- The Washington Times - Friday, March 9, 2001

East European hackers have hit more than 40 U.S. electronic-commerce and banking sites in recent months in an effort to get confidential financial information or carry out extortion, the FBI said yesterday.

Investigators at the National Infrastructure Protection Center, the FBI's cyber-crimes arm, cited an increase in thefts of credit-card numbers and a similar increase in the fraudulent use of credit cards in Russia.

"The investigations have disclosed several organized hacker groups in Eastern Europe, specifically Russia and Ukraine, that have penetrated U.S. e-commerce computer systems," the FBI said.

Hundreds of companies have fallen victim, with more than one million credit-card numbers stolen. The FBI has 40 investigations in 20 states.

In December 1999, a hacker claimed to have stolen the card numbers of 300,000 CD Universe customers. The hacker, using the name Maxim, said he was a 19-year-old from Russia. He released thousands of the numbers when the company refused to pay a $100,000 ransom.

Western Union shut its Web site for five days in September after hackers stole the card numbers of more than 15,000 customers.

In December, another Russian hacker stole more than 55,000 cards from creditcards.com, which processes transactions for on-line merchants. About 25,000 card numbers were posted on line when a $100,000 extortion demand was ignored.

The FBI broke from its policy of not discussing pending investigations because bureau officials said they believed it necessary to alert the public even though the announcement could compromise their work.

The bureau said charges have been filed but declined to elaborate. The scheme was said to involve organized crime groups outside the United States.

The hackers are using well-known holes in their targets' Web sites and transaction software; the infrastructure center is asking companies to patch holes more quickly.

It is a hassle for customers to change their credit cards after they have been used on compromised e-commerce sites, but companies are even more at risk, security experts said.

Individual liability is capped by law at $50 if fraudulent charges are made on a card, but a company loses consumer confidence and almost assuredly loses the business of the stolen card's holder.

"E-commerce sites have got to realize that they are fiduciaries of other peoples' information," said Mark Rasch, legal counsel for Predictive Systems, a computer networking firm. "They've got credit cards, names, addresses and buying habits. They have to take that responsibility more seriously."

NIPC Director Michael Vatis said in January that the bureau periodically sees organized criminal groups make extortion demands related to hacker attempts. It is not known whether any of the criminals are sponsored by a government, although that possibility is part of the FBI's investigation.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide