- The Washington Times - Tuesday, June 21, 2005

BOSTON (AP) — The numbers involved in the latest high-stakes cyber-crime are astonishing: Burrowing into a payment-processing company’s computers, a hacker apparently stole data on 200,000 credit and debit accounts and had access to 40 million.

But that doesn’t make the techniques required to pull off such a heist all that unusual.

Security researchers say the murky online community of credit-card thieves is increasingly sophisticated at exploiting weaknesses in financial networks.

And even lesser mischief-makers, often derided as mere “script kiddies,” can pick from a bundle of easily available tools that let them cut and paste the programming code needed to carry out attacks — without even understanding how it works.

“I’d say a script kiddie could do this,” said Jim Stickley, chief technical officer for TraceSecurity Inc. “I don’t think it would be difficult at all.”

Little has been revealed about the attack on CardSystems Solutions Inc., an Atlanta company that ferries card transactions between merchants and banks. The FBI and the company have been tight-lipped on details of the hack.

Asked yesterday whether one of the company’s 115 employees could have been involved, Bill Reeves, CardSystems’ senior vice president of marketing, said the company would not “rule anything in or out at this point.”

Pressed to elaborate, he said he could not comment because of the ongoing investigation.

Even so, enough is known that computer-security experts can make educated guesses.

When the breach was announced Friday, MasterCard said someone had installed a viruslike program on CardSystems’ network. CardSystems later acknowledged that the compromised data had been stored inappropriately for “research purposes” rather than deleted after transactions had ended.

If that “research” had involved transferring data into less-secure parts of CardSystems’ network — perhaps, say, so CardSystems programmers could run tests on real credit-card records — outsiders who routinely probe systems for soft spots could have discovered the files.

“In this day and age, you have hundreds of attacks on every single Internet connection every single day,” said Jonathan Rosenoer, director of risk and compliance solutions in IBM’s financial-services practice.

Once a weakness is found, how can it be exploited?

Mr. Stickley offered one simple scenario: Someone could send a CardSystems employee an e-mail linking to a phony online greeting card. The link would produce the expected dancing dog or other jolly scene, but in the background, a “Trojan horse” program would take root on the computer and prepare to relay information to an outsider.

Because the program would enter through communications ports commonly left open for Web browsing, the attack would not be picked up by intrusion-detection software or blocked by a firewall.

Robert Richardson, editorial director of the Computer Security Institute in San Francisco, said he suspects the CardSystems hacker got into a database server rather than just an average Internet-connected computer.

For that, “you’d need to be a notch above script kiddie,” he said. Even so, he said, more automated tools now exist to unleash Trojan horses and other means of breaking into complex systems. “They’re moving up that food chain pretty fast.”

Copyright © 2018 The Washington Times, LLC.