Company says extortion try exposes thousands of card numbers

[William Knowles <wk () C4I ORG>]

http://news.cnet.com/news/0-1007-200-4115920.html?tag=st.ne.1002.bgif.ni

By Greg Sandoval and Stephen Shankland
Staff Writers, CNET News.com
December 12, 2000, 12:25 p.m. PT

Update: Creditcards.com was the victim of an extortion attempt by a
man accused of hacking into its site and exposing more than 55,000
credit card numbers, the company said Tuesday.

The company is working with the FBI on the case, said Laurent Jean, a
spokesman for Los Angeles-based Creditcards.com.

"It was an act of retribution," Jean said. "He was angry with us and
this was the way he took out his angerAfter (he asked) us for money,
we did everything we could to prevent him from entering our system."

The suspect hacked into the site and exposed the numbers on the
Internet sometime Monday, Jean said. They were still up early Tuesday.

Matt McLaughlin, spokesman for the FBI's Los Angeles field office,
confirmed that agents from the bureau's "Cyber Squad" are looking into
the case.

Privately held Creditcards.com is a business-to-business site that
works with Web merchants so they can accept credit card payments.
According to the company's Web site, its customers include software
maker iKnowledge and health site Premier Solutions.

The year has seen several high-profile security breaches at e-commerce
sites. In September, human error caused a glitch that allowed a hacker
to copy the credit card information of about 15,700 customers from
Western Union's Web site.

Hackers broke into CD Universe's database in January and posted links
to thousands of customer names, addresses and credit card numbers
after not being able to extort money from the online music store.

Though studies have shown that hacker attacks have caused some
consumers to shy away from online shopping, hacking is much more of a
threat to companies, IDC analyst Charles Cology said.

"It's a pain for the credit card companies who must cancel thousands
of cards and potentially reimburse bogus charges," Cology said.
However, for the individual cardholder, the breach is a mere nuisance,
he said.

Security breaches like the one at Creditcards.com are an indication of
where the real security problems are, Cology said: in companies'
back-end databases. While there is a certain risk that credit cards
sent over the Internet can be intercepted, databases contain huge
amounts of personal information that comes from all types of
transactions, not just from consumer Internet purchases, he said.

Chris Rouland, head of Internet Security Systems' security group, said
the breach is inconvenient for consumers, expensive for credit card
companies and potentially terminal for Creditcards.com.

"Their credibility is gone," Rouland said. "Their whole business had
to be around providing a secure service, which they weren't able to
do. For this to occur during the holiday shopping season, it will
certainly be an issue."

Issuing new credit cards costs about $10 to $20 apiece, Rouland said,
meaning that this particular problem could potentially cost credit
card companies as much as $1 million to fix.

In the history of publicly known computer security breaches, this one
probably ranks in the top 100, Rouland said. ISS, a security
consulting company, encounters roughly one extortion attempt a month
in its security consulting business, he said.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".