Originally Published: Friday, 17 August 2001 Author: Anurag Phadke
Published to: enchance_articles_security/Basic Security Articles

Using Credit Cards Online, Are you Safe?

We've all been scared by FUD (fear, uncertainty and doubt) articles when it comes to online security and online transactions. But how many of those journalists have actually taken the time to go out and talk to crackers or search out their tools and techniques? How many of those dangers are real, and how many are a load of horseshit? Intrepid Linux.com reporter Anurag Phadke gives us a glimpse of the online world through the eyes of a cracker.

When the Internet first surfaced to the general public in the early 90s, everyone welcomed the beginning of a new era. Many hopes were floated and everyone seemed to be of the opinion that the Internet would change the standard of living for every individual. Of course, along with the Internet came the blooming of online credit card use and the convenience of online shopping, coupled with a frenzy of new products and loads of discount offers. Just when everything seemed to be "too good to be true" came the era of the so-called code breakers, the crackers.

Every year millions of dollars are lost to credit card fraud. Just who is supposed to be held responsible for all this? The online shopping sites, the end user or your over-friendly neighbour? In this article, I shall talk about the detailed anatomy of a credit card, the loopholes of some of the online shopping sites and a few other details. I will try to show you, the honest citizen, the Internet world through the eyes of a cracker. Believe me, some of the facts here can give sleepless nights to anyone who loves his/her hard-earned money.

Understanding Credit Cards

A quick glance at a credit card and you have a name, an expiration date and a long 13 or 16 digit number imprinted on a wonderful glossy card. This number should not be mistaken for a random number. It is a carefully designed number that perfectly fits into a self-checking formula that is specific to each and every credit card company.

For instance, the first four to five digits of every card point to the issuing bank:

4032 = Household Bank
5286 = First Card / F.C.C. National Bank

Card number generating software such as CMaster4 is able to generate fake but real-looking numbers. Even today, there are sites which process transactions only by checking the validity of the credit card number itself (not whether the number exists or not). Hard to believe, but 2-3 years ago, Mail.com used to check only the credit card number and, if it was found to be correct, the user would have access to a platinum account with increased webspace. My research showed that only after a day would Mail.com send you a reply saying the details that you had entered were invalid... but by that time a malicious user had already used the paid service for free. During the recent French Open event, rolandgarros.com opened a merchandise site for selling items related to the event. The site used SSL but it did not bother to check the credit card number of the customer; only a small JavaScript was introduced in the web page for validating the card.
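The gap described above, a checksum pass being treated as payment, shown as an added example (not code from the article or from any of the sites it names). The check digit on card numbers is computed with the Luhn algorithm; `decideOrder` and the synchronous `authorize` callback are hypothetical names standing in for a merchant's server-side handler and its real-time processor call, and the card number is a widely published test value.

```javascript
// Added example: decideOrder() and authorize() are hypothetical names.

// Luhn checksum: catches typing errors only. It says nothing about whether
// the account exists, is open, or has available credit.
function luhnValid(pan) {
  const digits = String(pan).replace(/[ -]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {          // double every second digit from the right
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Server-side decision. `authorize` stands in for the merchant's real-time
// call to its payment processor and must return { approved: boolean }.
// The paid service is provisioned only on an explicit approval, so a
// checksum-valid but nonexistent number never unlocks anything.
function decideOrder(pan, amountCents, authorize) {
  if (!luhnValid(pan)) {
    return { provision: false, reason: "format" };    // cheap pre-filter
  }
  const auth = authorize(pan, amountCents);
  if (!auth || auth.approved !== true) {
    return { provision: false, reason: "declined" };  // fail closed
  }
  return { provision: true, reason: "approved" };
}

// Constructed inputs: 4111 1111 1111 1111 is a widely published test number.
const TEST_PAN = "4111 1111 1111 1111";
const declineAll = () => ({ approved: false });
const approveAll = () => ({ approved: true });

console.log(decideOrder(TEST_PAN, 1000, declineAll));
console.log(decideOrder(TEST_PAN, 1000, approveAll));
```

The same check in page JavaScript alone gives no protection, because the client controls that code; the decision has to be made on the server as above.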

How Credit Card Processing takes Place

"The people who commit credit card frauds don't even care what will happen to the victims, for these people you are not a person but an object, an object that shall help them realize their ultimate fantasy.....unlimited money."

Lots of porn sites and online shops use a technique called real-time processing of cards. This means that as soon as one enters his/her information, it is validated by the merchant, who has a direct connection with the credit card company itself, and the result is available immediately. On the other hand, rediff.com (a popular Indian portal) uses a manual technique to check credit cards. This means your vital information is actually passed on to a third party before the transaction is finalised, which might also be dangerous.

Try to do your shopping at a site that uses real-time processing of credit cards.

Server Exploits

The presence of numerous exploits in servers is yet another reason for crackers to make merry. To date more than 100 patches have been released for Win2K. Some time back, I had an IRC chat with some person in Europe who told me how he applied the IIS/4.0 exploit to a website, giving him access to the hard disk of the computer hosting the website. He was then able to browse the entire hard disk of the remote PC via Internet Explorer, and what he found was a login and password for a bank account. On checking it, it had a balance of more than HK $20000 and the password actually worked for more than 2 weeks! Now whether this particular anonymous "voice" was telling the truth or not is irrelevant; the fact is this kind of thing can be and is done every day.

Recently a lot of hype was created by companies such as flooz.com and paypal.com. Though flooz.com has now closed down, during its operations a person could easily use someone else's credit card and apparently get away scot-free with the victim's hard-earned money. This is not a rare case.

Paypal.com, which puts money into an account from a credit card and can also send a cheque, is equally vulnerable.

How does a Cracker find Credit Card Numbers?

The three main ways appear to be server "exploits" (attacking the server directly), attacking software services and weak or badly written .cgi programs.

  1. Server Exploits: The cracker breaks into an e-shopping site with one of the many server vulnerabilities documented on the Internet and then just snoops around.

  2. Software Services: Retailers with few customers (10 / month) who cannot afford the huge investment in real-time processing tend to buy small modules from Cart32.com and similar sites. Cart32's system checks the validity of customers' credit cards for smaller merchants.

    The well known exploit for Cart32 v2.6 (Build less than 525) has a decoder that is less than 20kb and exposes the admin passwords of the client. emy.com.au had an admin password "a" for 15 days... now how tough is that to crack? Even some of the later versions of Cart32 such as 3.5a had some loopholes in them which were royally exploited by many.

  3. .cgi Scripts: In the shopper.cgi exploit, crackers use any search engine to find one line on a site. If that line is found on the search engine after the "www.site.com/" page, then a cracker only has to add one small line to get access to a huge list of information including, potentially, credit card numbers. There are plenty of other insecure amateur Perl and .cgi scripts out there too.

Another Problem with Online Merchant Accounts

Online merchant accounts such as ibill.com and authorize.net allow verification of credit card data entered by the user. A transaction is considered valid not only if the credit card details match; the user must also have an adequate balance on his account. For example, say I have just $30.00 USD in my bank account and I buy stuff worth $100 USD. Even though my information is correct, it hardly makes sense for the e-site to validate my transaction.

Another potential style of credit card fraud is not to use a stolen credit card at all, but simply to use the Internet to effectively increase your credit limit for a short period. Once a person gets access to these merchant accounts, they have hard cash at their disposal.

IRC: Another Haven for CC's

Another way to get stolen credit card numbers is simply to barter for them. One of the best places to get loads of CC's is to wander around in some IRC channels (but there are plenty of other chat and Internet services and protocols to use too). Just log on to your favourite server (irc.dal.net) and join the channel #cc. Mainly a trading channel (cc's are being traded there as if they were Pokemon cards), you can get whatever you want by trading... porn passes, virgin cc's, calling cards and sometimes even a laptop. If you are good at psychology, getting your hands on files that contain hundreds of credit card lists with details is a fairly simple task, albeit very illegal, of course. Some of the credit cards over there have a limit as high as $5000/-. Now isn't it time that someone took notice of all these activities? Agreed, IRC is an unmoderated forum of free speech, but isn't it playing with a person's life?

Final Words

As days pass by we are all striving to make our lives easier. Technology and its drawbacks are here to stay. If you have a look around yourself, 80% of hacking occurs because of admins being careless when installing a firewall, not updating the server regularly with patches or just turning a blind eye to the suspicious logs that keep accumulating on the server.

You can have your credit card number stolen in any store, every time you use it, not just on the Internet. But a little knowledge about what is happening, how it is happening and why will help everybody feel more secure. The more you know, the better off you are.

Anurag Phadke, an Electronics Engineering student, is in his final year of graduation. He loves Dominos Pizza and hopes to own a hotel sometime in the near future.