Stealing credit card numbers via home Wifi network

The Hong Kong district court heard a computer crime case on 18th June 2007. An African visitor who had rented a flat stole credit card numbers from his neighbor using wireless sniffing, then used the credit card information to do online shopping. The charge was brought under HK Crime Ordinance Chapter 200 s116. More detailed information will be available when the judgment is posted online.

The 23-year-old defendant was caught because he had used his home address for online shopping and the police were able to trace the delivery records. His ignorance of fraud detection systems and of the traceability of online shopping transactions seems to suggest that he is not a professional criminal. There are lots of ways to use stolen credit card numbers; buying cash coupons and delivering to an unoccupied house's mail box are common.

According to statistics, credit card fraud is increasing and cost 3 billion USD in 2006, up from 2.7 billion in 2005. Different measures (like adding chips or using an online password) have been introduced to protect credit card transactions. However, these new measures are not effective if the network layer is circumvented.

When a malicious user has installed hacker tools on a network, the protection mechanisms at the online application layer may not work at all. Man-in-the-middle attacks using fake servers to intercept Internet traffic are the most dangerous. Traditionally, to set up a man-in-the-middle attack or eavesdrop on network traffic, the hacker needed access to the victim's physical network. However, with the availability of wireless networks, this physical constraint is no longer an obstacle. If the victim uses a non-encrypted wireless network (according to the 2006 PISA wireless survey, 45% of wireless networks were not encrypted), it is relatively easy to obtain his Internet traffic and the personal information transmitted (credit card information included).

If the wireless network is not encrypted and users use it to carry out online transactions or send credit card numbers via email, there is a high risk of credit card information being stolen, just as in the criminal case described above. If 45% of individually established access points in Hong Kong are not encrypted, what percentage of users have wireless security knowledge or awareness?
