
Saturday, May 21, 2005

Hacked credit card numbers on-line

Hacked credit card numbers

Hackers are finding ways to use search engines and chatrooms to turn up credit card numbers, owners' addresses and online transactions

By Ho Ka Wei, Straits Times, 30 Jul 2003

SEARCH engines can give a Web user more information than he needs.

With certain keywords, queries could throw up volumes on online transactions, credit card numbers, orders and customer addresses.

To prove this point, Mr Ravi Kiran Raju Yerra, principal consultant of Network Security Solutions in India - who spoke about online credit card fraud at the Information Security World Asia conference here recently - showed data he retrieved from the Web.

He said search engines should be fine-tuned so that they do not seek out such strings, or search keywords.

Mr Ravi, a certified 'ethical hacker' - one who is tasked by an organisation to test its network's vulnerability by penetrating it - managed to access the valuable information from a client he was working for.

He made the point to drive home to online businesses that they need to be more aware of gaps in security that can be exploited by hackers.

But while drawing credit card information from some merchant websites can be done through a simple online search at times - and only by very sophisticated hackers - Mr Ravi said it is generally difficult to get information because credit card companies do have hardy systems.

For instance, he said the toughest system he has had to crack so far was a card company's system - it took him 180 days of continuous research to break into.

But the crooks are getting more sophisticated, he cautioned.

According to a report this month by the Honeynet Project, a grouping of online security experts, the Internet Relay Chat (IRC) now plays an instrumental role in online credit card fraud.

The Honeynet Project studies the behaviour of malicious hackers, by setting up easy-to-infiltrate systems in order to identify intrusion methods.

IRC channels have always been fertile ground for illicit activities, but 'carders' - people who crack into such databases - have grown sophisticated and are using programs from IRC channels to sniff out vital information, according to the report.

Mr Ravi explained that these programs are linked to the merchant sites that facilitate transactions between the online store and the bank.

In other words, they open a gateway to a repository of information.

'Stop such channels in IRC servers or keep a close watch on such channels,' said Mr Ravi, who also researches credit card fraud and prevention at the Centre for Information and Network Security at the University of Pune in India.

He called for more counter-measures against online fraud to identify the new technologies being used by hackers.

According to him, most online credit card fraud happens in South-east Asia, Eastern Europe and Russia.

'But attacks happen wherever hackers find a weak link in the system,' he added.

