Interesting People mailing list archives

IP: Credit-card data used for extortion -- a look at it from an expert from Risks


From: Dave Farber <farber () cis upenn edu>
Date: Mon, 17 Jan 2000 08:11:29 -0500



Date: Mon, 10 Jan 2000 14:31:29 -0500
From: "Steven M. Bellovin" <smb () research att com>
Subject: Credit-card data used for extortion

*The New York Times* today reported an extortion attempt involving credit
card numbers stolen from online merchant CD Universe. Someone who called
himself "Maxim" and claimed to be Russian said that he had copied 300,000
credit card numbers from their system, and that he would post them on the
Internet unless he was paid $100,000. The article quoted the chairman of
eUniverse, the company that operates the site, as confirming that Maxim did
indeed have their data. eUniverse declined to pay the $100,000; Maxim
posted 25,000 card numbers to a Web site. Several thousand people
downloaded the file before it was yanked.

What's interesting, though, is not that this can occur. In fact, security
folks have been warning for years about wholesale theft of card numbers. But
most sites can't or won't do anything about it. Consider, for example, the
security statement currently posted on the cduniverse.com Web site (I saw
no mention of the incident):

    Security - Is Internet Shopping Safe?

    We have all heard a lot of talk about whether shopping on the internet is
    safe. The main concern of online shoppers is that their credit card
    information will somehow end up in the wrong hands. We use Netscape's
    Secure Commerce Server technology, which encrypts your order information,
    keeping it private and protected. It's a Netscape technology called "SSL"
    (Secure Sockets Layer) and it's used by us and all the other major
    commercial shopping sites, including: The Wall Street Journal, Barnes &
    Noble Books, FTD Flowers, Microsoft, and Netscape itself. It is actually
    safer to transmit your credit card info over the Internet than it is to
    use your credit card around town.

By focusing on transport encryption, they miss the point entirely. The
real risk is bulk theft, as has happened here. Consider the following
text from their Web site:

    If you have previously placed an order and want to use the same credit
    card, you can select the "Use previous credit card info" option. You do
    not need to enter your credit card information unless your credit card
    expiration date has passed.

By maintaining this information online, they (and many other Web merchants,
of course) are inviting trouble.

It is tempting to say "use SET", which would provide for digitally-signed
payment authorization. Unfortunately, SET may send your credit card number
to the merchant anyway. Many stores use credit card numbers as the database
key for user purchasing patterns; they didn't want to lose the link if SET
ever took off. But this means that card-number data still exists on the
merchant's site somewhere.

The CD Universe security statement concludes with this note:

    What most people don't realize is that shopping with your credit card is
    actually safer than paying by check. In the event that there is a problem
    with your purchase, the credit card company will remove the purchase from
    your bill and the on-line merchant is not paid. In the event that your
    credit card number is stolen, the credit card companies do not hold you
    responsible for any unauthorized purchases.

It is, I believe, accurate, though there may still be $50 liability to the
consumer under U.S. law. (And they don't say anything about credit card
numbers belonging to non-Americans, even though they list shipping charges
for international destinations.) But *someone* is going to have to swallow
the fraudulent charges -- and we won't see an overall improvement in
computer security until the *real* injured parties apply appropriate
pressure.

[The NYT article also noted by Scott Lucero. PGN]
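Added example (editor's illustration; not part of Bellovin's post, and not CD Universe's actual code or schema): the "card number as the database key for purchasing patterns" design the post describes, placed beside a tokenised alternative that keeps the "use previous credit card info" convenience without holding the card number on the merchant side. The tokenised design is an assumed alternative, not something the page says any merchant did. The customers, purchases and card numbers are constructed test data (Luhn-valid test numbers, not issued cards), and the `vault` dict stands in for a separate system the Web tier cannot bulk-read. `bulk_dump` plays the role of "Maxim": it copies every table and keeps whatever looks like a card number.

```python
"""Added example, not from the original post: PAN-keyed merchant database
versus a tokenised one, and what a bulk copy of each yields to a thief."""
import re
import secrets
import sqlite3

# Constructed sample data: (name, card number, expiry). Assumption: test numbers only.
SAMPLE_CUSTOMERS = [
    ("alice", "4111111111111111", "12/01"),
    ("bob", "5500000000000004", "03/02"),
    ("carol", "340000000000009", "07/01"),
]
PURCHASES = [("alice", "CD-1"), ("alice", "CD-2"), ("bob", "CD-3")]


def luhn_ok(digits: str) -> bool:
    """Luhn check; a thief uses the same test to sift card numbers out of a dump."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def build_pan_keyed_db() -> sqlite3.Connection:
    """The design the post criticises: the card number is stored in clear and is
    the key that links a shopper to their purchase history."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE customers(card_number TEXT PRIMARY KEY, name TEXT, expiry TEXT);"
        "CREATE TABLE purchases(card_number TEXT, item TEXT);"
    )
    db.executemany("INSERT INTO customers VALUES (?,?,?)",
                   [(pan, name, exp) for name, pan, exp in SAMPLE_CUSTOMERS])
    for name, item in PURCHASES:
        pan = db.execute("SELECT card_number FROM customers WHERE name=?", (name,)).fetchone()[0]
        db.execute("INSERT INTO purchases VALUES (?,?)", (pan, item))
    return db


def build_tokenised_db():
    """Assumed alternative (not CD Universe's design): the merchant keeps an opaque
    random token, the last four digits and the expiry; the PAN lives only in a
    separate vault. Purchase history is keyed by the token instead."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE customers(token TEXT PRIMARY KEY, name TEXT, last4 TEXT, expiry TEXT);"
        "CREATE TABLE purchases(token TEXT, item TEXT);"
    )
    vault = {}  # token -> PAN, held by a separate system the Web tier cannot dump
    for name, pan, exp in SAMPLE_CUSTOMERS:
        token = secrets.token_hex(16)
        vault[token] = pan
        db.execute("INSERT INTO customers VALUES (?,?,?,?)", (token, name, pan[-4:], exp))
    for name, item in PURCHASES:
        token = db.execute("SELECT token FROM customers WHERE name=?", (name,)).fetchone()[0]
        db.execute("INSERT INTO purchases VALUES (?,?)", (token, item))
    return db, vault


def bulk_dump(db: sqlite3.Connection) -> set:
    """What a thief who copies the whole merchant database gets: every stored
    value that looks like a card number (13 to 19 digits, Luhn-valid)."""
    found = set()
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for row in db.execute(f"SELECT * FROM {table}"):
            for value in row:
                s = str(value)
                if re.fullmatch(r"\d{13,19}", s) and luhn_ok(s):
                    found.add(s)
    return found


def history_by_customer(db: sqlite3.Connection, key_col: str) -> dict:
    """The purchasing-pattern link survives in either design; only the key differs."""
    rows = db.execute(
        f"SELECT c.name, COUNT(p.item) FROM customers c "
        f"LEFT JOIN purchases p USING ({key_col}) GROUP BY c.name"
    )
    return dict(rows.fetchall())


def charge_previous_card(db: sqlite3.Connection, vault: dict, name: str) -> str:
    """'Use previous credit card info' in the tokenised design: the Web tier
    resolves name -> token, and only the vault turns the token into a PAN."""
    token = db.execute("SELECT token FROM customers WHERE name=?", (name,)).fetchone()[0]
    return vault[token]


if __name__ == "__main__":
    print("PAN-keyed dump:", sorted(bulk_dump(build_pan_keyed_db())))
    tdb, vault = build_tokenised_db()
    print("tokenised dump:", sorted(bulk_dump(tdb)))
    print("history:", history_by_customer(tdb, "token"))
```

Running the block prints three card numbers for the PAN-keyed database and an empty set for the tokenised one, while `history_by_customer` returns the same per-customer counts for both; the point is that the link between a shopper and their purchasing pattern never needed the card number itself as the key, only something stable that the vault alone can map back to a card.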

