Hacking credit cards is preposterously easy

Better sit down for this one


Recent headlines exposing vast credit card heists from retail Web sites have prompted a media frenzy around issues of Internet security. Most recently, MSNBC broke the story of one semi-malicious hacker who gathered the details of nearly a half-million credit cards which he tauntingly stored on a US government computer. Meanwhile, a hacker named 'Curador' claimed to have gathered 23,000 credit card numbers, many of which he published on Web sites across the Net. And now The Register is here to tell you that the situation is a good deal worse than even the normally twitchy mainstream press imagine. Child's Play One computer enthusiast well known to The Register, who goes by the alias 'Ksoze' (as in Kayser Soze), shows particular contempt for the security of the popular CGI log-in forms which enable consumers to enter their credit details when making a purchase on line. These Perl scripts are ripe for exploitation -- the real low-hanging fruit of the IP jungle. Some of the worst on-line credit card payment processors, Ksoze says, are those that cater to sites with adult content, where credit fraud rates are so high that most billing service providers won't handle their accounts. ICVerify, a popular billing software product for online credit-card transactions marketed by Cybercash, was exploited for the 300,000-account score at CD Universe. Ksoze's pet hate is CCBill, a similar product. "I cracked over fifty passwords using their weak CGI recently. [An associate] got in [there as well] and found a lot of credit card numbers," Ksoze told us. It's all too easy: "Just hit 'update account' and you get the form as filled in by customers," he says. Much of the weakness comes from the site administrators, who often know little about Web security and must therefore rely on the product to protect their data and that of their customers. "Defaults are also a great inherent weakness," Ksoze says. "Site administrators don't care or don't understand, so they leave CGI scripts in default locations. It's quite dangerous." "CCBill are thieves, OK, but they're morons too," he said. "They supply a CGI script to their customers named ccbill-local.cgi by default. Site administrators need that CGI to add users, update accounts, and so on; but CCBill supplies the CGI chmoded as world-readable, in a world-readable directory! Aren't they totally lame?" Indeed, they must be. Such a setup requires no hacking skills whatever to exploit. No UNIX box, no knowledge of Internet architecture, no stealth except perhaps an http proxy. A Web browser and a modem are all anyone would need. The problem here is that smaller commercial Web sites lack the resources to hire a security specialist, and, being innocent, will most likely trust the company's default settings. Even worse, "the first CCBill local.cgi version allows anyone to add their own login pass file," Ksoze notes. This has been fixed in later versions; but even there, only a single wordlist is needed to crack an administrator's password to gain access. Combination passes, which take longer to crack, are not required. Ksoze is far from sympathetic. "The problem is, CCBill are morons, so they fuck whoever trusts them. I wonder....how can an experienced company supply a CGI which is world readable and which allows anyone to add any login to the pass file?" Industry Backpedaling We thought that a good question, so we asked. CCBill spokesman Craig Tant assured us that the company has one of the highest security ratings in the industry. If they were easy to hack, he says, they would have been already. Tant suggested that we arrange for Ksoze to attempt to penetrate the site, so that he could learn for himself how difficult it really is. We were arranging to introduce Tant and Ksoze on line, but first we e-mailed to CCBill security specialist and UNIX co-developer Peter Mountain an exploit which Ksoze had written to make hacking the company's admin CGI form a more convenient procedure. The Register hasn't heard from CCBill since. It would be unfair to single out CCBill as a unique example. The entire on-line retail industry is in denial of credit, privacy and other security threats. Consumer confidence in on-line shopping is very shaky, and merchants and their billing service providers face a dilemma: worrying in public risks unfairly stigmatising one company as less secure than another, while keeping silent about a threat which everyone suspects is bigger than reported compromises their credibility. Internet Fraud Prevention Advisory Council (IFPAC) co-founder Joe Barrett calls on-line losses to credit fraud the "dirty little secret" of the retail industry. Whereas the fraud rate in face-to-face credit card transactions is in the range of two or three tenths of one percent, the rate in on-line sales is in the range of one to two percent, in spite of the card issuers' constant insistence that the rates are roughly equivalent. A rate below one percent is considered good for a commercial Web site; the rate for adult Web sites is in the range of eight to twelve percent, Barrett told The Register. But the true losses are concealed from the public, he maintains, because even when a site or a billing service provider can claim a charge-back rate of only one percent, the number of sales declined in order to achieve such an exemplary record is high. "How much business are you willing to throw away?" Barrett asks rhetorically. "If you turn away five percent of revenues to keep your charge-back rate below one percent, are you really doing yourself any favours?" Managing Risk Numerous proposals for easing the on-line security problem are circulating. Government law-enforcement agencies are especially eager to take matters into their own heavy hands, but at a significant cost to civil liberties and national treasuries. Internet security firms pitch their own solutions, but the problem there is that very good security is very expensive security. Most small merchants simply can't afford the sophisticated security tactics that large corporations and banks use. The real solution to on-line fraud, Barrett says, is risk management, such as that which his company, Vitessa, offers. Such services enable merchants to select the level of fraud protection that makes the most business sense in their market. The trick is to configure the software to flag a sale as suspicious based on the actual needs of the individual merchant, and his likelihood of encountering fraudulent purchases. Vitessa partner HNC Software VP Allen Jost agrees. "Merchants need to manage fraud to a cost that makes business sense to them," he told The Register. There is no point spending more on fraud prevention than the potential losses would represent. "If fraud losses would cost you X, and it would cost Y prevent them, then you had better make sure that Y is less than X," he says. HNC has a fraud-detection service for small on-line merchants called e-HNC, which is modelled on its more expensive, corporate-oriented Falcon service. Merchants can buy into it at a per-transaction cost of only a few pennies, Jost said. The Web makes it extremely easy for fraudsters to make use of stolen credit data, where a card number, a name and an expiry date are all that's needed. But Jost says that the card numbers themselves are still gathered in the more traditional fashion, most often by a technique called skimming. A simple scanner, small enough to fit in a pocket or a waitress' apron, which can read and write to the cards' magnetic strips is readily available. The fraudster, presumably in a position to handle a card unobserved for a few seconds, swipes it through the scanner, which records all the necessary information, such as the card holder's name, address and account details. Later, the device can be used to write to the strips of out-dated or cancelled cards, converting them to working copies of the originals. Apparently, hackers, who seem able to gather hundreds of thousands of credit accounts with ease, are reluctant to misuse the data. We note that in the grand heist reported by MSNBC, none of the accounts was used. We note as well that in the CD Universe case, and in Curador's case, none of the cards appears to have been used either, though some of the data has been posted on the Web for months now. And the French whiz who cracked the smart cards also refrained from committing fraud with what he had learned. The hacking underground is generally motivated by curiosity and a desire for bragging rights, not larceny. But that could change. 'Market pressures' from organised crime syndicates may well corrupt enough skilled hackers to make them a potential threat in future, Jost predicts. At US $5 a pop, which seems to us a very reasonable cost to a criminal outfit, a hacker with a half-million card numbers could pocket a cool $2.5 million for a few hours' risky business. Hardly chump change, we must allow. ® Related Coverage Biggest online credit card heist leaked to MSNBC Chinese hackers turn to identity theft Credit card fraudsters cost Expedia $6 million French credit card hacker convicted Chinese Govt. loosely implicated in credit info heist Online store security holes let hackers buy at cut price Net credit card fraud pushes up crime figures Popular online billing software hacked Credit card details published on Web after hack attack


Other stories you might like

  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Using a Pi to process sensor readings and manage motors has been a thing since the inception of the computer, and users (including ourselves) have long made use of the General Purpose Input / Output (GPIO) pins that have been a feature of the hardware for all manner of projects.

    However, not all users are entirely happy with breadboards and jumpers. Lego, familiar to many a builder thanks to lines such as its Mindstorms range, recently introduced the Education SPIKE Prime set, aimed at the classroom.

    Continue reading
  • Reg scribe spends week being watched by government Bluetooth wristband, emerges to more surveillance

    Home quarantine week was the price for an overseas trip, ongoing observation is the price of COVID-19

    Feature My family and I recently returned to Singapore after an overseas trip that, for the first time in over a year, did not require the ordeal of two weeks of quarantine in a hotel room.

    Instead, returning travelers are required to stay at home, wear a government-issued tracking device, and stay within range of a government-issued Bluetooth beacon at all times for a week … or else. No visitors are allowed and only a medical emergency is a ticket out. But that sounded easy compared to the hotel quarantine we endured in 2020.

    Continue reading

Biting the hand that feeds IT © 1998–2021