he was sixteen and from Russia - he e-mailed CD Universe and demanded one hundred thousand dollars. If the website didn't pay, he threatened to divulge the card numbers on the Internet. If he was paid, he said he would fix CD Universe's security bugs, destroy the stolen card files, and forget about their store forever.
Well, CD Universe officials refused to respond to blackmail. On Christmas Day, Maxim made good on his threat. He set up a website that he called Maxus Credit Card Pipeline and began listing some of the stolen credit card numbers, adding new numbers on a daily basis. With a click of one's mouse, anyone who logged onto the site could pick up a credit card number, name, and address.
The website operated for two weeks before some security experts found out about it and alerted the Internet service provider that was unknowingly hosting the site. The provider promptly shut it down. By that point, however, a traffic counter suggested that a few thousand visitors had downloaded more than 25,000 credit card numbers. Maxim also claimed that he had used some of the cards himself to raise some money.
The e-mail trail on the hacker suggested that he was indeed somewhere in Eastern Europe, making it difficult for American law enforcement to touch him.
Not long ago, someone broke into Western Union's website and accessed 23,000 credit card numbers and expiration dates. Western Union had to call all 23,000 customers and tell them to cancel their credit cards. These were people who, a week before, had innocently transferred money through Western Union using their cards. You'd think a company of Western Union's magnitude would have a secure website, but it didn't.
An editor at MSNBC, hearing about hackers wreaking havoc day after day, said that if it's so easy to break into websites, why can't my reporters do it? So he told two of his reporters to go home and get online and see if they could download credit card names, numbers, and expiration dates. He assumed it would take a couple of days. They were back within a few hours with 2500 credit card accounts.
The problem is, too many e-commerce companies don't care if credit cards get stolen through their site, because it's generally the credit card companies' problem, and it costs staggering amounts to ensure security. If you're Bank of America or Citicorp, it's worthwhile to spend $50 million or $100 million to secure your site. But if you and I are selling outdoor lightbulbs or cheese, we're not going to spend $50 million. Where would we get it?
WHAT'S BEING DONE
The Internet is so widely considered to be lacking in security that companies have been forced to conceive of new ways to pay online. Late in 2000, American Express announced what it called a "private payments" service for credit card charges on the Internet. In effect, it's a disposable credit card. We've got disposable cameras and disposable contact lenses, so why not a disposable credit card? The way it works is that a customer registers on American Express's website, entering a name, password, and account number. Then the customer gets a private payment number that can be used once and only once. When you make a purchase online, you use that number rather than your regular credit card. As soon as the transaction clears, the number is worthless to anyone who gets hold of it. So if you want to send some flowers to Mom, you punch in the number, you've got the flowers, and that payment number is immediately void.
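To make the single-use idea concrete, here is a small model of the issuer's side of such a scheme. This is an added illustration, not American Express's actual code or protocol; the class name, the 16-digit format, and the sample account and merchant names are all constructed for the example. The point it shows is the one the paragraph makes: the merchant only ever sees the disposable number, the real account number stays with the issuer, and once the number has been used, anyone who later steals it from the merchant's records gets nothing.

```python
"""Hypothetical issuer-side model of a single-use ("disposable") payment number.

Added illustration; not American Express's actual system.
"""
import secrets


class OneTimeNumberIssuer:
    """Issues payment numbers that authorize exactly one transaction."""

    def __init__(self):
        # Issuer-private ledger: disposable number -> real account and state.
        self._ledger = {}

    def issue(self, account):
        """Give a registered customer a fresh, unused 16-digit payment number.

        The customer hands this number to the merchant; the real account
        number never leaves the issuer.
        """
        while True:
            number = "".join(secrets.choice("0123456789") for _ in range(16))
            if number not in self._ledger:
                break
        self._ledger[number] = {"account": account, "used": False, "merchant": None}
        return number

    def authorize(self, number, merchant, amount):
        """A merchant's charge request as it arrives at the issuer.

        Returns (approved, reason). The first valid use marks the number
        spent; every later presentation of the same number, by the merchant,
        by the customer, or by someone who copied it out of a breached
        order database, is declined.
        """
        entry = self._ledger.get(number)
        if entry is None:
            return False, "unknown number"
        if entry["used"]:
            return False, "already used"
        entry["used"] = True
        entry["merchant"] = merchant
        return True, "approved"


def demo():
    """Legitimate purchase followed by an attacker's replay of the same number."""
    issuer = OneTimeNumberIssuer()
    number = issuer.issue("real-account-0001")        # constructed sample account
    first = issuer.authorize(number, "flower-shop", 39.95)
    # Later, the number is lifted from the florist's order records and retried.
    replay = issuer.authorize(number, "electronics-outlet", 899.00)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, "approved")` for the florist and `(False, "already used")` for the replay. Note that the protection depends entirely on the issuer's ledger: the number itself carries no secret, so nothing the merchant stores is worth stealing once the charge has cleared.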
American Express also offers a Blue card. If you order one, the company supplies you with a smart-card reader that gets attached to your home computer. It works pretty much the same way that a card reader does at the gas station or department store. The card has to be placed in the reader, which authorizes a purchase only after the correct PIN is typed in.
Visa has been testing an online verification system of its own. One version goes like this: when you make a purchase over the Internet at a retailer's website, a small window appears on the screen that asks for a password. When you type it in, that password is transmitted not to the store's site but to the bank that issued the card. This makes it harder for someone who has a stolen card number to use it, because unless the bank verifies that password, the transaction won't be processed.
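The essential design point in that scheme is who sees the password. Below is an added, hypothetical model of the exchange (not Visa's actual protocol; the class, the card number, merchant names and amounts are constructed for the example). The password goes only to the issuing bank, which returns an authorization code bound to the card, merchant and amount; the merchant presents that code at settlement and never handles the password at all. A thief holding only the card number cannot obtain a code, and a code captured from one purchase is useless for a different one.

```python
"""Hypothetical model of issuer-side password verification for an online
card purchase. Added illustration; not Visa's actual protocol."""
import hashlib
import hmac
import secrets


class IssuingBank:
    def __init__(self):
        self._creds = {}                     # card -> (salt, password hash)
        self._key = secrets.token_bytes(32)  # bank-internal MAC key

    def enroll(self, card, password):
        """Customer registers a password with the bank, never with any merchant."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._creds[card] = (salt, digest)

    def _auth_code(self, card, merchant, amount):
        msg = f"{card}|{merchant}|{amount:.2f}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, card, password, merchant, amount):
        """Handles the password typed into the pop-up window.

        Runs at the bank, not at the store. Returns an authorization code
        tied to this card, merchant and amount, or None on failure.
        """
        cred = self._creds.get(card)
        if cred is None:
            return None
        salt, stored = cred
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, stored):
            return None
        return self._auth_code(card, merchant, amount)

    def settle(self, card, merchant, amount, auth_code):
        """Merchant presents the card number and the code it was handed.

        The bank pays only if the code matches this exact card, merchant
        and amount; a code lifted from another purchase does not verify.
        """
        if auth_code is None:
            return False
        return hmac.compare_digest(self._auth_code(card, merchant, amount), auth_code)


def demo():
    """Legitimate purchase, a thief with only the card number, and a code replay."""
    bank = IssuingBank()
    card = "4111000011110000"                       # constructed sample number
    bank.enroll(card, "s3cret-passphrase")
    # Customer: the pop-up sends the password straight to the bank.
    code = bank.authenticate(card, "s3cret-passphrase", "bookshop", 24.99)
    legit = bank.settle(card, "bookshop", 24.99, code)
    # Thief knows the card number but not the password: no code is issued.
    stolen = bank.authenticate(card, "guess", "electronics-outlet", 899.00)
    # Replaying the bookshop code against a different merchant and amount fails.
    replay = bank.settle(card, "electronics-outlet", 899.00, code)
    return legit, stolen, replay


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, None, False)`. A production issuer would additionally bind the code to a transaction identifier or nonce so the same code cannot be settled twice for the same merchant and amount; that refinement is omitted here to keep the exchange described in the text visible.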
In my