Credit Card Database Stolen -- 4 Months Ago

jeffw writes: "Once again a Russian cracker got into an online credit card database and attempted to extort money from the company. MSNBC has the details. Previous incidents were covered on Slashdot here and here. This time it was the appropriately named CreditCards.com, a credit card processing service for merchants. You would probably expect to be notified by one of the processors, the card issuer or the merchant, but in this case victims have to notice the fraudulent charges themselves and contact their card issuer. Hmm, CreditCards.com. I'm sure no cracker would ever think of that as a juicy target. Why not name your company FreeMoneyForCrackers.com instead?"
  • ...has now become creditcards.rus

  • I wonder what would happen if you used some of the stolen credit card numbers to send large amounts of stuff to someone that you didn't like.
    Would they get arrested?
    Or would they just get a whole bunch of free stuff. Of course, I'm sure that someone could have fun with this. Let's see, what could you send; live animals? pornographic material? software that forces all sorts of horrible binding conditions on the user as soon as he breaks the shrinkwrap license. The possibilities are endless.



  • I found this press release by CreditCards.com from earlier this year. To summarize, "CreditCards.com is pleased to partner with CueCat to provide security to our database. We have been deeply impressed with CueCat's unbreakable Base64 encoding scheme. Rest assured that your financial information is now secure."
  • "... use all the good security practices you read about on slashdot..."

    How many times has slashdot been cracked now?

  • Yeah, check your wallet. If your wallet is present, breathe a sigh of relief, they didn't haXor your pants.
  • Ok, your credit card number is supposed to be secret, they tell you. But then they print it in clear text on the very card that you are supposed to present to countless people every day. What the fuck? And then they complain about high fraud rates?

    Furthermore, well known algorithms exist to guess valid CC numbers, which can then be used for online or phone purchases. All the resulting fraud has to be absorbed by the merchants, meaning higher prices for everybody.

    The only fair solution is this: credit card customers should have to pay higher prices; those of us who use safer payment schemes shouldn't be penalized.

    Short of that, boycott merchants who accept credit cards, so that you are not forced to pay for the results of an ill-designed system.



  • Even if there really are that many extortion attempts, the problem is always to find evidence of the break-in. While I understand this can be tough, a credit card company might be expected to have serious security measures, with enough software and hardware installed to keep an eye on things. The fact that they couldn't even recognise that they had been visited without authority (not even after 4 months) makes you wonder if this kind of e-business is possible at all (I'm supposing here that creditcards.com did everything in their power to have the most secure systems possible). The risk of your card info getting hacked is not as low as we might hope. Considering the Pentagon gets hundreds of thousands of hacks a year, with the occasional 300 slipping in and about 10 % of that getting into the real deal, chances are sooner or later your card number is going to get hacked.. heck.. maybe my card number is already on that list, I don't even have a clue!

    Ok, this is all pure speculation on my account, and I don't want to sound bitter, but you catch my drift. Unless news like this keeps popping up, how can I convince my family that this is what they should try to get accustomed to because it's simply a new, smarter, easier, and still safe way to spend their money..

    In the meantime, not knowing what goes on with our money kinda seems totally unfair to me, although in many cases this can be experienced more as a convenience .. but then usually our money is not in jeopardy either..

  • Woo! Thanks. I know that there's also an HTML tag out there that you can apply so that a browser won't process the enclosed tags, but my HTML is extremely rusty, and I can't for the life of me remember what it is. I never thought of doing it your way, though...

    Although, now that I look at the "Allowed HTML" codes, I don't exactly recognize any codes as being the HTML code I'm looking for, so...



  • now wait... the title of the story is

    credit card database stolen -- 4 months ago

    am i to believe that slashdot is making some reference to the untimeliness of someone else? that's just funny. reeeeally funny.

  • They seem to have taken down their list of affiliates. Perhaps too many people were complaining to their customers. Another bold security step by Creditcards.com.

    If nobody knows who the original merchant responsible for leaking their credit card is, nobody can complain (except to creditcards.com, who doesn't do business with the individual customer anyway). Of course, no one can check to see if they did business with one of Creditcard.com's customers and therefore might have a compromised number.

    Not only were they careless with the data and refused to notify people after their info was compromised, they are actively trying to prevent people from finding out if they were victimised by Creditcard.com's incompetence. How slimy can they get?
  • Didn't Visa just institute a relatively strong policy on e-commerce, that yanks the ability to take Visa if not followed? I would tend to doubt that they were following those tenets when they got hacked.
  • Won't work. You need the name of the card holder, as it appears on the card.

    I do agree that a more secure way of credit payment is sorely needed, though. If one time tokens can be used for logging into computers I don't see why the same technology couldn't be extended to making credit card payments.

  • From Netcraft: The site creditcards.com runs Microsoft-IIS/4.0 on NT4/Windows 98 [netcraft.com].

    I wonder if their CTO (aka their MCSE) threw all the CC#s into an Access database on their one big server (also running Exchange)? Just kidding... I hope.

  • How is this comment a troll comment? I would really like to know that. The post is 100% true. We do use them to process all our online orders.

  • I'm waiting to hear someones cracked into Paymentech. They are one of the largest payment processors out there, including billing for AOL.

    And it's bound to happen. They're ripe for the pickings, really. Nearly all of the credit card processors are so insecure it's mind boggling.
  • Which would be useful if anyone did that.

    I've been doing e-commerce consulting for seven years now, and with many companies you just can't get them to use decent security -- one of the first ISPs I set up with CC processing is a good example, we got everything set up to deliver orders to the merchants via encrypted e-mail, but guess what: every single one of them refused, they wanted cleartext e-mail.

    Pretty darn depressing.

  • Actually, the "4159" indicates the bank that issued the card. Only the 4 signifies a Visa. The only card (that I know of) that uses all four digits to show what type of card it is is Discover, because they only have one bank issuing that card, as opposed to Visa/Mastercard, which each have many thousands of bank issuers.
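Two of the comments above make checkable claims: that well-known algorithms exist to produce valid-looking card numbers, and that only the leading digits identify the network while the longer prefix identifies the issuer. The following is an added example, written for this page and not code from the thread, CreditCards.com or any payment network. It implements the Luhn checksum (the only arithmetic check a card number carries), shows that any prefix can be completed to a Luhn-valid number, and maps the widely published network prefixes to a network name. The six-digit issuer (IIN/BIN) lookup the comment mentions needs the networks' BIN tables and is deliberately not included; the test number used is the standard Visa test PAN, not a real account.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not from the original thread. Luhn detects typos, not
// forgeries: passing it proves nothing about whether an account exists.

// luhnValid reports whether a string of digits passes the Luhn check.
func luhnValid(pan string) bool {
	if len(pan) < 2 {
		return false
	}
	sum := 0
	double := false // the rightmost digit (the check digit) is not doubled
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// luhnCheckDigit returns the digit that, appended to partial, makes the
// result pass luhnValid. ok is false if partial is not all digits.
func luhnCheckDigit(partial string) (digit int, ok bool) {
	sum := 0
	double := true // the digit just left of the check digit is doubled
	for i := len(partial) - 1; i >= 0; i-- {
		c := partial[i]
		if c < '0' || c > '9' {
			return 0, false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return (10 - sum%10) % 10, true
}

// networkPrefixes lists the widely published leading digits of the major
// networks, most specific first. Only the network is recoverable from these;
// the issuing bank is identified by the first six digits (the IIN/BIN), which
// requires the networks' BIN tables and is not included here.
var networkPrefixes = []struct{ prefix, network string }{
	{"34", "American Express"}, {"37", "American Express"},
	{"51", "Mastercard"}, {"52", "Mastercard"}, {"53", "Mastercard"},
	{"54", "Mastercard"}, {"55", "Mastercard"},
	{"6011", "Discover"}, {"65", "Discover"},
	{"4", "Visa"},
}

// cardNetwork returns the network name for a PAN, or "unknown".
func cardNetwork(pan string) string {
	for _, p := range networkPrefixes {
		if strings.HasPrefix(pan, p.prefix) {
			return p.network
		}
	}
	return "unknown"
}

func main() {
	// Constructed input: the well-known Visa test PAN, not a real account.
	pan := "4111111111111111"
	fmt.Println(pan, cardNetwork(pan), "luhn ok:", luhnValid(pan))
	// Any 15-digit prefix can be completed to a Luhn-valid 16-digit number,
	// which is all "guessing a valid card number" amounts to.
	d, _ := luhnCheckDigit(pan[:15])
	fmt.Println("check digit for", pan[:15], "is", d)
}
```

Because the check digit is computable from the other digits, a merchant that relies on Luhn alone accepts any fabricated number; the issuer's authorization response is the only real validity check.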

  • I'd rather have Stephenson devoting his time to novels than a bi-weekly weblog column...
  • by elenchos ( 237104 ) on Tuesday December 12, 2000 @09:51PM (#563381)
    You wonder why the ones you hear about after they get caught always seem so dumb? It is because if they were not so dumb, then they would not get caught, and then you would never have heard of them. Often they got caught by bragging about how 31337 they are. You can continue this logic to make the mystical connection with the fact that people who brag about themselves all the time are really idiots, and that in prison you can find many idiots bragging about how smart they are. There are numerous corollaries and converses to this, but they are too obvious to mention.



  • by Antaeus Feldspar ( 118374 ) on Tuesday December 12, 2000 @09:51PM (#563382) Homepage

    I don't pretend to know how the cracker got the credit card numbers from CreditCards.com. But judging from the way they've chosen to handle the problem, I'm not surprised they could be ripped off in the first place; they have all the earmarks of a company that still believes security through obscurity is their best approach.

    In all honesty, this is a disturbing attitude that we seem to be seeing more and more from companies: the customer is no longer regarded as someone to be served with enlightened self-interest, so as to reap rewards. It's much easier instead to enter into near-conspiratorial relations with other companies; to regard the other company, the one with the large pre-existing legal team, as the entity who has to be kept happy -- and regard the customer with ill-concealed loathing, as the one who makes your 'job' of pleasing your partner company that much harder.

    From this perspective, it seems downright logical to let people's credit cards be compromised and not tell them -- it's only important to please the merchants who want to take credit cards, not the people whose credit cards they are! And what are the chances that poor service to cardholders would ever result in them losing those merchant contracts? Not good enough to make them really care, it seems.

  • by cynthetik ( 97316 ) on Tuesday December 12, 2000 @09:54PM (#563383)
    You can buy chips at Vegas casinos with credit cards and then return them for cash. That seems like money to me. I know that it works because someone racked up a $20 000 debt on a friend's card using that method. She only found out when the FBI called her. But then that was nasty American hackers ripping off poor Australians, so it never got reported ;)
  • Do you think "secure-windows-server.com" is available?
  • a guy i know had his credit card number stolen. the thief charged a lot of office furniture and office supplies on it and had it all shipped to his (the thief's) new home office (he wasn't too bright, huh?). my friend called the credit card company when he got the charges and got them reversed. he then did a little research and got the address the furniture was sent to. he went to the location and saw the new stuff, verified that at least some of what was there was charged on his card, and then called the CC company to tell them he found the guy who did this. he was told that it wasn't worth the trouble of going after the guy so they weren't going to do anything. no charges were filed. the stuff wasn't recovered.

    at least my friend didn't end up paying for it, but i wonder, if they did prosecute more often on even little things (when they have proof of course), would this lower the amount of this type of fraud? and would i be living in a dream world to hope that this might lower those pesky interest rates and/or fees we all love to see?

    "Leave the gun, take the cannoli."
  • I checked WHOIS, and it's available. Better register it and put a Linux box up serving a page stating that a secure windows server is only a dream.
  • by tbo ( 35008 ) on Tuesday December 12, 2000 @10:01PM (#563387) Journal
    Configure your payment system to do realtime auth so you don't need to batch cc numbers for later capture. Thus the cc number lives on your site for only a few seconds.

    If your system is cracked, what's to stop Mr. 1337 hAx0r from putting a sniffer or something like that on your network, then returning in a month to harvest the many credit card numbers? Sure, it's slightly more work for them, in that they have to make two visits instead of one, but any script kiddie can install a root kit to cover his tracks in just a few minutes.

    The whole idea of using credit card numbers for online transactions is flawed. Why not have the purchaser write a "digital cheque" and sign it with his private key? The merchant could then present the cheque to a bank to verify that funds were available. Voila! Now, even unscrupulous merchants can't rip you off.
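The "digital cheque" the comment above sketches can be made concrete. What follows is an added example written for this page; it is not code from the thread, from any bank or from any payment network, and the Cheque format, field names and the Bank type are this example's own inventions. The purchaser signs the payee, amount, expiry and a unique nonce with an Ed25519 private key; the bank, which holds only the matching public key, verifies the signature and rejects altered, replayed or expired cheques before touching any balance. The point the comment makes is visible in the code: the merchant never receives anything that lets it spend the purchaser's money again.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Added example, not from the original thread. The format is invented for
// illustration; no real payment network uses it.

// Cheque is the statement the purchaser signs. Everything the bank relies on
// (payee, amount, expiry, nonce) is inside the signed bytes, so the merchant
// can neither change the amount nor deposit the same cheque twice.
type Cheque struct {
	PayerID  string `json:"payer"`
	Payee    string `json:"payee"`
	Amount   int64  `json:"amount_cents"`
	Currency string `json:"currency"`
	Nonce    string `json:"nonce"`
	Expires  int64  `json:"expires_unix"`
}

// SignedCheque is what the purchaser hands to the merchant.
type SignedCheque struct {
	Cheque    Cheque
	Signature []byte
}

// canonical returns the bytes that are signed. encoding/json emits struct
// fields in declaration order, so signer and verifier agree on the encoding.
func (c Cheque) canonical() []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	return b
}

// NewKeyPair creates the purchaser's signing key. The public half is
// registered with the bank; the private half never leaves the purchaser.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewNonce returns a random value that makes each cheque unique.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Sign produces the cheque the merchant receives.
func Sign(priv ed25519.PrivateKey, c Cheque) SignedCheque {
	return SignedCheque{Cheque: c, Signature: ed25519.Sign(priv, c.canonical())}
}

// Bank verifies and redeems cheques; it holds public keys only.
type Bank struct {
	keys     map[string]ed25519.PublicKey
	balances map[string]int64
	spent    map[string]bool // payer:nonce pairs already redeemed
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, balances: map[string]int64{}, spent: map[string]bool{}}
}

func (b *Bank) Register(id string, pub ed25519.PublicKey, balance int64) {
	b.keys[id] = pub
	b.balances[id] = balance
}

func (b *Bank) Balance(id string) int64 { return b.balances[id] }

// Redeem is the merchant presenting the cheque. All checks run before any
// state changes, so a rejected cheque leaves the bank untouched.
func (b *Bank) Redeem(sc SignedCheque, now time.Time) error {
	c := sc.Cheque
	pub, ok := b.keys[c.PayerID]
	if !ok {
		return errors.New("unknown payer")
	}
	if !ed25519.Verify(pub, c.canonical(), sc.Signature) {
		return errors.New("signature does not match cheque")
	}
	if c.Amount <= 0 {
		return errors.New("non-positive amount")
	}
	if now.Unix() > c.Expires {
		return errors.New("cheque expired")
	}
	key := c.PayerID + ":" + c.Nonce
	if b.spent[key] {
		return errors.New("cheque already redeemed")
	}
	if b.balances[c.PayerID] < c.Amount {
		return errors.New("insufficient funds")
	}
	b.spent[key] = true
	b.balances[c.PayerID] -= c.Amount
	b.balances[c.Payee] += c.Amount
	return nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Register("alice", pub, 10000) // constructed account, 100.00 in cents
	nonce, _ := NewNonce()
	sc := Sign(priv, Cheque{PayerID: "alice", Payee: "shop", Amount: 2500,
		Currency: "USD", Nonce: nonce, Expires: time.Now().Add(time.Hour).Unix()})
	fmt.Println("first deposit:", bank.Redeem(sc, time.Now()))
	fmt.Println("second deposit:", bank.Redeem(sc, time.Now()))
	sc.Cheque.Amount = 9000 // merchant tries to raise the amount
	fmt.Println("altered cheque:", bank.Redeem(sc, time.Now()))
}
```

The nonce is scoped to the payer, so two purchasers choosing the same value do not collide, and the expiry bounds how long a stolen but unredeemed cheque is worth anything. What this scheme does not solve is the bank's own database being taken: the public keys in it are useless to a thief, but balances and transaction history are still sensitive.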
  • >You're living in a fantasy world.

    Or the UK, possibly. 3 people I know have been offered jobs by Demon Internet after hacking their servers. One took it up, another is now working for another company he hacked into in New Zealand.

    Apparently, this is Demon's standard policy. They believe that an ex-burglar makes the best security guard, to coin a phrase.

    JJ

  • Don't worry, that's only about 0.5 pence.

    However, with Visa's currency exchange fees on top, I'm guessing it'll be around $50 in total.

  • You didn't think that people use SSL encryption to send their CC# to the website, only to have it travel in the clear to the payment service, did you?
    Wow, you say that like it's unthinkable that anyone would do something that stupid.
  • You do need to store the CC# if you do periodic billing (think subscription).

    Not all online sites are just a catalog.
  • Are supposed to be printed on the back of the card. The vendor is supposed to store them only as long as needed to authorize the purchase, then discard, regardless of what they do with the rest of the number. Use is voluntary on the vendor's part, and I doubt there's any formal process in place to make sure they aren't being saved, negating their usefulness.

    In countless online transactions in the past year or two, I've only been asked for those digits once, by a company that only produces accounting software, a huge fraud target, I am sure!

  • During that time, its stored *somewhere*, right?

    Wrong. It's sent directly to the CC company... but even if you (incorrectly) decided to store it anyway:

    1. Sale is approved. You inform the customer and delete the CC#.
    2. Sale is declined. You inform the customer and delete the CC#.

    In either case, you gained nothing by deciding to store the CC# (even temporarily)

    when you go later to settle on the card and collect your $, you will need the CC# along with the authorization # to transmit to the clearinghouse.

    No, all you need is the authorization number to settle. If you haven't settled within a week (because you haven't shipped the goods), the authorization is cancelled by the bank.

    It doesn't matter if you keep the records around for minutes or years, someone with the right skills and opportunity (ie. your underpaid DBA) can get through.

    Huh?!?!?!? You're saying that you can't trust your employees, so you should just throw all security precautions to the wind? That would fly really well..

    "Well, John, we can't trust our employees, so let's not spend the money on the safe, let's just keep all our money in the filing cabinet."

    Having criminals as employees is completely irrelevant to your arguments. (Or, perhaps you could explain how keeping credit card numbers will somehow negate the fact that employees can't be trusted?)

    I repeat again: You do not NEED to store credit card numbers.
  • ;) Even without CueCat's "unbreakable Base 64 encoding scheme", insecure database, and penchant for emailing their entire database of email addresses to each of their customers, CreditCards.com *is* using Microsoft server products. And we all know how secure Microsoft servers are! ;)

    Even the four months figure is perfect. "Russian" crackers only had access to MS's servers for three months (later whittled down to "five seconds and they only downloaded a virus we designed to stop intruders" by MS's crack PR/damage control team). We have to assume that MS is slightly more expert in the non application of patches than the rest of the world is when it comes to their own products.

    Last year about this time, the world was awaiting doom as Y2K approached. Now it's evil crackers and internet piracy of precious IP that are to blame for the world's ills. Why can't these idiot companies see where the real problem lies, fix their internal security, and come up with business models that work? Actually caring about their customers (and in this case, their customers' customers) wouldn't hurt either.
  • Wrong. Debit cards that sport the Visa or MC logo have the exact same protection as do "regular" credit cards.

    Why do people use them? Because it's a hell of a lot better to give someone your card to pay $9.00 for something, and only spend that $9, than to take a $20 out at the ATM every time, and blow it simply for the fact that there's extra cash in your pocket.

    Plus, it's a great way to track where you've been spending your money, since you get an itemized statement every month. You don't get that with cash.

    My bank immediately put a freeze on the charge I was disputing, and within 2 weeks, reversed the charge, just like any credit card company would do.
  • I don't want someone to be "Mr. Used Car Salesman." Those aren't the type of leadership abilities I'm talking about. I'm more interested in the "effective communication" types of things, which means that you need to be able to squarely face off against your "rivals" in the sales and marketing departments. I'm talking about team leaders being able to display poise and confidence and being able to communicate their issues up front and honestly, rather than just letting others take control.

    All I'm saying is that IT people need to develop some skills to make sure that they are heard in their environments. They don't need to kiss people's butts. They just need to be able to talk to them and to have the courage to stand up for their ideals. Oftentimes, IT people would rather not do that, and we end up with people who don't know what they're talking about making the decisions.


  • A lot of posts have been saying "Why store the number in the first place?" Well, the number can be scrapped in only the best of cases where the item actually ships when it is ordered. Often, however, the item won't ship immediately (real time) or it becomes backordered. In each of these cases (where the initial authorization expires) the online merchant would have to call the customer back to have them read their card number back to them so that they can do a new authorization (and phone calls are MUCH more expensive than email.)

    So in most cases the card needs to be stored in order to meet customer expectations. Yes, the thing HAS to be encrypted, and yes, the whole friggin database needs to be behind another firewall so that only the webservers and call center can touch it. However, contacting the customer at every point in the transaction (pre-auth, auth, ship, return) is out of the question.

    There is also the matter of reporting. Many online merchants are applying a few rules to prefilter out troublesome accounts (such as accounts that have too many chargebacks) because online retailers (unlike brick and mortar) are charged higher premiums for such things by banks. In these cases they run a script against the report that the bank provides and the only real way to match that up with an account is by card number.

    I agree though, that after a couple of months the number can be scrubbed. This would keep the number of vulnerable card numbers down to a minimum. I don't work for a .com anymore so some other keyboard jockey is gonna have to do this :)
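The comment above, together with the earlier one about the three digits on the back of the card, describes the practical middle ground: if a merchant must keep the card number for re-authorization, it should be encrypted, reachable only from the code path that needs it, and scrubbed once the retention window has passed, with the CVV never kept at all. The following is an added example written for this page, not code from the thread or from any merchant or processor. The CardVault type, its method names and the 90-day window are this example's own choices; the key is assumed to come from a key service or HSM on a host separate from the database, which the code does not show. Each record is sealed with AES-GCM using the order ID as associated data, so a ciphertext copied onto another order fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example, not from the original thread. Store takes the card number
// only; the CVV is not needed after authorization and is never accepted.

type record struct {
	nonce, ciphertext []byte
	created           time.Time
}

// CardVault keeps the AES-GCM key in memory only. Assumption: in a real
// deployment the key comes from an HSM or key service on another host, so a
// dump of the order database alone yields nothing.
type CardVault struct {
	aead    cipher.AEAD
	records map[string]record
}

func NewCardVault(key []byte) (*CardVault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead, records: map[string]record{}}, nil
}

// mask returns the only form of the PAN that order screens and logs see.
func mask(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Store encrypts pan bound to orderID (as associated data) and returns the
// masked form, which is all the caller gets back.
func (v *CardVault) Store(orderID, pan string, now time.Time) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("pan must be 13 to 19 digits")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(orderID))
	v.records[orderID] = record{nonce: nonce, ciphertext: ct, created: now}
	return mask(pan), nil
}

// Reveal is the single code path (settlement, re-authorization) that sees
// the full PAN; everything else works from the masked value.
func (v *CardVault) Reveal(orderID string) (string, error) {
	r, ok := v.records[orderID]
	if !ok {
		return "", errors.New("no card stored for order")
	}
	pt, err := v.aead.Open(nil, r.nonce, r.ciphertext, []byte(orderID))
	if err != nil {
		return "", errors.New("stored card data failed authentication")
	}
	return string(pt), nil
}

// Scrub deletes every record older than maxAge and reports how many went.
// Run on a schedule, it bounds what a stolen database can contain.
func (v *CardVault) Scrub(now time.Time, maxAge time.Duration) int {
	n := 0
	for id, r := range v.records {
		if now.Sub(r.created) > maxAge {
			delete(v.records, id)
			n++
		}
	}
	return n
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewCardVault(key)
	t0 := time.Now()
	masked, _ := v.Store("order-1", "4111111111111111", t0) // constructed test PAN
	fmt.Println("shown to staff:", masked)
	pan, _ := v.Reveal("order-1")
	fmt.Println("seen by settlement:", pan)
	fmt.Println("scrubbed after 90 days:", v.Scrub(t0.Add(91*24*time.Hour), 90*24*time.Hour))
}
```

The vault does not remove the risk the earlier comments raise about an insider or a long-lived intruder on the host that holds the key; it narrows the window and makes a copied table useless on its own. Whether 90 days is the right retention depends on how long authorizations and backorders take for the business in question.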

  • Having worked for an e-commerce company that's been on the receiving end of this sort of thing, I have to tell you that if you wanted a notification every time your data "might" be compromised, your inbox would be overflowing on a daily basis. Far more extortion attempts are made than successful cracks. Any moron can (and does) drop you a line saying "I aM 34337, y0u aR3 0wn3d, 53nD m3 $$$!" without any proof at all that they actually have your database. Some subscribe for a few accounts opened with previously stolen numbers and send you those as their proof. You aren't always sure if they're bluffing or not.

    So a lot of companies won't notify you because they're not sure, and people make these threats all the time. When someone calls their bluff, you get fried. But at the same time, if they sent e-mail to their customer base every time someone made the threat, they wouldn't have any customer base left pretty soon. It's like bomb-threats. I don't know what the answer is, myself, but the motivations are pretty understandable.
  • well how do you know he/she didn't already use/sell some of it already? just a thought (c;
  • Things are not going to change as long as Visa and Mastercard can profit from fraudulent transactions.

    Most people think that when Joe Sixpack goes to the credit card company to report fraudulent transaction(s) on his statement that Visa/MC is liable for the total amount charged less $50. The fact is that the merchant is required to reimburse for the total amount charged plus fees related to the chargeback, for transactions taken by phone or Internet. Visa threatened me with $25,000/month fines if fraudulent transactions exceeded 1% of my sales volume. So let's see here ... why would Visa/MC give a flying squirrel about fraud when not only are they not liable for it, but actually profit by it at the expense of the merchants?

    The fact that anyone can spend your money by simply knowing your account number is mind blowing. That's about as ludicrous as being able to access the Pentagon's servers by simply knowing someone's login name. The credit card processing system is inherently flawed and Visa/MC certainly doesn't seem to care.

    The problem is that merchants are generally at the mercy of the banks (of which Visa and MC are consortiums of). Merchants can't survive without credit card processing, and with banks, it's always "you need us more than we need you."

    If there's a class-action possible against Visa/MC, then sign me up. You can bet if Visa/MC were liable for the fraudulent transactions then things would get fixed real quick.

  • I took that to mean that the only reason he found out about the crime was due to actions on the part of the criminal. If the thief hadn't used his card number, it's not as if the company itself appeared likely to ever notify its customers of the incident.

    My two cents concerning these things:

    • I am a hacker: I find a sense of creative purpose in making machines do neat stuff.
    • I am a cracker: I'm a 'po' white guy from the Deep South.
    • The incontinent, quasi-intelligent, spectacularly emasculate nadir of de-evolutionary genetic pollution that took these credit card numbers is a criminal: He broke the law.
    • He is also a worthless asshole: He caused unnecessary harm to others.
    To call him anything else seems only to glorify his persona beyond the base nature of his actions.


  • what a load...

    yeah, i didn't have any ill intent, i just grabbed your cc#s to see if i could. Here's how to protect yourself in the future and i'll just destroy this info I grabbed.

    Oh, thank you, Mr. Benevolent Hacker! What would we do without you?! Would you like a job? We can pay you ridiculous amounts of cash to keep hackers who aren't as good tempered and considerate as you away from our sensitive information!

    This is the real world. Why employ a security risk when you can have him thrown in prison and gang-raped by all the cro-magnon jock types that drove them into computers in the first place? You're living in a fantasy world.

  • I had a credit card with one of their affiliates (a list of partners is linked from the MSNBC article). Is there any way of finding out whether my card was taken?
  • by CritterNYC ( 190163 ) on Tuesday December 12, 2000 @10:03PM (#563405) Homepage
    I just read a good article on this online... I knew I should have bookmarked it. Anyway, the problem with credit cards flying around is huge. Expedia lost about US$5 million [webtravelnews.com] to fraud this year... knocking out 1/3 of their profits. The credit card companies have had NO real incentive to stop it. Whether the charge goes through or not, VisaMastercard (the duopoly) gets their cut. They make a percentage on a successful sale, and they get a $40 chargeback fee from the merchant on a contested one. The merchants are screwed, where else can they go? They need to let people pay online, right?

    American Express has extra numbers on the card... Visa and Mastercard are going to start using them [cnn.com], too... so what? 3 extra numbers for hackers to pluck out of ripe databases. And our current smart cards?? HA. All they do, so far, is enter your billing information for you. Real secure.

    The bottom line is... this problem won't go away until we change the way credit cards work... most likely to a true smart card, like many of us have used with external corporate accounts. Then knowing a credit card number won't get you anything.
  • by Socializing Agent ( 262655 ) on Tuesday December 12, 2000 @10:05PM (#563406)
    Most /. readers need not fear -- the list of creditcards.com affiliates reads like a veritable "Who's not who" of "e-tailing". (The full list is available at their site [creditcards.com].)

    The list includes such e-nobodies as "iKnowledge", "eCashier", "SpyGate", and the "Christian Concert Authority." And those are the more plausible-sounding of the bunch...

  • The credit card company took the charges off, but beyond that, they didn't care about prosecuting the individual. The merchants had to foot the bill.

    Correct me if I'm wrong here, but the merchants didn't foot the bill, the credit card company did. Credit card companies routinely write off fraud losses of up to 10% of the total purchases (of course, you and I pay for this through higher prices...).

    In fact, the situation is even worse than this. My stepdad told me a few weeks ago that if he went into his bank, and told them that he didn't place a charge on his credit card, they would take off the charge no questions asked. That's right, the first time, they just eat the loss without looking into it any further. Obviously, if you try to get away with this many times, they'll look into it, but I found it pretty amazing that they wouldn't even look into it...

  • Yeah, that's right. In fact: Mir was just an abandoned alien warehouse in space, which the Russians cracked too.
  • The general level of security-awareness in this industry is frightening -- both for its paucity and for its endurance.

    These companies simply aren't sufficiently motivated to clean up their acts. The bad press lasts less than fifteen minutes, and usually never makes it off the internet. The average e-tail customer doesn't get his/her news from internet sources. Security breaches are considered to be the norm; there's no shock felt when a new one is discovered.

    Eventually, perhaps, victimized customers will band together and file a class-action lawsuit against these credit companies. It's going to take something that drastic for these folks to sit up and apply the optimal remedies. Unfortunately, it's up to the customers to make it "cost-effective" for the company to do so.

    crib
  • "Christian Concert Authority."

    I knew I shouldn't have bought those Amy Grant tickets online. Damn you, God, damn yoooooouuuuuuuu!

    -Legion


  • ::Their old slogan from the site
    CreditCards.com

    We make your business go -- Ka-Chingg!
    ::Their new slogan for the site
    CreditCards.com

    We make crackers go -- Ka-Chingg!

    -Davidu
  • This "Russian" cracker is going to be another case of bad press for the hacking/kracking masses. This kind of stunt is going to be nothing but more kindling for the fire of the wonderfully ignorant controlling powers (i.e. the gov'ment) to try to put more pressure on people who are smarter than them and actually know how to use a computer for more than e-mail and pr0n browsing and mp3 filching. This is also a low blow because now the rest of us are going to be viewed as greedy, avaricious, blackmailing pud pullers. For one, they are probably going to catch them eventually because this type of stunt smells of an ego. This cracker(jack-off) is going to do something like this again. And keep doing it until they get caught or someone else gets patsied for the crime. This makes a lot of people (consumers with credit cards who use e-commerce) very scared. They are then afraid to purchase over the internet, then that causes a lot of the smaller e-commerce sites and companies to lose revenue, the economy slumps (even more than it already is starting to) and we get another wonderful recession. Go idiots. Let's mess with other people because we can't find something constructive to do with our abilities. Also, what's with the attacking consumers? Last time I checked it was of a general consensus to steal from the rich (i.e. corporations themselves, not their customers) and make off with the loot stealing into the night and laughing all the way to the Swiss bank account, not encourage criminal credit fraud and make other people's lives difficult who have no effect on you or your kind. War is one thing, blatant disregard for the results of your actions is just being an a**holio of the nth degree. It just doesn't make sense to destroy something that could ultimately be of much more advantage if it stays up and standing. Pulling the roof down on top of you just seems like something Wile E. Coyote would do rather than a nice and smart h@cker/Kr@cker would do and make a little moolah on the side (wink, wink, nudge, nudge). Oh, I'm sorry, some people, even smart ones seldom have common sense and the ability to have a little foresight. And posting it on the web, great, now someone's going to get the bright idea to try using one of those card #'s and get busted for fraud and who are they going to blame? Kr@ckers. Not their own stupidity, but us. Makes me want to chew on something.
  • I don't think I ever claimed that slashdot actually used the practices mentioned on their site :)
  • No, all you need is the authorization number to settle. If you haven't settled within a week (because you haven't shipped the goods), the authorization is cancelled by the bank.

    I just checked the documentation for two major CC transports, Vital Technologies (former VISANet) and Novus. For the methods that I looked up, both required CC# and authorization # on settlement. Therefore you are responsible for storing these somewhere safe in between.

    You're saying that you can't trust your employees, so you should just throw all security precautions to the wind? That would fly really well..

    I'm not saying that at all -- only pointing out that there is a very strong flaw in the whole system. I agree with what other people have mentioned, that putting all of our faith into a 15-17 digit number maybe isn't the best method available.

    "Criminals as employees" is completely relevant, if you're considering as an option storing the CC# somewhere for a very short time and then destroying it -- as in "it's only in the order database for 5 minutes, so it's unlikely that somebody will steal it." A secure system shouldn't be built around the premise that the users are beyond reproach, it's bad for the systems and bad for the user. I mention this only because it's usually the first idea I hear from a client when considering this problem.

    Slashdot is not the real world.
  • I did get one of these charges on my card this month.

    The charge was from INET in Moscow, RU for 217.17 rubles and I had to send in the little form on the back of the statement to get the charge removed.

    If this guy claims that I bought something at his web site, then my credit card company definitely will give him cash.
  • you IT "cerebral" types are a real pain in the ass. let me ask you something, have you ever tried marketing? have you ever tried to get an MBA?

    here's a clue for you: Marketing is not a joke. it's actually real work, it's not trivial, and it's required to sell a product or service. at a technical company, the lines of communication between Engineering and Marketing must be open, and trusting. your IT superiority complex doesn't help things either, and it has been my experience (having worked in both Engineering and Marketing) that it's usually the Engineering or IT side of the equation that doesn't put in the effort to try.

    Marketing people are instantly labeled "clueless" or "afraid of technology" or "phoney" by the IT staff. they make no effort to try to understand why Marketing is important and why it's essential to communicate with Marketing. in most cases, bad Marketing is a direct result of IT or Engineering personnel's inability to communicate effectively. sometimes that's due to the inadequacies of the people in Engineering (ie, they're not good communicators) but more often it's a result of silly and childish attitudes such as the one you've displayed on the part of IT.

    grab a clue: you need Marketing just as much as you need IT and Engineering!

    there are always bad Marketers, just as there are bad Engineers, but in my experience "bad Marketers" are usually a result of "immature Engineers."

    but back on topic: what makes you think that this cracking was a result of Marketing not conveying IT's security interests to upper management? did you think for just one second that it might just be the clueless IT worker who's running an insecure Windows NT webserver?

    - j

  • When you (the merchant) authorize a credit card purchase, you need to retain the CC# for the duration of the authorization. During that time, it's stored *somewhere*, right?

    Also, when you go later to settle on the card and collect your $, you will need the CC# along with the authorization # to transmit to the clearinghouse. You are not allowed to settle until the goods have clearly shipped, for some types of businesses this could be several days.

    So you still have to store the CC# for some period of time. I, as a master RDBMS hacker, am so godlike in my power that I set up a trigger on your highly volatile, temporary CC table to copy each new row into a hidden secret table. Then I go pick that up later.

    It doesn't matter if you keep the records around for minutes or years, someone with the right skills and opportunity (ie. your underpaid DBA) can get through.

    Slashdot is not the real world.
  • Client-side cookie.
  • Some vendors do billing address verification now, methinks -- so you have to guess the card number, usually expiration date, *and* billing address all correct. That's a much greater number of bits in the combination.
  • Heck, a simple socket that takes in a request and returns a success or failure isn't all THAT hard. Neither is a quick Java-based Twofish implementation (I'm assuming the cc were in cleartext).

    If the cc exist in a database, then anyone who can query the database can get the cards, meaning if the system is compromised, all bets are off.

    Blowfish (or any other symmetric algorithm, for that matter) is absolutely useless in this case, as the key (which is used for both encryption and decryption) must be stored on the machine hosting the database. If the machine is compromised, the cracker can easily get the key, making the crypto as useful as storing the cc numbers plaintext. The only way to do this properly is to use ElGamal or RSA, along with padding generated by a PRNG to prevent known-plaintext attacks.

    Using an asymmetric algorithm, if the database is compromised, you have successfully protected all previous cards (that is, if the private key does not exist on the system; all plaintext cc processing should occur offline). You do have to worry about future cards being snarfed, but you address this with other security measures, not crypto.

    When dealing with credit cards, always assume that the machine that the database is on CAN be cracked, then work hard to prevent this from happening.

  • One of the first ISPs I set up with CC processing is a good example: we got everything set up to deliver orders to the merchants via encrypted e-mail, but guess what: every single one of them refused, they wanted cleartext e-mail.

    Perhaps this is a question for ask slashdot, but are there any easy to use email programs that will encrypt and decrypt automatically, ala Novus Ordo? That would solve this particular problem.

  • by pen ( 7191 ) on Tuesday December 12, 2000 @10:28PM (#563422)
    The real question here is what the hell was the company doing storing a database of these cards in the first place? Isn't their job only to check if it is valid and then charge it? I can understand keeping the cards for a short time until payment is received and confirmed, but after then...

    The article even mentions that the company had "test numbers" in the database. Am I the only one who thinks that those were left in there from the days the code was being developed because no one bothered to clean up the database?

    Oh yeah, and these numbers are sold for a couple of dollars a piece in Russia. No joke.

    --

  • It's a tiny QBASIC game shipped together with DOS 5.0, created by MICROS~1. Two gorillas throw bananas at each other. You can play human vs computer or human vs human.
  • "Why not name your company FreeMoneyForCrackers.com instead?"
    Because everyone knows that crackers crack sites for fun and intellectual enlightenment, not money. (Likewise, people who encrypt their data have nothing to hide, they just want the extra security. And people who use Napster are trying to spread music from new artists, not trade copyrighted music.)

  • We could also go back to using that crazy alternative OS...

    Unix, I think it is...

  • Butts said his company contacted the FBI immediately on receiving an extortion demand from the hacker, but it did not contact any customers.

    "They weren't compromised," Butts said.


    Um, I'm going to have to go ahead and, uh, disagree with you there, Michael.
  • Ya, you're right. I just hate JonKatz's stories. I'll remove that .sig.

    -DanThe1Man
    (Posting as AC to protect Karma -1 offtopic)

  • yo... great... just got my balance...
    WITH A DRAFT OF 275 Russian Rubles I JUST CAN'T ASSIGN TO ANYTHING!!!
  • :-(
    unfortunately that's still theft, and it would be even if the furniture was stolen from your house to begin with.

    Falls under vigilantism, and is generally frowned upon by the forces that be.
  • So how did he get the card numbers? What kind of server was storing the CC numbers?
  • We only hear about problems. We don't hear when things work correctly. We also don't know how many people do actually rattle doorknobs at Amazon, much less how many Amazon stomps on while it continues working.
  • by JeffL ( 5070 ) on Tuesday December 12, 2000 @10:58PM (#563436) Homepage
    OK, here is the message in all its glory. I have changed MY information in the header, but have left all sender information as I received it. I also had to change a bit of the formating to get around /.'s lameness junk character filter. The words of the text are untouched.

    Return-Path: chad@microsoft.com
    Delivery-Date: Mon Dec 11 15:08:14 2000
    Return-Path:
    Received: from mybigserver.my.domain (mybigserver.my.domain [10.0.0.1])
    by mymail.my.domain (8.9.1a/8.9.1/FOO-3.0s) with ESMTP id PAA365001
    for ; Mon, 11 Dec 2000 15:08:14 -0700 (MST)
    From: chad@microsoft.com
    Received: from eb.com ([146.101.3.203])
    by mybigserver.my.domain (8.10.1/8.10.1/FooBar+Hesiod (MyConfig)) with SMTP id eBBM8GJ15524
    for ; Mon, 11 Dec 2000 15:08:16 -0700 (MST)
    Message-Id:
    Received: from blu01650-4-1 [127.0.0.1] by eb.com [127.0.0.1] with SMTP (MDaemon.v2.7.SP5.R) for ; Mon, 11 Dec 2000 22:02:44 +0000
    Date: Mon, 11 Dec 2000 22:02:44 +0000
    Subject: HOT NEWS 11 DECEMBER 2000, HACKERS GOT INTO CREDITCARDS.COM !!!
    To: me+myvendorid@my.domain
    X-Mailer: WinNT's Blat ver 1.8.2b http://www.interlog.com/~tcharron
    X-MDaemon-Deliver-To: me+myvendorid@my.domain
    X-Return-Path: chad@microsoft.com

    Dear Customers of CREDITCARDS.COM,

    Security score rating: -100

    Go there to read the STORY about creditcards.com !!!

    http://venus.njcc.com/ccs/index.html
    http://www.givit.com/content/ccs/index.html
    http://203.29.170.11/ccs/index.html

    We represent a group of experts trying to save you from companies, which
    do not care about their clients. For your attention we have
    designed the "Never trust companies" list.

    Any simple hacker can get into Creditcards.com where your confident information stored.

    We was contacted with President (Michael Butts) of CreditCards.com, and
    they was say us " We don't care about information and about customers"

    Today is the special time for every Internet user, e-commerce is still growing
    and competitors are fighting each other to win your attention, your loyalty
    and as the result your money.
    But not all the companies are ready to offer their clients best service,
    they trying to get you through low prices, quick delivery, etc., while is
    it so important for you?

    Basically what are you doing when you buy something via Internet?
    You let somebody into your personal finances.
    Till no completely secure way of transferring the confidential information
    invented, the number one priority for each and every online company is
    to secure transaction and to hide information about their clients.

    Who knows, may be your partner or your online discount shop is one of them.

    We are glad to provide you with this information; we want you to use secure
    online resources and most important those who care about you.

    Kind Regards,

    _____

    Today TOP Unsecure Company :

    Name Specification Security Score*
    Name Specification Security Score*

    CreditCards.com Credit card Processing network - 100

    Security Score:
    -100 - no security
    1 - simple security
    100 - Very good security (firewalls + Crypt of confident information in database.)
  • by Barbarian ( 9467 ) on Tuesday December 12, 2000 @11:17PM (#563437)
    It could be creditcardz.com.
  • by Kultamarja ( 226210 ) on Tuesday December 12, 2000 @11:22PM (#563439)
    > "These secure methods have been developed years ago, and are still not being used on a wide scale."

    Yeah sure - in the glorious US of A. You again seem to forget that there is a place called "the rest of the world" which is technologically more advanced and actually DOES use these highly secure technologies.

    I can do 1024b RSA signatures from all of my various cell phones (or sigs with longer keys for that matter, if needed). And I can pay for things with 'em too. All the major banks here use secure payment methods instead of lousy age-old credit cards. I don't have to use one single insecure method for paying anymore if I don't feel like it.

    All I'm saying is that it's really up to you. If you want things to change in the US, then bloody change them! It's not any harder than that. YOU are the customer and it's your right to demand things. Start demanding, and keep demanding until they deliver.

    .kultis

  • But seriously, there needs to be more analysis of what causes companies to make such obvious mistakes when it comes to security. It's very easy for all of us to sit back and say. "well, what kind of idiot would keep credit card numbers in a networked database?" Indeed. But take a look at the typical business model, which is even more screwed up where it comes to .com startups:
    you've got your IT professionals, some of whom may or may not know what they're doing, but who are mostly competent. But, nine times out of ten, they are not the people who run the show. Instead, marketers make big decisions side-by-side with accountants. Not to say that it's not a good idea to promote your business, or keep on top of the books, but look at the typical scenario - the IT or IS manager comes forward and says something to the effect of, "Look, we have a serious security situation here, and if we don't spend the money it takes to fix it right now, we MIGHT get hacked." Now the marketer, who is generally insecure around the IT person (who, after all, can connect all those scary looking wires and make the computers go), is thinking that the money would be better spent on a big campaign to attract investors. Since these cracking incidents are really flash-in-the-pan news events, the marketer doesn't have a clear sense that the risk is real. The accountant is more impressed by the charismatic marketer than by the somewhat cerebral IT person, and is further swayed by some financial need or another. Thus, the decision is all too often a pat on the head to the IT department, and some paternalistic garbage about "all of us doing the best we can under the circumstances," while the crackers gleefully move on.

    While I can't claim to be familiar with the corporate perspective within creditcard.com, I personally find it very hard to believe that anybody who can write more than two lines of code would have been happy with the security situation that must have existed for the crackhead to get all those credit card numbers. More likely, it was a situation of all the money going to fancy-looking animated gifs (Ka Ching!), while the IT department was starved to a point of needing to scramble just to keep the servers running. A brief look around the creditcard.com website tends to bear this out: a lot of pretty pictures, but not much substance.
  • by pen ( 7191 ) on Wednesday December 13, 2000 @03:22AM (#563442)
    There is an even better solution to this problem, which doesn't require any changes on the part of the merchant. American Express is already implementing it, AFAIK. What is this wonderful system? Disposable credit card numbers.

    Everything is already computerized, so this merely adds a few more DB queries. You phone (or go to their website) AmEx and ask for one. They issue a disposable credit card number with a set credit limit that will become invalid after the first use.

    --

  • If Mr 1337 h4x0r!#$ got in, putting a sniffer on your network should mean nothing, because all your transactions should be encrypted. If he is smart enough to perform a man-in-the-middle attack on SSL and your other transactions, then you're F'd.

    Digital cheques are overrated; how many Slashdotters use PGP or GPG? Try to tell my mother to use that. Credit card numbers for online transactions are not flawed; it is the weak implementations of the infrastructure and security around them that are flawed.

  • lie, you no write that message, your english not broken like mine, i am the real slim^H^H^H^H h4x0r4!#$

  • Well, you could encrypt the CCs on one machine and just pass the encrypted string to the DB server... There's no reason why the DB server needs to know what the real CC # is, it just needs to keep it with the order info long enough to do all the proper processing.

    And, not as a reply directly to you...

    CC.com didn't need to keep the credit cards, they only do verification, the merchant can send a new transaction each time they need (to check during ordering, and to charge at shipping). This way there isn't one big master DB with all the numbers, CC.com would hang onto the #s only long enough to process the order. The CC never needs to get stored on a HD at any point, if CC.com crashes and they lose the numbers they're processing, the merchant just resends the transaction after the timeout.

    This means you have to trust your merchant, but I'd prefer this. It means smaller DBs (less tempting for crackers) and a well-defined chain of trust. If I shop at Amazon, I should only need to trust Amazon, not three or four back-end companies that I've never heard of.
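    The design argued for here and in the earlier symmetric-versus-asymmetric comment (encrypt on the web tier under a public key, store only ciphertext, decrypt on an offline settlement machine), as an added example in Go that is not code from this thread or from any company named in it. It uses RSA-OAEP from Go's standard library; the OAEP label, order ids and sample card number are constructed for illustration, and the random OAEP padding is what keeps two identical card numbers from producing identical ciphertexts.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// OfflineKey holds the settlement key pair. It exists only on the
// offline settlement machine, never on the web or database hosts.
type OfflineKey struct {
	priv *rsa.PrivateKey
}

// NewOfflineKey generates the settlement key pair. Only the public
// half is ever copied to the online side.
func NewOfflineKey() (*OfflineKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &OfflineKey{priv: priv}, nil
}

// Public returns the half of the key the online side is allowed to hold.
func (k *OfflineKey) Public() *rsa.PublicKey { return &k.priv.PublicKey }

// OrderRecord is what the online database actually stores: ciphertext
// plus a masked form for customer service. The PAN never hits disk in clear.
type OrderRecord struct {
	OrderID    string
	MaskedPAN  string
	Ciphertext []byte
}

// oaepLabel (a constructed value) binds each ciphertext to this purpose so
// it cannot be fed to a decryptor that uses the same key for something else.
var oaepLabel = []byte("order-pan-v1")

// MaskPAN keeps only the last four digits, the most a support screen needs.
func MaskPAN(pan string) string {
	if len(pan) < 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// SealPAN runs on the web tier: it encrypts the PAN under the public key
// and returns the record the database may store. Nothing on this host
// can reverse the operation, because the private key is not here.
func SealPAN(pub *rsa.PublicKey, orderID, pan string) (OrderRecord, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 13 || len(pan) > 19 {
		return OrderRecord{}, errors.New("PAN length out of range")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pan), oaepLabel)
	if err != nil {
		return OrderRecord{}, err
	}
	return OrderRecord{OrderID: orderID, MaskedPAN: MaskPAN(pan), Ciphertext: ct}, nil
}

// OpenPAN runs only on the offline settlement machine, where the private
// key lives, at the moment the charge is actually captured.
func (k *OfflineKey) OpenPAN(rec OrderRecord) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, rec.Ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := NewOfflineKey()
	if err != nil {
		panic(err)
	}
	pub := key.Public() // this is all the web/database host ever receives

	// Constructed sample: a standard test card number, not a real card.
	const samplePAN = "4111 1111 1111 1111"
	a, _ := SealPAN(pub, "order-1001", samplePAN)
	b, _ := SealPAN(pub, "order-1002", samplePAN)
	fmt.Printf("stored: %s %s (%d bytes of ciphertext)\n", a.OrderID, a.MaskedPAN, len(a.Ciphertext))
	fmt.Printf("same PAN, different ciphertext: %v\n", !bytes.Equal(a.Ciphertext, b.Ciphertext))

	pan, _ := key.OpenPAN(a)
	fmt.Printf("offline decrypt recovers: %s\n", MaskPAN(pan))
}
```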
  • "The customer is no longer regarded as someone to be served with enlightened self-interest, so as to reap rewards. It's much easier instead to enter into near-conspiratorial relations with other companies"

    This is not only credit card processors. This is almost everybody. For example, UUNET, back before they were bought out, used to have a status page at 'nic.uu.net' where you could see the status of service outages. A few years ago they removed that page unless you're a UUNET customer. Problem: My ISP is a UUNET customer, and they have a service outage. Easiest thing to do is (from another Internet provider) go to the UUNET site and see whether it's a UUNET problem or a local ISP problem, and if it's a UUNET problem, when it'll be fixed. Noooo... UUNET no longer allows mere mortals to view such information. Even from my ISP, UUNET says "you gotta be a direct UUNET customer to view this page". Fuck the consumer. Fuck the poor slob sysadmin trying to figure out why his packets aren't getting from point A to point B (it'd sure be nice to see that the route C between point A and point B is flapping and that UUNET knows about it). The marketdroids rule, and the marketdroids say that ordinary people don't need to see that kind of data because ordinary people don't pay the bills.

    That's just one example. The world is full of them.

    -E


  • What is being discussed here is part of the Truth in Lending act. Chargebacks were set up as a protection for the consumer. Without them, credit cards might never have caught on. No one could foresee the problems which would eventually surface with online transactions because the internet didn't exist then. Get rid of chargebacks and people will not want to use credit cards.
  • With disposable credit cards, you have to go to the bank/AmEx, get the number, then go back to the store... Too much trouble. Also, the store can still rip you off for the difference between the cost of the item, and the credit limit.

    If Digital Cheques were integrated into browsers, it would be as easy or easier for customers than credit cards are now.
  • My problem is when I know more about the product and its market and how to target that market than the Marketing Department does. *THAT* is when I start grumbling about "clueless marketing".

    Lazy marketing types are quick to grumble about mumbling engineers etc. But some of us engineers *DO* know marketing -- and get rather infuriated when the marketing types decide to go golfing rather than learn about their product, competing products, the marketplace that their product is to be sold into, and how to reach that marketplace given the product that they have. For some reason, ex-used-car-salesmen who've been jumped up to Marketing seem to think they can sell a complex piece of computer software the same way they sell soap -- i.e., with hype, sex, and tv commercials. And they get upset when us engineers start talking to them about marketing stuff, "go teach grandma to suck eggs" being a typical response.

    Not my current company's marketing department -- they're quite eager to hear anything I have to say about the marketplace and how our product line fits into it (though as a perfectionist I sometimes get frustrated with the follow-through, but that's life). Prior to one presentation I was advised by both co-workers and by the project manager to eliminate some of the marketing materials ("they know this stuff", "they'll be insulted by an engineer trying to tell them about marketing stuff", etc). I didn't. Marketing ate it up. But that's very much an exception.

    Regarding IT considerations and marketing: I've received pressure in the past to cut corners due to marketing reasons. My general response is, "Having that software for Comdex will do us no good if it gets us a poor reputation for having buggy software," then talk about goodwill and how valuable it is (especially on our balance sheet!). But undoubtedly there are many IT types who do not have that kind of clout.

    -E

  • DiscoverCard has started this as well. It uses Java (or maybe it was JavaScript) which I would rather it didn't, but I like the idea. I would rather log into a web site and be able to pull a number and credit limit.

    I've got a problem with all of these solutions though. They don't address the underlying problems. Creditcards.com showed a complete lack of competence and even a complete lack of accountability. It took FOUR MONTHS for them to go public and they had the audacity to say that customers credit cards weren't compromised.

    Let me get this straight, an unknown third party might have my credit card information but it isn't compromised? I'm sorry, but at this point the COO, Michael Butts, should be brought up on charges of criminal negligence and if he maintains this stance in court, perjury and contempt of court as well.

    This company deserves to go under, nothing less. They were in a position where due diligence said they should operate in a certain manner (such as having no physical connection between the database of credit card numbers and the internet at all - or better yet - no database of credit card numbers) and they didn't.

    I'm not excusing the cracker, he should be punished as well, but this company (and the bank that owns it) should go under. They aren't competent to operate in the banking industry.

  • by DanThe1Man ( 46872 ) on Tuesday December 12, 2000 @09:24PM (#563465)
    Yeah honey, it was a Russian Cracker that charged all those porn sites on our credit cards, yea... that's it.
  • "you're definitely qualified to tell other people how to do their jobs because hey, you're the magical IT" being the response I receive from most Marketing types.

    A few hints: we may be in IT, but that doesn't mean we're clueless about Marketing. Some of us have 10 or more years experience in this industry, second degrees in Business Administration or even (gasp!) MBA's, etc., and choose to do IT because we like building stuff rather than selling stuff. That doesn't make us automatically unqualified to comment upon market focus and appropriate venues for reaching sub-markets and so forth!

    -E

  • by clinko ( 232501 ) on Tuesday December 12, 2000 @09:24PM (#563467) Journal
    No wonder Russians are good at cracking things. The writing has those crazy cryptic backwards letters. They're already 1 step ahead of us.

    Silly Russians.
  • by www.sorehands.com ( 142825 ) on Tuesday December 12, 2000 @09:25PM (#563471) Homepage
    You don't get free money from stolen credit cards.

    If you get stolen credit card information, you get free stuff sent to you. You might be able to get people to pay you for the free stuff, but it's not directly cash.

    For those who wonder how I know: Someone got my card number, from paper. I found out, when I got a call from Home Shopping Club trying to sell me an extended warranty for my new radar detector. My response was, "What new radar detector?"

    The credit card company took the charges off, but beyond that, they didn't care about prosecuting the individual. The merchants had to foot the bill.

  • From the article:

    "The victim who originally contacted MSNBC, Michael Sayres, called the company this week to complain and was surprised that it had no
    intention of contacting customers.
    "It was explained to me that I would need to contact my credit card company and cancel my card," Sayres said. "It appears they have no responsibility with this problem."
    Sayres received the e-mail from the hacker on Monday afternoon and spent Tuesday on the phone with CreditCard.com and American Express, complaining about the way the situation has been handled. "What's amazing is I didn't hear about it from CreditCard.com. I heard about it from the hacker," he said.

    The hacker was trying to extort and notify at the same time? Maybe s/he called the customers in order to prove to Creditcard.com that they were serious. Or is there more than 1 person at work?

    On another note, paypal.com insures your deposits to 100K just like FDIC (tho it is a money market account, not FDIC). Is there some plan for an anti-hacker "insurance" scheme for b2b and consumer credit card users online?
  • Note that it's impossible for people to change how their brain is wired. I am quite capable of communicating complex ideas in a clear manner. I will never, however, be the kind of butt-licking schmoozer ex-used-car-salesman who ends up with upper management twisted around my little pinkie giving me everything I want or need for my job. That's incompatible with how I'm wired. That's also why I can be a good project or team leader, but would not accept a job as CIO or IT director -- it's incompatible with my wiring, and I'm not going to put myself into that kind of situation again.

    This has very little to do with "leadership abilities", by the way. There are many different styles of leadership, and not all of them require that you be Mr. Used Car Salesman. They do, however, all require goal setting, effective communication of goals, and a meeting of minds with those you work with, as well as (gasp) initiative and drive (you can't lead from the rear!).

    -E

  • >If you're leaving the window of your car rolled down on a busy street and someone keeps on stealing your stereo, do you think your insurance company will keep paying out forever?

    they won't pay in the first place. Not the first time, let alone the next ones.

    //rdj

  • It would be pretty easy to encrypt them using a cookie that's stored on my browser. [...] It's time to move towards a more cryptographically secure way of making payments.

    Well, just as long as you're not the one designing the system...

    Having strong crypto or good technology is only one part of the equation when it comes to a payments system. The organisational aspect has to be addressed as well, along with issues of liability, non-repudiation, infrastructure, etc.

    Take PayPal as an example. I've heard (well, read) PayPal's praises sung by Americans I communicate with on the 'Net, some of whom (who really should know better) even said that it's safer than using a credit card online. From the technical point of view, that might be the case, but as an overall payments system, it's not perfect [msnbc.com].

    The main problem is that most techies know fuck all about the realities of doing business, and most business people know fuck all about the realities of implementing technology.

    Anyone can have a good idea. It's making it happen that counts. That's the difference between boo.com and Amazon.com

    Financial stuff isn't easy or straightforward and I can say this with authority, because I work for one of the biggest banks in the world, doing ecommerce stuff. But, if you don't believe me, take a look at what happened to Digicash and First Virtual.


    D.

  • by The Dodger ( 10689 ) on Wednesday December 13, 2000 @05:05AM (#563489) Homepage

    he went to the location and saw the new stuff, verified that at least some of what was there was charged on his card

    If I were him, I'd have taken the furniture. What's the guy gonna do - call the police? "Sorry officer, but this furniture belongs to me - look, here's the entry on my credit card bill." Hell, he could probably get a copy of the receipt from the company.

    Relatively pointless, but enjoyable. Also less likely to land you in jail than taking a baseball bat to the fucker.:-)


    D.

  • The design should be to accept all information about charging a card (card number, name, merchant id, etc.) and the only data coming out should be a success or a failure. How the database was made accessible is a mystery to me, but allowing the database records to be pulled en masse is just a flaw in design.

    Repeat after me. DB's and their backend processes should be firewalled and limited. Heck, a simple socket that takes in a request and returns a success or failure isn't all THAT hard.
    -s

    ---

  • OK, I've got a question. Why do these relatively low-level sites get hit while sites like Amazon go virtually untested? Better security through better paid employees (or software)?
  • Check your credit card bills. Talk to the bank, and most importantly creditcards.com. If you're lucky, they might actually tell you.

    My 94 paisa

  • by Adam Wiggins ( 349 ) on Wednesday December 13, 2000 @01:05PM (#563505) Homepage
    Excellent advice. The most important thing, though, is just "ordinary" security - get a well-administered hosting service, or if you admin your own box, use all the good security practices you read about on slashdot, Security Focus, and so forth.

    I would also recommend a payment gateway that makes security a top priority. Obviously the merchants weren't at fault in the creditcards.com case; they could have all the security they wanted, and the database would still have been stolen from their payment processor.

    If I may be so bold, I can recommend a payment processor [trustcommerce.com] who makes security a top priority...
  • According to current (US) laws, the business has to keep a record of the cards, in the event of the charge being challenged, or fraud investigation. (At least, this is what was explained to me at work.) If this is, in fact, the case, then the business has to hold onto the cc numbers (for 7 years, I believe, but I could be wrong.)

  • If you absolutely must store cc numbers, put them on a backend server behind a firewall.

    Nope, this part is wrong - it should read like this:

    "If someone in your company thinks you absolutely must store cc numbers, fire them. You absolutely do not, ever need to store credit card numbers."

    There is no reason (at all, EVER) for a merchant to store CC numbers. You don't need them to do returns, you don't need them for "one-click shopping" (if you think you do, you don't need to do one-click shopping) you don't need them.

    I don't care how much security you have (or think you have) if the data isn't there, you don't need to worry about it.
  • by JeffL ( 5070 ) on Tuesday December 12, 2000 @09:40PM (#563515) Homepage
    I got a (well) forged e-mail originating from Psinet UK, which in broken English informed me that it was from people looking out for my well-being. They claimed to be targeting companies which "do not care about their clients."

    They mention creditcard.com specifically by name and give it a score of -100 for security (no security).

    Using my address tracking I could tell they sent me this e-mail using the address I gave to a merchant I used nearly a year ago. Of the 100s of online purchases I make a year, it looks like one of the few places where I made a personal purchase processed their information through creditcards.com. If it had been one of my many corporate purchases I wouldn't have cared too much, but I guess now I will have to go and change the number on the card I used.

    If people care, I can post the entire message.

  • by Arlet ( 29997 ) on Tuesday December 12, 2000 @09:40PM (#563516)
    Credit cards are by nature very unsafe, because their security depends on a single "public key" that's printed on the outside, and that's given out and stored by everyone that accepts payment with them. Moreover, they are handled in a very insecure way. Why do some on-line institutions insist on keeping their credit card database on a networked computer? Why do they insist on keeping the number anyway? I'd rather type it in every time it was used, and then have it thrown away after the transaction. And why do they apparently store them in clear text? It would be pretty easy to encrypt them using a cookie that's stored on my browser.

    It's time to move towards a more cryptographically secure way of making payments. These secure methods were developed years ago, and are still not being used on a wide scale. As long as the costs associated with the occasional credit card theft aren't too high, the banks will not take action. So, it's good that things like this happen once in a while, since the banks will take most of the damage anyway (their biggest loss is probably loss of confidence by big consumer groups).

  • by Huusker ( 99397 ) on Tuesday December 12, 2000 @09:40PM (#563517) Homepage

    E-commerce merchants need to use common sense when dealing with credit card transactions.

    1. Never, ever, store credit card numbers in the web server. After getting the authorization code from the cc processor, scrub the number from memory. If you absolutely must store cc numbers, put them on a backend server behind a firewall.
    2. Hunt down and kill any debug log files in your payment software that may inadvertently record cc numbers. (This is what burned CDUniverse.com)
    3. Configure your payment system to do realtime auth so you don't need to batch cc numbers for later capture. Thus the cc number lives on your site for only a few seconds.
    4. Always use the Address Verification System (AVS) to verify the postal address against the cc.
    5. Always check ARIN/RIPE for the country of the IP address. Assume that any cc purchase attempts originating from East European countries are suspect. (Especially from the St. Petersburg area of Russia, which are almost 100% fraudulent.)
    6. Set your site up to automatically ban users who try to spam your order system with bogus cc numbers or failed AVS checks.

    In addition to the above, do the usual security procedures that you would do for any secured site (e.g., do anti-virus checks, checksum system files, sweep for trojans, etc.)
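    Items 4 and 6 of the list above, as an added example in Go that is not code from this thread: a Luhn pre-check that refuses obviously bogus numbers before any call to the processor, and a sliding-window counter that bans a source after repeated Luhn or AVS failures. The window, threshold and ban duration are assumed policy values, and the sample attempts in main are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// LuhnValid reports whether pan (digits, spaces allowed) passes the Luhn
// check that every real card number satisfies. It screens typos and
// random guesses, not stolen-but-valid numbers.
func LuhnValid(pan string) bool {
	sum, double, digits := 0, false, 0
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c == ' ' {
			continue
		}
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
		digits++
	}
	return digits >= 13 && digits <= 19 && sum%10 == 0
}

// AbuseGuard bans a source (client IP, session id, ...) that accumulates
// too many failed card checks inside a sliding window. Window, MaxFails
// and BanFor are assumed policy values, not anything the thread specifies.
type AbuseGuard struct {
	Window   time.Duration
	MaxFails int
	BanFor   time.Duration
	fails    map[string][]time.Time // recent failure timestamps per source
	banned   map[string]time.Time   // source -> ban expiry
}

func NewAbuseGuard(window time.Duration, maxFails int, banFor time.Duration) *AbuseGuard {
	return &AbuseGuard{Window: window, MaxFails: maxFails, BanFor: banFor,
		fails: map[string][]time.Time{}, banned: map[string]time.Time{}}
}

// Banned reports whether source is blocked at time now.
func (g *AbuseGuard) Banned(source string, now time.Time) bool {
	until, ok := g.banned[source]
	return ok && now.Before(until)
}

// RecordFailure notes one failed Luhn or AVS check, drops failures older
// than the window, and returns true when this failure triggers a ban.
func (g *AbuseGuard) RecordFailure(source string, now time.Time) bool {
	kept := g.fails[source][:0]
	for _, t := range g.fails[source] {
		if now.Sub(t) < g.Window {
			kept = append(kept, t)
		}
	}
	kept = append(kept, now)
	g.fails[source] = kept
	if len(kept) >= g.MaxFails {
		g.banned[source] = now.Add(g.BanFor)
		delete(g.fails, source)
		return true
	}
	return false
}

// CheckOrder is the gate in front of the processor call. It returns ""
// when the order may proceed, otherwise the reason it was refused.
func (g *AbuseGuard) CheckOrder(source, pan string, now time.Time) string {
	if g.Banned(source, now) {
		return "source banned"
	}
	if !LuhnValid(pan) {
		if g.RecordFailure(source, now) {
			return "invalid card number; source banned"
		}
		return "invalid card number"
	}
	return ""
}

// ReportAVS feeds the processor's address-verification outcome back in;
// a failed AVS counts against the source exactly like a bogus number.
func (g *AbuseGuard) ReportAVS(source string, matched bool, now time.Time) bool {
	if matched {
		return false
	}
	return g.RecordFailure(source, now)
}

func main() {
	g := NewAbuseGuard(10*time.Minute, 3, time.Hour)
	now := time.Date(2000, 12, 12, 21, 0, 0, 0, time.UTC)
	// Constructed attempts from one source: two bad numbers, then a failed AVS.
	for i, pan := range []string{"4111 1111 1111 1112", "1234 5678 9012 3456"} {
		fmt.Printf("attempt %d: %q\n", i+1, g.CheckOrder("src-A", pan, now.Add(time.Duration(i)*time.Minute)))
	}
	fmt.Println("AVS failure bans source:", g.ReportAVS("src-A", false, now.Add(2*time.Minute)))
	fmt.Printf("valid number afterwards: %q\n", g.CheckOrder("src-A", "4111 1111 1111 1111", now.Add(3*time.Minute)))
}
```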
