Practical Ecommerce

How To Steal Credit Card Numbers

At, Internet programmers can post the details of various software bugs to assist other professionals. These software bugs could include shopping carts, payment gateways, Unix code and more. The helpful programmers always supply, by name, the software manufacturer and the name of the program.

“Credit card thieves continually monitor sites like,” says Dan Clements, CEO of, a Los Angeles-based security firm that consults with banks and other firms on credit-card fraud. “Once a programmer posts a vulnerable piece of software there, the hackers add it to their scanning programs and then search for ecommerce sites that use the flawed software.”

Find vulnerable code

For example, say a programmer discovers XYZ Shopping Cart contains code that is vulnerable to hackers. He might post that code onto a site like A thief could then copy that code, add it to his scanning program and search the Internet for sites that use XYZ Shopping Cart. Having located those ecommerce sites, the thief can then run his scanning program containing a list of flawed code (called, technically, a SQL Injection List) against the sites’ servers to detect if a particular line of code is in use. If it is, the thief can frequently penetrate the server and steal customers’ names, credit-card numbers, billing addresses and so forth.

“Once they’ve found a vulnerable site,” says Clements “the hackers will mine it day after day. The ecommerce owners don’t know their websites are exposed. We’ve seen consumers of such sites cancel and reissue credit cards multiple times, not knowing which site is causing the problem.”

According to Clements, the number of major ecommerce software providers that have had, at one time or the other, vulnerable programming code is long and prominent. “I can tell you prominent ecommercerelated companies that have had flawed code,” says Clements. “When it happens, the programming flaws usually pop up on sites like”

The lists of flawed computer code used by hackers can contain thousands of entries. “These lists float around the Internet,” says Clements. “They aren’t really that hard to find.”

Clements emphasizes that ecommerce sites are really a collection of different pieces of software. There’s the HTML for the site itself and various programming languages such as PHP and JavaScript. There’s shopping-cart software, credit-card payment gateways, server software such as Unix and Linux, forum software, newsletter software, order forms and so on.

Keep software updated

“Each piece of software is a potential vulnerability,” says Clements. “But the good news is that software providers, including hosting companies, will usually fix a flaw immediately. So the hackers typically have just a couple of weeks to exploit it before it’s corrected.”

So, how do operators of ecommerce sites protect themselves from unwittingly using flawed software?

“The key is to keep the latest, most up-to-date version of each and every piece of software,” says Clements. “That’s the best way for ecommerce owners to protect their customers’ data.”

Kerry Murdock

Kerry Murdock

Bio   •   RSS Feed


Sign up for our email newsletter

Get the Practical Ecommerce RSS feed

Comments ( 5 )

  1. Legacy User March 13, 2007 Reply

    I don't see a compelling reason to store credit card information in your actual online store. If you script is tied in with your payment gateway to authorize and capture funds, you don't need to store their credit card info yourself. It opens you up to all kinds of security and legal issues.

    — *Emm*

  2. Legacy User March 13, 2007 Reply

    We, at Down Home Living Products & Gifts do not require our members to register, nor do we even keep credit card information. Our customers pay by check or money order by mail, or PayPal on-line. So, if their information is in fact comprimised on-line, that would need to be taken up with PayPal. Our site is secure, but in this day and age, is anything really secure? The most secure thing you can do is NOT keep that kind of personal information about your customers. That is the security we offer OUR customers.

    — *Kevin*

  3. Legacy User March 30, 2007 Reply

    Storing credit card numbers is illegal, as it violates the policy of protection of customer personal information.

    — *Storing Credit Card number is illegal*

  4. Legacy User May 11, 2007 Reply

    Storing numbers is not illegal per se, and many popular ecommerce sites, such as, do it. However, there's no reason to store any credit card information since authorizations are done via your payment gateway. And as for SQL-injection attacks, there are a number of techniques you can use to prevent such assaults (be sure to escape any variables passed through the URL or use mod-rewritting to make sql injection much harder). Also, make sure you keep your SSL certficate up to date! :)

    — *Eric*

  5. Vinay Bharadwaj May 15, 2012 Reply

    I am an ethical whitehat hacker myself. What I have observed in my experience is that the instances of a potential thief actively trying out attacks on these sites are far less than people not observing proper safety precautions. Entering credit card numbers on public untrusted networks is the biggest problem. Anyone could listen in, get in and get out without getting caught.

    These days, almost every public places offer free wifi, be it cafes, malls, anywhere. These are potential targets for thieves. Many people are ignorant and use credit cards through such public networks. A thief could just launch a man-in-the-middle attack and channel all network traffic through his laptop, and would listen to just about anything on the network. This is very easy to do, and they wouldn’t have to look for vulnerabilities on sites and break their heads weeks long. I would say that if people were a little more educated, many of these incidents could be prevented..