Using Credit Cards Online, Are you Safe?

posted onAugust 20, 2001
by hitbsecnews

When the Internet first surfaced to the general public in the early 90's everyone welcomed the beginning of a new era. Many hopes were floated and everyone seemed to be of the opinion that the Internet would change the standard of living for every individual. Of course, along with Internet came the blooming of on line credit cards and the convenience of Online Shopping coupled with a frenzy new products and loads of discount offers. Just when everything seemed to be "too good to be true" came the era of so called code breaker-crackers.

Every year millions of dollars are lost to credit card fraud. Just who is supposed to be held responsible for all this stuff? The online shopping sites, the end user or your over friendly neighbour? In this article, I shall talk about the detailed anatomy of a credit card, the loop holes of some of the online shopping sites and a few other details. I will try to show you, the honest citizen, the Internet world through the eyes of a cracker. Believe me, some of the facts here can give sleepless nights to anyone who loves his/her hard earned money.
Understanding Credit Cards

A quick glance at a credit card and you have a name, an expiration date and a long 13 or 16 digit number imprinted on a wonderful glossy card. This number should not be mistook for any random number. It is a carefully designed number, that perfectly fits into a self-checking formula that is specific to each and every credit card company.

For instance, the first four to five digits of every card points to the issuing bank:

4032 = Household Bank 5286 = First Card / F.C.C. National Bank

Card number generating software such as CMaster4 are able to generate fake real-looking numbers. Even today, there are sites which process transactions only by checking the validity credit card number itself (not qwhether the number exists or not). Hard to believe, but 2-3 years ago, Mail.com used to only check for the credit card number and if it was found to be correct, the user would have access to platinum account with increased webspace. My research showed that only after a day would mail.com send you a reply back saying the details that you have entered are invalid... but by that time a malicious user has already used the paid service for free. During the recent french open event, rolandgarros.com had opened a merchandise site for selling items related to the event. The site used SSL but it did not bother to check the credit card number of the customer, only a small javascript was introduced in the web page for validating the card.

How Credit Card Processing takes Place

"The people who commit credit card frauds don't even care what will happen to the victims, for these people you are not a person but an object, an object that shall help them realize their ultimate fantasy.....unlimited money."

Lots of porn sites and online shops have a technique called real time processing of cards. This means that as soon as one enters his/her information, it is validated by the merchant who has a direct connection with the credit card company itself, and the result is available immediately. On the other hand, rediff.com (a popular Indian Portal) uses a manual technique to check credit cards. This means, your vital information is actually passed onto a third party before the transaction is finalised which also might be dangerous.

Try to do your shopping at a site that uses real-time processing of credit cards.

Server Exploits

The presence of numerous exploits in servers is yet another reason for crackers to make merry. To date more than 100 patches have been released for Win2K. Some time back, I had a IRC chat with some person in Europe who told me how he applied the IIS/4.0 exploit to a website, giving him access to the harddisk of the computer hosting the website. He was then able to browse the entire hard disk of the remote PC via Internet Explorer and what he found was a login and password for a bank account. On checking it, it had balance of more than HK $20000 and the password actually worked for more than 2 weeks! Now whether this particular anonymous "voice" was telling the truth or not is irrelevant, the fact is this kind of thing can and is done every day.

Recently a lot of hype was created by companies such as flooz.com and paypal.com. Though flooz.com has now closed down, during its operations a person could easily use someone else's credit card and apparently go scot free with the stolen earned source of income. This is not a rare case.

Paypal.com which puts money on a account from a cc and can also send a cheque is equally vulnerable.

How does a Cracker find Credit Card Numbers?

The three main ways appear to be server "expliots" (attacking the server directly), attacking software services and weak or badly written .cgi programs.

1. Server Exploits: Hack yourself into a e-shopping site with one of the many server vulnerabilities documented on the Internet and then just snoop around.

2. Software Services: Retailers who get small customers (10 / month) cannot afford the huge investment in real time processing tend to buy small modules from Cart32.com and similar sites. Cart32.com cart32's system checks for validity of the customers credit cards for smaller merchants.

The well known exploit for Cart32 v2.6 (Build less than 525) has a decoder that is less than 20kb and exposes the admin passwords of the client. emy.com.au had an admin password "a" for 15 days.......now how tough is that to crack? Even some of the later versions of Cart32 such as 3.5a had some loop holes in them which were royally exploited by many.

3. .cgi Scripts: The shopper.cgi exploit, in which crackers use any searchengine to find one line on a site. If that line is found on the search engine after the "www.site.com/" page, then a cracker only has to add one small line to get acces to a huge list of information including, potentially, credit card numbers. There are plenty of other insecure amateur Perl and .cgi scripts out there too.

Another Problem with Online Merchant Accounts

Online merchant accounts such as ibill.com and authorize.net allows verification of credit card data entered by the user. A transaction is considered to be valid not only if the credit card details match but the user should also have adequate amount of balance on his account. For example say, I have just $30.00 USD in my bank account and I buy stuff worth $100 USD. Even though my information is correct, it hardly makes sense for the e-site to validate my transaction.

Another potential style of credit card fraud is not to use a stolen credit card at all, but simply to use the Internet to effcectivley increase your credit limit for a short period. Once a person get's access to these merchant accounts, they have hard cash at their disposal.

IRC: Another Haven for CC's

Another way to get stolen credit cards numbers is simply to bareter for them. One of the best place to get loads of CC's is to wander around in some IRC channels (but there are plenty of other chat and Internet services and protocols to use too). Just log on to your favourite server (irc.dal.net) and join the channel #cc . Mainly a trading channel (cc's are being traded there as if they were Pokemon cards) you can get whatever you want by trading.... porn passes, virgin cc's, calling cards and sometimes even a laptop. If you are good at psychology, getting your hands on files that contain hundreds of credit card lists with details is a fairly simple task, albiet very illegal, of course. Some of the credit cards over there have as high limit as $5000/- Now isn't it time that someone took notice of all these activities? Agreed, IRC is an unmoderated forum of free speech but isn't it playing with a person's life?

Final Words

As days pass by we all are strving to make our lives easier. Technology and its drawbacks are here to stay. If you have a look around yourself, 80% of hacking occurs because of admin being careless when installing a firewall, not updating the server regularly with patches or just turning a blind eye to the suspicious logs that keep on getting accumulated on the server.

You can have your credit card number stolen in any store, every time you use it, not just on the Internet. But a little knowledge about what is happeneing, how it is happening and why will help everybody feel more secure. The more you know, the better off you are.

Linux.com

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs