Interesting People mailing list archives
IP: Credit-card data used for extortion -- a look at it from an expert from Risks
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 17 Jan 2000 08:11:29 -0500
Date: Mon, 10 Jan 2000 14:31:29 -0500
From: "Steven M. Bellovin" <smb () research att com>
Subject: Credit-card data used for extortion

*The New York Times* today reported an extortion attempt involving credit card numbers stolen from online merchant CD Universe. Someone who called himself "Maxim" and claimed to be Russian said that he had copied 300,000 credit card numbers from their system, and that he would post them on the Internet unless he was paid $100,000. The article quoted the chairman of eUniverse, the company that operates the site, as confirming that Maxim did indeed have their data. eUniverse declined to pay the $100,000; Maxim posted 25,000 card numbers to a Web site. Several thousand people downloaded the file before it was yanked.

What's interesting, though, is not that this can occur. In fact, security folks have been warning for years about wholesale theft of card numbers. But most sites can't or won't do anything about it. Consider, for example, the security statement currently posted on the cduniverse.com Web site (I saw no mention of the incident):

    Security - Is Internet Shopping Safe?

    We have all heard a lot of talk about whether shopping on the internet
    is safe. The main concern of online shoppers is that their credit card
    information will somehow end up in the wrong hands. We use Netscape's
    Secure Commerce Server technology, which encrypts your order
    information, keeping it private and protected. It's a Netscape
    technology called "SSL" (Secure Sockets Layer) and it's used by us and
    all the other major commercial shopping sites, including: The Wall
    Street Journal, Barnes & Noble Books, FTD Flowers, Microsoft, and
    Netscape itself. It is actually safer to transmit your credit card
    info over the Internet than it is to use your credit card around town.

By focusing on transport encryption, they miss the point entirely. The real risk is bulk theft, as has happened here.

Consider the following text from their Web site:

    If you have previously placed an order and want to use the same credit
    card, you can select the "Use previous credit card info" option. You
    do not need to enter your credit card information unless your credit
    card expiration date has passed.

By maintaining this information online, they (and many other Web merchants, of course) are inviting trouble.

It is tempting to say "use SET", which would provide for digitally-signed payment authorization. Unfortunately, SET may send your credit card number to the merchant anyway. Many stores use credit card numbers as the database key for user purchasing patterns; they didn't want to lose the link if SET ever took off. But this means that card-number data still exists on the merchant's site somewhere.

The CD Universe security statement concludes with this note:

    What most people don't realize is that shopping with your credit card
    is actually safer than paying by check. In the event that there is a
    problem with your purchase, the credit card company will remove the
    purchase from your bill and the on-line merchant is not paid. In the
    event that your credit card number is stolen, the credit card
    companies do not hold you responsible for any unauthorized purchases.

It is, I believe, accurate, though there may still be $50 liability to the consumer under U.S. law. (And they don't say anything about credit card numbers belonging to non-Americans, even though they list shipping charges for international destinations.) But *someone* is going to have to swallow the fraudulent charges -- and we won't see an overall improvement in computer security until the *real* injured parties apply appropriate pressure.

[The NYT article also noted by Scott Lucero. PGN]
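An added illustration of the point Bellovin makes about merchants keeping card numbers on file and using them as database keys (example code, not from the post or from CD Universe): the "use previous credit card info" feature and the purchase-pattern link both survive if the merchant stores a keyed surrogate for the card plus the last four digits and the expiry, so a bulk dump of the customer table contains no card numbers. It assumes the linking key is held outside the database and that actually charging the card is handled by a processor-side authorization, the part SET was meant to provide; the key and card numbers below are constructed test values.

```python
import hmac
import hashlib

# Constructed demo key. In deployment this lives in a separate key store
# (HSM/KMS), never in the same database as the records it protects.
LINK_KEY = bytes.fromhex("0f" * 32)


def luhn_ok(pan: str) -> bool:
    """Reject obviously malformed numbers before deriving a reference."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_ref(pan: str, key: bytes = LINK_KEY) -> str:
    """Keyed surrogate for 'this card': same card -> same ref, so purchase
    patterns still link by card, but the stored value is not the number.
    A keyed HMAC rather than a plain hash: the card-number space is small
    enough that an unkeyed digest could be brute-forced offline."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def card_on_file(pan: str, exp_month: int, exp_year: int) -> dict:
    """What 'use previous credit card info' actually needs: a stable
    reference, the last four digits for display, and the expiry so the
    shopper is asked to re-enter only when the card has lapsed."""
    if not luhn_ok(pan):
        raise ValueError("not a valid card number")
    return {"card_ref": card_ref(pan), "last4": pan[-4:],
            "exp_month": exp_month, "exp_year": exp_year}


def card_expired(record: dict, year: int, month: int) -> bool:
    """Cards are valid through the last day of the expiry month."""
    return (record["exp_year"], record["exp_month"]) < (year, month)


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Sanity check: does a dump of the stored record contain the number?"""
    return pan in repr(record)
```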