Hacking credit cards is preposterously easy

Better sit down for this one

Recent headlines exposing vast credit card heists from retail Web sites have prompted a media frenzy around issues of Internet security. Most recently, MSNBC broke the story of one semi-malicious hacker who gathered the details of nearly a half-million credit cards which he tauntingly stored on a US government computer. Meanwhile, a hacker named 'Curador' claimed to have gathered 23,000 credit card numbers, many of which he published on Web sites across the Net. And now The Register is here to tell you that the situation is a good deal worse than even the normally twitchy mainstream press imagine.

Child's Play

One computer enthusiast well known to The Register, who goes by the alias 'Ksoze' (as in Keyser Soze), shows particular contempt for the security of the popular CGI log-in forms which enable consumers to enter their credit details when making a purchase on line. These Perl scripts are ripe for exploitation -- the real low-hanging fruit of the IP jungle.

Some of the worst on-line credit card payment processors, Ksoze says, are those that cater to sites with adult content, where credit fraud rates are so high that most billing service providers won't handle their accounts. ICVerify, a popular billing software product for online credit-card transactions marketed by Cybercash, was exploited for the 300,000-account score at CD Universe. Ksoze's pet hate is CCBill, a similar product. "I cracked over fifty passwords using their weak CGI recently. [An associate] got in [there as well] and found a lot of credit card numbers," Ksoze told us. It's all too easy: "Just hit 'update account' and you get the form as filled in by customers," he says.

Much of the weakness comes from the site administrators, who often know little about Web security and must therefore rely on the product to protect their data and that of their customers. "Defaults are also a great inherent weakness," Ksoze says.
"Site administrators don't care or don't understand, so they leave CGI scripts in default locations. It's quite dangerous."

"CCBill are thieves, OK, but they're morons too," he said. "They supply a CGI script to their customers named ccbill-local.cgi by default. Site administrators need that CGI to add users, update accounts, and so on; but CCBill supplies the CGI chmoded as world-readable, in a world-readable directory! Aren't they totally lame?"

Indeed, they must be. Such a setup requires no hacking skills whatever to exploit. No UNIX box, no knowledge of Internet architecture, no stealth except perhaps an http proxy. A Web browser and a modem are all anyone would need. The problem here is that smaller commercial Web sites lack the resources to hire a security specialist, and, being innocent, will most likely trust the company's default settings.

Even worse, "the first CCBill local.cgi version allows anyone to add their own login pass file," Ksoze notes. This has been fixed in later versions; but even there, only a single wordlist is needed to crack an administrator's password to gain access. Combination passes, which take longer to crack, are not required.

Ksoze is far from sympathetic. "The problem is, CCBill are morons, so they fuck whoever trusts them. I wonder... how can an experienced company supply a CGI which is world readable and which allows anyone to add any login to the pass file?"

Industry Backpedaling

We thought that a good question, so we asked. CCBill spokesman Craig Tant assured us that the company has one of the highest security ratings in the industry. If they were easy to hack, he says, they would have been already. Tant suggested that we arrange for Ksoze to attempt to penetrate the site, so that he could learn for himself how difficult it really is.
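The configuration Ksoze describes, a billing CGI shipped world-readable inside a world-readable directory and left at its vendor default path, is something a site administrator can check for mechanically rather than trust. The Python below is an added example written for this page; it is not CCBill's code and does not come from the article. It walks a cgi-bin tree on a Unix host and reports anything whose permission bits grant access to "others" (any local account on a shared server), plus files still carrying the default name quoted above. The throwaway tree it builds, the file name admin.cgi, and the assumption that the web server runs as the owner or a group member (so "other" bits are never needed for a CGI to run) are all constructed for the example.

```python
"""Audit a cgi-bin tree for the defaults the article complains about.

Added example for this page, not code from the article or from CCBill.
Reports files and directories whose permission bits grant access to
'others', and files still carrying the vendor default name quoted in
the article. Assumes a Unix host on which the web server user is the
owner or a group member, so 'other' bits are never needed for a CGI.
"""
import os
import shutil
import stat
import tempfile

# Default script name quoted in the article; extend with other vendors' defaults.
DEFAULT_NAMES = {"ccbill-local.cgi"}


def describe_mode(mode):
    """Return the problems implied by an st_mode value (empty list if none)."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
        problems.append("directory traversable by anyone")
    return problems


def audit_cgi_dir(root):
    """Walk root and return sorted (relative_path, [problems]) pairs.

    The root itself is reported as '.' when its own bits are too open.
    """
    findings = []
    root_problems = describe_mode(os.lstat(root).st_mode)
    if root_problems:
        findings.append((".", root_problems))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            problems = describe_mode(os.lstat(full).st_mode)
            if name in DEFAULT_NAMES:
                problems.append("vendor default filename")
            if problems:
                findings.append((os.path.relpath(full, root), problems))
    return sorted(findings)


def build_demo_tree():
    """Construct a throwaway tree mirroring the article's complaint (constructed data)."""
    root = tempfile.mkdtemp(prefix="cgi-audit-")
    os.chmod(root, 0o750)                      # the root itself is locked down
    cgi_bin = os.path.join(root, "cgi-bin")
    os.mkdir(cgi_bin)
    os.chmod(cgi_bin, 0o755)                   # anyone can list and traverse it
    files = {
        "ccbill-local.cgi": 0o755,             # default name, world-readable
        "admin.cgi": 0o750,                    # how it should look (assumed name)
        "passwd": 0o666,                       # credentials file anyone can edit
    }
    for name, mode in files.items():
        path = os.path.join(cgi_bin, name)
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/perl\n" if name.endswith(".cgi") else "admin:x\n")
        os.chmod(path, mode)
    return root


def demo():
    """Build the demo tree, audit it, clean up, and return findings as a dict."""
    root = build_demo_tree()
    try:
        return dict(audit_cgi_dir(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, problems in sorted(demo().items()):
        print(f"{path}: {', '.join(problems)}")
```

Run against a real document root instead of the demo tree by calling audit_cgi_dir on that path; anything it lists should be chmod'ed so that only the web server's user or group can reach it, and scripts still carrying a vendor default name should be renamed or moved out of the documented location.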
We were arranging to introduce Tant and Ksoze on line, but first we e-mailed to CCBill security specialist and UNIX co-developer Peter Mountain an exploit which Ksoze had written to make hacking the company's admin CGI form a more convenient procedure. The Register hasn't heard from CCBill since.

It would be unfair to single out CCBill as a unique example. The entire on-line retail industry is in denial of credit, privacy and other security threats. Consumer confidence in on-line shopping is very shaky, and merchants and their billing service providers face a dilemma: worrying in public risks unfairly stigmatising one company as less secure than another, while keeping silent about a threat which everyone suspects is bigger than reported compromises their credibility.

Internet Fraud Prevention Advisory Council (IFPAC) co-founder Joe Barrett calls on-line losses to credit fraud the "dirty little secret" of the retail industry. Whereas the fraud rate in face-to-face credit card transactions is in the range of two or three tenths of one percent, the rate in on-line sales is in the range of one to two percent, in spite of the card issuers' constant insistence that the rates are roughly equivalent. A rate below one percent is considered good for a commercial Web site; the rate for adult Web sites is in the range of eight to twelve percent, Barrett told The Register. But the true losses are concealed from the public, he maintains, because even when a site or a billing service provider can claim a charge-back rate of only one percent, the number of sales declined in order to achieve such an exemplary record is high. "How much business are you willing to throw away?" Barrett asks rhetorically. "If you turn away five percent of revenues to keep your charge-back rate below one percent, are you really doing yourself any favours?"

Managing Risk

Numerous proposals for easing the on-line security problem are circulating.
Government law-enforcement agencies are especially eager to take matters into their own heavy hands, but at a significant cost to civil liberties and national treasuries. Internet security firms pitch their own solutions, but the problem there is that very good security is very expensive security. Most small merchants simply can't afford the sophisticated security tactics that large corporations and banks use.

The real solution to on-line fraud, Barrett says, is risk management, such as that which his company, Vitessa, offers. Such services enable merchants to select the level of fraud protection that makes the most business sense in their market. The trick is to configure the software to flag a sale as suspicious based on the actual needs of the individual merchant, and his likelihood of encountering fraudulent purchases.

Vitessa partner HNC Software VP Allen Jost agrees. "Merchants need to manage fraud to a cost that makes business sense to them," he told The Register. There is no point spending more on fraud prevention than the potential losses would represent. "If fraud losses would cost you X, and it would cost Y to prevent them, then you had better make sure that Y is less than X," he says. HNC has a fraud-detection service for small on-line merchants called e-HNC, which is modelled on its more expensive, corporate-oriented Falcon service. Merchants can buy into it at a per-transaction cost of only a few pennies, Jost said.

The Web makes it extremely easy for fraudsters to make use of stolen credit data, where a card number, a name and an expiry date are all that's needed. But Jost says that the card numbers themselves are still gathered in the more traditional fashion, most often by a technique called skimming. A simple scanner, small enough to fit in a pocket or a waitress' apron, which can read and write to the cards' magnetic strips is readily available.
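Barrett's point that a low charge-back rate can be bought only by turning away revenue, and Jost's rule that prevention cost Y should stay below fraud cost X, can be made concrete. The Python below is an added example for this page, not Vitessa's or HNC's software. It takes a constructed batch of orders, each carrying a risk score assumed to come from some external scoring service, and evaluates a set of candidate decline thresholds by total cost: goods and fees lost to accepted fraud plus the margin forgone on legitimate orders declined. The merchant's choice is then the cheapest threshold for its own numbers, not the one with the prettiest charge-back rate. Amounts, scores, margin and charge-back fee are all constructed.

```python
"""Choose a fraud-decline threshold by total expected cost, not charge-back rate.

Added example for this page, not Vitessa's or HNC's software. Declining sales
to lower the charge-back rate costs real money, so the threshold should be the
one that minimises fraud losses plus forgone margin (Jost's 'Y less than X').
Risk scores are assumed to come from an external scoring service; every
figure below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    amount: float    # sale value in dollars
    score: float     # risk score in [0, 1] from an assumed scoring service
    is_fraud: bool   # known only in hindsight, once charge-backs arrive


# Constructed batch: fraud tends to score high, but not perfectly.
SAMPLE = [
    Order(40.0, 0.05, False), Order(120.0, 0.10, False), Order(25.0, 0.15, False),
    Order(80.0, 0.20, False), Order(200.0, 0.30, False), Order(60.0, 0.35, False),
    Order(150.0, 0.40, False), Order(95.0, 0.45, True),  Order(300.0, 0.55, False),
    Order(70.0, 0.60, True),  Order(45.0, 0.70, False),  Order(500.0, 0.75, True),
    Order(110.0, 0.85, True), Order(35.0, 0.90, False),  Order(250.0, 0.95, True),
]

# Candidate policies; 1.01 means 'accept everything'.
CANDIDATES = [0.30, 0.50, 0.65, 0.80, 1.01]


def evaluate(orders, threshold, margin=0.30, chargeback_fee=15.0):
    """Decline every order scoring at or above threshold; return the cost breakdown.

    fraud_loss  = goods shipped to fraudsters plus the issuer's charge-back fee
    lost_margin = profit forgone on legitimate orders that were turned away
    """
    fraud_loss = lost_margin = 0.0
    accepted = declined = chargebacks = 0
    for order in orders:
        if order.score >= threshold:
            declined += 1
            if not order.is_fraud:
                lost_margin += order.amount * margin
        else:
            accepted += 1
            if order.is_fraud:
                chargebacks += 1
                fraud_loss += order.amount + chargeback_fee
    return {
        "threshold": threshold,
        "fraud_loss": round(fraud_loss, 2),
        "lost_margin": round(lost_margin, 2),
        "total_cost": round(fraud_loss + lost_margin, 2),
        "chargeback_rate": chargebacks / accepted if accepted else 0.0,
        "decline_rate": declined / len(orders),
    }


def best_threshold(orders, candidates, **costs):
    """Return the evaluation with the lowest total cost (Y < X for this merchant)."""
    return min((evaluate(orders, t, **costs) for t in candidates),
               key=lambda r: r["total_cost"])


if __name__ == "__main__":
    for t in CANDIDATES:
        r = evaluate(SAMPLE, t)
        print(f"threshold {t:.2f}: charge-back {r['chargeback_rate']:.1%}, "
              f"declined {r['decline_rate']:.1%}, total cost ${r['total_cost']:.2f}")
    print("cheapest policy:", best_threshold(SAMPLE, CANDIDATES)["threshold"])
```

On this constructed batch the 0.50 threshold has a lower charge-back rate than 0.65 yet costs more in total, because it declines a large legitimate order; that is exactly the trade-off Barrett describes. A merchant with thinner margins or a higher charge-back fee would pass different values for margin and chargeback_fee and may land on a different threshold.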
The fraudster, presumably in a position to handle a card unobserved for a few seconds, swipes it through the scanner, which records all the necessary information, such as the card holder's name, address and account details. Later, the device can be used to write to the strips of out-dated or cancelled cards, converting them to working copies of the originals.

Apparently, hackers, who seem able to gather hundreds of thousands of credit accounts with ease, are reluctant to misuse the data. We note that in the grand heist reported by MSNBC, none of the accounts was used. We note as well that in the CD Universe case, and in Curador's case, none of the cards appears to have been used either, though some of the data has been posted on the Web for months now. And the French whiz who cracked the smart cards also refrained from committing fraud with what he had learned. The hacking underground is generally motivated by curiosity and a desire for bragging rights, not larceny.

But that could change. 'Market pressures' from organised crime syndicates may well corrupt enough skilled hackers to make them a potential threat in future, Jost predicts. At US $5 a pop, which seems to us a very reasonable cost to a criminal outfit, a hacker with a half-million card numbers could pocket a cool $2.5 million for a few hours' risky business. Hardly chump change, we must allow.

Related Coverage

Biggest online credit card heist leaked to MSNBC
Chinese hackers turn to identity theft
Credit card fraudsters cost Expedia $6 million
French credit card hacker convicted
Chinese Govt. loosely implicated in credit info heist
Online store security holes let hackers buy at cut price
Net credit card fraud pushes up crime figures
Popular online billing software hacked
Credit card details published on Web after hack attack
