Experts: Chat rooms a haven for hackers

Anonymously stealing, trading personal information

(CNN) -- Computer security expert Chad Harrington regularly surfs Internet Relay Chat (IRC), one of the oldest chat technologies on the Web. The IRC networks have names like Dalnet and EFnet, but he agrees that another name works just as well: eBay for hackers.

"Once the hacker or someone in the underworld has personal information, credit card numbers, social security numbers, address, whatever it may be," says Harrington, once the hacker "has that information and wants to sell it, often they'll go to a hacker chat room, a place on the Web using an Internet Relay Chat which provides them some anonymity and allows them to mention that they have this personal information and they want to trade."

The ability for hackers to go onto the Internet and chat up fellow hackers is as old as the Net itself. But with identity theft becoming a more popular form of fraud, according to the Federal Trade Commission (FTC), more attention is being paid to chat rooms that serve as flea markets for hackers.

"We know that credit card numbers are bought and sold over the Internet because they have real cash value," says Bruce Schneier, founder and CTO of Counterpane Technologies and a pioneer in network security.

EXTRA INFORMATION Read more about chat-room hackers and identity theft in a chat with Entercept's Chad Harrington

"A lot more credit card numbers are stolen than ever used, but you should assume that right now, in your wallet, there's a credit card number that has been stolen off the Net."

Both Schneier and Entercept Security Technology's Harrington say that your stolen personal information can be swapped or sold in other Web venues. But IRC is largely unregulated -- a Wild West of chat that has a special appeal for hackers.

"Hackers obviously want anonymity when they're looking to trade personal information that they've obtained via identity theft, so Internet Relay Chat is a commonly used mechanism," says Harrington.

Difficult to monitor

The unfettered nature of IRC is also appealing to hackers, says Schneier.

"It's older, it's not tied to Microsoft or AOL or a big company, it's one of the Internet protocols ... so if you're running Windows or Linux or Macintosh or another flavor of Unix, you can use it," says Schneier. "So it's not that it's more suitable for hackers to use, it's just a more basic service and people who are anti-big-corporation are going to be more likely to use something like IRC."

(AOL Time Warner is the parent company of CNN.)

That same aspect of IRC also makes it a tough digital obstacle for law enforcement.

"In the electronic world of the Internet, it's such a vast landscape and there's no way that the FBI and CIA or any law enforcement agency can be involved in watching over the shoulder of every Internet user," says Harrington. "Unfortunately, that's probably what it would have to take to prevent this sort of fraud."

Occasionally the FBI gets lucky. The feds were able to track down the hacker known as "Mafiaboy" when he bragged about his exploits in chat rooms.

And while the FBI's National Infrastructure Protection Center (NIPC) didn't provide any statements to CNN regarding what goes on in Internet Relay Chat, security experts say it's a matter of law enforcement manpower and trying to track down hackers in a very crowded -- and loud -- chat room.