HAARLEM (07/24/2000) - Full details of hundreds of credit cards are out in the open. At the time of writing on Monday, all customer orders of a U.S.-based electronic commerce site, with pornography as its best-selling item, were openly available online without any protection.
The site lists information on more than 800 orders, all placed last year. Over 600 of these were paid for by credit card. The numbers and expiration dates of the cards can be viewed by anyone. Order details also include the customer's name, mailing address and the items ordered.
The company, which according to Network Solutions Inc.'s WHOIS database is based in Akron, Ohio, has a global clientele. Most buyers are from the U.S. and Canada; others come from Europe, South America and Asia.
One of the customers is an employee of Europol, a European law enforcement organization based in the Netherlands. The employee, who is not an investigator but a member of the Europol IT department, ordered a video CD entitled "Tiny Women And Massive Erections." He had it sent to his work address. The e-mail address he gave when placing the order ends with @europol.eu.int.
The e-commerce Web site is no longer operational, and instead of a virtual shop, visitors are met by a directory listing. Clicking through the various directories gives access to different parts of the store. Besides pornography, the Web shop also sold jewelry and security items such as pepper spray. Every directory has a sub-directory named orders, in which the information about individual orders is stored, so anyone who can browse the listing can read the order records.
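The exposure described above rests on two server-side choices: directory indexes were left enabled, and order records were stored inside the Web root. As an added example (not the shop's own configuration), the following Apache httpd 2.4 fragment shows the weak setup beside a corrected one; the document root path is assumed.

```apacheconf
# WEAK: indexes on, and order records live under the Web root,
# so /shop/orders/ renders as a browsable listing of every order file.
<Directory "/var/www/shop">
    Options +Indexes +FollowSymLinks
    Require all granted
</Directory>

# CORRECTED: no automatic directory listings anywhere under the site,
# and any "orders" sub-directory is refused outright, whichever shop
# section it sits in.
<Directory "/var/www/shop">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>

<DirectoryMatch "/orders(/|$)">
    Require all denied
</DirectoryMatch>
```

The deny rule is a safety net; the durable fix is to keep order records (and card data in particular) outside the document root entirely, where no URL maps to them.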
It is possible that many of the credit cards are still valid. Of the 600 cards, about 60 have not yet expired, including the card used by the Europol employee.
Even for the expired cards, the new expiration date is fairly easy to guess: many credit card companies issue replacement cards with the same number and simply add two years to the expiration date.
This large-scale breach of privacy is also politically sensitive. Some of the orders were sent to Pakistan, Saudi Arabia, Dubai and Singapore. People who possess pornography in these Islamic countries can face harsh penalties, which could explain why one customer asked for his purchase of two X-rated DVD discs to be stripped of any marks identifying the discs as porn. "They should look like raw DVDs or CDs," the purchaser entered as a "special instruction."
Credit card companies have been informed, as has the registered operator of the online shop, according to the Dutch Security Information Network, which first alerted WebWereld to the security problem. A spokeswoman for MasterCard in the Netherlands said specialists are investigating the case.
The Dutch Security Information Network can be reached via the Web at http://www.dsinet.org/.