WASHINGTON – Organized hacker groups, primarily from former Soviet countries, are responsible for recent increases in credit card thefts and extortion attempts, the FBI said Thursday. It said e-commerce companies should be more vigilant in protecting their customers’ credit card numbers.
Investigators at the National Infrastructure Protection Center, the FBI’s cyber crimes arm, cited an increase in thefts of credit card numbers and a similar increase in the fraudulent use of credit cards in Russia.
“The investigations have disclosed several organized hacker groups in eastern Europe, specifically Russia and the Ukraine, that have penetrated U.S. e-commerce computer systems,” the FBI said.
More than 40 companies in 20 states have been identified as targets, the FBI said, with more than a million credit card numbers stolen.
The hackers are using well-known holes in their targets’ Web sites and transaction software, and the infrastructure center is asking companies to patch holes more quickly.
It is a hassle for customers to change their credit cards after they have been used on compromised e-commerce sites, but companies are even more at risk, security experts say.
Individual liability is capped by law at $50 if fraudulent charges are made on a card, but a company loses consumer confidence and almost assuredly loses the business of the stolen card’s holder.
“E-commerce sites have got to realize that they are fiduciaries of other peoples’ information,” said Mark Rasch, legal counsel for Predictive Systems, a computer networking firm. “They’ve got credit cards, names addresses and buying habits. They have to take that responsibility more seriously.”
NIPC director Michael Vatis said in January that the bureau periodically sees organized criminal groups make extortion demands related to hacker attempts. It is not known if any of the criminals are sponsored by a government, although that possibility is part of the FBI’s investigation.
In December 1999, a hacker claimed to have stolen the card numbers of 300,000 CD Universe customers. The hacker, using the name Maxim, said he was a 19-year-old from Russia. He released thousands of the numbers when the company refused to pay a $100,000 ransom.
Western Union shut its Web site for five days in September 2000 after hackers stole the card numbers of more than 15,000 customers.
Last December, another Russian hacker stole more than 55,000 cards from creditcards.com, which processes transactions for online merchants. About 25,000 card numbers were posted online when a $100,000 extortion demand was ignored.
Visit: National Infrastructure Protection Center: http://www.nipc.gov
