How Credit-Card Numbers Are Stolen on the Web LONDON — The credit-card details of thousands of Britons are being sold in Internet chat rooms by criminals who hack into company computer systems and steal information in order to commit identity fraud. Every day at least 400 credit-card numbers, along with other personal information including three-digit security codes, PINs and dates of birth, are sold by the gangs, The Times has learned. Other pieces of information routinely taken include phone numbers, e-mail and street addresses and mother's maiden names. A credit card number sells for $1, while a card with a three-digit code fetches $5. Additional security information, such as a mother's maiden name, can add $10 to a card's value, and a working PIN can push the price up as high as £100 ($175). The thieves target both companies whose customers buy online and those that take orders by more conventional means, demonstrating that it is not just Internet-based companies that are at risk, but any organization that holds personal information about consumers. The Times contacted 14 customers whose details had been passed to it by a U.S. company that monitors such chat rooms. They were astonished when a reporter read out their credit-card numbers. The names had been taken from unidentified British servers. By calling the individuals on each list and checking which purchases they had made on the day the details were stolen, The Times was led to two reputable companies — one a supplier of travel goods based in Amesbury, Wiltshire, with a database of more than 20,000 customers, the other a computer sales company in Sheffield. Neither company was aware that its systems had been targeted. The names were among hundreds that were sold during a single night's trading in the chat rooms. The British government's Serious Organised Crime Agency said that cybercrime was "among its priorities" but declined to comment on the methods and resources being used to combat it. Alun Michael, the e-Commerce Minister, said: "These findings are disturbing and we will look at them very seriously." Banks are planning to address the problem by issuing card numbers which are valid for single transactions only, meaning that if the number is subsequently stolen from a company database, the risk to the cardholder is substantially reduced.