[899] in cryptography@c2.net mail archive
FBI: Hacker sold 100,000 credit card numbers
daemon@ATHENA.MIT.EDU (Rick Smith)
Fri May 23 12:47:13 1997
Date: Fri, 23 May 1997 11:21:21 -0600
To: cryptography@c2.net
From: Rick Smith <smith@securecomputing.com>
When we talk about the risks of weak crypto and the costs of privacy
breaches, credit card numbers generally appear as a secret whose disclosure
carries monetary value. Here's a look at the cost/benefit trade off from
the perpetrator's point of view:
>>>>
FBI: Hacker sold 100,000 credit card numbers
Associated Press
SAN FRANCISCO -- A clever hacker slipped into a major Internet
provider and gathered 100,000 credit card numbers along with enough
information to use them, the FBI said Thursday. < text skipped >
After making two small buys, the FBI agents arranged to meet
Salgado on Wednesday at San Francisco International Airport to pay
$260,000 for 100,000 credit card numbers with credit limits that
ranged up to $25,000 each.
<<<<
Some observations:
1) Attacks on e-commerce crypto protections won't happen (except as parlor
tricks) unless the promised windfall is big enough to make the
perpetrator's costs and risks worthwhile. This particular perpetrator sold
credit card numbers for $2.60 each in quantity. Before this I'd heard
rumors of street prices between $5 and $15, which may have included the
physical card as well. I wonder if this perpetrator had other offers that
the FBI outbid, or if the FBI was the only bidder.
2) In this particular case the perpetrator applied Rule #1 of
Cryptanalysis: he sought out the plaintext and stole it before it was
encrypted. The feeble "C2" security of COTS computing systems remains a
huge weakness in e-commerce systems.
Rick.
smith@securecomputing.com