Slashdot Mirror


60,000 Credit Cards Numbers Stolen Online

robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."

3 of 219 comments

  1. extraordinarily weak passwords? by NanoProf · Score: 4, Insightful

    The initial password assigned to the hacked account was OnlneAp16501. I wonder if the merchant before them had password OnlneAp16500? Sigh.

    --
    Curtains for windows?
  2. Re:Not as brittle as you think by CyberKnet · Score: 4, Insightful

    the hack didn't cause a disaster... yet.
    Assuming they re-issue card numbers to the people affected.

    People who have to wait for a new card.

    People who might not be at liberty to pick it up (ie what if they were overseas, with a now defunct credit card, or worse, have to keep using a compromised credit card?).

    People who still have to look for erroneous charges to their old card.

    People who would then still have to re-instate any auto-debits they have charging to that card number.

    There was annoyance to more than just the card issuers... and it wasn't even the card issuers' fault, they shouldn't have had the annoyance any more than the card owner!

    It's high time that credit card transaction processors were forced to pay up for the inconveniences as well as the charges they cause when their systems are breached.

    --
    Video meliora proboque deteriora sequor - Ovidius
  3. Re:Use one-time use numbers by aaarrrgggh · Score: 5, Insightful

    This still doesn't help you with the fact that your primary number is easy enough to guess... a 16-digit credit card number only has a maximum of 11 digits for a given bank (4-digit bank code, and at least one checksum digit).

    When a merchant is hacked like this, even brute-force number generation can be done with a little bit of information to yield a good number of valid credit card numbers.

    The problem is that the credit card companies are allowed to make their money back (from fraud) on interest, so they have no real incentive to reduce the fraud imposed by the lack of numberspace. The "one-time numbers" are just something to make people feel more comfortable about spending money online.
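The control the summary quotes as missing (nothing noticed that 140,000 authorizations were far above the merchant's normal volume) and the number testing described in comment 3 leave the same trace: a burst of authorization attempts with a high decline ratio. An added example of that check, not code from the article or any commenter; the log layout, merchant ids and thresholds are assumed:

```python
"""Velocity / decline-ratio detector for card-testing bursts (added example).
Flags a merchant whose attempts in a window exceed its normal baseline by a
factor AND whose decline ratio is high. Log format and thresholds are assumed."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, merchant id, masked PAN, auth result.
SAMPLE_LOG = """\
2002-02-01T10:00:00 M16501 411111******1111 APPROVED
2002-02-01T10:00:01 M16501 411111******2222 DECLINED
2002-02-01T10:00:02 M16501 411111******3333 DECLINED
2002-02-01T10:00:03 M16501 411111******4444 APPROVED
2002-02-01T10:00:04 M16501 411111******5555 DECLINED
2002-02-01T10:00:05 M16501 411111******6666 DECLINED
2002-02-01T10:00:06 M16501 411111******7777 APPROVED
2002-02-01T10:00:07 M16501 411111******8888 DECLINED
2002-02-01T10:30:00 M20000 522222******9999 APPROVED
2002-02-01T11:30:00 M20000 522222******0000 APPROVED
"""

def parse_log(text):
    """Return sorted (timestamp, merchant, result) tuples; the PAN is not needed."""
    events = []
    for line in text.splitlines():
        ts, merchant, _pan, result = line.split()
        events.append((datetime.fromisoformat(ts), merchant, result))
    return sorted(events)

def detect_card_testing(events, baseline, window=timedelta(hours=1),
                        volume_factor=5, min_decline_ratio=0.3):
    """Sliding-window check per merchant.
    baseline: assumed normal attempts per window for each merchant id.
    Returns {merchant: (attempts, declines)} for the first window that alerts."""
    recent = {}   # merchant -> deque of (timestamp, declined?) inside the window
    alerts = {}
    for ts, merchant, result in events:
        q = recent.setdefault(merchant, deque())
        q.append((ts, result != "APPROVED"))
        while q and ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        attempts = len(q)
        declines = sum(1 for _, declined in q if declined)
        if (merchant not in alerts
                and attempts > volume_factor * baseline.get(merchant, 1)
                and declines / attempts >= min_decline_ratio):
            alerts[merchant] = (attempts, declines)
    return alerts
```

With a baseline of one attempt per hour, merchant M16501 alerts on its sixth attempt (four of six declined) while M20000's two spaced approvals stay quiet.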