Hacking credit cards is preposterously easy
Better sit down for this one
Recent headlines exposing vast credit card heists from retail Web sites have prompted a media frenzy around issues of Internet security. Most recently, MSNBC broke the story of one semi-malicious hacker who gathered the details of nearly a half-million credit cards which he tauntingly stored on a US government computer. Meanwhile, a hacker named 'Curador' claimed to have gathered 23,000 credit card numbers, many of which he published on Web sites across the Net. And now The Register is here to tell you that the situation is a good deal worse than even the normally twitchy mainstream press imagine. Child's Play One computer enthusiast well known to The Register, who goes by the alias 'Ksoze' (as in Kayser Soze), shows particular contempt for the security of the popular CGI log-in forms which enable consumers to enter their credit details when making a purchase on line. These Perl scripts are ripe for exploitation -- the real low-hanging fruit of the IP jungle. Some of the worst on-line credit card payment processors, Ksoze says, are those that cater to sites with adult content, where credit fraud rates are so high that most billing service providers won't handle their accounts. ICVerify, a popular billing software product for online credit-card transactions marketed by Cybercash, was exploited for the 300,000-account score at CD Universe. Ksoze's pet hate is CCBill, a similar product. "I cracked over fifty passwords using their weak CGI recently. [An associate] got in [there as well] and found a lot of credit card numbers," Ksoze told us. It's all too easy: "Just hit 'update account' and you get the form as filled in by customers," he says. Much of the weakness comes from the site administrators, who often know little about Web security and must therefore rely on the product to protect their data and that of their customers. "Defaults are also a great inherent weakness," Ksoze says. "Site administrators don't care or don't understand, so they leave CGI scripts in default locations. It's quite dangerous." "CCBill are thieves, OK, but they're morons too," he said. "They supply a CGI script to their customers named ccbill-local.cgi by default. Site administrators need that CGI to add users, update accounts, and so on; but CCBill supplies the CGI chmoded as world-readable, in a world-readable directory! Aren't they totally lame?" Indeed, they must be. Such a setup requires no hacking skills whatever to exploit. No UNIX box, no knowledge of Internet architecture, no stealth except perhaps an http proxy. A Web browser and a modem are all anyone would need. The problem here is that smaller commercial Web sites lack the resources to hire a security specialist, and, being innocent, will most likely trust the company's default settings. Even worse, "the first CCBill local.cgi version allows anyone to add their own login pass file," Ksoze notes. This has been fixed in later versions; but even there, only a single wordlist is needed to crack an administrator's password to gain access. Combination passes, which take longer to crack, are not required. Ksoze is far from sympathetic. "The problem is, CCBill are morons, so they fuck whoever trusts them. I wonder....how can an experienced company supply a CGI which is world readable and which allows anyone to add any login to the pass file?" Industry Backpedaling We thought that a good question, so we asked. CCBill spokesman Craig Tant assured us that the company has one of the highest security ratings in the industry. If they were easy to hack, he says, they would have been already. Tant suggested that we arrange for Ksoze to attempt to penetrate the site, so that he could learn for himself how difficult it really is. We were arranging to introduce Tant and Ksoze on line, but first we e-mailed to CCBill security specialist and UNIX co-developer Peter Mountain an exploit which Ksoze had written to make hacking the company's admin CGI form a more convenient procedure. The Register hasn't heard from CCBill since. It would be unfair to single out CCBill as a unique example. The entire on-line retail industry is in denial of credit, privacy and other security threats. Consumer confidence in on-line shopping is very shaky, and merchants and their billing service providers face a dilemma: worrying in public risks unfairly stigmatising one company as less secure than another, while keeping silent about a threat which everyone suspects is bigger than reported compromises their credibility. Internet Fraud Prevention Advisory Council (IFPAC) co-founder Joe Barrett calls on-line losses to credit fraud the "dirty little secret" of the retail industry. Whereas the fraud rate in face-to-face credit card transactions is in the range of two or three tenths of one percent, the rate in on-line sales is in the range of one to two percent, in spite of the card issuers' constant insistence that the rates are roughly equivalent. A rate below one percent is considered good for a commercial Web site; the rate for adult Web sites is in the range of eight to twelve percent, Barrett told The Register. But the true losses are concealed from the public, he maintains, because even when a site or a billing service provider can claim a charge-back rate of only one percent, the number of sales declined in order to achieve such an exemplary record is high. "How much business are you willing to throw away?" Barrett asks rhetorically. "If you turn away five percent of revenues to keep your charge-back rate below one percent, are you really doing yourself any favours?" Managing Risk Numerous proposals for easing the on-line security problem are circulating. Government law-enforcement agencies are especially eager to take matters into their own heavy hands, but at a significant cost to civil liberties and national treasuries. Internet security firms pitch their own solutions, but the problem there is that very good security is very expensive security. Most small merchants simply can't afford the sophisticated security tactics that large corporations and banks use. The real solution to on-line fraud, Barrett says, is risk management, such as that which his company, Vitessa, offers. Such services enable merchants to select the level of fraud protection that makes the most business sense in their market. The trick is to configure the software to flag a sale as suspicious based on the actual needs of the individual merchant, and his likelihood of encountering fraudulent purchases. Vitessa partner HNC Software VP Allen Jost agrees. "Merchants need to manage fraud to a cost that makes business sense to them," he told The Register. There is no point spending more on fraud prevention than the potential losses would represent. "If fraud losses would cost you X, and it would cost Y prevent them, then you had better make sure that Y is less than X," he says. HNC has a fraud-detection service for small on-line merchants called e-HNC, which is modelled on its more expensive, corporate-oriented Falcon service. Merchants can buy into it at a per-transaction cost of only a few pennies, Jost said. The Web makes it extremely easy for fraudsters to make use of stolen credit data, where a card number, a name and an expiry date are all that's needed. But Jost says that the card numbers themselves are still gathered in the more traditional fashion, most often by a technique called skimming. A simple scanner, small enough to fit in a pocket or a waitress' apron, which can read and write to the cards' magnetic strips is readily available. The fraudster, presumably in a position to handle a card unobserved for a few seconds, swipes it through the scanner, which records all the necessary information, such as the card holder's name, address and account details. Later, the device can be used to write to the strips of out-dated or cancelled cards, converting them to working copies of the originals. Apparently, hackers, who seem able to gather hundreds of thousands of credit accounts with ease, are reluctant to misuse the data. We note that in the grand heist reported by MSNBC, none of the accounts was used. We note as well that in the CD Universe case, and in Curador's case, none of the cards appears to have been used either, though some of the data has been posted on the Web for months now. And the French whiz who cracked the smart cards also refrained from committing fraud with what he had learned. The hacking underground is generally motivated by curiosity and a desire for bragging rights, not larceny. But that could change. 'Market pressures' from organised crime syndicates may well corrupt enough skilled hackers to make them a potential threat in future, Jost predicts. At US $5 a pop, which seems to us a very reasonable cost to a criminal outfit, a hacker with a half-million card numbers could pocket a cool $2.5 million for a few hours' risky business. Hardly chump change, we must allow. ® Related Coverage Biggest online credit card heist leaked to MSNBC Chinese hackers turn to identity theft Credit card fraudsters cost Expedia $6 million French credit card hacker convicted Chinese Govt. loosely implicated in credit info heist Online store security holes let hackers buy at cut price Net credit card fraud pushes up crime figures Popular online billing software hacked Credit card details published on Web after hack attack
Sponsored: RAID: End of an era?