O/T Warning! Hacker steals 300,000 credit card numbers

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

[Fair use for educational purposes.] From CNN.com:

"Report: Blackmailer reveals stolen Internet credit card data January 10, 2000 Web posted at: 11:21 AM EST (1621 GMT)

"NEW YORK (AP) -- A computer hacker who claimed to have stolen 300,000 customer credit card numbers from an Internet music store posted thousands of the numbers on a Web site after his attempt to extort money from the company failed, The New York Times reported today."

"The company, CD Universe, refused to pay the hacker's demand of $100,000. The unknown extortionist claimed in e-mails to the Times that he used some of the credit card numbers to obtain money for himself."

"The hacker, believed to be based in Eastern Europe, for two weeks used a Web site to distribute up to 25,000 of the stolen numbers, said Elias Levy of SecurityFocus.com, a computer security firm. The site was shut down Sunday morning."

"CD Universe and its parent, eUniverse, were working with the FBI to track the hacker."

"He definitely has CD Universe data," said eUniverse chairman Brad Greenspan. "Whether he hacked the site or got the data in some other way, I'm not sure exactly."

"The company was notifying customers of the theft and was working with the credit card companies to help holders of stolen card numbers."

"The hacker, identifying himself as Maxim in an e-mail to the Times, said he exploited a security flaw in the software used to protect financial information at CD Universe's Web site. He said he sent a fax to the company last month offering to destroy his credit card files in exchange for $100,000. When he was rebuffed, he said, he began posting the numbers on another Web site, called Maxus Credit Card Pipeline, on Christmas Day."

"The hacker e-mailed the Times the numbers for 198 credit cards as proof of the theft. The numbers were real, said the Times, which contacted the credit card owners. At least one owner confirmed she had been a CD Universe customer."

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Back in '93 there was a federal law where the credit card holder was only liable for the first $50 (total) of any fraudulent charges placed on their card - I hope that is still the case for these poor people.

-- Deb M. (vmcclell@columbus.rr.com), January 10, 2000


That law by the way applies only to credit cards, NOT DEBIT CARDS. If you own a debit card you are IMHO a fool. Any guarantees on debit cards are strictly the bank's policy which in many cases could be changed at any time.

-- Squid (ItsDark@down.here), January 10, 2000.

... posted thousands of the numbers on a Web site after his attempt to extort money from the company failed...

Link Please! $(.)(.)$

-- Slobby Don (slobbydon@hotmail.com), January 10, 2000.

And that is merely the tip of the iceberg. I can't provide a link but I know CNN reported last year (May/June) time frame that there was an ongoing criminal enterprise which consisted of a large number of 'crackers' who break into networks and collect password information to further compromise other networks and credit card information to feather the organization's pockets.

In addition I have seen this activity first hand in my security work. It is really happening. I am not sure of the scale but it appears to be common enough to be a serious problem.

I have posted this before but...

If you purchase items on line using your credit card, you are USUALLY safe because your browser will use a secure means of communicating your private information. If you EVER receive a receipt containing that sort of information via email, you should immediately start watching the billing on that number. You should immediately contact the company which sent the receipt and explain to them that email is a completely non-secure means of communication and should never be used for that purpose. You should inform that company that you will no longer make purchases from their site until their receipt forwarding policy is changed to ensure your privacy.

Soap Box: This is where we stand, we are moving financial matters onto the web faster than the people using the medium are able to grasp the security issues of the medium. This has the potential to cause even more serious problems down the road. The most important thing we can do in this area is beat the idea of a need for better network security into the heads of our legislators and programmers.

Soap Box OFF

-- Michael Erskine (Osiris@urbanna.net), January 10, 2000.

Article's URL:

http://www.cnn.com/2000/TECH/computing/01/10/credit.card.crack.ap/index.html

-- Deb M. (vmcclell@columbus.rr.com), January 10, 2000.

This links to full text of ap report


-- Carl Jenkins (somewherepress@aol.com), January 10, 2000.

CNN's Article

AP's Article

-- Deb M. (vmcclell@columbus.rr.com), January 10, 2000.

One more time... CNN's Article

AP's Article

-- Deb M. (vmcclell@columbus.rr.com), January 10, 2000.

It's a good thing I only have vinyl LP's!

Retro Kook

-- Y2Kook (Y2Kook@usa.net), January 10, 2000.

I have done online biz with CD Universe within the past few months. I used a credit card. I have sent an e-mail to the company in regards to this Monday morning after I heard it on the news, with no response as of yet. No info about this on their website. What should one do in this situation? I don't know if my # was one that was posted or not. There are no unidentified charges on my card, but I don't like the possibility that my credit card # was posted on the net for weeks.

-- Leilani (never@again.com), January 11, 2000.


I used to work for a major bank, and took lost and stolen credit card reports (would block them from further usage as well). I'd suggest at least getting a temporary block placed upon your credit card until you know one way or another if your card number was taken. Personally, I'd report it as stolen and get a new credit card, just to be sure - it shouldn't take too long to get a new card/card #.

You see, not only does the bank have to block the card here in the U.S., but it has to send the info overseas to other processing centers to block foreign transactions (protect foreign merchants). Since some of the numbers were placed on the internet, the banks will have to have the cards blocked for the entire globe.

Even if your CREDIT card number was stolen, you *should* (as far as I know) still only be liable for $50 max. of fraudulent charges.

-- Deb M. (vmcclell@columbus.rr.com), January 11, 2000.

Thanks Deb. Now I just need to find the invoice/statements and figure out what one of 3 credit cards I used.....LOL..

-- Leilani (never@again.com), January 11, 2000.
