Using Credit Cards Online, Are you Safe?
by Anurag Phadke
When the Internet first surfaced to the general public
in the early 90's everyone welcomed the beginning of a new era. Many hopes were
floated and everyone seemed to be of the opinion that the Internet would change
the standard of living for every individual. Of course, along with the Internet
came the blooming of online credit cards and the convenience of online shopping,
coupled with a frenzy of new products and loads of discount offers. Just when
everything seemed to be "too good to be true" came the era of the so-called code
breakers, or crackers.
Every year millions of dollars are lost to credit card
fraud. Just who is supposed to be held responsible for all this stuff? The
online shopping sites, the end user or your over-friendly neighbour? In this
article, I shall talk about the detailed anatomy of a credit card, the
loopholes of some of the online shopping sites and a few other details. I will
try to show you, the honest citizen, the Internet world through the eyes of a
cracker. Believe me, some of the facts here can give sleepless nights to anyone
who loves his/her hard-earned money.
Understanding Credit Cards
A quick glance at a credit card and you have a name, an
expiration date and a long 13 or 16 digit number imprinted on a wonderful glossy
card. This number should not be mistaken for a random number. It is a carefully
designed number that perfectly fits into a self-checking formula that is
specific to each and every credit card company.
For instance, the first four to five digits of every
card point to the issuing bank:
4032 = Household Bank
5286 = First Card / F.C.C. National Bank
Card number generating software such as CMaster4 is
able to generate fake, real-looking numbers. Even today, there are sites which
process transactions only by checking the validity of the credit card number
itself (not whether the number exists or not). Hard to believe, but 2-3 years
ago, Mail.com used to only check the credit card number and if it was found to
be correct, the user would have access to a platinum account with increased
webspace. My research showed that only after a day would mail.com send you a
reply saying the details that you have entered are invalid... but by that time
a malicious user has already used the paid service for free. During the recent
French Open event, rolandgarros.com had opened a merchandise site for selling
items related to the event. The site used SSL but it did not bother to check the
credit card number of the customer; only a small JavaScript was introduced in
the web page for validating the card.
How Credit Card Processing takes Place
"The people who commit credit card frauds don't even
care what will happen to the victims, for these people you are not a person but
an object, an object that shall help them realize their ultimate
fantasy.....unlimited money."
Lots of porn sites and online shops have a technique
called real-time processing of cards. This means that as soon as one enters
his/her information, it is validated by the merchant who has a direct connection
with the credit card company itself, and the result is available immediately. On
the other hand, rediff.com (a popular Indian portal) uses a manual technique to
check credit cards. This means your vital information is actually passed on to a
third party before the transaction is finalised, which might also be dangerous.
Try to do your shopping at a site that uses real-time
processing of credit cards.
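An added example (not from the original article): the format-only check that the Mail.com and rolandgarros.com anecdotes describe, next to a flow that waits for the real-time authorization described in this section. The self-check on card numbers is the Luhn mod-10 checksum; `authorize`, `stubAuthorize` and the order fields are hypothetical names, and the card numbers are constructed test values.

```javascript
// Luhn (mod 10) checksum: proves a number is well-formed, nothing more.
function luhnValid(pan) {
  const digits = String(pan).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {            // double every second digit from the right
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Weak flow: the paid service is granted on the format check alone.
function provisionOnFormatOnly(order) {
  return luhnValid(order.pan) ? "granted" : "rejected";
}

// Hardened flow: the format check is only a cheap pre-filter. Access depends
// on the processor's real-time answer, obtained on the server, never in the
// browser. `authorize` is a hypothetical callback for the gateway call.
function provisionAfterAuthorization(order, authorize) {
  if (!luhnValid(order.pan)) return "rejected";
  const result = authorize(order);
  return result && result.approved === true ? "granted" : "rejected";
}

// Constructed stub gateway: one issued account with a 50.00 spending limit.
const ISSUED = new Set(["4111111111111111"]);
function stubAuthorize(order) {
  return { approved: ISSUED.has(order.pan) && order.amountCents <= 5000 };
}

// A well-formed number that no bank issued passes the weak flow only.
const wellFormedOnly = { pan: "4000000000000002", amountCents: 1000 };
console.log(provisionOnFormatOnly(wellFormedOnly));
console.log(provisionAfterAuthorization(wellFormedOnly, stubAuthorize));
```
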
Server Exploits
The presence of numerous exploits in servers is yet
another reason for crackers to make merry. To date more than 100 patches have
been released for Win2K. Some time back, I had an IRC chat with some person in
Europe who told me how he applied the IIS/4.0 exploit to a website, giving him
access to the hard disk of the computer hosting the website. He was then able to
browse the entire hard disk of the remote PC via Internet Explorer and what he
found was a login and password for a bank account. On checking it, it had a
balance of more than HK $20000 and the password actually worked for more than 2
weeks! Now whether this particular anonymous "voice" was telling the truth or
not is irrelevant; the fact is this kind of thing can be and is done every day.
Recently a lot of hype was created by companies such as
flooz.com and paypal.com. Though flooz.com has now closed down, during its
operations a person could easily use someone else's credit card and apparently
go scot-free with the stolen income. This is not a rare case.
Paypal.com, which puts money into an account from a credit card and
can also send a cheque, is equally vulnerable.
How does a Cracker find Credit Card Numbers?
The three main ways appear to be server "exploits"
(attacking the server directly), attacking software services and weak or badly
written .cgi programs.
- Server Exploits: Hack yourself into an e-shopping site
with one of the many server vulnerabilities documented on the Internet and then
just snoop around.
- Software Services: Retailers who get only a few customers (10
/ month) and cannot afford the huge investment in real-time processing tend to
buy small modules from Cart32.com and similar sites. Cart32's system
checks the validity of customers' credit cards for smaller merchants. The
well known exploit for Cart32 v2.6 (Build less than 525) has a decoder that is
less than 20kb and exposes the admin passwords of the client. emy.com.au had an
admin password "a" for 15 days.......now how tough is that to crack? Even some
of the later versions of Cart32 such as 3.5a had some loopholes in them which
were royally exploited by many.
- .cgi Scripts: The shopper.cgi exploit, in which crackers
use any search engine to find one line on a site. If that line is found on the
search engine after the "www.site.com/" page, then a cracker only has to add one
small line to get access to a huge list of information including, potentially,
credit card numbers. There are plenty of other insecure amateur Perl and .cgi
scripts out there too.
Another Problem with Online Merchant Accounts
Online merchant accounts such as ibill.com and
authorize.net allow verification of credit card data entered by the user. A
transaction should be considered valid only if the credit card details match
and the user also has an adequate balance on his account. For
example, say I have just $30.00 USD in my bank account and I buy stuff worth
$100 USD. Even though my information is correct, it hardly makes sense for the
e-site to validate my transaction.
Another potential style of credit card fraud is not to
use a stolen credit card at all, but simply to use the Internet to effectively
increase your credit limit for a short period. Once a person gets access to
these merchant accounts, they have hard cash at their disposal.
IRC: Another Haven for CC's
Another way to get stolen credit card numbers is simply
to barter for them. One of the best places to get loads of CC's is to wander
around in some IRC channels (but there are plenty of other chat and Internet
services and protocols to use too). Just log on to your favourite server
(irc.dal.net) and join the channel #cc. Mainly a trading channel (cc's are
being traded there as if they were Pokemon cards), you can get whatever you want
by trading.... porn passes, virgin cc's, calling cards and sometimes even a
laptop. If you are good at psychology, getting your hands on files that contain
hundreds of credit card lists with details is a fairly simple task, albeit very
illegal, of course. Some of the credit cards over there have a limit as high as
$5000. Now isn't it time that someone took notice of all these activities?
Agreed, IRC is an unmoderated forum of free speech but isn't it playing with a
person's life?
Final Words
As days pass by we are all striving to make our lives
easier. Technology and its drawbacks are here to stay. If you have a look around
yourself, 80% of hacking occurs because of admins being careless when installing
a firewall, not updating the server regularly with patches or just turning a
blind eye to the suspicious logs that keep on getting accumulated on the server.
You can have your credit card number stolen in any
store, every time you use it, not just on the Internet. But a little knowledge
about what is happening, how it is happening and why will help everybody feel
more secure. The more you know, the better off you are.
Anurag Phadke, an Electronics Engineering student, is
in his final year of graduation. He loves Dominos Pizza and hopes to own a hotel
sometime in the near future.