One of the biggest Internet fraud cases has been brought to light by the FBI in the US. Carlos Delgado, a student at the University of California, San Francisco, is to be charged with the theft of over 100,000 credit card numbers from the server of an unnamed ISP in San Diego, California.
Delgado used a packet sniffer which he had downloaded from the Web and installed it on the ISP's server to record the passwords of subscribers. The whistle was blown when the thief, using the pseudonym Smak, offered credit card numbers for sale during a chat session. The FBI was informed and an undercover agent trapped Delgado by arranging a sales meeting at San Francisco Airport.
Rather than undermining Internet security, the case underlines the need for ISPs and their customers to ensure there is a substantial security procedure in place before revealing a credit card number online. This applies to how it is stored as much as to how it is transmitted.
Stephen Harris, systems network manager at MatriX Publishing Network, expressed surprise that the San Diego server was so insecure that a hacker could not only infiltrate it, but also implant a sniffer. "This is equivalent to someone going round the back of a supermarket to take credit card receipts out of the bins," said Harris.
Richard Nuttall, director of innovation at UUNet Pipex, said: "If someone could hack into the internal system it doesn't speak well of the ISP. We've taken steps to ensure that customers only gain access to servers for legitimate transactions and that access cannot be gained from, say, the DNS server to the mail server. For most ISPs this is standard procedure."
Details of how the fraud was perpetrated have not been released as packet sniffers usually only give access to subscriber names and passwords. "I can't believe the hacker typed in each password to gain access to the accounts, so I presume he installed something that would intercept and collect account details as they were opened."
Apart from the legal case against Delgado there's the question of the ISP's responsibility to safeguard its customer information. In the UK, an ISP could be taken to court if it can be proved that the theft of credit card numbers was attributable to an insecure system.
Using photocatalysts to convert carbon dioxide into usable energy such as methane or ethane
Trained on curated data from Moorfields Eye Hospital, the neural networks show clinicians how they reached their decisions
Yokohama National University demonstrate technology that could lead to a fault-tolerant universal quantum computer
Top-of-the-range Threadripper 2990WX now available from Scan, Ebuyer, Overclockers, Novatech and Amazon