Hackers steal 1m credit card numbers

Russian and Ukrainian computer hackers have stolen more than a million credit card numbers as part of a massive extortion scheme, the United States Federal Bureau of Investigation (FBI) said on Thursday.

Hackers gain access to the networks of companies involved in e-commerce or e-banking and download customer databases, credit card numbers and proprietary information, the FBI said.

The criminals then contact the firms and threaten to publish the information if they are not paid.

The FBI said that paying the hackers is not a guarantee that they will not pass the stolen information on anyway.

"Investigators believe that in some instances the credit card information is being sold to organised crime groups," an FBI statement said.

The FBI is reportedly investigating the possibility that governments are supporting the hackers.

Known vulnerabilities

The FBI and its computer-crimes division, the National Infrastructure Protection Center (NIPC), have identified more than 40 victims in 20 US states.

E-businesses have got credit cards, names, addresses and buying habits - they have to take their responsibility more seriously

Mark Rasch,
Predictive Systems

The hackers take advantage of vulnerabilities in Microsoft Windows NT operating systems that have been known at least since 1998.

Patches for these weaknesses are available for free downloading from the Microsoft website, but the FBI says many computer owners have not bothered to upgrade.

The NIPC website provides a list of software vulnerabilities that have been exploited.

A computer networking expert warned that online traders have to make more serious efforts to guard information.

"They've got credit cards, names, addresses and buying habits. They have to take their responsibility more seriously," said Mark Rasch, legal counsel for Predictive Systems.

Extortion demands

At least two companies have been the subject of $100,000 extortion demands.

Both CD Universe and creditcards.com refused to pay hackers who identified themselves as Russian, and both saw thousands of credit card numbers from their databased released to the public.

Western Union shut its website down for five days last autumn when hackers stole more than 15,000 credit card numbers from its online operation.

One analyst warned that online customers may find out the hard way that their details have been stolen.

"Merchants don't want people to know they've been hacked" because their business depends on people trusting them with their credit card numbers, said Meridien Research analyst Jeanne Capachin.