Network Security
Hacker taps into 24,000 credit cards
- From: Paul Howell
- Date: Tue Jun 27 07:23:15 2000

At http://www.the-times.co.uk/news/pages/sti/2000/06/25/stinwenws01002.html

Hacker taps into 24,000 credit cards
Maurice Chittenden

A COMPUTER hacker has breached the security of a
pioneering internet service provider to obtain the names,
addresses, passwords and credit card details of more than
24,000 people.

The victims include scientists at the top-secret Defence
Evaluation and Research Agency, senior officials in the
government, BBC bosses and executives at companies such
as Shell, Barclaycard and Halifax.

The hacker, an information technology consultant, says that he
targeted Redhotant to expose security lapses.

The Kent-based company is at the forefront of a new style of
internet provision: subscribers pay as little as £30 a year for
unlimited access to the web with no additional phone charges.
It aims to attract half a million users in Britain, but its critics
say it is failing to cope with demand.

Trading standards officers are investigating complaints that
people have had difficulty getting online, although the company
claims to have a line for every nine customers.

The company, which has taken up to £1.5m in subscriptions,
says it plans to double capacity. Last week it was offline for
several days and blamed a technical hitch after a thunderstorm.

The consultant who obtained the details of Redhotant's
subscribers broke the data protection law but says he did it
only out of public interest to highlight lack of security.

He used a proxy, a device normally used for disguising the
identity of a user, as an intermediary to search the site for files.
Among them he found the customer database. Only those
connected to the company's internal network are supposed to
access it. The hacker got around this by typing in: "referrer: the
intranet site".

He said: "It was child's play. I didn't actually need to hack in
the normal sense because I didn't need any passwords. It was
like rooting around in bins for a key and then finding there was
a wide-open side entrance.

"Redhotant's biggest mistake was keeping its own records on
the same disk and machine as all its services."

He added: "I sent them a couple of e-mails alerting them to the
problem but they ignored it. The lesson is simple. Don't put
anything on a website that you wouldn't put on a billboard."

Redhotant is part of the Jak internet group, which operates from
offices near the Channel Tunnel in Kent.

Kevin Packwood, a director, said he was unaware of the
security breach. He said: "I would be very surprised if
somebody could get that far. Our security measures should
have been able to see it happening and alarms would have
sounded."
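
Added example, not part of the original post or the Times article: the article says the customer database was meant for the internal network only and that a "referrer" line (the HTTP header is spelled `Referer`) was enough to pass that restriction. The site's real code appears nowhere on the page; the sketch below assumes a gate of that kind beside a hardened check and a log audit, and every name, URL, address and key in it is constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# All values below are constructed for this example (assumptions, not from the article).
INTRANET_URL = "http://intranet.example.internal/"
INTRANET_NET = ipaddress.ip_network("10.0.0.0/8")
SESSION_KEY = b"constructed-demo-key"  # would come from a secret store in practice


def referer_gate(headers):
    """Weak gate: grants access on a header that the client sets itself."""
    return headers.get("Referer", "").startswith(INTRANET_URL)


def _mac(user):
    return hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()


def sign_session(user):
    """Token the server issues after a real login (hypothetical helper)."""
    return f"{user}:{_mac(user)}"


def hardened_gate(peer_ip, headers):
    """Ignores Referer: needs an internal socket peer AND a valid signed session."""
    if ipaddress.ip_address(peer_ip) not in INTRANET_NET:
        return False
    user, _, mac = headers.get("X-Session", "").partition(":")
    return bool(user) and hmac.compare_digest(mac.encode(), _mac(user).encode())


def audit(requests):
    """Detection: Referer claims the intranet while the peer address is external."""
    return [r["peer"] for r in requests
            if referer_gate(r["headers"])
            and ipaddress.ip_address(r["peer"]) not in INTRANET_NET]


# Constructed sample requests: one external with an intranet Referer, one internal with a session.
SAMPLE = [
    {"peer": "203.0.113.7", "headers": {"Referer": INTRANET_URL + "db"}},
    {"peer": "10.1.2.3", "headers": {"X-Session": sign_session("alice")}},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The hardened check covers only the gate itself; the consultant's other point, keeping customer records off the public web server, is a separate control.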