken by kiddies and their credit card # generators. Most sites are secure and are not broken into by hackers. If (the myth that) most sites were broken into was true... someone with a fair amount of brains would have cracked a college application website and got ssn #'s and addresses and other crap and done a whole lot more damage to a person, or cracked an online banking service by now and screwed over thousands.
Also, the fact that stuff like this gets major news stories shows that it is not common place, if it were the news sites/people would not cover it because viewers want sensationalism.
Personally, I doubt that this guy did what he says he did. Had he done it, Interpol/Russian Cops would have gotten involved right away and tossed him in the clink - or at least paid the blackmail $.
Is it progress if a cannibal uses a fork?
The vulnerability found in CyberCash v 2.1.2 has been known for a while. Either these people didn't bother to fix their configuration, CyberCash didn't fix it in subsequent releases (if there have been any), or they continue to not take security seriously. For example, here is a summary of the vulnerability in CyberCash 2.1.2:
CyberCash v. 2.1.2 has a major security flaw that causes all credit card information processed by the server to be logged in a file with world-readable permissions. This security flaw exists in the default CyberCash installation and configuration.
The flaw is a result of not being able to turn off debugging. Setting the "DEBUG" flag to "0" in the configuration files simply has no effect on the operation of the server.
In CyberCash's server, when the "DEBUG" flag is on, the contents of all credit card transactions are written to a log file (named "Debug.log" by default).
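The failure mode behind a world-readable Debug.log, and behind the "globally readable files on the web server" an earlier poster found, is something an admin can look for rather than wait to read about. As an added example (not CyberCash's code or any vendor's), here is an audit that walks a directory tree, flags files containing Luhn-valid card-number-like strings, and reports whether each is world-readable. The sample files and the directory are constructed in a temp dir; the card numbers are public test numbers.

```python
"""Audit a directory tree for card numbers sitting in files, and report whether
each such file is world-readable (the Debug.log situation described above).

Added example, not CyberCash code or any vendor's. The sample files are
constructed in a temporary directory; the card numbers are public test numbers.
"""
import os
import re
import shutil
import stat
import tempfile

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
DIGIT_RUN = re.compile(r"(?<![0-9])(?:[0-9][ -]?){13,19}(?![0-9])")


def luhn_ok(digits):
    """Luhn checksum; filters out timestamps and ids that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid digit strings found in text."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def is_world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(root):
    """Walk root; for every file containing card numbers report path, count and mode."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            pans = find_pans(text)
            if pans:
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "count": len(pans),
                    "world_readable": is_world_readable(path),
                })
    return sorted(findings, key=lambda f: f["path"])


def run_sample():
    """Build a constructed web-server directory, audit it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="cdu_audit_")
    try:
        os.makedirs(os.path.join(root, "private"))
        samples = {
            # A debug log left world-readable, holding a full card number.
            "Debug.log": ("2000-01-20 auth order=10042 card=4111111111111111 exp=12/01 amt=19.99\n", 0o644),
            # Same data, but owner-only; still a finding, just a smaller one.
            "private/orders.txt": ("bob 5555 5555 5555 4444 exp 06/02\n", 0o600),
            # Ordinary access log: the 13-digit timestamp fails Luhn, so no finding.
            "access.log": ("ts=1234567890123 GET /asp/cdu_main.asp 200\n", 0o644),
        }
        for rel, (content, mode) in samples.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return audit(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in run_sample():
        flag = "WORLD-READABLE" if f["world_readable"] else "owner-only"
        print(f"{f['path']}: {f['count']} card number(s), {flag}")
```

Any hit at all is a finding, since the thread's point is that the numbers should not be on the web host in the first place; the permission bit only ranks how urgent it is. The Luhn filter keeps timestamps and order ids out of the report, but a card number written directly against another digit run will be missed by this simple regex, so tune the separator handling to the log formats actually in use.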