[902] in cryptography@c2.net mail archive
Re: FBI: Hacker sold 100,000 credit card numbers
daemon@ATHENA.MIT.EDU (John Pescatore)
Fri May 23 14:37:58 1997
Date: Fri, 23 May 1997 13:43:02 -0400
To: Steven Bellovin <smb@research.att.com>,
Rick Smith <smith@securecomputing.com>
From: John Pescatore <johnp@tis.com>
Cc: cryptography@c2.net
Actually, if a sniffer was used, something like SET would have saved the
day, or at least made Smak go after every PC. The story I read said the FBI
didn't know how he got them, and that they suspected him of breaking into
numerous servers.
I think on most ISPs it is probably easier to go after the billing server
that stores user credit card numbers. To sniff 100,000 credit card numbers
coming from users means you found that many folks accessing some number of
sites that weren't at least using SSL.
Mass market operating systems will always be security feeble, much the way
most internal doors have pretty feeble locks.
JP
At 01:04 PM 5/23/97 -0400, Steven Bellovin wrote:
> When we talk about the risks of weak crypto and the costs of privacy
> breaches, credit card numbers generally appear as a secret whose disclosure
> carries monetary value. Here's a look at the cost/benefit trade off from
> the perpetrator's point of view:
>
> >>>>
> FBI: Hacker sold 100,000 credit card numbers
> Associated Press
>
> SAN FRANCISCO -- A clever hacker slipped into a major Internet
> provider and gathered 100,000 credit card numbers along with enough
> information to use them, the FBI said Thursday. < text skipped >
> After making two small buys, the FBI agents arranged to meet
> Salgado on Wednesday at San Francisco International Airport to pay
> $260,000 for 100,000 credit card numbers with credit limits that
> ranged up to $25,000 each.
>
> <<<<
>
> Some observations:
>
> 1) Attacks on e-commerce crypto protections won't happen (except as parlor
> tricks) unless the promised windfall is big enough to make the
> perpetrator's costs and risks worthwhile. This particular perpetrator sold
> credit card numbers for $2.60 each in quantity. Before this I'd heard
> rumors of street prices between $5 and $15, which may have included the
> physical card as well. I wonder if this perpetrator had other offers that
> the FBI outbid, or if the FBI was the only bidder.
>
> 2) In this particular case the perpetrator applied Rule #1 of
> Cryptanalysis: he sought out the plaintext and stole it before it was
> encrypted. The feeble "C2" security of COTS computing systems remains a
> huge weakness in e-commerce systems.
>
>The (full) AP wire story said that he used a sniffer.
>
>
John Pescatore
Trusted Information Systems 301-947-7153
15204 Omega Drive, 3rd floor 301-527-0482 (fax)
Rockville, MD 20850 johnp@tis.com