Credit Cards on Ebay now Vulnerable to Hackers???

 Collegepark
 
posted on July 5, 2001 10:15:49 AM
Here's something I saw today. Wonder how vulnerable the old gasp and wheeze ebay computers are?
_____________________________________________

Hackers pounce on Web site flaw

Now criminals can use search engines to find credit cards

By Bob Sullivan
MSNBC

July 3 — Time has apparently run out for Internet e-commerce sites to fix a critical software flaw that exposes customer credit card numbers. In the past few days, dozens of URLs have been posted in Internet chat rooms linking to small Web sites that hadn’t patched their flawed shopping cart programs. The flaw is so widespread that some of the URLs containing customer information are being picked up by search engines — meaning finding hot cards is almost as easy as conducting a search on Yahoo or Google.


OFTEN IN THE computer security world, vulnerabilities are announced that in the end appear to not cause any real-world problems — what one might call a “victimless vulnerability.” Much ado is made about a flaw in a piece of software, but weeks and months later, there are no stories of victims having been hit by a computer criminal exploiting that flaw.
That’s hardly the case with a flaw revealed by PDG Software Inc. back in April. In May, MSNBC.com reported on a trickle of Web sites that had been victimized by the problem, which lets criminals see complete order information entered by Web site customers. Now, that trickle seems to have turned into a flood.
While hundreds of sites have downloaded and installed the necessary patch provided by software maker PDG Software Inc., dozens of others have yet to do so.
And now, instructions on how the flaw works have spread through the Internet’s underground, and exploiting it is so trivial that several sites are being victimized each day.

For example, on Monday, armed with simple instructions provided on a Web site, MSNBC.com was able to find eight sites revealing information. Finding the sites is easy — it involves using a particular search term on a search site like Google or Yahoo, followed by one additional cut-and-paste operation. While most sites uncovered using this search method had installed the patch, about one in 15 had not.
Each of the sites was informed of the issue via e-mail.

Flaw causes credit card chaos

A source who requested anonymity told MSNBC.com he has been monitoring chat rooms for signs of PDG-exploited sites and says activity around the flaw has reached fever pitch in the past week.
He provided MSNBC.com with chat room logs detailing 19 other sites that had been posted during the weekend, but most of those sites had fixed their problem by Tuesday afternoon.


Each of the sites was a low-traffic, low-transaction-volume e-commerce property — the seven found by MSNBC.com revealed only about 100 credit card numbers. But other critical information was also revealed, such as merchant identification numbers used by retailers to communicate with payment processing companies. User names and passwords for credit card verification systems were also exposed.
Credit card criminals can have a field day with such information. For example, the merchant ID and verification system login information gives card thieves an easy way to test the credit limits on cards they’ve stolen.

Health site exposed private information


PDG SOFTWARE BLAMED
The PDG Software flaw first revealed in April was so widespread and easy to use that the FBI, through its National Infrastructure Protection Center, issued a warning about it on April 6. PDG Software Inc. also says it attempted to contact each of its 2,000 customers, warning of the need to install a fix.
But the company added that many customers purchased the software through a third party, and in some cases has no contact information for those customers.
In other cases, the company said, customers have simply failed to act on warnings about the software.
Company President David Snyder said his company has done everything it can to alert PDG users to the need to install a patch. “If they get an e-mail and don’t read it or don’t take action, we can’t go over there and install it for them,” he said.



 
 dman3
 
posted on July 5, 2001 11:22:46 AM
I wouldn't worry so much about hackers getting access to this information from ebay or other large web sites.

I would be more worried about the fact that the personal information you type in the forms for these websites is all stored and saved in your own computer.

Your passwords, user name, credit card #, SS #, address, PH # and any other information you ever type in a form on the web is all stored and saved in your web browser if you can go to a site like My eBay and, when you type the first letter of your user name, a drop-down menu comes up and the form can be filled in with your info with a click. Computers running Win 95, 98 or ME have no way of locking files for read or write at all.

If you're using ISDN, DSL, cable modem or have a fixed IP with your provider, any hacker can get your information from your computer far, far easier than any Linux or Unix server.


Smaller sites, many don't have the file locking and security locks and shttp; they don't use umasking to prevent file mode changing on each user's dat files.

Best bet before putting any personal info on any small site, like credit card #, is to make sure your info is being sent to a larger, more secure company, like through Ibill, PayPal, Billpoint, ProPay or one of the many others out there.


http://www.Dman-N-Company.com
Email [email protected]
 
 yisgood
 
posted on July 5, 2001 01:18:07 PM
I believe what this is referring to is this article. I have been trying to explain to some buyers that a secure payment service such as C2it is far more secure than giving out their credit card number to every seller on ebay. Some of them argue that it is safer to call in the CC number than to enter it on a site, even if the site is secure. But when I accepted CCs directly, folks called it in to me, I entered it into my PC and then transmitted it to my merchant account. Now that data resided both at the merchant site and on my PC. Why is this more secure than entering it on a secure site? I haven't heard of hackers stealing CC transmissions over the net but I have heard of them hacking into sites and stealing the data there. I would guess that C2it has better security than most mom & pop PCs. Not to mention that there are some sellers who advertise that they take CCs but what they really do is take your CC and then use it to make other purchases or sell it to a foreign stolen CC ring.

http://www.ygoodman.com
[email protected]
 
 