[901] in cryptography@c2.net mail archive
Re: FBI: Hacker sold 100,000 credit card numbers
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Fri May 23 14:37:56 1997
To: John Pescatore <johnp@tis.com>
cc: Rick Smith <smith@securecomputing.com>, cryptography@c2.net
Date: Fri, 23 May 1997 14:04:30 -0400
From: Steven Bellovin <smb@research.att.com>

> Actually, if a sniffer was used, something like SET would have
> saved the day, or at least made smak go after every PC. The story
> I read said the FBI didn't know how he got them, and that they
> suspected him of breaking into numerous servers.
>
> I think on most ISPs it is probably easier to go after the
> billing server that stores user credit card numbers. To sniff
> 100,000 credit card numbers coming from users means you found
> that many folks accessing some number of sites not at least
> using SSL.

Here's the text I'm referring to:

    The scheme was discovered by the unidentified San Diego-based Internet
    provider during routine maintenance. Technicians found an intruder had
    placed a program in their server called a "packet sniffer," which locates
    specified blocks of information, such as credit card numbers.

Possibly, of course, the sniffer was to help spread break-ins, and
the credit card numbers were stolen from a service host. Or maybe
there was a back-end processor handling credit cards for many vendors --
SSL to the vendor, then cleartext to the backend... Lots of ways to
screw up security! (My personal preference is for digitally signed
orders, so that card numbers never appear on the merchant's side.
Of course, then we'll see sniffing code that uses a virus as a vector...)

> Mass market operating systems will always be security feeble,
> much the way most internal doors have pretty feeble locks.

Yup.