[900] in cryptography@c2.net mail archive
Re: FBI: Hacker sold 100,000 credit card numbers
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Fri May 23 13:18:12 1997
To: Rick Smith <smith@securecomputing.com>
cc: cryptography@c2.net
Date: Fri, 23 May 1997 13:04:08 -0400
From: Steven Bellovin <smb@research.att.com>
When we talk about the risks of weak crypto and the costs of privacy
breaches, credit card numbers generally appear as a secret whose disclosure
carries monetary value. Here's a look at the cost/benefit trade off from
the perpetrator's point of view:
>>>>
FBI: Hacker sold 100,000 credit card numbers
Associated Press
SAN FRANCISCO -- A clever hacker slipped into a major Internet
provider and gathered 100,000 credit card numbers along with enough
information to use them, the FBI said Thursday. < text skipped >
After making two small buys, the FBI agents arranged to meet
Salgado on Wednesday at San Francisco International Airport to pay
$260,000 for 100,000 credit card numbers with credit limits that
ranged up to $25,000 each.
<<<<
Some observations:
1) Attacks on e-commerce crypto protections won't happen (except as parlor
tricks) unless the promised windfall is big enough to make the
perpetrator's costs and risks worthwhile. This particular perpetrator sold
credit card numbers for $2.60 each in quantity. Before this I'd heard
rumors of street prices between $5 and $15, which may have included the
physical card as well. I wonder if this perpetrator had other offers that
the FBI outbid, or if the FBI was the only bidder.
2) In this particular case the perpetrator applied Rule #1 of
Cryptanalysis: he sought out the plaintext and stole it before it was
encrypted. The feeble "C2" security of COTS computing systems remains a
huge weakness in e-commerce systems.
The (full) AP wire story said that he used a sniffer.