Hacker taps into 24,000 credit cards

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

June 25 2000 BRITAIN

Hacker taps into 24,000 credit cards

Maurice Chittenden

A COMPUTER hacker has breached the security of a pioneering internet service provider to obtain the names, addresses, passwords and credit card details of more than 24,000 people. The victims include scientists at the top-secret Defence Evaluation and Research Agency, senior officials in the government, BBC bosses and executives at companies such as Shell, Barclaycard and Halifax.

The hacker, an information technology consultant, says that he targeted Redhotant to expose security lapses.

The Kent-based company is at the forefront of a new style of internet provision: subscribers pay as little as #30 a year for unlimited access to the web with no additional phone charges. It aims to attract half a million users in Britain, but its critics say it is failing to cope with demand.

Trading standards officers are investigating complaints that people have had difficulty getting online, although the company claims to have a line for every nine customers.

The company, which has taken up to #1.5m in subscriptions, says it plans to double capacity. Last week it was offline for several days and blamed a technical hitch after a thunderstorm.

The consultant who obtained the details of Redhotant's subscribers broke the data protection law but says he did it only out of public interest to highlight lack of security.

He used a proxy, a device normally used for disguising the identity of a user, as an intermediary to search the site for files.

Among them he found the customer database. Only those connected to the company's internal network are supposed to access it. The hacker got around this by typing in: "referrer: the intranet site".

He said: "It was child's play. I didn't actually need to hack in the normal sense because I didn't need any passwords. It was like rooting around in bins for a key and then finding there was a wide-open side entrance.

"Redhotant's biggest mistake was keeping its own records on the same disk and machine as all its services."

He added: "I sent them a couple of e-mails alerting them to the problem but they ignored it. The lesson is simple. Don't put anything on a website that you wouldn't put on a billboard."

Redhotant is part of the Jak internet group, which operates from offices near the Channel Tunnel in Kent.

Kevin Packwood, a director, said he was unaware of the security breach. He said: "I would be very surprised if somebody could get that far. Our security measures should have been able to see it happening and alarms would have sounded."

http://www.sunday-times.co.uk/news/pages/sti/2000/06/25/stinwenws01002.html

-- Martin Thompson (mthom1927@aol.com), June 26, 2000


Moderation questions? read the FAQ