hackers kill credit cards?
State of e-commerce intrusions might mean a new form
of payment system will come sooner than expected.
By Bob Sullivan,
March 15, 2000
MSNBC Technology News
He calls himself "The Saint
of E-commerce." Two months ago, "Curador"
started posting his catalog of stolen credit card
numbers on his Web page. He's stolen database after
database from a variety of e-commerce sites, each
time updating his site, then gleefully mailing notification
to reporters. He's up to 25,000 records now from 13
Web sites, and still going. Despite all that financial
risk and all that violation of personal privacy, no
one can stop him. Perhaps instead, we'll have to stop
using credit cards.
OF COURSE, AUTHORITIES have removed Curador's Web
site - at least a dozen times. No matter; he uses
the many free, anonymous Web hosting services available
on the Internet. And as fast as his Web page is taken
down, "Curador" puts up another one.
The 18-year-old computer intruder, who also goes by
the nickname "mind gimp," is located somewhere
in Europe; that's all he would tell MSNBC during a
He's not using the credit cards for financial gain.
The self-proclaimed "Saint of E-commerce"
says he simply wants to
embarrass the victim Web sites into employing better
security. He promised to continue breaking into e-commerce
sites and posting stolen numbers "until I don't
need to do it anymore or until I get arrested."
His arrest, however, is unlikely. As MSNBC's Mike
Brunker reported last week, there hasn't been a single
reported arrest of a foreign credit card thief by
U.S. authorities.
Curador's thefts are simple, and his sharing of the
personal information is currently unstoppable. But
it's just another story in this year's litany of tales
surrounding online theft of personal and financial
information. E-merchants are furiously fighting the
battle to keep down fraud costs, and consumer confidence
in Internet safety is continually shaken, with no
apparent end in sight. So some experts think Curador
may just be another nail in the coffin of a credit
card system that was hardly designed for Internet
"Anyone who's serious about this is getting a lesson. The
wake-up call is here. The time is now," said
Stephen Orfei, vice president of electronic commerce
and emerging technology for MasterCard International.
Orfei is also the spokesperson for SETCo, the Visa-
and MasterCard-backed organization pushing SET, a
new payments protocol designed to limit electronic
'HOW CAN WE DO MORE?'
The raging success of online thieves, some say, will
force the hand of banks, merchants, credit card companies
and consumers to change the way we spend money much
sooner than we intended.
The high-profile hacks have at least gotten the attention
of merchants, said Alyxia Do, electronic payment and
smart card analyst with Frost & Sullivan.
"It seems that there have been a greater number of queries
coming in," she said. "It began with the
CD Universe break-in and it has just continued to
be in the news. I have heard more and more merchants
are going back to Visa and MasterCard and asking,
'How can we do more?'"
The stakes are higher for merchants than consumers.
While consumers face a limited liability of $50 and
a paperwork hassle, online merchants must write off
credit card theft as "acceptable loss."
Hard data on how bad losses are is impossible to find,
but anecdotally some industries relate fraud rates
as high as 40 percent. Merchants use inexact software
to filter out potential fraudulent purchases, but
that means they turn away legitimate sales, too.
The mathematics are alarming. In fact, according to
Joe Barrett, chairman of the Internet Fraud Prevention
Advisory Council, in some industries, merchants are
turning away 20 percent of proposed sales.
killing your business. You'd be better off taking
every sale and self-insuring," he said.
number and a date and you can buy anything you want
with it." That's how a teen-aged Internet credit
card thief described to MSNBC the fundamental problem
of using credit cards online.
"I try to encourage
people to think about fraud detection as a public
good. Merchants on the Internet have a tendency to
want to wall off and control and not share their knowledge
or incidents of fraud." - JOE BARRETT, Internet
Fraud Prevention Advisory Council.
familiar plastic currency was designed to be physically
handed to merchants, who could at least make a cursory
check to see if signatures on the card and the sales
slip matched. Online, commerce is anonymous. There
is no way to see who's entering the credit card numbers
into the Web page, an anonymity that heavily favors
the fraud artists.
Several technologies hope to tip the scales against
thieves by implementing systems that require some
real-world physical component when shopping online.
Smart cards, the generic term for any plastic which
includes an embedded microchip, are one promising
Smart cards, which identify the user through encrypted
information embedded on the chip, must be inserted
into a "card reader" attached to the computer.
That means the card can't be used for e-commerce unless
the purchaser is currently holding it.
A PIN number is also required, so a thief needs to
physically have the card and a security code in order
to use it. That's not an insurmountable hurdle, but
a far more difficult one than using "a number
and a date."
Still, smart cards are 20 years old, and while there
have been smatterings of adoption in Europe, trials
of the technology in the U.S. have failed repeatedly.
Consumers perceived them as inconvenient, and in the
past they have been unmoved by the improvement in