Have the Hackers Got Your Number?

Patrick Collinson
Saturday May 18, 2002
The Guardian

Think your credit card details are confidential? Then think again. Highly personal information is being sold to fraudsters on the internet - and Patrick Collinson discovered just how easy it all is.

I have no idea who Sue Darnell of Pittsburgh, Pennsylvania is - but this week I got her MBNA credit card number, expiry date, telephone number and billing address. I've never been anywhere near Hawaii, but I've also got all the Citibank credit card details for Mr Dewitt White, who lives in Honolulu. 

It took me just a few minutes to obtain this information - and a lot more besides. I simply tapped into the thriving cyber-bazaars operated over the internet where organized criminal "carders" buy and sell your card number and your identity. The chat forums - where card details are sold for 40 cents to $5 (it's always dollars) - are usually operated out of web locations in the former USSR but the victims live predominantly in the US and western Europe. 

I won't pretend to have uncovered the really big card traffickers - that's a job for the recently launched National High-Tech Crime Unit - but it is astonishing how a simple search on Google, the internet's most popular search engine, instantly routed me to message boards where fraudsters were trading credit card information. 

The sites are clearly hijacked from legitimate operators and may only survive for a few days before being closed down. The biggest I found was one nominally giving weather satellite information for northern Canada. Others included a temporarily hijacked message board at an educational college in Oklahoma City. Both were impossible to access just a few days later. 

One posting on the Canadian site from someone called "Derek" said: "We are now giving 6,000 stolen credit card numbers and the most advanced financial hacking lesson". Even though it was almost certainly a fake offer, it had clearly excited the interest of hundreds of users who had posted follow-ups. 

Elsewhere, "Aldi", "Aaron" and "Mick" were trading info in a discussion entitled "How to Steal or Hack a Valid Credit Card".

"Joe Black" offered four credit card details and wanted to exchange more. He had found a willing buyer in someone called "J-J". 

But these are small scale players. According to computer security expert Dr Neil Barrett, the credit card trading centre of the world is St Petersburg in Russia. It is the site of a number of secret internet marketplaces where card details are offered in bulk, typically costing $1 a card, sold in batches of 500 through to 5,000. 

"It's not done through open access websites or newsgroups. These are point-to-point chat sessions between individual groups of hackers on an IRC channel or a side channel off an IRC channel. Junior hackers move up the scale until they are invited into a senior channel with just half a dozen people exchanging tips, tricks and credit cards. Hacking a credit card is the entry requirement for people who want to move up this ladder," says Dr Barrett. 

The Russians have adopted the practices of Wall Street, with a virtual stock market in cards, where the prices rise and fall according to daily demand. The buyers tend to be from the Far East, according to Dr Barrett. 

The volume of credit card fraud has now spiralled to "horrifying" levels according to Richard Tyson Davies of APACS, the group representing the payment systems for all the major UK banks and building societies. He says that card fraud last year was £411m compared with just £135m in 1998. By 2005 he predicts that criminals will be illegally extracting £1bn a year from British cards. Britain's biggest credit card issuer, Barclaycard, lost £41m alone to credit card fraud last year. 

Testament to the alarming globalisation trend in card fraud is the fact that one-third of fraudulent use of British-registered credit cards happens abroad, as "skimmers" and hackers collect the data in the UK but use it far from the owner's home. "Advances in technology have made it easier for organised criminal gangs to move information around the world," says APACS. 

Internet card fraud is still a relatively small, but fast-growing, part of the total sum stolen. It is centred on Britain and America (it is five times higher in Britain than in France) because that is where the largest volume of card-paid internet transactions takes place.

Hackers rarely target the databases of the banks and credit card issuers, or the transmission systems such as Visa or Mastercard. These are ferociously protected systems which to date have proved impenetrable to criminal gangs. 

But there is a much easier way to obtain credit card details. The criminals target the servers of online businesses where the credit card details of customers are held. The insecurity of the internet is not in the transmission of your credit card details over the telephone line, but in how those details are then held at the other end. 

Online retailers encourage a sense of security for customers by saying they offer 128-bit encryption technology that prevents your details being intercepted. This is true, and it works. But it doesn't stop a determined hacker from downloading an online retailer's entire customer database after your details have been transmitted on to it. 

Dr Barrett says: "Generally, an online shop collects the credit card details which go on to its server. This is then copied in its entirety by a hacker, who picks through for the credit card details. Only in the last few months have people cottoned on to the fact that it is the database, not the connection, where the insecurity lies. Just because something is 128-bit encrypted doesn't say anything about the server." 

But how much of this is really going on? A search through the press archives reveals few reports, in Britain at least, of online retailers who have suffered from their systems being hacked and credit card details stolen. Indeed APACS, while recognising the internet card fraud, says "skimming" of the magnetic strips on credit cards in shops and restaurants, particularly in London, is a far bigger problem. 

Dr Barrett chuckles at the suggestion that few retailers have been hacked. He works for Information Risk Management, which helps business fight hackers, and says hacking of credit card details is rife. He is currently aware of a major British online retailer which has recently had all its customers' credit card details stolen. 

Dr Barrett also works for the police, and was the prosecution witness at the trial of Welsh teenager Raphael Gray. Working from his bedroom on a £700 PC, Gray hacked e-commerce sites to obtain credit card details of 25,000 internet shoppers. He even obtained the credit card details of Microsoft mogul Bill Gates and used them to have a batch of Viagra sent to his home in California. 

But he escaped a jail sentence and was given a three-year rehabilitation sentence instead. After his trial, in July last year, he told reporters: "I did the right thing in exposing how easy it is to get these credit card details. The people concerned were lucky I was not a bandit from Colombia because I could have made a fortune." 

So should you not use your credit card over the net? Dr Barrett says: "There is still only a very small number of online merchants' databases that we can't hack through. Even the most reputable on-line stores can be found wanting. If you ask me would I be worried about using my credit card over the net, then the answer is yes." 

He recommends that card users should take out a separate credit card which has a low spending limit, so that if the card is stolen in cyberspace, the amount that can be taken off it is limited. 

Visa, the biggest credit card payment system, is working hard to improve security at online merchants. "Clearly this is a worldwide problem," says Visa spokeswoman Roz Barder. "We are very concerned that merchants store the data on customers' credit cards properly, and to this end we launched an account information security program in August last year. A lot of work is also done liaising with law enforcement agencies globally." 

APACS has set up a Fraud Intelligence Bureau, a rapid response unit that shares information between the banks and police to combat fraud. 

Home secretary Jack Straw chaired the launch in April last year of a £25m initiative to tackle cybercrime. The money will go to set up a National High-Tech Crime Unit with 40 officers based in a covert location to fight a growing illicit subculture of fraud, extortion and money laundering. 

At the launch it emerged that at least four large internet banks in Britain have been attacked by computer hackers, and in each case hundreds of thousands of pounds were stolen. 

"When businesses say they are not being hacked they are not telling the truth," said Bill Hughes, director general of the national crime squad. 

Web of intrigue

Credit card numbers were laid bare at adult website Playboy.com in November when hackers breached its scantily clad computer security and accessed members' details. The hacker group, operating under the name "ingreslock 1524", identified customers' names, credit card numbers and card expiry dates in an email sent to each of the victims. It said it had plans to commit a $10m fraud, but later said the hacking was only designed to expose flaws in the site's security.

More than 55,000 credit card numbers were stolen in December 2000 from Creditcards.com, which processes credit card transactions for other online companies. The hackers, believed to be based in Russia, later posted the card details online when an extortion fee was not paid. 

Online music retailer CD Universe lost 300,000 of its customers' credit card details to a hacker who also posted some of them on the net. The retailer refused to pay an extortion fee of $100,000 demanded in exchange for destroying the credit card files. 

Western Union closed its website for five days in September last year after a security breach saw hackers access 15,000 records containing credit and debit card details. 

Police in Northern Ireland last year raided a home in Belfast, described as "looking like something out of the NASA space station at Cape Canaveral", to arrest a hacker alleged to have taken part in a £17m credit card and phone fraud. His case has yet to reach court. 


Guardian Unlimited © Guardian Newspapers Limited 2002

