Hacker Posts Credit Cards

By CBSNews.com staff CBSNews.com staff

January 10, 2000 / 10:26 AM EST / CBS

If you're one of those consumers who experimented with Internet shopping this Christmas, CBS News Correspondent Jim Stewart reports, then this latest news can hardly be reassuring: A teen-age hacker in Russia wormed his way into an online music store, and then apparently swiped every one of its customers' credit card numbers. He told CD Universe he would safely destroy the information - but only if paid $300,000.

Computer security analysts are calling it the biggest internet extortion plot ever.

"There are two things unique about this case," John Vranesevich told CBS News. "Number one is the obvious financial motivation. And second is the sheer number of customers affected."

Some 300,000 credit card numbers may have been stolen, and when the company refused the thief's demand, he handed out thousands of them on his Internet Web site before it was shut down.

Investigators believe it all began when the Russian hacker found a way to penetrate the company's security software.

He then sent the CD company a message demanding $300,000 "or I'll sell your cards and tell about this incident in the news."

"To think you could have a 19-year-old sitting in Russia and affect a major multi-million dollar corporation in the United States, in the past is rather absurd, it would have been laughed at," said Vranesevich. "Today we see time and time again the effect an individual, in this case a teen-ager, can have literally from his bedroom."

This crime may send cyber-shoppers back to the mall.

"I might put off buying music and stuff (on the Internet) until I find out what happened," said Carol Schmaltz, 19, a student at DePaul University who was browsing through compact discs at a downtown music store in Chicago.

"Everybody is talking about it," he said. "Just the amount of people whose card numbers were stolen, if the story is true - how could that many numbers be stolen like that?"

Melissa Shore, an analyst at Jupiter Communications, said for people who are not yet comfortable shopping by computer, the hacker's exploits will make them shy away even more.

A survey last year by Jupiter found that 65 percent of people who browsed for merchandise by computer but did not buy online would be more likely to buy if security were tightened.

She said CD Universe's experience will prompt other Internet retailers to improve security.

E-commerce analysts said it was only a matter of time before a case of hacker blackmail was made public, claiming that many other attacks go unreported.

"It is a public relations disaster of incredible scale for the company," said Charles Rutstein, an analyst at Forrester Research Inc. "In terms of the actual consumer, their liability is at most $50 or zero. The problem is the loss in consumer confidence."

In general, credit card holders are responsible for only up to $50 of any unauthorized charge.

Some consumers said he news would not impact their buying habits.

"The Internet is no better or worse than a phone call and I don't hesitate to order by phone," said Milburn, N.J., resident Andy Cohen outside of the RCS computer store in New York.

Steve Demmet, a New York resident, agreed.

"Online is scary to begin with and online shopping adds fear to people, but there's no difference," said Demmet, a digital ad processor. "If something's going to be stolen, it's going to be stolen."

The FBI has been called into the CD Universe case, but so far it's not even clear how the hacker got into the files - much less who he is - where precisely he lives...and how to prosecute him, should he ever be discovered.

"The Internet is indeed a splendid tool of wonder, but there is a dark side of hacking, crashing networks and viruses that we absolutely must address," Attorney General Janet Reno told several hundred members of the National Association of Attorneys General at Stanford University on Monday.

Reno rolled out details of what she called "LawNet," an online law enforcement agency that could cross local, state and even international borders with warrants, subpoenas and requests for information.

She said the agency, led by an around-the-clock team of computer and law enforcement experts, should be able to work quickly and without the red tape that can slow investigations.

"I envision a network that extends from local detectives to the FBI to investigators abroad," said Reno.

She also proposed a new interstate compact to ensure enforcement of out-of-state subpoenas and warrants stemming from Internet investigations.

An FBI survey of Fortune 500 companies found 62 percent reported computer security breaches during the past year, she said.

The LawNet proposal partially addresses a directive President Clinton issued last year to encourage law enforcement and crucial industries in the country to set up information-sharing networks.

Attorneys at the conference responded to the LawNet proposal with a standing ovation and said they need new tools.

"I'm very enthusiastic about this plan to get us all together," said California Attorney General Bill Lockyer, adding that jurisdictional issues will be particularly important to decide. "There are a lot of questions about which law applies, and even who is going to enforce that law."

Reno said LawNet would attempt to handle many of those jurisdictional questions.

The network also would focus on privacy issues, protecting consumers from invasions like the CD Universe extortion case, Reno said. In that instance, a hacker stole credit card numbers from the Internet music retailer and posted them on a Web site after CD Universe refused to pay the hacker $100,000.

"It is perhaps not Big Brother we should be worried about, but big browser," said New York Attorney General Eliot Spitzer. "We need to be fearful that the aggregation f information, if it is misused, is very terrifying."