low graphics version | feedback | help
| Front Page World UK UK Politics Business |
| Sci/Tech |
| Health Education Sport Entertainment Talking Point In Depth AudioVideo |
Net thief grabs credit cards
 The hacker's website offered a "credit card datapipe" |
By BBC News Online's Damian Carrington
In what may be the largest internet heist yet reported, a malicious hacker has stolen hundreds and perhaps many thousands of credit card details from e-commerce websites.
Some of the cards have been used fraudulently for purchases of over $1000.
 We called his bluff. It may have hurt us and our customers in the short term but it's better for overall security in the industry in the long run  |
| Brad Greenspan, eUniverse |
The anonymous cyber-thief, who calls himself 'Maxus', says he went public on a website after his alleged attempts to blackmail the companies involved were rejected.
Hunt is on
The only site named so far as having been hacked is cdUniverse, based in Connecticut, US. Brad Greenstreet, president of parent company eUniverse, told BBC News Online: "We can confirm there was an attempt to hack in and that some of our customer data seems to have fallen into the possession of the individual who tried to blackmail our company."
"We are now working with FBI, the credit card companies and we have hired a private security investigation firm."
Other websites must have been breached however, as some of the card details stolen had never been used at cdUniverse.
Cards on tap
The hacker's website, now closed, presented a 'credit card datapipe'. By clicking a button, full details for a card were presented. At least a dozen sets of details given out have been verified as being genuine and some of the card owners had been unaware of the theft.
Maxus claims he offered to fix the security hole for a fee. When that was refused he threatened to go public unless $100,000 was paid.
But in an email, he told APBnews that he was not successful in his alleged blackmail. "They are bastards. I wanna fix their hole, but they don't want."
Matthew Bevan, a UK-based independent computer security consultant, told BBC News Online that the hack seemed genuine.
"I think he's ripped off the database from somewhere. I guess he's just broken the site and the card information is stored on the web server, rather than being piped elsewhere."
'Vulnerability exploited'
But there is another possibility, according to Mr Bevan. The hacker claims to have exploited software used by the cdUniverse website to verify the validity of credit cards. This is called ICVerify, made by CyberCash, and is widely used on e-commerce sites.
Mr Bevan noted that the company had issued a patch for a Y2K problem on ICVerify: "He could perhaps have exploited a vulnerability connected to the Y2K problem Cybercash had."
CdUniverse confirmed they had not installed the patch: "Cybercash told us they had a security breach and had issued a patch but we think that the responsibility for implementing this laid with them," said Brad Greenspan.
However CyberCash deny that their software could have been exploited. In a statement, the company said :"ICVerfiy is a PC-based payment system, not a web-enabled product and is not being used by cdUniverse on its website. Therefore the credit card information cited in recent coverage could not have come from ICVerify."
Russian roulette
The hacker claims to be 18 years old and his e-mails appear to come from Russia, but Mr Greenspan said: "If I was a hacker and wanted to get everyone off my trail, I'd say I was in Russia too. He may be there but he may as easily be in Los Angeles."
Mr Bevan added: "He's probably a youngster who got lucky and thinks he can make a bit of cash off it. Someone intent on ripping off 25,000 cards wouldn't brag about it on a website."
Alan Stevens, editor of the UK Consumer Association's website, Which Online, told BBC News Online: "This is a very serious incident indeed."
"But it is important to remember that people have been stealing credit card numbers since before the net existed. And people are not liable themselves - the potential victims are credit card companies and internet businesses who may have taken orders using stolen cards."
The large numbers of credit card details which can apparently be stolen at once will be of particular concern to the credit card companies.
Mr Stevens said: "Confidence in shopping on the web is pretty shaky - about half of internet users in the UK are nervous about putting their credit card numbers in. The only thing that will help is for companies trading on the web to give an absolute guarantee that, in the unlikely event of anything going wrong, the customer will not lose out."
Hunt is on
The only site named so far as having been hacked is cdUniverse, based in Connecticut, US. Brad Greenstreet, president of parent company eUniverse, told BBC News Online: "We can confirm there was an attempt to hack in and that some of our customer data seems to have fallen into the possession of the individual who tried to blackmail our company."
"We are now working with FBI, the credit card companies and we have hired a private security investigation firm."
Other websites must have been breached however, as some of the card details stolen had never been used at cdUniverse.
Cards on tap
The hacker's website, now closed, presented a 'credit card datapipe'. By clicking a button, full details for a card were presented. At least a dozen sets of details given out have been verified as being genuine and some of the card owners had been unaware of the theft.
Maxus claims he offered to fix the security hole for a fee. When that was refused he threatened to go public unless $100,000 was paid.
But in an email, he told APBnews that he was not successful in his alleged blackmail. "They are bastards. I wanna fix their hole, but they don't want."
Matthew Bevan, a UK-based independent computer security consultant, told BBC News Online that the hack seemed genuine.
"I think he's ripped off the database from somewhere. I guess he's just broken the site and the card information is stored on the web server, rather than being piped elsewhere."
'Vulnerability exploited'
But there is another possibility, according to Mr Bevan. The hacker claims to have exploited software used by the cdUniverse website to verify the validity of credit cards. This is called ICVerify, made by CyberCash, and is widely used on e-commerce sites.
Mr Bevan noted that the company had issued a patch for a Y2K problem on ICVerify: "He could perhaps have exploited a vulnerability connected to the Y2K problem Cybercash had."
CdUniverse confirmed they had not installed the patch: "Cybercash told us they had a security breach and had issued a patch but we think that the responsibility for implementing this laid with them," said Brad Greenspan.
However CyberCash deny that their software could have been exploited. In a statement, the company said :"ICVerfiy is a PC-based payment system, not a web-enabled product and is not being used by cdUniverse on its website. Therefore the credit card information cited in recent coverage could not have come from ICVerify."
Russian roulette
The hacker claims to be 18 years old and his e-mails appear to come from Russia, but Mr Greenspan said: "If I was a hacker and wanted to get everyone off my trail, I'd say I was in Russia too. He may be there but he may as easily be in Los Angeles."
Mr Bevan added: "He's probably a youngster who got lucky and thinks he can make a bit of cash off it. Someone intent on ripping off 25,000 cards wouldn't brag about it on a website."
Alan Stevens, editor of the UK Consumer Association's website, Which Online, told BBC News Online: "This is a very serious incident indeed."
"But it is important to remember that people have been stealing credit card numbers since before the net existed. And people are not liable themselves - the potential victims are credit card companies and internet businesses who may have taken orders using stolen cards."
The large numbers of credit card details which can apparently be stolen at once will be of particular concern to the credit card companies.
Mr Stevens said: "Confidence in shopping on the web is pretty shaky - about half of internet users in the UK are nervous about putting their credit card numbers in. The only thing that will help is for companies trading on the web to give an absolute guarantee that, in the unlikely event of anything going wrong, the customer will not lose out."
| Search BBC News Online | |
|  Advanced search options | |
| |
 | |
 | |
| |
 | BBC RADIO NEWS |
| |
| |
 | BBC ONE TV NEWS |
| |
| |
| WORLD NEWS SUMMARY |
| |
| |
| |
| |
 | PROGRAMMES GUIDE |
| |
See also: | |
 | |
 | 10 Jan 00 | Sci/Tech |
| Hacker scare hits Virgin Net |
| |
| 07 Jan 00 | Americas |
| Police seek key to cyber-crime |
| |
| 08 Oct 99 | UK |
| Phone hacker dials �106,000 bill |
| |
| 06 Sep 99 | e-cyclopedia |
| Cracking: Hackers turn nasty |
| |
| 28 Jun 99 | Americas |
| Hackers a growing threat to security |
| |
| 28 Mar 99 | Sci/Tech |
| Notorious hacker pleads guilty |
| |
| |
Internet links: | |
| |
| APB News |
| |
| CDUniverse |
| |
| Cybercash |
| |
| InternetNews |
| |
| Matthew Bevan |
| |
| Which Online |
| |
The BBC is not responsible for the content of external internet sites | |
Links to other Sci/Tech stories are at the foot of the page.
E-mail this story to a friend
