Slashdot Mirror


Largest Online Credit Card Heist Ever?

Brian writes, "Today InternetNews.com broke a story about a Russian cracker who claims to have stolen 300,000 credit cards from CDuniverse.com. After failing in an attempt to blackmail the company for $100,000 to keep quiet, the cracker posted the cards at his site."

6 of 349 comments

  1. How To Collect Credit Card Numbers by Detritus · Score: 5

    As a side effect of tracking down spammers and liquidating them, I found many low budget web sites that accepted credit card orders and stored them in globally readable files on the web server. If you read the source for these web pages, you can see how they process the data submitted by their customers. Many just take the data from the form and append it to a file on the web server.

    --
    Mea navis aericumbens anguillis abundat
  2. CALL YOUR BANK NOW by DHartung · Score: 5

    Call your bank. Most likely they will simply issue you a new card.

    Since you stated this is a debit card, be aware of a little-known fact:

    Debit cards do not have the same protections as credit cards.

    While many bank policies are similar to the legal limitations on credit card liability, they are not, repeat not, subject to the same laws. Read this recent article explaining the differences. Under certain circumstances, your entire bank account could be cleaned out, and the bank wouldn't have to give you one cent back.

    --
    lake effect weblog
    {Network engineer in Chicago--looking for work!}
  3. U.S. Consumer Banking Laws by COLUG · Score: 5
    In the U.S. the FDIC lists all of the relevant banking laws online. There are consumer protection laws that cover unauthorized charges.
    Here they are (in no particular order):
    1. Financial Institution Web Site Privacy Survey
    2. Know Your (Liability) Limits
    3. Information Systems & E-banking

    Of course, "Under federal law, the most you'd owe for unauthorized charges to your credit card is $50 per card. You owe nothing if you report the problem before charges are made." If I was a customer of this company I would call my bank and cancel my card ASAP.
  4. Most e-sites secure... not that scary... by Diamond+Slicer · Score: 5

    E-Commerce sites have had problems like this from the beginning. Just last week I read a story in the news about someone saying that their credit card got stolen from Amazon.

    What is scary about this heist is the fact that the cracker posted the page online and doled out card #'s to anyone in the world that wanted to get one... that is a first. The blackmail thing has been done b4.

    However, I believe that the majority of credit card #'s that are stolen or taken advantage of w/out the owner's knowledge over the internet are taken by kiddies and their credit card # generators. Most sites are secure and are not broken into by hackers. If (the myth that) most sites were broken into was true... someone with a fair amount of brains would have cracked a college application website and got ssn #'s and addresses and other crap and done a whole lot more damage to a person, or cracked an online banking service by now and screwed over thousands.

    Also, the fact that stuff like this gets major news stories shows that it is not commonplace; if it were, the news sites/people would not cover it because viewers want sensationalism.

    Personally, I doubt that this guy did what he says he did. Had he done it, Interpol/Russian Cops would have gotten involved right away and tossed him in the clink - or at least paid the blackmail $.

    --
    Is it progress if a cannibal uses a fork?
  5. Re:Staying offline won't help either by bons · Score: 5
    Please moderate the above comment back down, ignorance is not informative or insightful.

    The "servers" that companies keep credit card information on are Authorization servers. These are the machines that are connected to point of sale devices, automated tellers, and other methods used to conduct transactions. These servers are not internet servers. They are not hackable the way that internet servers are, simply because they serve a completely different purpose and were built on entirely different protocols.

    Could they be hacked? Yes. But then again so could an ATM. However the methodology for doing so is quite different, and not discussed on 2600.

    Banks, Credit Card processors, and governing bodies, such as Visa and MasterCard, take their security very seriously. This is why the weak point has always been the point of sale location, whether it be a mall, gas station, or online store. It is much easier to get a specific credit card number by going through a person's mail than to attempt to attack the authorization servers.

    Think of it this way. Visa and MasterCard care about the security of their cardholders. Online and real world merchants however, do not, except as far as it affects the fee they pay.
    offtopic note: When a merchant completes a transaction, for say, $10.00, he pays a small percentage, a penny or five, depending on what security measures he uses. A merchant who gets an auth and sends in the transaction immediately gets a better rate than a merchant who is using paper tickets. This "fee" is used to cover the cardholder banks' losses due to fraud. By accepting a credit card, the merchant makes a little less money on each transaction (this is why gas stations used to charge extra to accept credit cards), but they no longer have to deal with bad checks and counterfeit bills.

    For anyone to suggest that the authorization servers are as weak as the online stores is pure folly.

  6. Old Vulnerability by spaceorb · Score: 5

    The vulnerability found in CyberCash v 2.1.2 has been known for a while. Either these people didn't bother to fix their configuration, CyberCash didn't fix it in subsequent releases (if there have been any), or they continue to not take security seriously. For example, here is a summary of the vulnerability in CyberCash 2.1.2:

    CyberCash v. 2.1.2 has a major security flaw that causes all credit card information processed by the server to be logged in a file with world-readable permissions. This security flaw exists in the default CyberCash installation and configuration.

    The flaw is a result of not being able to turn off debugging. Setting the "DEBUG" flag to "0" in the configuration files simply has no effect on the operation of the server.

    In CyberCash's server, when the "DEBUG" flag is on, the contents of all credit card transactions are written to a log file (named "Debug.log" by default).