AP NEWS
Related topics

Teens Accused of Credit Data Theft

March 24, 2000

WASHINGTON (AP) _ Two 18-year-old boys were arrested in Britain on charges of breaking into e-commerce Internet sites in five countries, stealing information on more than 26,000 credit card accounts and posting some of it on the Web, the FBI said Friday.

Many of the credit cards belonged to U.S. citizens, Michael Vatis, head of the FBI’s National Infrastructure Protection Center, said in an interview with The Associated Press.

The pair was arrested in connection with intrusions into nine e-commerce Web sites in the United States, Canada, Thailand, Japan and the United Kingdom over the past several months, he added.

The two, whose names were withheld under British law, were arrested at their home Thursday by the Dyfed-Powys Police Service, FBI spokeswoman Debbie Weierman said. The Dyfed-Powys Police said they were arrested in Clynderwen in southwest Wales and released on police bail after being questioned.

The intrusions, conducted under the screen name, ``Curador,″ could result in losses of more than $3,000,000, the FBI estimated.

That amount would cover the credit card industry’s average cost of closing more than 26,000 accounts and issuing new cards, Vatis said. He said there would be other costs, including repair of the Internet sites and any losses suffered by credit card holders whose numbers were improperly used.

``Curador″ most recently claimed credit for obtaining 23,000 credit card numbers and publishing 6,500 of them on Web sites he created across the Internet. Service providers several times shut down his Web site, which resurfaced elsewhere sometimes within hours.

One of his Web sites recently said, ``It’s now time to return to the task at hand. Which is of course proving how insecure most e-commerce sites are, in fact several of the sites I have cracked have been still vulnerable days after I posted my page with links to them...″

″... I would like to thank the nice people at ALL the Sites I Cracked for having left their entire sales database, readable & writeable for any one who bothered to check their site out.″ He also thanked Microsoft chief Bill Gates this way: ``Any guy who sells products Like SQL Server, with default world readable permissions can’t be all BAD.″

Computer experts believe a 2-year-old security hole in Microsoft Corp.’s Internet Information Server software let a hacker download thousands of credit-card numbers from e-commerce sites and post them on the Internet. A patch has been available for 18 months, but small companies have not had the resources to employ it.

Among the sites ``Curador″ claimed to have hacked were: http://www.shoppingthailand.com; http://www.promobility.net; http://www.ltamedia.com; http://www.ascp.org; http://www3.ntd.co.uk; http://www.visioncomputers.com; http://salesgate.com, and http://www.feelgoodfalls.com.

Vatis declined to identify the e-commerce sites that were victimized. He said authorities were still investigating the extent of losses suffered by credit card holders.

He said authorities first learned of the problem in several ways, including reports from some of the victimized Internet sites and from the posting of some of the credit cards on the Web.

The case was investigated by the FBI, the Dyfed-Powys Police Service, the Royal Canadian Mounted Police and Internet security consultants.

The international banking and credit card industry also provided substantial cooperation, the FBI said.

``This case demonstrates that cybercriminals cannot hide behind international boundaries and escape notice,″ Vatis said. ``This is why we have worked so hard to build alliances with industry and our foreign counterparts.″

AP RADIO
Update hourly