Slashdot Mirror


Credit Card Database Stolen -- 4 Months Ago

jeffw writes: "Once again a Russian cracker got into an online credit card database and attempted to extort money from the company. MSNBC has the details. Previous incidents were covered on Slashdot here and here. This time it was the appropriately named CreditCards.com, a credit card processing service for merchants. You would probably expect to be notified by one of the processors, the card issuer or the merchant, but in this case victims have to notice the fraudulent charges themselves and contact their card issuer. Hmm, CreditCards.com. I'm sure no cracker would ever think of that as a juicy target. Why not name your company FreeMoneyForCrackers.com instead?"

5 of 156 comments

  1. Re:Not freemoneyforhackers.com by cynthetik · · Score: 5

    You can buy chips at Vegas casinos with credit cards and then return them for cash. That seems like money to me. I know that it works because someone racked up a $20 000 debt on a friend's card using that method. She only found out when the FBI called her. But then that was nasty American hackers ripping off poor Australians, so it never got reported ;)

    --
    .sig .sig .sputnik
  2. Re:i care by JeffL · · Score: 5

    OK, here is the message in all its glory. I have changed MY information in the header, but have left all sender information as I received it. I also had to change a bit of the formatting to get around /.'s lameness junk character filter. The words of the text are untouched.

    Return-Path: chad@microsoft.com
    Delivery-Date: Mon Dec 11 15:08:14 2000
    Return-Path:
    Received: from mybigserver.my.domain (mybigserver.my.domain [10.0.0.1])
    by mymail.my.domain (8.9.1a/8.9.1/FOO-3.0s) with ESMTP id PAA365001
    for ; Mon, 11 Dec 2000 15:08:14 -0700 (MST)
    From: chad@microsoft.com
    Received: from eb.com ([146.101.3.203])
    by mybigserver.my.domain (8.10.1/8.10.1/FooBar+Hesiod (MyConfig)) with SMTP id eBBM8GJ15524
    for ; Mon, 11 Dec 2000 15:08:16 -0700 (MST)
    Message-Id:
    Received: from blu01650-4-1 [127.0.0.1] by eb.com [127.0.0.1] with SMTP (MDaemon.v2.7.SP5.R) for ; Mon, 11 Dec 2000 22:02:44 +0000
    Date: Mon, 11 Dec 2000 22:02:44 +0000
    Subject: HOT NEWS 11 DECEMBER 2000, HACKERS GOT INTO CREDITCARDS.COM !!!
    To: me+myvendorid@my.domain
    X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
    X-MDaemon-Deliver-To: me+myvendorid@my.domain
    X-Return-Path: chad@microsoft.com

    Dear Customers of CREDITCARDS.COM,

    Security score rating: -100

    Go there to read the STORY about creditcards.com !!!

    http://venus.njcc.com/ccs/index.html
    http://www.givit.com/content/ccs/index.html
    http://203.29.170.11/ccs/index.html

    We represent a group of experts trying to save you from companies, which
    do not care about their clients. For your attention we have
    designed the "Never trust companies" list.

    Any simple hacker can get into Creditcards.com where your confident information stored.

    We was contacted with President (Michael Butts) of CreditCards.com, and
    they was say us " We don't care about information and about customers"

    Today is the special time for every Internet user, e-commerce is still growing
    and competitors are fighting each other to win your attention, your loyalty
    and as the result your money.
    But not all the companies are ready to offer their clients best service,
    they trying to get you through low prices, quick delivery, etc., while is
    it so important for you?

    Basically what are you doing when you buy something via Internet?
    You let somebody into your personal finances.
    Till no completely secure way of transferring the confidential information
    invented, the number one priority for each and every online company is
    to secure transaction and to hide information about their clients.

    Who knows, may be your partner or your online discount shop is one of them.

    We are glad to provide you with this information; we want you to use secure
    online resources and most important those who care about you.

    Kind Regards,

    _____

    Today TOP Unsecure Company :

    Name Specification Security Score*

    CreditCards.com Credit card Processing network - 100

    Security Score:
    -100 - no security
    1 - simple security
    100 - Very good security (firewalls + Crypt of confident information in database.)

  3. Re:This should happen more often, actually. by Kultamarja · · Score: 5

    > "These secure methods have been developed years ago, and are still not being used on a wide scale."

    Yeah sure - in the glorious US of A. You again seem to forget that there is a place called "the rest of the world" which is technologically more advanced and actually DOES use these highly secure technologies.

    I can do 1024b RSA signatures from all of my various cell phones (or sigs with longer keys for that matter, if needed). And I can pay for things with 'em too. All the major banks here use secure payment methods instead of lousy age old credit cards. I don't have to use one single unsecure method for paying anymore if I don't feel like it.

    All I'm saying is that: it's really up to you. If you want things to change in the US, then bloody change them! It's not any harder than that. YOU are the customer and it's your right to demand things. Start demanding, and keep demanding until they deliver.

    .kultis

  4. Yeah honey... by DanThe1Man · · Score: 5

    Yeah honey, it was a Russian Cracker that charged all those porn sites on our credit cards, yeah... that's it.

  5. Merchants should use common sense by Huusker · · Score: 5

    E-commerce merchants need to use common sense when dealing with credit card transactions.

    1. Never, ever, store credit card numbers in the web server. After getting the authorization code from the cc processor, scrub the number from memory. If you absolutely must store cc numbers, put them on a backend server behind a firewall.
    2. Hunt down and kill any debug log files in your payment software that may inadvertently record cc numbers. (This is what burned CDUniverse.com)
    3. Configure your payment system to do realtime auth so you don't need to batch cc numbers for later capture. Thus the cc number lives on your site for only a few seconds.
    4. Always use the Address Verification System (AVS) to verify the postal address against the cc.
    5. Always check ARIN/RIPE for the country of the IP address. Assume that any cc purchase attempts originating from East European countries are suspect. (Especially from St. Petersburg area of Russia, which are almost 100% fraudulent.)
    6. Set your site up to automatically ban users who try to spam your order system with bogus cc numbers or failed AVS checks.

    In addition to the above, do the usual security procedures that you would do for any secured site (e.g., do anti-virus checks, checksum system files, sweep for trojans, etc.)
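
An added example, not part of the thread or of any poster's code, for item 2 of the list above: a scanner that finds card numbers in payment-software log lines by pairing a digit-run pattern with the Luhn checksum, then masks all but the last four digits. The log lines are constructed sample data using standard test card numbers, and the function names are this example's own.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces/hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_line(line):
    """Mask Luhn-valid card numbers in one line; return (masked_line, hits)."""
    hits = 0
    def repl(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # order ids and similar runs stay untouched
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(repl, line), hits

def scan(lines):
    """Return (masked_lines, findings); findings = [(line_no, hits), ...]."""
    masked, findings = [], []
    for line_no, line in enumerate(lines, start=1):
        new_line, hits = mask_line(line)
        masked.append(new_line)
        if hits:
            findings.append((line_no, hits))
    return masked, findings

# Constructed sample log; the card numbers are well-known test values.
SAMPLE_LOG = [
    "2000-12-11 15:08:14 DEBUG auth request card=4111111111111111 exp=0102",
    "2000-12-11 15:08:15 INFO order 1234567890123456 accepted",
    "2000-12-11 15:08:16 DEBUG retry pan=5500-0000-0000-0004 avs=N",
    "2000-12-11 15:08:17 INFO auth code 482913 returned",
]

if __name__ == "__main__":
    masked, findings = scan(SAMPLE_LOG)
    print("\n".join(masked))
    print("lines that recorded card numbers:", findings)
```

The Luhn check keeps false positives down: the 16-digit order id on the second sample line is left alone because it fails the checksum.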