CD UNIVERSE CASE SUGGESTS A GANG OF 'CARDERS' DEDICATED
TO STEALING CREDIT CARD NUMBERS
The apparent theft of 350,000 credit card numbers from CD Universe's
Web site by a Russian teenager has sent several companies scrambling
to repair the damage, and set off a worldwide manhunt by the Federal
Bureau of Investigation.
After stealing the card numbers,
"Maxus," the alleged perpetrator, told CD Universe he would not
post them on a Web site if the firm paid him $100,000. When CD Universe
refused, Maxus posted the numbers in early January. Several CD Universe
customers already have said their credit cards were used for unauthorized
charges. Before the Maxus site was shut down, a traffic counter
indicated that several thousand visitors had downloaded more than
25,000 credit-card numbers between Dec. 25 and January 7.
American Express announced it was
replacing compromised cards of the Web site's customers. Discover
said it reissued about 10,000 cards. Discover's Cathy Edwards said
although it wasn't yet clear if card numbers were misused, it was
the only time she remembers the company recalling its cards, CNET
reported. CD Universe was expected to announce a beefed-up security
program. In the days following the Maxus caper, CD Universe's Web
350,000 had made purchases without a problem.
Perhaps most significant was that
the affair opened a window, albeit briefly, into a world of hackers
dedicated to stealing credit card numbers, who call themselves "carders."
On an Internet chat site, one carder said, "Maxus, you're da man!
:) AMAZING site. how about adding a page with suggestions of things
you can do with cards? that can be really useful. i'm sure many
will agree with me :) keep on with the great work!"
Another said: "Hey MAN really great
IDEA. I'm from Argentina Here the Credit Card Numbers are sold for
about 15 dolars (sic). Hehehehe Is South America or what?" Another
had this suggestion: "Max, Can you try adding the phone number of
the CC Holder and the Bank's phone, Issuing bank :) thank you thank
you thank you." Finally, a fourth carder asked, "When will there
be fresh credit cards again Max?" (Naturally, no identities were
Privacy Times sent an e-mail to
one carder, asking for more information. His only reply: "hmmmm
hackers... they dont harm.. they are forced to harm :) the word
exploit is not only for computers... some human exploit other humans
to :) thats why .."
In one e-mail, Maxus said he'd been
involved in the illegal use of credit cards since 1997. He said
he tried to create a legal online company that would take payments
with a credit card processing system. But then he found he could
subvert ICVerify, CyberCash's credit card verification software
program, which is widely used by e-commerce merchants.
"In 1998," he wrote, "I hacked in
to a chain of shops and got ICVerify program with necessary configuration
files for transferring money." Using ICVerify, he was able to make
a charge on a credit card and then give a chargeback refund to a
second credit card, a system he said gave him an "almost anonymous"
offshore credit card account. He also claimed that he
obtained cash from an automatic teller machine using this account
after performing unspecified "tricks" with ICVerify.
While it's possible that Maxus cracked
an encrypted file, experts said it's more likely that CD Universe's
online log files stored the credit-card data in "plain text," making
it readable to anyone who could hack the site. Some experts said
ICVerify software logs each transaction, and, at the end of each
day, saves the log file, credit card numbers and all, in a plain-text
archive, MSNBC reported. Up to nine years of data can be saved,
said one ICVerify reseller.
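
An added example, not part of the original article and not ICVerify code: one way a merchant could audit a plain-text transaction log of the kind described above for stored card numbers and mask them. The log line format, field names and sample entries are constructed for illustration; the card values are standard test numbers.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order ids, batch ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()    # leave non-card numbers untouched
    return "*" * (len(digits) - 4) + digits[-4:]

def redact_line(line: str) -> str:
    """Return the line with any Luhn-valid card number masked to its last four digits."""
    return PAN_RE.sub(_mask, line)

def audit(lines):
    """Return (1-based line numbers that held a card number, redacted copy of the log)."""
    findings, clean = [], []
    for n, line in enumerate(lines, 1):
        redacted = redact_line(line)
        if redacted != line:
            findings.append(n)
        clean.append(redacted)
    return findings, clean

# Constructed sample log (hypothetical format, test card numbers only).
SAMPLE_LOG = [
    "2000-01-03 10:14:02 SALE order=1001 card=4111111111111111 exp=0101 amt=15.99 APPROVED",
    "2000-01-03 10:15:40 SALE order=1002 card=5500-0000-0000-0004 exp=0302 amt=27.50 APPROVED",
    "2000-01-03 10:16:11 BATCH id=20000103101611 items=2 total=43.49",
]

if __name__ == "__main__":
    hits, cleaned = audit(SAMPLE_LOG)
    print("lines holding card numbers:", hits)
    print("\n".join(cleaned))
```

Masking an existing archive is cleanup after the fact; the stronger control is for the logging path never to write the full number.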
Maxus claimed that both CyberCash
(ICVerify's owner) and Microsoft were "lame because I can view their
files in plain text," MSNBC reported.
"The real issue is, why are merchants
storing the credit cards at all?" asked Jim Cannavino, CEO of Cybersafe,
which is promoting a new online transaction scheme that eliminates
credit card numbers entirely.
This probably wasn't the first extortion
attempt by a hacker. One MSNBC source said he once helped broker
a deal where a London bank paid $1 million to destroy stolen data.
One CD Universe customer, Joe Maloney
of Boston, said there were 13 unauthorized charges of $250 on his
Visa card, between Dec. 26 and Jan. 4. "I wasn't so upset about
what happened as I was upset that CD Universe had not contacted
me. They still haven't," Maloney told MSNBC Jan. 11. "I don't know
if I'll be ordering anything from them for a while -- if ever."
In a follow-up, MSNBC was able to
view some 2,500 credit card numbers at seven e-commerce Web sites
within about 20 minutes using elementary instructions provided by
a source. Then MSNBC turned its attention to GlobalHealthtrax, which
sells health products using the multilevel marketing method. The
site allows customers to pay for their monthly subscription of products
by automatically deducting from bank accounts or through automatic
charges to a credit card.
An unnamed source provided a link
that, when clicked, brought up a plain text file of customers,
their home phone numbers, and in about 1,000 cases, bank account
information - including account numbers, routing numbers, and even
bank names. The records date from Nov. 19, 1998, through this month,
though there are only a handful of new entries dated after May of
1999. GlobalHealthtrax immediately moved to fix the problem and
blamed the incident on a disgruntled former employee. (http://www.msnbc.com/news/358952.asp?cp1=1)