The Security Mirage of the Browser Padlock

LaserWraith

Feb 24, 2011
After your secure SSL session ends, merchants can theoretically keep your entire customer profile in clear text. Attackers love to exploit vulnerabilities in online stores to steal that data.

During Anonymous’ Operation Payback, in which they conducted DDoS attacks against organizations that supposedly “wronged” Wikileaks, a part of the group suggested that they should try to embarrass these organizations in other ways. One of the proposed ideas was to create a fake list of several thousand credit cards, claiming that they had been compromised. They anticipated that this news would be perceived as shocking, causing damage to the reputation of their targets. Why the group eventually decided not to go ahead with the plan is unknown. A possible explanation would be that they learned the real number of compromised credit cards. The TJX compromise alone spanned 45.6 million cards, and the news media these days is filled with stories about other mass compromises, so a bogus story about a few thousand compromised cards wouldn’t even cause a dent.

The big compromises that hit the news only tell a part of the story. Since black hat hackers traded their morals for profit long ago, smaller online merchants have also been prey to hacking attempts. These merchants often use off-the-shelf shopping cart software, which is not invulnerable to exploits. As these exploits become public, the merchants that use these software products and do not patch their systems become prime targets for script kiddies and less sophisticated hackers. These attackers, who do not possess the skills to target giants such as TJX, follow a known procedure to exploit these vulnerabilities and obtain administrator access to these online stores. Once they’re in, the credit card credentials are harvested from the order logs. Administrator access to online merchants is known in fraudster terminology as “shopadmins” and is often traded in the underground markets. The card holders’ credentials, stolen from the order logs, are also traded in the underground.

Moral of the story, to me: If you are buying from a small merchant, use something like PayPal. Or, just buy from the big companies.
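Added example, not from the original post or from the quoted article: a small Python check for the failure mode the article describes, full card numbers sitting in a merchant's order logs long after the SSL session that carried them has ended. It scans log lines for 13 to 19 digit runs that pass the Luhn check, reports which lines hold them, and shows the masked form (last four digits only) that an order record may keep instead. The log lines and the `tok_` token format are constructed for the example; the card numbers are the standard public test numbers, not real cards.

```python
"""Find and mask primary account numbers (PANs) left in merchant order logs.

Added example: the sample log below is constructed, not taken from any
real merchant. Card numbers are the widely published test numbers.
"""
import re
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# glued to another digit on either side (so timestamps and order IDs next
# to a card number are not absorbed into the match).
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid card number with a mask that keeps the last four digits.

    The masked form is what an order record may retain for customer service;
    the full PAN and the CVV should never reach disk in the first place.
    """
    def _mask(m: "re.Match[str]") -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # Luhn-invalid runs (IDs, phone numbers) are left alone
    return _PAN_CANDIDATE.sub(_mask, text)


def scan_log(log: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the card numbers found on that line."""
    hits: Dict[int, List[str]] = {}
    for lineno, line in enumerate(log.splitlines(), 1):
        pans = find_pans(line)
        if pans:
            hits[lineno] = pans
    return hits


# Constructed order log: two lines store the full PAN (and CVV) in clear
# text, one holds a Luhn-invalid number that must not be flagged, and one
# stores only a payment-gateway token plus the last four digits (the
# hypothetical "tok_" prefix stands in for whatever the gateway issues).
SAMPLE_ORDER_LOG = """\
2011-02-24 14:03:11 order=10023 card=4111-1111-1111-1111 cvv=123 exp=05/13 total=49.99
2011-02-24 14:05:40 order=10024 card=5555 5555 5555 4444 cvv=321 exp=11/12 total=129.00
2011-02-24 14:07:02 order=10025 card=1234567890123456 total=19.95
2011-02-24 14:09:15 order=10026 token=tok_8f3a9c last4=0005 total=75.00
"""


if __name__ == "__main__":
    for lineno, pans in scan_log(SAMPLE_ORDER_LOG).items():
        print(f"line {lineno}: {len(pans)} card number(s) stored in clear text")
    print(redact_pans(SAMPLE_ORDER_LOG))
```

Run it against an exported order table or the shop's log directory and any hit is a finding on its own: the padlock only covered the wire, and the record at rest is what a "shopadmin" buyer walks away with. Note that masking after the fact does nothing about the CVV on the same line; the fix is for the checkout code never to write those fields.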