Thursday, March 15, 2007
ID Thieves Turn Sights on Smaller E-Businesses; For Online Shoppers, Security Seals No Guarantee That Hackers Aren't Watching
Byline: Brian Krebs
Schuyler Cole needed an accessory for his Palm Treo 600 smartphone, so the Haleiwa, Hawaii, resident fired up his Web browser last month and ran a Google search.
After scanning the search results, he purchased the inexpensive item -- a USB cable used to synchronize the Treo's settings with his personal computer -- from Cellhut.com, the first online store displayed in the results that looked like it carried the cable. The site featured a "HackerSafe" logo indicating that the site's security had been verified within the past 24 hours.
Later that day, information from Cole's purchase -- including his name, address, credit card and phone numbers, and the date and exact time of the transaction -- was posted into an online forum that caters to criminals engaged in credit card and identity theft. Ostensibly, the data on Cole was posted as an enticement to other fraudsters lurking on the forum who might be interested in buying large numbers of similar records.
Other personal data posted into the fraud forum included the personal and financial information for Shane Galloway, an 18-year-old freshman at Louisiana State University in Baton Rouge. When contacted by washingtonpost.com, Galloway said he purchased a wireless phone from Cellhut.com shortly after midnight on Sept. 6, just minutes after the time stamp on Cole's purchase.
Another individual whose data was found in the online chat channel -- a southern California resident who asked that his name not be used -- confirmed that he bought wireless accessories from Cellhut.com at 9:15 a.m. on Sept. 7, the exact time listed in the entry that was posted into the online forum along with his credit card data and other personal information. Later, he discovered that $6,000 in fraudulent charges were made using his credit card.
While public attention has remained fixed on a series of high-profile data losses or database breaches at federal government agencies, large corporations and universities, experts who study financial fraud say hackers increasingly are targeting small, commercial Web sites. In some cases, criminals are able to gain real-time access to the sites' transaction information, allowing them to steal valid credit card numbers and quickly charge large numbers of fraudulent purchases.
Small e-businesses offer fewer total victims, but they often present a softer target, either due to flaws in the software merchants use to process online orders or an over-reliance on outsourced Web site security.
Dan Clements, co-founder of CardCops.com, a fraud prevention service that monitors underground chat rooms where criminals trade in stolen credit cards and information used to commit identity theft, recorded Cole's and Galloway's information being traded in an online chat room. Clements said many smaller online merchants use generic shopping cart software that they fail to maintain with the latest software security patches.
"Most of these merchants that get hacked do not have updated versions of the software that runs their business; they're just trying to sell widgets," he said.
Nearly 80 percent of all software vulnerabilities discovered in the first six months of 2006 involved Web-based applications produced by hundreds of different software vendors, according to a report released Monday by Cupertino, Calif.-based security vendor Symantec Corp.
"The people writing these applications often don't know very much about Web-based vulnerabilities," said Alfred Huger, a senior director at Symantec Security Response. "Many of these Web vulnerabilities are not that difficult to discover and are very easy to exploit."
Cellhut.com, like many e-commerce Web sites, features the "HackerSafe" seal on its homepage proclaiming that the site "is tested and certified daily to pass the FBI/SANS Internet Security Test." ScanAlert Inc., a Napa, Calif.-based company that sells the service, scans some 75,000 online merchants each day for thousands of known Web site flaws.
ScanAlert is one of many companies providing third-party Web site security audits to online businesses. Other players in this market include Comodo Group Inc. of Jersey City, N.J., which markets its HackerGuardian scanning service; Coral Gables, Fla.-based Xenitel and its HackerFree seal; and the Verified Safe service from Lansing, Mich.-based Periscan.
By and large, the companies offer a range of basic and advanced security services that they say will assure Web customers that a site is doing everything possible to protect their personal data. But computer security experts are quick to question the effectiveness of these services.
"We hear from our assessor contacts who investigate (Web site) breaches that most of the sites had previously passed vulnerability scans," said Avivah Litan, a financial fraud analyst with the Stamford, Conn.-based research firm Gartner Inc.