Credit-card numbers stolen via known security hole
(IDG) -- A 2-year-old security hole in Microsoft Corporation's Internet Information Server (IIS) software let a computer cracker download thousands of credit-card numbers from e-commerce sites recently and post them on the Internet.
A patch for that hole has been available for 18 months. But webmasters at small companies say they don't have the resources to keep up with all of the patches needed to keep out malicious hackers, also known as crackers.
"In a lot of companies, you have one system/admin guy who goes around and fixes computers, and you can't keep up to date with all the patches," said Eric Geiler, a principal at Promobility Inc. in Markham, Ontario. The wireless phone seller had 50,000 to 70,000 credit-card numbers downloaded from Web sites it runs.
Geiler said the credit-card numbers, which include his personal credit card, were stolen along with customer names, addresses and phone numbers.
The cracker, who calls himself Curador, has exploited the IIS hole to steal credit-card numbers from several e-commerce sites.
Chris Davis, a partner at Tyger Team Consultants Ltd., an Ottawa-based security firm, said other victims included:
SalesGate.com, owned by Buffalo, N.Y.-based Internet Management Services Inc.
LTA Media LLC in Knoxville, Tenn.
Feelgoodfalls.com, a health site owned by Raleigh Professional Pharmacy in Denver.
Davis said Curador is being pursued by investigators in Canada, the U.S., the U.K. and Thailand, where authorities are looking into a breach at the Shoppingthailand.com site.
Geiler said he delivered evidence of the theft to Royal Canadian Mounted Police investigators, who are still pursuing the case, and he's pressing charges of trespassing, fraud and vandalism.
But Geiler said he's still puzzled as to why Curador targeted Promobility's Web site. "How the hell did he even find us? We are nobody. Why did he pick us?" Geiler wondered.
A Microsoft spokeswoman said the company created a patch for the hole in July 1998 and reissued the warning in July 1999, when it became clear that users weren't installing it.
"Microsoft takes this very seriously, because even after a bulletin is issued, Microsoft looks poorly" if the security gap remains, the spokeswoman said.
Promobility's Geiler said many small e-commerce sites neglect security. "The biggest flaw you can have is to go into business undercapitalized. And one of the biggest traps you can fall into is not to fund your IT security," he said.
© 2001 Cable News Network. All Rights Reserved.