Your credit card information is coming under more frequent attack on the Internet than ever before.

A study released on Monday by Symantec Corp. says electronic commerce has become the favourite target of computer hackers.

Increasing numbers of international hackers are searching for people’s bank account and credit card details, instead of trying to infiltrate corporate and government systems or cause other mischief.

Attacks against the e-commerce industry worldwide have increased four-fold in the six months ending in June this year, compared to the previous six months, according to the study by Symantec, which specializes in security and anti-virus software.

It took a Vancouver Sun reporter just 30 seconds on Monday to crack an online shopping cart program with the help of a computer security consultant and pick up credit card numbers and other personal information.

The Sun didn’t hack into the program because it’s illegal to do so.

Chatting online, however, is not against the law and it took just another five minutes in a hacker chat room to acquire the name, street address, e-mail, credit card number, expiry date and security code for the combination debit/credit card belonging to a woman in California. Contacted at home, the woman said she still had the card in her wallet and had no idea everything needed to access her bank and credit accounts was freely available on the Internet.

Despite the efforts of security specialists and companies to protect against online attacks, this experiment by The Sun shows it is easy to come up with a so-called “fresh” credit-card number.

Ryan Purita, a senior security consultant with Totally Connected Security, demonstrated how simple it is to hack into the data files of a company involved in electronic commerce. He quickly guided The Sun through the process of uncovering vulnerable software, determining what companies were using that software, picking up the code online and exploiting the vulnerability.

Hackers are getting more efficient, narrowing the time frame between the announcement of vulnerability in software and the emergence of code to exploit the weakness. You can now find code to crack vulnerable systems just 5.8 days, on average, after the vulnerability is announced. That’s down from the last six months of 2003, when it would take a week. And the code is no further away than your Internet browser.

The Symantec study also found a rise in unauthorized “bot” networks — vast armies of computers that are being remotely controlled without their owners’ knowledge.

In a single day over the six-month reporting period ending in June, 75,000 remotely controlled computers were added to the number of monitored bots. The average number rose from under 2,000 to 30,000 a day during the first six months of this year.

Once a computer is remotely controlled, it can be used to launch denial-of-service attacks; it can also provide personal information that can be sold and traded and otherwise disrupt online service and commerce.

Vulnerabilities are outpacing the ability of many businesses to cope, with organizations facing more than seven new vulnerabilities a day — a significant percentage of which Symantec reports could result in “a partial or complete compromise of the targeted system.”

Companies that are highly security conscious and those that have large tech security departments, or outsource their security to experts, are the ones likely to plug those vulnerabilities quickly. However, that leaves a huge number of companies that don’t have the resources or the knowledge to keep their security systems current.

Stolen credit cards are not necessarily ones that have been used online. Hackers can use the techniques to try to get into the data files of any company that uses the Internet. So even if you have never bought online, you could still find yourself the victim of a hacking attack if you used a credit card to buy from a company — say a pizza shop — that uses the Internet in its business.

While hacking tools are making it easier for even the technologically inept to wreak havoc online, the criminally inclined don’t even need to hack to come up with lucrative credit-card numbers and other valuable information.

The Sun signed into an online chat room, and with Purita as guide, was able to link up with someone offering fresh credit cards.

“I have cc fresh with cvv2 … i need cc full info ssn … etc … pm me for trade,” was the offer made in the chat room, which at the time had about 75 people signed on.

Following Purita’s careful instructions to write in chat-room style (any hacker will recognize a novice who doesn’t speak the jargon), The Sun claimed to have credit cards “w/SSN.”

That piqued the interest of our online contact, who asked if the SSN was working, and once convinced of that, agreed to send one of his CCs for a test.

At that point, Purita said, a trader seriously engaged in the transaction would test the card by making a small donation to an online charity. If it worked, the parties could agree to a deal to defraud hundreds or thousands of credit cards.

“You don’t need to be a good hacker to steal credit cards,” said Purita, who demonstrated this by posting his own credit card number in the chat room. He instantly received the number on the back of his card, which is supposed to ensure the card’s security, plus the news that he had a $1,000 limit on the card.

This made it a less desirable target than the 1,000 high-limit cards which were for sale at the time in the room.

“The most credit cards I’ve seen scrolled was over 10,000 in three days,” said Purita. As for online shopping cart software, Purita said it is rife with vulnerabilities.

“Shopping cart programs are riddled with holes and they have been since day one,” he said.

The little lock you see in the corner of your screen on a secure site isn’t a guarantee your personal information won’t end up in the wrong hands. Purita said once the information is in a company’s database, it is vulnerable to a hacker breaking in and stealing it.

“They aren’t looking to steal one credit-card number, they are stealing 50,000 numbers from a database,” he said.

Michael Murphy, general manager of Symantec Canada, said “phishing” and spywork scams are most popular today.

Phishing, an online version of a criminal fishing expedition, is a scam in which a computer user is presented with a request for personal and financial information — ranging from account numbers to passwords — from someone posing as a reputable organization, such as the user’s bank. While security software like that offered by Symantec includes safeguards against releasing such information, there is no way to prevent a user from answering the request if they are fooled into thinking it is legitimate.

“Phone the bank and they will tell you, ‘We do not conduct business this way,’ and no reputable business will,” Murphy said.

Murphy said the rise in online attacks can be attributed to a desire by the attackers to make money.

“Once an attacker can monetize their efforts, that’s what they are going after,” he said. “Before that, it was peer acceptance, bragging rights. Today, groups of attackers are more organized, more sophisticated. It is no surprise e-commerce and web-related industries are the target. Clearly it is an economics-driven thing.”

Murphy pointed to stats showing that in 2003, U.S. banks and credit-card companies estimated phishing resulted in close to $1.2 billion US in damages, with 1.78 million individuals falling victim to the scam.

“Phishing scams have become the modern-day phone scams,” said Murphy, referring to fraud rackets in which the elderly and other victims were talked into opening their bank accounts or credit cards to unscrupulous phone solicitors.

Staff-Sgt. Bruce Imrie of the RCMP’s technological crime unit said consumers and businesses must be security savvy and take the time to understand and implement online security measures.

“In the industry as a whole, it is a continuation of a trend. It is not a new trend, but perhaps there has been an exponential increase,” he said. “Phishing has increased tremendously.”

Imrie said should consumers should not only ensure they are dealing with reputable online businesses, but also that the business’ security is sound.

“I would hesitate to say all e-commerce sites are that vulnerable, but certainly there will be vulnerable e-commerce sites,” he said. “There are vendors who are not right up to date.”

Imrie said computer users must also be aware of the vulnerability of their own computers to attack, even if they don’t shop online.

While it used to take opening an attachment to trigger a Trojan horse or worm that could take over your computer, today you don’t even have to do that to unwittingly allow an outsider to infiltrate your computer system.

Irmie urged consumers to:

– Update their software, including the operating system, regularly and as soon as updates become available.

– Use virus protection.

– Install both hardware and software firewalls.

– Be careful about sharing your credit-card information online and ensure you are dealing with sites that will safeguard the information and consider if you shop online, using a card for only that.

HER DATA ON NET LEAVES SHOPPER IN SHOCK, FEAR:

Colleen Ginsberg’s combination credit/debt card was stowed safely in her wallet when she got the call from The Vancouver Sun saying everything from her card number and expiry home address were being freely offered on the Internet.

“That’s horrible,” gasped Ginsberg. That isn’t her real name, but since she is already facing a security nightmare, cancelling her cards and trying to safeguard her bank accounts, we have chosen not to identify her.

“I’m hyperventilating right now.”

At first Ginsberg was mystified by the call from a Vancouver Sun reporter. This isn’t a crank call, she was assured, but you may want to know your credit card information has been compromised and you should cancel it.

The Sun gave her the credit card number, complete with expiry date, along with her home phone number, address and e-mail address. She couldn’t believe it. She also had several cards and didn’t know which it was. In minutes, she was back on the phone, even more aghast.

“It’s really scary because that was my debit card linked to my entire bank account,” she said. “We use that to check our balance online, to check our company balance, transfer money and stuff.

“I’m debating whether I should cancel all my credit cards.”

Ginsberg buys online regularly, but she uses more than one card and the last time she remembers using the card that appeared online was a month or two ago.

“I’m thinking I should change my phone number. I’m scared now.”

© The Vancouver Sun 2004