The apparent theft of 350,000 credit card numbers from CD Universe's Web site by a Russian teenager has sent several companies scrambling to repair the damage, and set off a worldwide manhunt by the Federal Bureau of Investigation.

After stealing the card numbers, "Maxus," the alleged perpetrator, told CD Universe he would not post them on a Web site if the firm paid him $100,000. When CD Universe refused, Maxus posted the numbers in early January. Several CD Universe customers already have said their credit cards were used for unauthorized charges. Before the Maxus site was shut down, a traffic counter indicated that several thousand visitors had downloaded more than 25,000 credit-card numbers between Dec. 25 and January 7.

American Express announced it was replacing compromised cards of the Web site's customers. Discover said it reissued about 10,000 cards. Discover's Cathy Edwards said although it wasn't yet clear if card numbers were misused, it was the only time she remembers the company recalling its cards, CNET reported. CD Universe was expected to announce a beefed-up security program. In the days following the Maxus caper, CD Universe's Web site privacy policy boasted that buying online was safe, and that 350,000 had made purchases without a problem.

Perhaps most significant was that the affair opened a window, albeit briefly, into a world of hackers dedicated to stealing credit card numbers, who call themselves "carders." On an Internet chat site, one carder said, "Maxus, you're da man! :) AMAZING site. how about adding a page with suggestions of things you can do with cards? that can be really useful. i'm sure many will agree with me :) keep on with the great work!"

Another said: "Hey MAN really great IDEA. I'm from Argentina Here the Credit Card Numbers are sold for about 15 dolars (sic). Hehehehe Is South America or what?" Another had this suggestion: "Max, Can you try adding the phone number of the CC Holder and the Bank's phone, Issuing bank :) thank you thank you thank you." Finally, a fourth carder asked, "When will there be fresh credit cards again Max?" (Naturally, no identities were available.)

Privacy Times sent an e-mail to one carder, asking for more information. His only reply: "hmmmm hackers... they dont harm.. they are forced to harm :) the word exploit is not only for computers... some human exploit other humans to :) thats why .."

In one e-mail, Maxus said he'd been involved in the illegal use of credit cards since 1997. He said he tried to create a legal online company that would take payments with a credit card processing system. But then he found he could subvert ICVerify, Cybercash's credit card verification software program, which is widely used by e-commerce merchants.

"In 1998," he wrote, "I hacked in to a chain of shops and got ICVerify program with necessary configuration files for transferring money." Using ICVerify, he was able to make a charge on a credit card and then give a chargeback refund to a second credit card, a system he said gave him an "almost anonymous" offshore credit card account, he claimed. He also claimed that he obtained cash form an automatic teller machine using this account after performing unspecified "tricks" with ICVerify.

While it's possible that Maxus cracked an encrypted file, experts said it's more likely that CD Universe's online log files stored the credit-card data in "plain text," making it readable to anyone who could hack the site. Some experts said ICVerify software logs each transaction, and, at the end of each day, saves the log file, credit card numbers and all, in a plain-text archive, MSNBC reported. Up to nine years of data can be saved, said one ICVerify reseller.

Maxus claimed that both CyberCash (ICVerify's owner) and Microsft were "lame because I can view their files in plain text," MSNBC reported.

"The real issue is, why are merchants storing the credit cards at all?" asked Jim Cannavinno, CEO of Cybersafe, which is promoting a new online transaction scheme that eliminates credit card numbers entirely.

This probably wasn't the first extortion attempt by a hacker. One MSNBC source said he once helped broker a deal where a London bank paid $1 million to destroy stolen data.

One CD Universe customer Joe Maloney of Boston, said there were 13 unauthorized charges of $250 on his Visa card, between Dec. 26 and Jan. 4. "I wasn't so upset about what happened as I was upset that CD Universe had not contacted me. They still haven't," Maloney told MSNBC Jan. 11. "I don't know if I'll be ordering anything from them for a while -- if ever."

In a follow up, MSNBC was able to view some 2,500 credit card numbers at seven e-commerce Web sites within about 20 minutes using elementary instructions provided by a source. Then MSNB turned its attention to GlobalHealthtrax, which sells health products using the multilevel marketing method. The site allows customers to pay for their monthly subscription of products by automatically deducting from bank accounts or through automatic charges to a credit card.

An unnamed source provided a link which, by merely clicking on, brought up a plain text file of customers, their home phone numbers, and in about 1,000 cases, bank account information - including account numbers, routing numbers, and even bank names. The records date from Nov. 19, 1998, through this month, though there are only a handful of new entries dated after May of 1999. GlobalHealthtrax immediately moved to fix the problem and blamed the incident on a disgruntled former employee. (http://www.msnbc.com/news/358952.asp?cp1=1)

(From Privacy Times, February 18, 2000)

FEARSOME FOURSOME FORMS CONGRESSIONAL PRIVACY CAUCUS

On Feb. 10, two Republicans joined with two Democrats to announce formation of the first-ever Congressional Privacy Caucus, which most observers see as boosting the issue's visibility on the Hill. 

Sens. Richard Shelby (R-AL) and Richard Bryan (D-NV), and Reps. Ed Markey (D-MA) and Joe Barton (R-VA), said their inability to add stronger privacy protections to the Bank Modernization Bill underscored the need for an entity that could both educate other members and advocate legislation.

The Caucus hopes to hold it first briefing for Congressional members and staff in the coming weeks, a source said.  The four lawmakers already have re-introduced their financial privacy bill.  In response to a "Dear Colleague" letter that mentions the new Caucus, several members already have expressed an interest in joining, the source said. 

The Caucus subscribes to the four principles: 1) individuals be informed when private firms or government agencies collect and/or disclose personally identifiable information;  2) individuals have a right to access their personally identifiable information and have the ability to correct it;  3) individuals must consent to a private company or government agency before it can disclose the individual's personally identifiable information; 4) federal privacy laws do not preempt stronger state privacy laws.

Noting their opposition to Gramm-Leach-Bliley Bill because of inadequate privacy protections, Shelby said, "Unfortunately, we were not able to sufficiently highlight the abuses and invasions of privacy so as to pass legitimate privacy protections.  We believe the Congressional Privacy Caucus will help us bring these issues to the attention of Members of Congress by holding Congressional briefings, and by examining and recommending legislative proposals."

Markey said at a recent retreat, the Democratic Congressional Campaign Caucus unveiled opinion polls showing that privacy was the top issue of concern among a majority of respondents.

Privacy advocates, who generally favor legislation, lauded the move.  Lisa Dean, of the Free Congress Foundation (FCF), said, "we must rely on Congress -- not the courts or federal agencies" -- to define Americans' privacy rights. FCF spokesman Robert McFarland added:  "The formation of this caucus will bring privacy concerns to the forefront and serve to move the debate in the direction of protecting Americans' private information.  Now more than ever we need legislation protecting our privacy from Big Brother and his Little Brother in corporate America."

Jerry Cerasale, senior vice president for the Direct Marketing Association, an opponent of most legislation, said, "We're going to work with them.  We will probably agree on some things and disagree on others."  Allen R. Caskie, executive director of the Financial Services Coordinating Council's privacy project, told the Bureau of National Affairs. "Anytime you get a bipartisan group together working on something and they are serious about it and want it, their concerns are going to be taken seriously."

Senate Democratic Leader Tom Daschle, D-S.D., announced Feb. 9 the formation of a Senate Democratic Privacy Task Force, to be headed by Sen. Patrick Leahy (D-VT).  ``The issue of privacy touches virtually every American, often in extremely personal ways,'' Daschle said in a statement. ``Whether it is bank records or medical files or Internet activities, Americans have a right to expect that personal matters will be kept private.''