MAY 28, 2002
SECURITY NET
By Alex Salkever

An Education in Hacking

At Dan Clements' Fraud Museum, businesses can see how online scamsters operate. It's all very informative -- maybe too much so

It's quite a display. One exhibit on the site details -- with explicit instructions and screen shots -- how to find and compromise vulnerable Web servers. Another exhibit shows software used to create fake credit-card numbers. Then there are the displays of fake Web pages used to dupe surfers into offering up credit-card numbers or other personal information to scammers.

More than 1,300 businesses and individuals have paid a $30 initiation fee and $10 monthly subscription to enter the museum and other restricted parts of the site. Clements says he counts among his paying members the FBI, which wasn't available to comment for this story after several requests, and American Express, which wouldn't confirm that it's a member. A spokesperson cited the small transaction size.

SPREADING THE WORD.

Membership has been growing at a pretty impressive clip, too -- in part due to Clements' own flair for showmanship. In mid-April, he posted a Web site filled with fake credit-card numbers. Then he seeded chat rooms that he considered likely to be frequented by the online-fraud underground with links to his site, telling visitors in effect, "Come and get 'em."

For Clements, this was research for a possible new museum exhibit. The goal was to see how quickly word spread, as well as to track the geographical distribution of the people clicking on his site. After two days, he had collected 1,600 Internet protocol addresses -- numbers that serve as unique identifiers for every device connected to the Web, as well as to internal company networks -- from 75 countries. The stunt grabbed tech-news headlines.

But is Clements going too far? A growing chorus of detractors thinks so. They say CardCops provides information so specific that it could serve as a tutorial for those seeking to break into the online-fraud game. What's more, critics claim that CardCops is long on hacker techniques but short on ways businesses can actually protect themselves.

WHO BENEFITS?

"The site is a profit center exploiting fraud," says Julie Fergerson, vice-president for emerging technologies at online-payment processor ClearCommerce. "The way the site is currently designed, it's more beneficial to the fraudsters than to the merchants they claim to try and protect." Fergerson is also the chairperson of MerchantFraudSquad, an industry trade group dedicated to helping merchants stamp out online fraud.

Clements strongly disagrees. After all, the germ of CardCops started in the late 1990s, when he and partner Mike Brown found that their online-advertising business was getting decimated by scammers, who were concocting fake Web sites to manufacture phony ad traffic. "We felt a long time ago that education is the key to making the Internet safe. You can't keep the information locked up. Then no one learns," Clements says.

Clements and Brown tracked down one of the scammers. Rather than turn the person in, however, they paid him to disclose how he scammed them. "We wanted to find out about the process to protect our advertisers," recalls Clements. With the information they gleaned, the duo launched a site in 1999 designed to help advertising agencies fend off this problem.

CAN OF WORMS.

The site later switched its name from Adcops to CardCops and shifted its emphasis to online credit-card fraud, billing itself as a merchant's resource center. "The same guys that wrote these scripts to defraud advertising companies moved on to [credit-card fraud]," explains Clements. Soon the site morphed into an educational center.

CardCops caught little notice until Clements opened the Fraud Museum -- and with it a big can of worms. But Clements argues that the subscription price actually screens out criminals, who are loath to pay for anything on the Web.

For their money, CardCops customers aren't getting all that slick a production. The site is rife with broken links and misspellings. Many sections haven't been updated for months.
It's a strange counterpoint to Ads360.com, the polished advertising site and business of which Clements remains a part-owner.

THE DOPE IS OUT THERE.

Most of the things people find on CardCops they can find for free on the public Internet, Clements asserts. That's clearly true. I performed a basic Google search using three specific terms relating to credit-card fraud and turned up dozens of public sites claiming to offer number-generation software, which uses algorithms to generate fake credit-card numbers.

However, "It would take [people] weeks to bring it all together in one place," Clements says. That may be true, but is this convenience also an attraction for fraudsters? That's what concerns me.

Clements surely is well-intentioned. He allowed me a cyberstroll through the Fraud Museum, and it's certainly interesting and educational. Still, some of the exhibits struck me as detailed enough to give the wrong people a pretty good idea of how to hack into Web servers.

Though much of this information is out there, the key to a free and unfettered Web, especially for business, is safety and best practices. True, many people can derive good use from such information, helping to make their sites safer, as Clements points out. But I don't think publishing such explicit information in such an easy-to-access format falls on the right side of good judgment.

Salkever covers computer security issues weekly in his Security Net column, only on BusinessWeek Online
Edited by Douglas Harbrecht