Credit Card Database Stolen -- 4 Months Ago

jeffw writes: "Once again a Russian cracker got into an online credit card database and attempted to extort money from the company. MSNBC has the details. Previous incidents were covered on Slashdot here and here. This time it was the appropriately named CreditCards.com, a credit card processing service for merchants. You would probably expect to be notified by one of the processors, the card issuer or the merchant, but in this case victims have to notice the fraudulent charges themselves and contact their card issuer. Hmm, CreditCards.com. I'm sure no cracker would ever think of that as a juicy target. Why not name your company FreeMoneyForCrackers.com instead?"

  1. Re:My question is this.. by elenchos · · Score: 4

    You wonder why the ones you hear about after they get caught always seem so dumb? It is because if they were not so dumb, then they would not get caught, and then you would never have heard of them. Often they got caught by bragging about how 31337 they are. You can continue this logic to make the mystical connection with the fact that people who brag about themselves all the time are really idiots, and that in prison you can find many idiots bragging about how smart they are. There are numerous corollaries and converses to this, but they are too obvious to mention.



  2. Security through obscurity, anyone? by Antaeus+Feldspar · · Score: 4

    I don't pretend to know how the cracker got the credit card numbers from CreditCards.com. But judging from the way they've chosen to handle the problem, I'm not surprised they could be ripped off in the first place; they have all the earmarks of a company that still believes security through obscurity is their best approach.

    In all honesty, this is a disturbing attitude that we seem to be seeing more and more from companies: the customer is no longer regarded as someone to be served with enlightened self-interest, so as to reap rewards. It's much easier instead to enter into near-conspiratorial relations with other companies; to regard the other company, the one with the large pre-existing legal team, as the entity who has to be kept happy -- and regard the customer with ill-concealed loathing, as the one who makes your 'job' of pleasing your partner company that much harder.

    From this perspective, it seems downright logical to let people's credit cards be compromised and not tell them -- it's only important to please the merchants who want to take credit cards, not the people whose credit cards they are! And what are the chances that poor service to cardholders would ever result in them losing those merchant contracts? Not good enough to make them really care, it seems.

    --
    If people are to respect the law, perhaps the law should begin by respecting the people.
  3. Re:Not freemoneyforhackers.com by cynthetik · · Score: 5

    You can buy chips at Vegas casinos with credit cards and then return them for cash. That seems like money to me. I know that it works because someone racked up a $20 000 debt on a friend's card using that method. She only found out when the FBI called her. But then that was nasty American hackers ripping off poor Australians, so it never got reported ;)

    --
    .sig .sig .sputnik
  4. Re:Merchants should use common sense by tbo · · Score: 4

    > Configure your payment system to do realtime auth so you don't need to batch cc numbers for later capture. Thus the cc number lives on your site for only a few seconds.

    If your system is cracked, what's to stop Mr. 1337 hAx0r from putting a sniffer or something like that on your network, then returning in a month to harvest the many credit card numbers? Sure, it's slightly more work for them, in that they have to make two visits instead of one, but any script kiddie can install a root kit to cover his tracks in just a few minutes.

    The whole idea of using credit card numbers for online transactions is flawed. Why not have the purchaser write a "digital cheque" and sign it with his private key? The merchant could then present the cheque to a bank to verify that funds were available. Voila! Now, even unscrupulous merchants can't rip you off.

  5. The real question here... by pen · · Score: 4
    The real question here is what the hell was the company doing storing a database of these cards in the first place? Isn't their job only to check if it is valid and then charge it? I can understand keeping the cards for a short time until payment is received and confirmed, but after then...

    The article even mentions that the company had "test numbers" in the database. Am I the only one who thinks that those were left in there from the days the code was being developed because no one bothered to clean up the database?

    Oh yeah, and these numbers are sold for a couple of dollars a piece in Russia. No joke.

    --

  6. Re:i care by JeffL · · Score: 5

    OK, here is the message in all its glory. I have changed MY information in the header, but have left all sender information as I received it. I also had to change a bit of the formatting to get around /.'s lameness junk character filter. The words of the text are untouched.

    Return-Path: chad@microsoft.com
    Delivery-Date: Mon Dec 11 15:08:14 2000
    Return-Path:
    Received: from mybigserver.my.domain (mybigserver.my.domain [10.0.0.1])
    by mymail.my.domain (8.9.1a/8.9.1/FOO-3.0s) with ESMTP id PAA365001
    for ; Mon, 11 Dec 2000 15:08:14 -0700 (MST)
    From: chad@microsoft.com
    Received: from eb.com ([146.101.3.203])
    by mybigserver.my.domain (8.10.1/8.10.1/FooBar+Hesiod (MyConfig)) with SMTP id eBBM8GJ15524
    for ; Mon, 11 Dec 2000 15:08:16 -0700 (MST)
    Message-Id:
    Received: from blu01650-4-1 [127.0.0.1] by eb.com [127.0.0.1] with SMTP (MDaemon.v2.7.SP5.R) for ; Mon, 11 Dec 2000 22:02:44 +0000
    Date: Mon, 11 Dec 2000 22:02:44 +0000
    Subject: HOT NEWS 11 DECEMBER 2000, HACKERS GOT INTO CREDITCARDS.COM !!!
    To: me+myvendorid@my.domain
    X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
    X-MDaemon-Deliver-To: me+myvendorid@my.domain
    X-Return-Path: chad@microsoft.com

    Dear Customers of CREDITCARDS.COM,

    Security score rating: -100

    Go there to read the STORY about creditcards.com !!!

    http://venus.njcc.com/ccs/index.html
    http://www.givit.com/content/ccs/index.html
    http://203.29.170.11/ccs/index.html

    We represent a group of experts trying to save you from companies, which
    do not care about their clients. For your attention we have
    designed the "Never trust companies" list.

    Any simple hacker can get into Creditcards.com where your confident information stored.

    We was contacted with President (Michael Butts) of CreditCards.com, and
    they was say us " We don't care about information and about customers"

    Today is the special time for every Internet user, e-commerce is still growing
    and competitors are fighting each other to win your attention, your loyalty
    and as the result your money.
    But not all the companies are ready to offer their clients best service,
    they trying to get you through low prices, quick delivery, etc., while is
    it so important for you?

    Basically what are you doing when you buy something via Internet?
    You let somebody into your personal finances.
    Till no completely secure way of transferring the confidential information
    invented, the number one priority for each and every online company is
    to secure transaction and to hide information about their clients.

    Who knows, may be your partner or your online discount shop is one of them.

    We are glad to provide you with this information; we want you to use secure
    online resources and most important those who care about you.

    Kind Regards,

    _____

    Today TOP Unsecure Company :

    Name Specification Security Score*
    Name Specification Security Score*

    CreditCards.com Credit card Processing network - 100

    Security Score:
    -100 - no security
    1 - simple security
    100 - Very good security (firewalls + Crypt of confident information in database.)

  7. Re:This should happen more often, actually. by Kultamarja · · Score: 5
    > "These secure methods have been developed years ago, and are still not being used on a wide scale."

    Yeah sure - in the glorious US of A. You again seem to forget that there is a place called "the rest of the world" which is technologically more advanced and actually DOES use these highly secure technologies.

    I can do 1024b RSA signatures from all of my various cell phones (or sigs with longer keys for that matter, if needed). And I can pay for things with 'em too. All the major banks here use secure payment methods instead of lousy age-old credit cards. I don't have to use one single insecure method for paying anymore if I don't feel like it.

    All I'm saying is that: it's really up to you. If you want things to change in the US, then bloody change them! It's not any harder than that. YOU are the customer and it's your right to demand things. Start demanding, and keep demanding until they deliver.

    .kultis

  8. Yeah honey... by DanThe1Man · · Score: 5

    Yeah honey, it was a Russian Cracker that charged all those porn sites on our credit cards, yeah... that's it.

  9. Russians? by clinko · · Score: 4

    No wonder Russians are good at cracking things. The writing has those crazy cryptic backwards letters. They're already 1 step ahead of us.

    Silly Russians.

  10. I got e-mail by folks talking about this by JeffL · · Score: 4
    I got a (well) forged e-mail originating from Psinet UK, which in broken English informed me that it was from people looking out for my well-being. They claimed to be targeting companies which "do not care about their clients."

    They mention creditcards.com specifically by name and give it a score of -100 for security (no security).

    Using my address tracking I could tell they sent me this e-mail using the address I gave to a merchant I used nearly a year ago. Of the 100s of online purchases I make a year, it looks like one of the few places where I made a personal purchase processed their information through creditcards.com. If it had been one of my many corporate purchases I wouldn't have cared too much, but I guess now I will have to go and change the number on the card I used.

    If people care, I can post the entire message.
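    The two things JeffL did by hand above, in comment 6 (reading the Received chain of the forwarded message to see where it really came from) and in comment 10 (using a per-merchant "+tag" in his address to work out which vendor leaked it), can be automated. The following is an added example, not code from the original thread; the raw message it parses is a constructed reproduction of the headers quoted in comment 6 with the angle-bracket fields the poster had to strip put back, and `.my.domain` stands in for the recipient's own mail domain.

```python
"""Added example: triage a forwarded mail by walking its Received chain,
comparing the injecting host with the claimed From domain, and extracting
the plus-address tag from the To header. RAW_MESSAGE is a constructed
reproduction of the headers quoted in the thread, not a captured message."""
import email
import re
from email.utils import parseaddr

RAW_MESSAGE = """\
Return-Path: <chad@microsoft.com>
Received: from mybigserver.my.domain (mybigserver.my.domain [10.0.0.1])
    by mymail.my.domain (8.9.1a/8.9.1/FOO-3.0s) with ESMTP id PAA365001
    for <me+myvendorid@my.domain>; Mon, 11 Dec 2000 15:08:14 -0700 (MST)
From: chad@microsoft.com
Received: from eb.com ([146.101.3.203])
    by mybigserver.my.domain (8.10.1/8.10.1/FooBar+Hesiod (MyConfig)) with SMTP id eBBM8GJ15524
    for <me+myvendorid@my.domain>; Mon, 11 Dec 2000 15:08:16 -0700 (MST)
Received: from blu01650-4-1 [127.0.0.1] by eb.com [127.0.0.1] with SMTP (MDaemon.v2.7.SP5.R) for <me+myvendorid@my.domain>; Mon, 11 Dec 2000 22:02:44 +0000
Date: Mon, 11 Dec 2000 22:02:44 +0000
Subject: HOT NEWS 11 DECEMBER 2000, HACKERS GOT INTO CREDITCARDS.COM !!!
To: me+myvendorid@my.domain
X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron

Dear Customers of CREDITCARDS.COM,
"""

# "from <host> ... by <host>" inside one unfolded Received header.
HOP_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.IGNORECASE)
# A dotted-quad address in square brackets, as MTAs write the peer address.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw: str) -> list:
    """Return the hops oldest-first (Received headers are newest-first in the message)."""
    msg = email.message_from_string(raw)
    hops = []
    for header in msg.get_all("Received") or []:
        flat = " ".join(header.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip_match = IP_RE.search(m.group(2))
        hops.append({"from_host": m.group(1), "ip": ip_match.group(1) if ip_match else None,
                     "by_host": m.group(3)})
    return list(reversed(hops))


def injection_point(hops: list, trusted_suffix: str):
    """Walk back from the receiver's own servers. The first hop handed over by a host
    outside the trusted domain is where the message entered; every older hop was
    written by the sender's side and can say anything."""
    for hop in reversed(hops):  # newest first
        if not hop["from_host"].lower().endswith(trusted_suffix):
            return hop
    return None


def from_domain(raw: str) -> str:
    """Domain of the (unauthenticated) From header."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def sender_mismatch(raw: str, trusted_suffix: str = ".my.domain") -> bool:
    """True when the claimed From domain is not the host that injected the message."""
    hop = injection_point(parse_received(raw), trusted_suffix)
    if hop is None:
        return False
    injecting = hop["from_host"].lower()
    claimed = from_domain(raw)
    return not (injecting == claimed or injecting.endswith("." + claimed))


def recipient_tag(raw: str):
    """The '+tag' part of the local address: the poster's per-merchant address tracking."""
    msg = email.message_from_string(raw)
    local = parseaddr(msg.get("To", ""))[1].partition("@")[0]
    return local.partition("+")[2] or None


def triage(raw: str, trusted_suffix: str = ".my.domain") -> dict:
    """Everything a responder wants in one place."""
    hops = parse_received(raw)
    hop = injection_point(hops, trusted_suffix)
    return {"claimed_from": from_domain(raw),
            "injected_by": hop["from_host"] if hop else None,
            "injecting_ip": hop["ip"] if hop else None,
            "from_mismatch": sender_mismatch(raw, trusted_suffix),
            "merchant_tag": recipient_tag(raw),
            "hops": hops}


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

    On the constructed message the claimed sender domain is `microsoft.com`, but the hop that handed the message to the recipient's own servers came from `eb.com` at `146.101.3.203`, so the From header is flagged as a mismatch; the `+myvendorid` tag says which merchant was given that address. Only the hop written by a server you operate is trustworthy, which is why the walk starts from the receiver's side rather than from the top of the chain.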

  11. This should happen more often, actually. by Arlet · · Score: 4

    Creditcards are by nature very unsafe, because their security depends on a single "public key" that's printed on the outside, and that's given out and stored by everyone that accepts payment with them. Moreover, they are handled in a very insecure way. Why do some on-line institutions insist on keeping their credit card database on a networked computer? Why do they insist on keeping the number anyway? I'd rather type it in every time it was used, and then have it thrown away after the transaction. And why do they apparently store them in clear text? It would be pretty easy to encrypt them using a cookie that's stored on my browser.

    It's time to move towards a more cryptographically secure way of making payments. These secure methods were developed years ago, and are still not being used on a wide scale. As long as the costs associated with the occasional credit card theft aren't too high, the banks will not take action. So, it's good that things like this happen once in a while, since the banks will take most of the damage anyway (their biggest loss is probably loss of confidence by big consumer groups).

  12. Merchants should use common sense by Huusker · · Score: 5

    E-commerce merchants need to use common sense when dealing with credit card transactions.

    1. Never, ever, store credit card numbers on the web server. After getting the authorization code from the cc processor, scrub the number from memory. If you absolutely must store cc numbers, put them on a backend server behind a firewall.
    2. Hunt down and kill any debug log files in your payment software that may inadvertently record cc numbers. (This is what burned CDUniverse.com)
    3. Configure your payment system to do realtime auth so you don't need to batch cc numbers for later capture. Thus the cc number lives on your site for only a few seconds.
    4. Always use the Address Verification System (AVS) to verify the postal address against the cc.
    5. Always check ARIN/RIPE for the country of the IP address. Assume that any cc purchase attempts originating from East European countries are suspect. (Especially from the St. Petersburg area of Russia, which are almost 100% fraudulent.)
    6. Set your site up to automatically ban users who try to spam your order system with bogus cc numbers or failed AVS checks.

    In addition to the above, do the usual security procedures that you would do for any secured site (e.g., do anti-virus checks, checksum system files, sweep for trojans, etc.)
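    Items 1 through 6 of Huusker's list describe one merchant-side flow, so here is an added example that puts them together in code. It is not code from the thread or from any real processor: `fake_processor` is a constructed stand-in for the card processor's real-time authorization call, the `203.0.113.0/24` prefix is a constructed placeholder for a registry lookup, and the card numbers are the usual test values. The flow authorizes in real time, keeps nothing but the auth code and the last four digits, redacts any Luhn-valid number that reaches a log line, requires the AVS match, and bans clients that keep feeding it bogus numbers.

```python
"""Added example: a merchant authorization flow following the six practices in
the comment above. The processor, the IP prefix table and the card numbers are
constructed for the example; nothing here is a real processor API."""
import logging
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; keeps order ids and timestamps from being mistaken for PANs."""
    digits = re.sub(r"[ -]", "", candidate)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in a string with a fixed marker (item 2)."""
    return CARD_RE.sub(lambda m: "[PAN-REDACTED]" if luhn_ok(m.group()) else m.group(), text)


class PanRedactingFilter(logging.Filter):
    """Logging filter so debug output can never record a card number."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def fake_processor(pan: str, amount_cents: int, postal_code: str) -> dict:
    """Constructed stand-in for the processor's real-time auth call: approves
    Luhn-valid numbers and reports whether the billing postcode matched (AVS)."""
    approved = luhn_ok(pan) and amount_cents > 0
    return {"approved": approved, "avs_match": postal_code == "12345",
            "auth_code": "A1B2C3" if approved else None}


# Constructed prefix table standing in for an ARIN/RIPE country lookup (item 5);
# a deployment would query the registry or a geolocation database instead.
REVIEW_PREFIXES = {ip_network("203.0.113.0/24"): "XX"}


def needs_manual_review(client_ip: str) -> bool:
    """Flag orders from prefixes the merchant wants a human to look at."""
    addr = ip_address(client_ip)
    return any(addr in net for net in REVIEW_PREFIXES)


class OrderGateway:
    """Authorizes in real time and retains only the auth code and last four digits."""
    def __init__(self, processor, max_failures: int = 3):
        self.processor = processor
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.banned = set()
        self.log = logging.getLogger("orders")
        self.log.addFilter(PanRedactingFilter())

    def authorize(self, client_ip: str, pan: str, amount_cents: int, postal_code: str):
        if client_ip in self.banned:
            return "banned", None
        # Item 3: authorize now rather than batching numbers for later capture.
        result = self.processor(pan, amount_cents, postal_code)
        # The filter redacts the PAN before this line can reach any handler.
        self.log.info("auth attempt from %s for card %s", client_ip, pan)
        if result["approved"] and result["avs_match"]:  # item 4: AVS must match
            self.failures[client_ip] = 0
            # Item 1: only the auth code and last four digits leave this method.
            return "approved", {"auth_code": result["auth_code"], "last4": pan[-4:],
                                "review": needs_manual_review(client_ip)}
        self.failures[client_ip] += 1  # item 6: count bogus numbers and failed AVS
        if self.failures[client_ip] >= self.max_failures:
            self.banned.add(client_ip)
        return "declined", None


if __name__ == "__main__":
    gw = OrderGateway(fake_processor, max_failures=2)
    print(gw.authorize("10.0.0.9", "4111 1111 1111 1111", 1999, "12345"))
    print(redact_pans("debug: card 4111-1111-1111-1111 declined for 10.0.0.9"))
```

    The record handed back to the order system carries no PAN, so there is nothing on the web server for a later visitor (the sniffer scenario tbo raises) to harvest from storage; a logging filter on the logger, rather than on one handler, covers every destination the payment code logs to. The geolocation result is surfaced as a review flag rather than an automatic decline, which is where a merchant's own risk policy takes over.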