Have Identity Thieves Got Your Number?

Wednesday, April 19, 2006

By Jonathan Richards




Internet fraudsters are selling the credit-card details of hundreds of Britons each night by hacking into companies' computer systems.

The gangs, thought to operate out of Eastern Europe and southeast Asia, break through firewalls and steal information such as card numbers, security codes, PINs, street and e-mail addresses and mobile-phone numbers.

The Times has tracked them to Internet Relay Chat chatrooms, where they trade what they have stolen.

An American company that monitors such chatrooms said that it was aware of the details of 300 to 400 British customers each day, although that estimate was conservative because it could not keep track of the whole trade.

"We monitor hundreds of rooms, but we don't see all the operators. These people go from one forum to another. It's a growing problem," Dan Clements, the head of, said.

The hackers, mainly young men, keep no record of their conversations, although police are investigating whether the payment system they often use, known as e-gold, may enable their transactions to be traced.

One of the most common techniques is known as "SQL injection," whereby a criminal accesses a database via a Web page set up by a company to interact with its customers.

A typical example is a "feedback" page, on which a customer fills out various fields and clicks "submit" rather than sending an e-mail.

"By inputting the right commands into those fields, a hacker can get the system to feed him back confidential information," said Alan Phillips, the managing director of, an information security consultancy that conducts "mock hacks" on the systems of government agencies and big corporations to test security.

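The flaw described above, shown as an added illustration that is not part of the original article: a feedback-page handler that pastes a form field into its SQL text, beside the parameterized form that treats the field purely as data. The table, the function names and the sample rows are constructed for this example.

```python
import sqlite3

# Constructed sample input: what a tester types into the "e-mail" field
# to check whether the field is pasted straight into the query.
CRAFTED_FIELD = "' OR '1'='1"


def make_db():
    """Build an in-memory customer table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return db


def greet_vulnerable(db, email_field):
    """Weak form: the field becomes part of the SQL statement itself."""
    query = "SELECT name FROM customers WHERE email = '" + email_field + "'"
    return db.execute(query).fetchall()


def greet_parameterized(db, email_field):
    """Hardened form: the driver binds the field as a value, never as SQL."""
    query = "SELECT name FROM customers WHERE email = ?"
    return db.execute(query, (email_field,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The weak handler's WHERE clause becomes always-true and returns every row.
    print("vulnerable:   ", greet_vulnerable(db, CRAFTED_FIELD))
    # The hardened handler looks for a customer with that literal e-mail: none.
    print("parameterized:", greet_parameterized(db, CRAFTED_FIELD))
```
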
Another method involves accessing a computer system through the port used for World Wide Web traffic, designated as port 80 on almost all computers.

"Port 80 is always open, and if a hacker gains entry through it, there's the potential to get control of a different machine and penetrate farther," Phillips said. "It's like using stepping-stones to get across a river."

About half of company computer systems are so insecure as to enable a hacker to gain administrator rights, Phillips said. Most companies are unaware that their server has been preyed upon.

"It's really frightening," said Jayne Mitchell, 47, who bought an adaptor and insect repellent from the site called before a trip to India and was later told by her bank that two fraudulent transactions totaling £950 ($1,700) had been attempted with her card.

"I use the Internet for everything, and other than trying to stick to names I know, I don't take any precautions," Mitchell, a property consultant from Stamford, Lincolnshire, said.

Toni Norris, the director of Homeway/Travelwithcare, said: "We can find no evidence that our system was hacked into but will investigate every avenue and are looking at ways of improving our system, including having a specialized company manage our payments. We are reassuring customers that we are in no way connected with the fraud, and are taking all available precautions in ensuring their details are kept safe."

All the victims of the two companies contacted by The Times — some lost as much as £1,000 ($1,750) — were reimbursed by their banks, but the theft of such personal information raises the prospect of long-term identity fraud, which can take more than a year to trickle back to a victim because of the time fraudsters spend building trust with unsuspecting lenders.

"Card-not-present" fraud — where a stolen number is used to make a payment over the phone or Internet — was the only type of card fraud to rise last year, increasing by 21 per cent to £183 million.

Campaigners say that companies should be legally obliged to give customers more protection. As long as the bank is seen as the victim, they argue, the customer will be without remedy beyond recovering immediate losses from his account.

Under the Data Protection Act, companies that hold personal information about customers have to use "appropriate security" to prevent harm resulting from its loss, but there is no specific obligation to inform customers about a potential breach of security.


Regular credit card number: $1

Credit card with 3-digit security code: $3-$5

Credit card with code and PIN: $10-$100

Social security number (US): $5-$10

Mother's maiden name: $5-$10


$100 billion: Total amount owed on British credit cards

141.1 million: Number of credit, debit and charge cards in Britain

1.9 billion: Number of purchases on credit and charge cards in Britain a year

$123 billion: Total value of credit and charge card purchases a year

5: Number of credit, debit and charge cards held by 1 in 10 consumers

$103: Average value of a purchase on a credit card

$73: Average value of a debit card purchase

88 percent: Proportion of applicants who have been issued with a credit card without providing proof of income

$895 million: Total plastic-card fraud losses on British cards a year

$2.3 million: Amount of fraud committed against cards each day

7: Number of seconds between instances of fraud

$1,235: Average size of fraud, 2004