Welsh Credit Card Hacker Avoids Jail Sentence

The self-proclaimed “Saint of E-Commerce,” a 19-year-old Welsh teenage hacker named Raphael Gray, was sentenced Friday in a Wales court to threeyears of psychiatric and community service rehabilitation for posting thehacked credit card details of thousands of people to the Web, according to reports in the London Register.

Gray, who also went by the hacker name “Curador,” pled guilty in March to two charges of obtaining services by deception and six charges of intentionally accessing sites containing credit card details. The offensesfell under the UK’s Computer Misuse Act of 1990.

According to the U.S. Federal Bureau of Investigation (FBI), Gray stole more than 23,000 credit card numbers from multiple e-commerce sites worldwide, with losses in fraudulent charges estimated to be above US$3 million.

It took the FBI and Welsh authoritiesover a month to track down and raid the premises of “the Saint,” whooperated out of his parents’ home in a small Welsh town.

Motive and Means

Gray has maintained from the beginning that his motivation for the hacks wasto prove how insecure e-commerce sites are.

“Maybe one day people will set up their sites properly before they starttrading because otherwise this won’t be the last page I post to the Net,”Gray said on his Web site. “If your site is broken into, you should spendmore time asking why and not who.”

At the Gates

Gray also claimed to have stolen the credit card details of Bill Gates,which several other news sources stated he posted to his Web sites and usedto send a shipment of Viagra to the Microsoft chief. However, the London Register said the alleged Gates details were obviously phony.

Visits to a mirror version of Gray’s site on Attrition.org revealed that the Gates’ data was probably not accurate. The site states: “The number does not look valid but orders had beentaken on this card at the site I got it from so judge for yourself.”

Gray’s efforts to expose e-commerce security flaws also reportedly led tothe closure of several of the sites he hacked.

Defense Not Heard

According to the Register, Gray’s defense prior to pleading guilty was thatbecause there was no way he could establish that his access to the creditcard numbers was authorized, it could not be proven to be unauthorized — which would mean that no hacking had actually taken place.

However, these arguments, which could potentially have led to a significant line of defense for hackers, were never tested in court due to Gray’s eventual guilty plea.

The defense said that a head injury suffered by Gray four years ago, as well as chronic low self-esteem, were among the reasons behind his actions.

Published sources said that Gray appeared not to regret what he had done.

“I would do it all again but another time I would choose to ensure that Iacted legally,” he told the UK’s Press Association news agency.