Practical eCommerce

How To Steal Credit Card Numbers

At SecurityFocus.com, programmers can post the details of software bugs to help other professionals. These bugs may be in shopping carts, payment gateways, Unix code and more. The posters always name the software manufacturer and the program in question.

"Credit card thieves continually monitor sites like SecurityFocus.com," says Dan Clements, CEO of CardCops.com, a Los Angeles-based security firm that consults with banks and other firms on credit-card fraud. "Once a programmer posts a vulnerable piece of software there, the hackers add it to their scanning programs and then search for ecommerce sites that use the flawed software."

Find vulnerable code

For example, say a programmer discovers that XYZ Shopping Cart contains code vulnerable to hackers and posts that code on a site like SecurityFocus.com. A thief could then copy it, add it to his scanning program and search the Internet for sites that use XYZ Shopping Cart. Having located those ecommerce sites, the thief runs his scanner, which carries a list of flawed code (technically called a SQL Injection List), against the sites' servers to detect whether a particular line of code is in use. If it is, the thief can frequently penetrate the server and steal customers' names, credit-card numbers, billing addresses and so forth.
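The flaw the article describes is a cart that pastes a request parameter straight into a SQL statement, so that a stray quote in the input reaches the database parser. The example below is added here and is not code from the article, from XYZ Shopping Cart (a hypothetical name) or from SecurityFocus; it uses a constructed in-memory SQLite product table to show the vulnerable lookup beside the parameterized one a site owner should expect from patched software. A probe that contains a single quote makes the concatenated query fail to parse, which is exactly the signal a scanner looks for, while the parameterized query simply treats it as a product code that does not exist.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a shopping cart's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Widget", 1999), ("B200", "Gadget", 4999)],
    )
    return conn


def lookup_vulnerable(conn, sku):
    """The flawed pattern: the request parameter becomes part of the SQL text."""
    query = "SELECT name, price_cents FROM products WHERE sku = '" + sku + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, sku):
    """The fix: a bound parameter is sent as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, price_cents FROM products WHERE sku = ?", (sku,)
    ).fetchall()


def probe(conn, sku):
    """Run both lookups on the same input.

    Returns (vulnerable_result, hardened_result). The string "error" marks a
    query the database refused to parse, i.e. proof that the input reached the
    SQL parser instead of being treated as a value.
    """
    try:
        vulnerable = lookup_vulnerable(conn, sku)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return vulnerable, lookup_hardened(conn, sku)


if __name__ == "__main__":
    db = make_db()
    print("normal sku :", probe(db, "A100"))
    # A product code with an embedded quote, the kind of input a scanner sends
    # to learn whether the parameter is concatenated into the query.
    print("quoted sku :", probe(db, "A10'0"))
```

On a normal product code both lookups agree. On the quoted input the concatenated version raises a parse error, which in a real deployment usually surfaces as a database error page and tells the scanner the site is worth a closer look; the parameterized version returns an empty result and leaks nothing. The defensive takeaway matches the article: the fix lives in the cart software, so the site owner's job is to run the release that contains it.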

"Once they've found a vulnerable site," says Clements, "the hackers will mine it day after day. The ecommerce owners don't know their websites are exposed. We've seen consumers of such sites cancel and reissue credit cards multiple times, not knowing which site is causing the problem."

According to Clements, the list of major ecommerce software providers that have had, at one time or another, vulnerable programming code is long and prominent. "I can tell you prominent ecommerce-related companies that have had flawed code," says Clements. "When it happens, the programming flaws usually pop up on sites like SecurityFocus.com."

The lists of flawed computer code used by hackers can contain thousands of entries. "These lists float around the Internet," says Clements. "They aren't really that hard to find."

Clements emphasizes that ecommerce sites are really a collection of different pieces of software. There's the HTML for the site itself and various programming languages such as PHP and JavaScript. There's shopping-cart software, credit-card payment gateways, server software such as Unix and Linux, forum software, newsletter software, order forms and so on.

Keep software updated

"Each piece of software is a potential vulnerability," says Clements. "But the good news is that software providers, including hosting companies, will usually fix a flaw immediately. So the hackers typically have just a couple of weeks to exploit it before it's corrected."

So, how do operators of ecommerce sites protect themselves from unwittingly using flawed software?

"The key is to keep the latest, most up-to-date version of each and every piece of software," says Clements. "That's the best way for ecommerce owners to protect their customers' data."
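Clements' advice only works if the site owner actually knows every component in the stack and which release each one is on. The script below is an added example, not from the article or from any vendor; it uses a constructed inventory of a hypothetical store (component names and version numbers are made up) and a constructed table of the latest fixed releases, which in practice would be filled from each vendor's release notes or security feed. It flags components running behind the fixed release and, just as importantly, components nobody has a reference version for, since an unchecked component is the one the article warns about.

```python
import re

# Constructed inventory of a hypothetical store: component -> deployed version.
DEPLOYED = {
    "xyz-shopping-cart": "2.3.1",
    "payment-gateway-client": "1.8.0",
    "forum": "5.0.2",
    "newsletter": "0.9",
}

# Constructed reference table: component -> latest release known to contain
# the vendor's fixes. In practice this is maintained from vendor advisories.
LATEST_FIXED = {
    "xyz-shopping-cart": "2.3.4",
    "payment-gateway-client": "1.8.0",
    "forum": "5.1.0",
}


def parse_version(text):
    """Turn '2.3.1' (or '2.3.1-rc2') into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def outdated(deployed, latest_fixed):
    """Components whose deployed version is older than the fixed release."""
    return sorted(
        name
        for name, version in deployed.items()
        if name in latest_fixed
        and parse_version(version) < parse_version(latest_fixed[name])
    )


def unchecked(deployed, latest_fixed):
    """Components with no reference entry: their patch state is unknown."""
    return sorted(name for name in deployed if name not in latest_fixed)


def report(deployed, latest_fixed):
    """Summarize the inventory as a dict the caller can act on or alert from."""
    return {
        "outdated": outdated(deployed, latest_fixed),
        "unchecked": unchecked(deployed, latest_fixed),
        "current": sorted(
            name
            for name in deployed
            if name in latest_fixed
            and name not in outdated(deployed, latest_fixed)
        ),
    }


if __name__ == "__main__":
    for status, names in report(DEPLOYED, LATEST_FIXED).items():
        print(f"{status:9s}: {', '.join(names) or '-'}")
```

Run against the constructed data, the cart and the forum show up as outdated, the gateway client is current, and the newsletter tool is unchecked. The two-week window Clements mentions is the reason to run a check like this on a schedule rather than once: the list of components rarely changes, but the reference versions do.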

This article is filed under Accounting, Management & Legal and has the following keyword tags: fraud, credit card payments, stolen credit cards.
