Can hackers kill credit cards?

By Bob Sullivan, MSNBC; March 15, 2000 - Copyright © MSNBC
MSNBC Technology News

He calls himself "The Saint of E-commerce." Two months ago, "Curador" started posting his catalog of stolen credit card numbers on his Web page. He's stolen database after database from a variety of e-commerce sites, each time updating his site, then gleefully mailing notification to reporters. He's up to 25,000 records now from 13 Web sites, and still going. Despite all that the financial risk and all that violation of personal privacy, no one can stop him. Perhaps instead, we'll have to stop using credit cards.

OF COURSE, AUTHORITIES have removed Curador's Web site - at least a dozen times. No matter; he uses the many free, anonymous Web hosting services available on the Internet. And as fast as his Web page is taken down, "Curador" puts up another one.

The 18-year-old computer intruder, who also goes by the nickname "mind gimp," is located somewhere in Europe; that's all he would tell MSNBC during a telephone interview.

He's not using the credit cards for financial gain. The self-proclaimed "Saint of E-commerce" says he simply wants to
embarrass the victim Web sites into employing better security. He promised to continue breaking into e-commerce sites and posting stolen numbers "until I don't need to do it anymore or until I get arrested."

His arrest, however, is unlikely. As MSNBC's Mike Brunker reported last week, there hasn't been a single reported arrest of a foreign credit card thief by U.S. authorities. Anyone who's serious about this is getting a lesson.

The wake-up call is here - STEPHEN ORFEI, SETCo

Curador's thefts are simple, and his sharing of the personal information is currently unstoppable. But it's just another story in this year's litany of tales surrounding online theft of personal and financial information. E-merchants are furiously fighting the battle to keep down fraud costs, and consumer confidence in Internet safety is continually shaken, with no apparent end in sight. So some experts think Curador may just be another nail in the coffin of a credit card system that was hardly designed for Internet purchasing.

"Anyone who's serious about this is getting a lesson. The wake-up call is here. The time is now," said Stephen Orfei, vice president of electronic commerce and emerging technology for MasterCard International. Orfei is also the spokesperson for SETCo, the Visa- and MasterCard-backed organization pushing SET, a new payments protocol designed to limit electronic fraud.

The raging success of online thieves, some say, will force the hand of banks, merchants, credit card companies and consumers to change the way we spend money much sooner than we intended.

The high-profile hacks have at least gotten the attention of merchants, said Alyxia Do, electronic payment and smart card analyst with Frost & Sullivan.

"It seems that there have been a greater number of queries coming in," she said. "It began with the CD Universe break-in and it has just continued to be in the news. I have heard more and more merchants are going back to Visa and MasterCard and asking, 'How can we do more?'"

The stakes are higher for merchants than consumers. While consumers face a limited liability of $50 and a paperwork hassle, online merchants must write off credit card theft as "acceptable loss." Hard data on how bad losses are is impossible to find, but anecdotally some industries relate fraud rates as high as 40 percent. Merchants use inexact software to filter out potential fraudulent purchases, but that means they turn away legitimate sales, too.

The mathematics are alarming. In fact, according to Joe Barrett, chairman of the Internet Fraud prevention Advisory Council, in some industries, merchants are turning away 20 percent of proposed sales.

"You're killing your business. You'd be better off taking every sale and self-insuring," he said.

"A number and a date and you can buy anything you want with it." That's how a teen-aged Internet credit card thief described to MSNBC the fundamental problem of using credit cards online. "I try to encourage people to think about fraud detection as a public good. Merchants on the Internet have a tendency to want to wall off and control and not share their knowledge or incidents of fraud." - JOE BARRETT, Internet Fraud Prevention Advisory Council.

"The familiar plastic currency was designed to be physically handed to merchants, who could at least make a cursory check to see if signatures on the card and the sales slip matched. Online, commerce is anonymous. There is no way to see who's entering the credit card numbers into the Web page, an anonymity that heavily favors the fraud artists.

Several technologies hope to tip the scales against thieves by implementing systems that require some real-world physical component when shopping online. Smart cards, the generic term for any plastic which includes an embedded microchip, are one promising solution.

Smart cards, which identify the user through encrypted information embedded on the chip, must be inserted into a "card reader" attached to the computer. That means the card can't be used for e-commerce unless the purchaser is currently holding it.

A PIN number is also required, so a thief needs to physically have the card and a security code in order to use it. That's not an insurmountable hurdle, but a far more difficult one than using "a number and a date."

Still, smart cards are 20 years old, and while there have been smatterings of adoption in Europe, trials of the technology in the U.S. have failed repeatedly. Consumers perceived them as inconvenient, and in the past they have been unmoved by the improvement in security.

For full story, click here.