Hackers Steal 1 Million Card Numbers

By Maria Bruno Teams of Russian and Ukrainian hackers stole more than 1 million credit card numbers from 40 American e-businesses in recent months, according to the Federal Bureau of Investigation. Then the hackers threatened to plaster the purloined customer data all over the Internet unless the targeted companies bought their "security" services. The FBI calls the scheme, which unfolded over several months, one of the biggest hacker attacks in the history of the Web, and said that it believed stolen data has been sold to organized crime groups.

The FBI refused to name the companies that fell victim to the hackers, although law enforcement officials implied that the targets were all online merchants and Internet banks. The hackers took advantage of well known and easy-to-fix vulnerabilities in Windows NT operating systems, as well as some Unix-based systems.

Take Note

The following are samples of some of the exploits that were observed by law enforcement authorities. Unauthorized access to Internet Information Servers (IIS) through Open Database Connectivity (ODBC) data access with Remote Data Service (RDS)—allows unauthorized users to execute shell commands on the IIS system as a privileged user and allows unauthorized access to secured files on the IIS system.

SQL query abuse vulnerability—could allow the remote author of a malicious Standard Query Language (SQL) query to take unauthorized actions on a SQL or Microsoft Data Engine (MSDE) database.

Web server file request parsing—could allow a malicious user to run system commands on a Web server. Over the past several months, the FBI has been working in concert with the National Infrastructure Protection Center to monitor a series of organized hacker activities aimed at U.S. e-commerce and e-banking Web sites. They traced the attacks to several hacker groups from Russia and the Ukraine using essentially the same modus operandi.

When the hackers gain access to a system, they download proprietary information, customer databases and credit card information. Then they brazenly contact the company (via phone, fax or email) and inform it of the security breach. The hackers offer the corporate victim their own security services to protect against other hackers—with the caveat that if the company refuses, their customers' private card data would likely be made public. If the company doesn't cooperate with the hackers' demands for money or use of their services, investigators say, their correspondence becomes more threatening.

Officials also believe there is evidence the stolen data is being sold to organized crime groups abroad.

Jeanne Capachin, an analyst with Newton, MA-based Meridien Research, says the fact that the FBI has chosen to make such a splash about the attacks shows just how serious a matter Internet security is becoming. She thinks it indicates a new trend to watch—that hackers aren't just kids in their basements, anymore. Throw some mobsters from former Communist-block countries in the mix, and it becomes quite a messy situation. "The fact that they're actually threatening the companies rather than just stealing the cards is something new," she says.

Microsoft was aware of the Windows NT weaknesses as early as 1998, and it has publicized the patches necessary to repair them in Microsoft Security Bulletins MS98-004, MS00-014 and MS00-008. The fixes are available at no cost at Microsoft's Web site, www.microsoft.com. Yet some companies clearly were lax in applying these patches, and, as a result, may be among the 40 victims of these attacks identified by the FBI.

"It's just complacency," says Meridien's Capachin. "They figure there are so many other companies online that they can't possibly be targeted."

Online banks and merchants would do well to learn from the mistakes committed by their victimized counterparts. Capachin doesn't necessarily think traditional banks were involved in the crime. She says these banks are usually adept at protecting themselves and their data. "Maybe they targeted a bill payer or something," she says. "The true virtual companies have less experience with security procedures and usually not as much money to invest in security products as bricks-and-clicks banks."

But Avivah Litan, a vice president with Stamford, CT-based Gartner, disagrees. She feels that it's hard to say whether traditional banks are safer. "It all depends on the person at the bank who manages the computer systems," she says.

BTN contacted Citibank and First USA, two of the largest credit card issuers in the country, for their take on the situation. Says Richard Howe, vice president of corporate media relations at Citigroup, "While we generally don't comment on security matters, we can say we've reviewed our security procedures to prevent our becoming a victim of such an attack." Citi has 49 million card members worldwide. A spokesman for First USA, with more than 51 million card members, could not be reached for comment.

Gartner's Litan agrees with Capachin that we'll be seeing a lot more of these kinds of attacks. "From conversations I've had with people in the industry, they're saying law enforcement has noticed some very malicious organized crime gangs forming in Russia," she says. "Law enforcement is really in reactive mode now. The crooks are always a few steps ahead of the law."

Even more frightening, Capachin hints there's always the chance that foreign governments might be involved in such activity, making the job of "the good guys" even more daunting. Litan isn't dismissing this possibility either

The news is likely to be devastating for consumer confidence in e-commerce. "Consumers are pretty edgy anyway, and this just adds to it," says Capachin. "But I think the card companies like Visa are getting serious about implementing security procedures and are demanding this of their merchants."

Litan says we should get away from using cards online all together unless they employ some of the new authentication technology that has been developed. Smarter neural networks that can pick up on transaction irregularities might be another solution, she suggests.

But most importantly, says Capachin, if the industry wishes to have a ghost of a chance in thwarting such criminals, it must become "just as organized as the crime groups" to solve the problem.

http://www.electronicbanker.com/btn/articles/btnapr01-5.shtml

-- Martin Thompson (mthom1927@aol.com), April 11, 2001