Database Insecurity
Is Your Credit Card Safe?

With the holidays rapidly approaching, online commerce transaction totals are reaching all-time highs. Are you doing your gift shopping online this year? If so, have you stopped to consider where your credit card information is actually going? Sure, there's that reassuring lock on the bottom of your browser window. That means everything is safe and secure, right?

Not always. That lock icon indicates that your credit card number is being encrypted while in transit over the Internet and decrypted on the other side. The merchant then usually stores your credit card number in an order processing database -- sometimes without appropriate levels of encryption or other security measures.

Last week an anonymous hacker using the pseudonym Maxus posted the following message on his Internet website:

"Hello, my name is Maxus. I would like to present you a credit cards datapipe. If you press the button you will get a real credit card directly from the biggest online shop database. No kidding."

He wasn't kidding. Users who clicked on the large button in the middle of the screen received detailed information on a randomly selected credit card -- enough to go out and authorize transactions. Internet service providers and law enforcement quickly shut down Maxus' site, but you can still view a mirror image of it.

In an interview with MSNBC, Maxus claimed to have stolen over 55,000 individual credit card records from the databases of CreditCards.com -- a processor of credit cards for hundreds of e-commerce sites. This isn't the first time, either. Officials suspect that Maxus is a member of a four-person hacking group based in the former Soviet Union.

Unfortunately, the CreditCards.com incident is only the most recent in a string of attacks against online databases. In January 2000, hackers assisted MSNBC reporters in the retrieval of 2,500 credit records from another e-commerce site by exploiting a vulnerability in Microsoft's SQL Server database product. Nine months later, a hacker protesting the high fuel taxes in the United Kingdom defaced 168 corporate websites using the same methods.

How did they do it? Read on...

©2009 About.com, a part of The New York Times Company.
