WASHINGTON -- More than a million credit card numbers have been stolen from e-commerce websites over the past year, according to the FBI, which blamed the crimes on organized hacker groups in Russia and the Ukraine.
Investigators at the National Infrastructure Protection Center, the FBI's cyber crimes arm, warned Thursday that Internet retailers and online banking firms should be more vigilant in protecting their data. They said well-known security holes should be fixed.
Over the past year, they said, there has been an increase in thefts of credit card numbers and a similar increase in the fraudulent use of credit cards in Russia.
"The investigations have disclosed several organized hacker groups in eastern Europe, specifically Russia and the Ukraine, that have penetrated U.S. e-commerce computer systems," the FBI said.
The FBI broke from its policy of not discussing pending investigations because bureau officials said they believed it necessary to alert the public even though the announcement could compromise their work.
Hundreds of companies have fallen victim, officials said, adding there are more than 40 ongoing investigations in 20 states.
The scheme was said to involve organized crime groups outside the United States.
The hackers are using well-known holes in their targets' websites and transaction software, and the infrastructure center is asking companies to patch holes more quickly.
It is a hassle for customers to change their credit cards after they have been used on compromised e-commerce sites, but companies are even more at risk, security experts say.
Individual liability is capped by law at $50 if fraudulent charges are made on a card, but a company loses consumer confidence and almost assuredly loses the business of the stolen card's holder.
"E-commerce sites have got to realize that they are fiduciaries of other people's information," said Mark Rasch, legal counsel for Predictive Systems, a computer networking firm. "They've got credit cards, names, addresses and buying habits. They have to take that responsibility more seriously."
NIPC director Michael Vatis said in January that the bureau periodically sees organized criminal groups make extortion demands related to hacker attempts. It is not known if any of the criminals are sponsored by a government, although that possibility is part of the FBI's investigation.
In December 1999, a hacker claimed to have stolen the card numbers of 300,000 CD Universe customers. The hacker, using the name Maxim, said he was a 19-year-old from Russia. He released thousands of the numbers when the company refused to pay a $100,000 ransom.
Western Union shut its website for five days in September 2000 after hackers stole the card numbers of more than 15,000 customers.
Last December, another Russian hacker stole more than 55,000 cards from creditcards.com, which processes transactions for online merchants. About 25,000 card numbers were posted online when a $100,000 extortion demand was ignored.