BBC News Online
Monday, 10 January, 2000, 18:41 GMT
Net thief grabs credit cards

The hacker's website offered a "credit card datapipe"

By BBC News Online's Damian Carrington

In what may be the largest internet heist yet reported, a malicious hacker has stolen hundreds and perhaps many thousands of credit card details from e-commerce websites.

Some of the cards have been used fraudulently for purchases of over $1000.

We called his bluff. It may have hurt us and our customers in the short term but it's better for overall security in the industry in the long run
Brad Greenspan, eUniverse
The anonymous cyber-thief, who calls himself 'Maxus', says he went public on a website after his alleged attempts to blackmail the companies involved were rejected.

Hunt is on

The only site named so far as having been hacked is cdUniverse, based in Connecticut, US. Brad Greenstreet, president of parent company eUniverse, told BBC News Online: "We can confirm there was an attempt to hack in and that some of our customer data seems to have fallen into the possession of the individual who tried to blackmail our company."

"We are now working with FBI, the credit card companies and we have hired a private security investigation firm."

Other websites must have been breached however, as some of the card details stolen had never been used at cdUniverse.

Cards on tap

The hacker's website, now closed, presented a 'credit card datapipe'. By clicking a button, full details for a card were presented. At least a dozen sets of details given out have been verified as being genuine and some of the card owners had been unaware of the theft.

Maxus claims he offered to fix the security hole for a fee. When that was refused he threatened to go public unless $100,000 was paid.

But in an email, he told APBnews that he was not successful in his alleged blackmail. "They are bastards. I wanna fix their hole, but they don't want."

Matthew Bevan, a UK-based independent computer security consultant, told BBC News Online that the hack seemed genuine.

"I think he's ripped off the database from somewhere. I guess he's just broken the site and the card information is stored on the web server, rather than being piped elsewhere."

'Vulnerability exploited'

But there is another possibility, according to Mr Bevan. The hacker claims to have exploited software used by the cdUniverse website to verify the validity of credit cards. This is called ICVerify, made by CyberCash, and is widely used on e-commerce sites.

Mr Bevan noted that the company had issued a patch for a Y2K problem on ICVerify: "He could perhaps have exploited a vulnerability connected to the Y2K problem Cybercash had."

CdUniverse confirmed they had not installed the patch: "Cybercash told us they had a security breach and had issued a patch but we think that the responsibility for implementing this laid with them," said Brad Greenspan.

However, CyberCash deny that their software could have been exploited. In a statement, the company said: "ICVerify is a PC-based payment system, not a web-enabled product and is not being used by cdUniverse on its website. Therefore the credit card information cited in recent coverage could not have come from ICVerify."

Russian roulette

The hacker claims to be 18 years old and his e-mails appear to come from Russia, but Mr Greenspan said: "If I was a hacker and wanted to get everyone off my trail, I'd say I was in Russia too. He may be there but he may as easily be in Los Angeles."

Mr Bevan added: "He's probably a youngster who got lucky and thinks he can make a bit of cash off it. Someone intent on ripping off 25,000 cards wouldn't brag about it on a website."

Alan Stevens, editor of the UK Consumer Association's website, Which Online, told BBC News Online: "This is a very serious incident indeed."

"But it is important to remember that people have been stealing credit card numbers since before the net existed. And people are not liable themselves - the potential victims are credit card companies and internet businesses who may have taken orders using stolen cards."

The large numbers of credit card details which can apparently be stolen at once will be of particular concern to the credit card companies.

Mr Stevens said: "Confidence in shopping on the web is pretty shaky - about half of internet users in the UK are nervous about putting their credit card numbers in. The only thing that will help is for companies trading on the web to give an absolute guarantee that, in the unlikely event of anything going wrong, the customer will not lose out."
