An Education in Hacking


By Alex Salkever

Netrepreneur Dan Clements is a museum curator, only you won't find him working at the Met or the Louvre. Rather, Clements is the CEO of CardCops.com, an online credit-card fraud-prevention site. In February, 2001, Clements and CardCops opened the cyberdoors of their own online Fraud Museum, which contains what Clements judges to be the most egregious examples of crime in the annals of hackerdom.

It's quite a display. One exhibit on the site details -- with explicit instructions and screen shots -- how to find and compromise vulnerable Web servers. Another exhibit shows software used to create fake credit-card numbers. Then there are the displays of fake Web pages used to dupe surfers into offering up credit-card numbers or other personal information to scammers.

More than 1,300 businesses and individuals have paid a $30 initiation fee and $10 monthly subscription to enter the museum and other restricted parts of the site. Clements says he counts among his paying members the FBI, which wasn't available to comment for this story after several requests, and American Express, which wouldn't confirm that it's a member. A spokesperson cited the small transaction size.

SPREADING THE WORD. Membership has been growing at a pretty impressive clip, too -- in part due to Clements' own flair for showmanship. In mid-April, he posted a Web site filled with fake credit-card numbers. Then he seeded chat rooms that he considered likely to be frequented by the online-fraud underground with links to his site, telling visitors in effect, "Come and get 'em."

For Clements, this was research for a possible new museum exhibit. The goal was to see how quickly word spread, as well as to track the geographical distribution of the people clicking on his site. After two days, he had collected 1,600 Internet protocol addresses from 75 countries. An Internet protocol address is a number that serves as a unique identifier for every device connected to the Web, as well as to internal company networks.

The stunt grabbed tech-news headlines. But is Clements going too far? A growing chorus of detractors thinks so. They say CardCops provides information so specific that it could serve as a tutorial for those seeking to break into the online-fraud game. What's more, critics claim that CardCops is long on hacker techniques but short on ways businesses can actually protect themselves.

WHO BENEFITS? "The site is a profit center exploiting fraud," says Julie Fergerson, vice-president for emerging technologies at online-payment processor ClearCommerce. "The way the site is currently designed, it's more beneficial to the fraudsters than to the merchants they claim to try and protect." Fergerson is also the chairperson of MerchantFraudSquad, an industry trade group dedicated to helping merchants stamp out online fraud.

Clements strongly disagrees. After all, the germ of CardCops started in the late 1990s, when he and partner Mike Brown found that their online-advertising business was getting decimated by scammers, who were concocting fake Web sites to manufacture phony ad traffic. "We felt a long time ago that education is the key to making the Internet safe. You can't keep the information locked up. Then no one learns," Clements says.

Clements and Brown tracked down one of the scammers. Rather than turn the person in, however, they paid him to disclose how he scammed them. "We wanted to find out about the process to protect our advertisers," recalls Clements. With the information they gleaned, the duo launched a site in 1999 designed to help advertising agencies fend off this problem.

CAN OF WORMS. The site later switched its name from Adcops to CardCops and shifted its emphasis to online credit-card fraud, billing itself as a merchant's resource center. "The same guys that wrote these scripts to defraud advertising companies moved on to [credit-card fraud]," explains Clements.

Soon the site morphed into an educational center. CardCops caught little notice until Clements opened the Fraud Museum -- and with it a big can of worms. But Clements argues that the subscription price actually screens out criminals, who are loath to pay for anything on the Web.

For their money, CardCops customers aren't getting all that slick a production. The site is rife with broken links and misspellings. Many sections haven't been updated for months. It's a strange counterpoint to Ads360.com, the polished advertising site and business of which Clements remains a part-owner.

THE DOPE IS OUT THERE. Most of the things people find on CardCops they can find for free on the public Internet, Clements asserts. That's clearly true. I performed a basic Google search using three specific terms relating to credit-card fraud and turned up dozens of public sites claiming to offer number-generation software, which uses algorithms to generate fake credit-card numbers. However, "It would take [people] weeks to bring it all together in one place," Clements says.

That may be true, but is this convenience also an attraction for fraudsters? That's what concerns me. Clements surely is well-intentioned. He allowed me a cyberstroll through the Fraud Museum, and it's certainly interesting and educational. Still, some of the exhibits struck me as detailed enough to give the wrong people a pretty good idea of how to hack into Web servers.

Though much of this information is out there, the key to a free and unfettered Web, especially for business, is safety and best practices. True, many people can derive good use from such information, helping to make their sites safer, as Clements points out. But I don't think publishing such explicit information in such an easy-to-access format falls on the right side of good judgment.

Salkever covers computer security issues weekly in his Security Net column, only on BusinessWeek Online

