Partner With Us Web Design Imprinted Promotions Dental Insurance KVM over IP Computer Deals SMS Gateway Promotional Gifts Online Education Desktop Computers Compare Prices Phone Cards Computer Hardware Find Software Imprinted Gifts

Biz Resources Technology Asset Management Software Information Technology Services ecommerce solutions

Cybercash Inc. is disputing an 18-year-old Russian cracker's claims that the company's credit card verification system was penetrated, resulting in the theft of thousands of credit card numbers from an online music store.

Before it was taken offline early Sunday morning, the rogue site, a page of which has been mirrored here, had doled out more than 25,000 stolen card numbers, according to a counter on the page. Also included with the numbers were expiration dates and cardholder names and addresses. With the click of a button, visitors could launch a script that purportedly obtained a valid credit card "directly from the biggest online shop database," according to a message at the site.

The cracker, who goes by the nickname Maxus, claimed in an e-mail to InternetNews.com sent Saturday that he breached the security of CDuniverse.com, an online music store operated by eUniverse, Inc. of Wallingford, Conn. Maxus said he had defeated a popular credit card processing application called ICVerify, from CyberCash (CYCH) and obtained a database containing more than 300,000 customer records from CDuniverse.

As proof of his exploit, Maxus e-mailed a file to InternetNews containing nearly 200 customer records, including card numbers, which he claimed were stolen from CDuniverse.

Cybercash vice president of marketing Chuck Riegel said Tuesday the company's ICVerify product may once have been installed at CDuniverse, but it is no longer in use there, and is not to blame for the breach. He noted that ICVerify is a PC-based product that's typically used by brick-and-mortar merchants to accompany a PC-based cash-register system. It is connected over a phone line to a credit-card processor, and has no Web interface.

"As far as security in ICVerify goes, that thing is buttoned down, nailed down and it's been in production for 10 years. It's hard for us to comment on what the possibilities might have been outside of that, I just know for sure that it had nothing to do with my software product," Riegel said.

One of the victims, Greg Wilson of Binghamton, N.Y., confirmed that he had shopped at the online music store over a year ago. According to Wilson, he was contacted by his credit card company's fraud division last week after someone had attempted to make an authorized charge to his card.

Another victim, Charles Vance of Marietta, Ga. said he had purchased CDs from the company in the past, but had recently cancelled the card on file for unrelated personal reasons.

Maxus said that he decided to set up the site, titled Maxus Credit Cards Datapipe, and to give away the stolen customer data after officials at CDuniverse failed to pay him $100,000 to keep quiet about the security hole. Maxus claims the company agreed to the payment last month, but subsequently balked at initiating a wire transfer to a secret bank account because it might be noticed by auditors. After a week passed with no further contact from the company, Maxus said he put up his site and announced its presence Dec. 25th on an Internet Relay Chat group devoted to stolen credit cards.

Soon after launching his site, Maxus said it became so popular with credit card thieves that he had to implement a cap to limit visitors to one stolen card at a time.

The Internet service provider which hosted the Maxus site, Lightrealm Inc., of Kirkland, Wa, took the Maxus site down sometime early Sunday morning. Lightrealm was acquired by Micron Electronics (MUEI) last October.

According to Elias Levy, chief technology officer of Internet security information firm SecurityFocus.com, which first publicized the existence of the Maxus site, the incident "is very disturbing. It realizes the fears people have about online commerce." But Levy pointed out that because card holders are usually only responsible for first $50 in fraudulent charges, the real danger in Internet credit card fraud falls on online merchants and credit card companies.

"The Internet is not more dangerous for consumers. It allows a criminal to break into a single site and obtain not one credit card, but possibly a database of all credit cards of that site's customers," Levy said.

Apprehending Maxus will not be easy, said Richard M. Smith, an online security expert in Brookline, Mass., who helped federal agents track down the author of the Melissa virus, David L. Smith. Maxus appears to move about online using stolen accounts and relays his email through other sites to conceal the originating Internet protocol address, said Smith.

"It's possible he could have slipped up somewhere along the way, but I think he's pretty free and clear and it's near zero that they will catch him," Smith said.

A guest book at the Maxus site contained dozens of entries from visitors, many of them in Russian.

According to BizRate, a service which collects feedback from online shoppers, CD Universe rates highly overall with excellent customer satisfaction scores for nearly all dimensions of its service.