Defunct Web site leaks credit card info

From...

by Joris Evers

(IDG) -- Full details of hundreds of credit cards are out in the open. At the time of this writing Monday, all customer orders of a U.S.-based electronic commerce site, with pornography as the best-selling item, were openly available online without any protection.

The site lists information on more than 800 orders, all placed last year. More than 600 of these were paid by credit card. The numbers and expiration dates of the cards can be viewed by anyone. Order details also include the customers' names, mailing addresses, and the items ordered.

MORE COMPUTING INTELLIGENCE

IDG.net home page

PC World home page

How awareness can prevent cybercrime

Online porn business booms

Is the Web turning you into a pervert?

Reviews & in-depth info at IDG.net

E-Business World

TechInformer

Questions about computers? Let IDG.net's editors help you

Subscribe to IDG.net's free daily newsletters

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

The company, which according to Network Solutions' WHOIS database is based in Akron, Ohio, has a global clientele. Most buyers are from the United States and Canada; others come from Europe, South America, and Asia.

One of the customers is an employee of Europol, a European law enforcement organization based in the Netherlands. The employee, who is not an investigator but a member of the Europol IT department, ordered a video CD entitled "Tiny Women And Massive Erections." He had it sent to his work address. The e-mail address he gave when placing the order ends with @europol.eu.int.

Large-scale breach of privacy

The e-commerce Web site is no longer operational, and instead of a virtual shop, visitors are met by a directory listing. Clicking through the various directories gives access to different parts of the store. Besides pornography, the Web shop also sold jewelry and security items like pepper spray. Every directory has a subdirectory named "orders," in which information about individual orders is stored.

It is possible that many of the credit cards are still valid. Of the 600 cards, about 60 have not yet expired, including the card used by the Europol employee. With the expired cards it is fairly easy to guess the new expiration date. Many credit card companies send their customers new cards with the same number and add two years to the expiration date.

This large-scale breach of privacy is also politically sensitive. Some of the orders were sent to Pakistan, Saudi Arabia, Dubai, and Singapore. People who possess pornography in these Islamic countries can face harsh penalties, which could explain why one customer requested his purchase of two X-rated DVD discs to be stripped of any marks identifying the discs as porn. "They should look like raw DVDs or CDs," the purchaser entered as a "special instruction."

Credit card companies have been informed, as has the registered operator of the online shop, according to the Dutch Security Information Network, which first alerted Dutch IDG publication WebWereld to the security problem. A spokeswoman for MasterCard in the Netherlands says specialists are investigating the case.

AOL says hackers may have stolen credit card numbers
June 17, 2000
Will online escrow services protect you from auction scammers?
May 16, 2000
Online bill payment becoming popular with consumers
March 29, 2000
Two arrested in Wales for credit card theft costing $3 million
March 24, 2000
Credit-card numbers stolen via known security hole
March 13, 2000

Fake bank sites trick consumers
(Computerworld)
Online privacy 101
(The Industry Standard)
Is the Web turning you into a pervert?
(The Industry Standard)
Online porn business booms
(PC World.com)
Hell hath no fury...
(NetworkWorld Fusion)
Law and disorder on the Web
(Computerworld)
How awareness can prevent cybercrime
(Civic.com)
Free Web tools help you save money
(PC World.com)

The Online Security Superstore

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.