[905] in cryptography@c2.net mail archive


Re: FBI: Hacker sold 100,000 credit card numbers

daemon@ATHENA.MIT.EDU (John R Levine)
Tue May 27 12:46:15 1997

Date: Sat, 24 May 1997 16:26:55 -0400 (EDT)
From: John R Levine <johnl@iecc.com>
To: jamesd@echeque.com
cc: cryptography@c2.net
In-Reply-To: <199705241825.LAA19851@proxy4.ba.best.com>

> > Besides, if you can install code on the server, why waste your time sniffing
> > packets when all the data is conveniently assembled in files? 
> 
> Because the commerce data is not on the server.
> 
> They said he installed the packet sniffer on an internet provider,
> not on a particular electronic commerce business.  E-commerce businesses
> always have their own hosts.
> 
> It would appear from the story that he simply sniffed cleartext credit 
> card numbers as they were transmitted through the internet.

Uh, wait a minute.  The Internet is not a sea of data from which you can
extract data at random.  It is a mesh of interconnected networks.  Any single
host can only see the data on the networks to which that host is directly
connected.  Extracting 100,000 credit card numbers from network traffic
through an ISP is implausible for several reasons: 

* There aren't very many providers who have 100,000 customers.

* The ones who do don't put all their customers on the same host or the same
subnet for reasons having more to do with network performance than with
security, and for the most part don't let their users run software on their
servers.  (Netcom is an exception, but see below.)

* Sniffing a lot of credit card numbers from passing traffic is a fairly
difficult task.  Yeah, you can look for packets with likely-looking 16-digit
numbers, but how long will it take you to find 100,000 of them, with
expiration dates?  And would a large ISP realistically not notice a program
sniffing all the traffic (which requires superuser privileges on a Unix box)
long enough to do that?

On the other hand, a couple of years ago Kevin Mitnick broke into one of 
Netcom's poorly secured servers and stole a copy of their accounting 
database which included, among other things, the credit card numbers of 
all their members, no packet sniffing needed.

I can believe that someone stole 100,000 credit card numbers, but it's a lot
easier to believe that he found them in a database than that he sniffed them
one at a time.  Isn't there an old crypto rule of thumb that tells you 
that when you hear hoof beats, don't think zebra?*

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4  2D AC 1E 9E A6 36 A3 47 

* - Except in central Africa where it tells you don't think horse.
