By HIAWATHA BRAY
c.1997 The Boston Globe
ust as Americans are getting comfortable with the idea of using their
credit cards on the Internet, along comes the story of Carlos Felipe
Salgado.
According to an FBI affidavit, Salgado has confessed to one of the
biggest ripoffs yet seen on the Internet -- the theft of up to 100,000
credit card numbers from a computer in San Diego. The case
underscores the continuing risks of doing business on the Internet, but
software makers insist that proper use of security products could have
prevented the theft.
The FBI says the investigation began in late March when an Internet
service provider in San Diego discovered an outsider had broken into
its system and installed a ``packet sniffer'' -- a program that detects
and records passwords used by subscribers to the system.
Then a customer reported he met someone claiming to be the intruder
while engaged in an online ``chat session,'' where people type
messages directly to one another. The intruder, who used the
nickname ``Smak,'' claimed he had 60,000 stolen credit card numbers
to sell.
With this information, the service provider -- which the FBI would not
name -- traced Smak to a computer at the University of California at
San Francisco. They called in the FBI, which set up a trap with the
help of the customer who'd encountered the intruder.
In early May, Smak sent electronic mail messages to the customer,
offering to sell him 710 card numbers at $1 per card number. The FBI
made the purchase, then a second deal for 580 numbers at a price of
$2,900.
Finally, Smak agreed to meet with the customer at San Francisco
International Airport on May 21. He wanted $260,000 for over
100,000 credit card numbers. Instead, he got arrested. Smak turned
out to be Salgado, who is 36 years old and who lives with his parents
in Daly City, Calif.
He's out now on $100,000 bail; his parents put up their house as
security. The FBI says he admitted he'd obtained the credit card
numbers by hacking into a computer at the San Diego Internet
provider. The computer was used by businesses that wanted to sell
their products over the Internet and collect credit card data as
payment.
Internet security experts are quick to point out that the numbers
weren't actually stolen while they were being transmitted across the
Internet. The problem arose when the data was stored on an insecure
computer.
``It has always been possible to steal credit card numbers off of the
computer, even before the Internet came along,'' says Eric Greenberg,
group security product manager at Netscape Communications Corp.,
maker of the most popular Internet browsing software.
Greenberg noted that today's browsers use a system called SSL that
enables a customer to transmit credit data in a form that can't be read
by an intruder. ``There is no documented case of a credit card number
being stolen while it was being transmitted through SSL,'' says
Greenberg. ``Not one.''
But there have been documented cases of credit card data being
stolen from the computer where it's being stored. Open Market Inc. in
Cambridge makes security software for businesses that is designed to
prevent such theft.
The company's director of security, Win Treese, says the Salgado
affair ``certainly suggests that there are quite a number of merchants
out there who are not taking what we would consider the important
security steps to protect customer information.''
Treese says some Web-based firms don't use SSL to prevent credit
card ``sniffing.'' And companies that use SSL may store card numbers
on their computers in an unencrypted form.
Treese says all customer data should be stored in encrypted files so
that even if a hacker gets to the information, he can't use it.