Legal Protection of Your Data | Kennedy Law, P.C.

How Lara Croft Taught Hackers to Steal Credit Card Data

Author: Stephen Kennedy

Date: 12/06/2016

Lara Croft, the CGI character in the popular Tomb Raider video game, unwittingly trained hackers how to steal your credit card data. This is the third blog in a series of four blogs I am writing about how hackers are stealing your money. Today we discuss how Video Game Logic has been applied to assist hackers across the world to steal data.

As you may know from my previous blogs, there are many different ways hackers can get your credit card or ATM information. Historically, the hacker either penetrated your computer security to get your information or, in the alternative, found a way to penetrate an online retailer’s security to collect thousands of user’s credit card data at a time. As individual users and retailers have become more sophisticated in protecting data, the hackers have had to get more creative. In a previous post, I explained how fraudsters are using ATM skimmers to steal your ATM card data and PIN code. The most recent hacking technique does not involve an error by any one specific online merchant but involves what I call implementation of Video Game Logic that allows hackers to pick-up strings of data regarding your credit card in the same way that Lara Croft collects treasure and munitions in Tomb Raider.

Here’s the problem

The difference in security solutions of various online merchant websites introduces an exploitable vulnerability in the online merchant payment system. An attacker can exploit these differences to build a distributed guessing attack which generates usable card payment details. It’s not your computer or your firewall that is at issue, it’s the retailer’s webpage that creates the vulnerability. A merchant may claim that its system is safe, but if it runs on a computer or server-in-the-cloud, it is absolutely vulnerable.

Here’s what the hackers do

In the same way that Lara Croft traveled the world in search of forgotten artifacts and lost cities full of treasure, hackers go from one online retail store to the next collecting strings of data that are eventually used to siphon your credit card funds. The hacker obtains your card number from Merchant A, the expiration date from Merchant B, the card verification value from Merchant C, your zip code from Merchant D, and the street you grew up on from Merchant E, one field at a time. Each generated field can be used in succession to generate the next field by using a different merchant’s website. As merchants try to improve their security by adding more payment fields to be verified on their site, including challenge questions, they inadvertently weaken the whole system by creating an opportunity to guess the value of yet another field. Because there is no uniform credit card data security solution used by online merchants, the merchants inadvertently create a maze that allows a hacker to go from one site to another to collect your data. Just as Lara Croft must navigate from tomb-to-tomb, the hacker goes from site-to-site to collect your data and the treasure it holds.


You should be. Shopping online will (not might, will) result in credit card fraud eventually. This is the new normal. You are living in a Tomb Raider Universe where your credit card information is at risk from a hacker going from one online store to the next applying different hacking techniques to grab one variable of data at a time to eventually steal your money.

Want some good news?

There are a few proven techniques that do not cost money and do not require you to download software. These techniques can limit and even prevent losses from credit card theft while allowing you to order your favorite pizza online, buy holiday gifts from your favorite merchants, and send flowers to a relative. Is it a new app I’m selling? (No, I’m an attorney.) Is it a six-hour online course you can take from your computer? (No, I have trial set in Comanche County, Texas for next week, so there’s no time for that.) Is it a great new firewall or antivirus software? (No, and if you are asking that question, please re-read the third full paragraph above.)

So what is the best way to protect yourself?

There is no single-source solution, sorry to say, but…. In my next blog, I will explain two different methods of shopping online that can limit and possibly prevent losses from your credit and ATM cards while allowing you the freedom to buy from various online retailers. For information regarding our data management legal services, please feel free to call us today.

Share this:
Call Kennedy Law