Before he was arrested by police in Wales last Thursday, the online credit
card
thief who called himself “Curador” worked as an e-commerce consultant, his
former boss revealed Monday.
As previously reported, an 18-year-old man in Clynderwen, Wales was arrested
Thursday in connection with break-ins at nine e-commerce sites in recent
weeks. Under U.K. law, Curador’s name was not released by police, but the
Britain’s Daily Telegraph reported Saturday that Curador’s real
name was Raphael Gray. The true name of his accomplice, who was also
arrested, was not disclosed.
While he was allegedly breaking into online stores in the United States,
Canada,
Thailand and Great Britain, Gray was also working to develop an e-commerce
strategy for Console King, a
mail-order company in Narberth, Wales.
According to Sam Lee, managing director, the retailer of video games and
DVDs hired Gray around Christmas 1999 on the recommendation of a job
recruitment firm.
“[Gray] told us that he worked for several companies, including a
subsidiary
of Microsoft. And he showed us some of the work he had done, and it was
pretty good. As far as we knew, he had no criminal record,” said Lee.
Console King paid Gray about US$6.50 per hour to build the company an online
storefront. But Lee said he fired Gray in the beginning of March after Gray
began failing to show up for work. Only last week did Lee know that Gray had
allegedly been involved in the online theft of about 26,000 credit cards
over the course of six weeks.
“We couldn’t believe it. He’s put my company and my staff in jeopardy. He’s
so stupid he doesn’t know what he’s done,” said Lee, who added that Console
King has tightened security at its site since learning of Gray’s true
identity.
Gray has been released on bail and according to Lee has been seen on the
streets of Clynderwen, which has a population of 550.
FBI officials declined to comment on whether Gray had used any of the stolen
card numbers to place fraudulent orders. Britain’s Daily Mail
newspaper
quoted a detective who said police had confiscated “a pile of stuff” from
the homes of Gray and his accomplice.
Gray also apparently used a card stolen from an online retailer named Albion’s MO to register one of the sites
where he posted stolen card numbers and diatribes about e-commerce security.
According to Robert Koseluk of Carmel, Indiana, he received an unauthorized
charge for $198 to register and set up a site at free-creditcard.com. Gray
also apparently used a card stolen from Stacy Yaple of Jacksonville,
Fla., to register another site, e-crackerce.com.
Lee of Console King said that Gray apparently had financial problems. Lee
also said Gray would often borrow small amounts of money from him.
“He never had any money. I had to lend him money for a haircut and for
lunch. He came into work stinking and wore the same clothes everyday. I had
to speak with him about his personal appearance and hygiene,” said Lee.
At his Web sites,
Gray has argued that he broke into other sites to shame operators into
improving their shoddy security. Tim Ward, owner of feelgoodfalls.com, a
site that Curador hit around the end of February, said Curador has had his
desired effect.
“There’s some good that came out of this. We never intended to expose
anybody’s card numbers, but what he did resulted in us being more secure,”
said Ward, who revealed that his mother-in-law built the site at
feelgoodfalls.com using Microsoft StoreFront. In the wake of the break-in,
Ward has hired a security consulting firm to batten down the hatches.
Michael Vatis, director of the FBI’s National infrastructure protection
center, said Friday that regardless of a cracker’s motives, breaking into a
site is stil
l a federal crime.
“If someone gains unauthorized access to a computer that’s engaged in
interstate or foreign commerce, that access is a federal crime, whether the
state of security is poor or excellent,” said Vatis.
Reuters reported Sunday that one of the credit
cards that Curador had stolen belonged to none other than Microsoft Chairman
Bill Gates. The report apparently was based on information gleaned from one
of Curador’s Web sites where he posted stolen credit card numbers.
But that site, which is mirrored here,
contains information suggesting the Reuters report is inaccurate. For
example, the credit card number Curador posted and claimed was Gates’ has
only 12 digits, and the first four do not match any algorithms used by Visa,
Mastercard, Discover, American Express, or any of the other major credit
card companies.
A spokesperson for the U.S. Secret Service, which investigates credit card
fraud, would not comment on Curador’s claims, although he did say that the
card appeared to be missing numbers.