Hacker Finds a New Home for Stolen Cards

Curador, the online credit-card thief who has penetrated the security mechanisms of several e-commerce sites, is master of his own domain again.

The cracker, who has been posting thousands of stolen credit cards at a
succession of personal Web sites for the past six weeks, opened up shop
Friday at a new location.

Curador, who calls himself “the custodian of e-commerce,” claims to have
stolen over 23,000 credit cards from eight small sites over the past six
weeks. After each hit, he’s posted several hundred additional card numbers
and customer names and addresses online in what he calls his “Hall of
Shame.” And each time he pops up online with a new site, Web hosting firms
and domain registrars have responded by shutting it down. Curador has said
he uses stolen credit cards to pay for the domain registrations.

Who-is records from Network Solutions’ WorldNic registration service reveal
that Curador’s new site is registered to Fibres Solutions of Swansea, Wales.
No valid phone or e-mail contact information was provided.

Although Curador claims to have cracked some new sites, he has not yet
published their names or posted any card numbers or other customer records
obtained from them.

Spokesperson Chris Clough said NSI is investigating the incident, but the
registration firm has no way of preventing such occurrences. Clough added
that the proposed acquisition of Network Solutions by digital certificate
firm Verisign could result in new authentication services that could prevent
such fraudulent registrations.

According to a source close to the investigation, law enforcement officials
are still gathering and analyzing evidence against Curador, including log
files from his previous victims.

While Curador registers personal sites to get attention for his exploits and
to taunt law enforcement officials, that isn’t the modus operandi of a
cracker who reportedly stole half a million credit cards from an online
retailer last year.

According to a report published Friday by MSNBC, a cracker broke into
an unidentified e-commerce site in January 1999 and subsequently hid the
485,000 stolen card numbers, along with customer names and addresses, at an
unspecified U.S. government agency’s Web site.

Although the stolen cards were discovered the following March of 1999,
credit card issuers were unaware of the theft until last December, when Visa
USA notified its member institutions of the break-in.

A spokesperson for Visa said there was no evidence that the cards had been
used fraudulently. Nor were the unidentified cracker’s motives apparent for
stashing them within the government site.

While the incident may lead some to conclude that Visa was negligent for not
notifying card issuers and card holders more promptly, experts say the
company’s conduct was not improper.

“While Visa and Mastercard do try to combat fraud, they don’t have a legal
obligation to do anything in these situations. So I don’t think its fair to
say they acted improperly,” said Anita Boomstein, an attorney with Hughes
Hubbard & Reed in New York.

According to Boomstein, a specialist in credit card law, it’s up to
individual banks and other card issuers to watch for fraudulent charges and
decide on a case-by-case basis whether to cancel a card number and issue a
new one.

News Around the Web