March 24, 2000 12:25 PM PST

British police charge teens with online credit card thefts

Police in Wales arrested two teenagers on charges of hacking into Web sites and stealing tens of thousands of consumers' credit card numbers.

The 18-year-old suspects, who live in a small village of about 700 people in southwest Wales, were arrested yesterday and charged under Britain's Computer Misuse Act of 1990. The names of the suspects, who were released on bail, were not disclosed by British police.

The teenagers are accused of stealing information related to more than 26,000 credit card accounts and posting the numbers on the Web using the nickname "Curador," according to the Federal Bureau of Investigation. The Web sites hit were based in the United States, Canada, Thailand, Japan and Britain, the FBI said.

The bureau added that the losses connected with the computer break-ins could exceed $3 million.

As earlier reported by CNET, a hacker going by the name of Curador claimed responsibility for at least eight Web site break-ins in four countries. All the sites were relatively small, ranging from e-commerce marketplace to the American Society of Clinical Pathologists site.

In a letter posted online, the hacker claimed to have taken advantage of a known bug in Microsoft software to read sites' commerce databases and to download more than 23,000 credit card numbers.

The arrests were welcome news to the hacked sites--and to an e-commerce industry facing renewed concerns about online security and privacy. Several other high-profile incidents of online credit card theft have made headlines in recent months, and the memory of the massive distributed denial-of-service attacks which temporarily shut down sites including Yahoo and eBay is still fresh in people's minds.

Another incident, in which a hacker named "Maxus" obtained close to 350,000 Shutdown
special report credit card numbers from e-commerce site CD Universe and then tried to extort money from the Web company, also made headlines early this year.

One security consultant hired by a firm hacked by Curador said the case showed that even relatively inexperienced hackers, far from the mainstream of high-tech society, can do serious damage.

The hackers left a clear digital trail for investigators to follow, said Chris Davis, a Canadian security consultant with Tyger Team.

"Their sophistication level was very low," he said. "They were sophisticated enough to get into the sites. But obviously they were not as bright as they thought they were."

In each of the eight cases for which Curador took credit, a well-known bug in Microsoft's e-commerce software allowed the intruder to download credit card information from the Web sites' databases, the victims have said. In several of the cases, the hacker left a digital trail that pointed to a single Internet service provider in the United Kingdom and left an identical digital "fingerprint," Davis said.

Microsoft released a patch for the security hole in mid-1998, and it has since sent several bulletins to software users asking them to download and install it.

Curador also apparently registered several domain names using stolen credit card numbers and later used those names to post the numbers online, Davis said. A credit card used to register "" belonged to a Jacksonville, Fla., postal worker, Stacey Yaple, who reported the incident to the FBI after she saw Curador's site.

For the domain name "," also used to post the credit card information online, the hacker gave a fictitious company address in Swansea, Wales, a town just a few miles from the suspects' homes.

The arrests could help assuage the fears of some consumers worried about the Security, privacy issues make Net users uneasy safety of their financial information online, analysts said.

"I think anytime both consumers and retailers feel like government can actually do something about the problem, and that there are real penalties, then they will feel more confident shopping," said Jamie Lewis, CEO of the Burton Group, a high-tech consulting firm in Salt Lake City.

The case should underscore the need for businesses to ensure that all online security holes have been closed, analysts added.

Law enforcement officials have not made any arrests in several other high-profile cybercrime cases, including the CD Universe case and the denial-of-service attacks on Yahoo and others.

1 comment

Join the conversation!
Add your comment
Hello my name is Brittany and i am here to talk to you about this subject. I think that it's a good idea to still have the police involved because then they can stop the person. But if someone gives it back and they are sorry about what they did shouldn't that give the person the right so let it go and say that they aren't allowed near them or their vehicle or something like that?I am in that postion kindof right now because it's happened but i know that it was wrong but i apoligized to the person and i told him that i had some problem and i knew that it was wrong and i made the right decision to tell the person the truth....
thanks and hope to hear from you all as well

PS my e-mail is if you want to talk to me
Posted by brittyboo1989 (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.