RealTime IT News

Hacker Finds a New Home for Stolen Cards

Curador, the online credit-card thief who has penetrated the security mechanisms of several e-commerce sites, is master of his own domain again.

The cracker, who has been posting thousands of stolen credit cards at a succession of personal Web sites for the past six weeks, opened up shop Friday at a new location.

Curador, who calls himself "the custodian of e-commerce," claims to have stolen over 23,000 credit cards from eight small sites over the past six weeks. After each hit, he's posted several hundred additional card numbers and customer names and addresses online in what he calls his "Hall of Shame." And each time he pops up online with a new site, Web hosting firms and domain registrars have responded by shutting it down. Curador has said he uses stolen credit cards to pay for the domain registrations.

Who-is records from Network Solutions' WorldNic registration service reveal that Curador's new site is registered to Fibres Solutions of Swansea, Wales. No valid phone or e-mail contact information was provided.

Although Curador claims to have cracked some new sites, he has not yet published their names or posted any card numbers or other customer records obtained from them.

Spokesperson Chris Clough said NSI is investigating the incident, but the registration firm has no way of preventing such occurrences. Clough added that the proposed acquisition of Network Solutions by digital certificate firm Verisign could result in new authentication services that could prevent such fraudulent registrations.

According to a source close to the investigation, law enforcement officials are still gathering and analyzing evidence against Curador, including log files from his previous victims.

While Curador registers personal sites to get attention for his exploits and to taunt law enforcement officials, that isn't the modus operandi of a cracker who reportedly stole half a million credit cards from an online retailer last year.

According to a report published Friday by MSNBC, a cracker broke into an unidentified e-commerce site in January 1999 and subsequently hid the 485,000 stolen card numbers, along with customer names and addresses, at an unspecified U.S. government agency's Web site.

Although the stolen cards were discovered the following March of 1999, credit card issuers were unaware of the theft until last December, when Visa USA notified its member institutions of the break-in.

A spokesperson for Visa said there was no evidence that the cards had been used fraudulently. Nor were the unidentified cracker's motives apparent for stashing them within the government site.

While the incident may lead some to conclude that Visa was negligent for not notifying card issuers and card holders more promptly, experts say the company's conduct was not improper.

"While Visa and Mastercard do try to combat fraud, they don't have a legal obligation to do anything in these situations. So I don't think its fair to say they acted improperly," said Anita Boomstein, an attorney with Hughes Hubbard & Reed in New York.

According to Boomstein, a specialist in credit card law, it's up to individual banks and other card issuers to watch for fraudulent charges and decide on a case-by-case basis whether to cancel a card number and issue a new one.