[ISN] Payment processor fears credit card crooks

InfoSec News isn at c4i.org
Tue Apr 4 03:02:20 EDT 2006


http://news.com.com/Payment+processor+fears+credit+card+crooks/2100-7349_3-6057305.html

By Joris Evers 
Staff Writer, CNET News.com
April 3, 2006

A major online payment provider said Monday that its processing
service had been used in an attempt to charge money to stolen credit
and debit cards.

Several Web hosting companies that use the Authorize.Net service to
accept credit cards online saw a sudden spike in transactions over the
weekend. The transactions, most for $500 and $700, were billed to
Visa, MasterCard and American Express cards that belong to people
across the U.S., representatives for three Web hosts told CNET
News.com.

"These hackers got their hands on high quality data, and they used
merchants of ours to run that data through the merchant's Web site,
which goes through our platform," said David Schwartz, a spokesman for
Authorize.Net in American Fork, Utah. The company says more than
130,000 merchants use its online payment service.

The Web hosting companies discovered the unusual charges through
e-mail alerts that Authorize.Net sends after each transaction. Close
to 3,000 suspicious transactions were pushed through the merchant
accounts of three companies with which CNET News.com spoke, and more
likely happened at other Web hosts, these three companies said.

Unclear, however, is where the weakness in the transaction chain is,
whether it was at the level of the payment processor or the Web hosts.  
Also unclear is where the culprits obtained the card information they
used in the transaction attempts.

On Sunday morning, in about an hour-and-a-half time period, fraudsters
ran close to 1,500 transactions through the Authorize.Net account of
Defender Technologies Group, a Web host in Ashburn, Va., said Tom
Kiblin, the company's CEO. "It was just under $1 million that got put
through on our account," he said. Kiblin says he has reported the
matter to the U.S. Secret Service.

Lance Conway, president of Viper Logic in Palm Springs, Calif., and
Lisa Willman, billing manager at Vortech in Orlando, Fla., have
similar stories. Viper's account was used on Friday to charge $700 to
almost 800 cards, Conway said. At Vortech, that same amount was billed
on Friday to about 400 cards, Willman said.

In all cases, the information that was put through the system included
a card number, expiration date, name and address, representatives for
the Web hosts said.

The episode is another example of credit card and debit card
insecurity. Recently, a crime spree forced banks across the nation to
replace hundreds of thousands of debit cards. Last year a cyber
break-in at a payment processor exposed names, account numbers and
verification codes for 40 million credit cards.

The three Web hosting companies have all voided the fraudulent
transactions, which took up significant time, the company
representatives said. Nevertheless, some consumers noticed that their
banks had put holds on their credit cards or even charged their debit
cards, and they called the Web hosting companies for clarification.

"We try to explain to them: 'No we're not thieves, we're not stealing
your money, your credit card information was stolen,'" said Kiblin.  
His company, Defender Technologies, has fielded calls from about 100
cardholders, he added.

Conway at Viper Logic received about 30 calls over the weekend, and
his phone was ringing often on Monday as well, he said. "What a
nightmare. We're just a small company; there are only eight of us
here."

Though the attackers already had control over a database of credit
card numbers, Authorize.Net and the Web hosting companies are pointing
fingers as to who is to blame for allowing the mass charges to the
accounts. The Web hosts say there are no traces of transactions on
their servers, so fraudsters must have accessed Authorize.Net
directly.

But Authorize.Net denies any blame.

"Authorize.Net did not suffer from any sort of security breach
whatsoever," Schwartz said. "If someone commits fraud in a physical
store using a stolen credit card, the merchant would never hold the
manufacturer of the card-swipe terminal accountable for that fraud. In
the e-commerce world, a payment gateway is the equivalent."

The Web hosting companies may have left open a door to the payment
processing service, possibly through their online shopping carts,
Schwartz speculated.

Opinions also differ on why someone would want to send large amounts
of money into the accounts of the Web hosts.

"It looks like somebody was fishing with a credit card list, trying to
validate credit cards," said Kiblin. "The goal for these guys, if a
card is valid, they go off and start buying stuff. All these guys that
got hit are going to see other charges."

But for that to be true, the transaction amounts are too high,
Schwartz said. "Usually, when hackers try to validate whether a card
is good or not, they will do an authorization attempt for a dime. If
it goes through, they know they have got a good card number, and when
it is rejected it is going to reject whether it is a dime or $700," he
said.

Avivah Litan, an analyst with Gartner, agreed. She suspects the
culprits had figured out the Authorize.Net system and intended for the
money to go into the merchant account only to siphon it out later. But
they were tripped up by the e-mail notifications Authorize.Net sends
to its users.

"It was on a weekend; they always do this stuff on weekends, when no
one is around watching these systems. If there were no e-mail alerts,
the money would have gone into the merchant account and they would
have redirected it into their account and no one would have known,"  
Litan said. "They got caught with their pants down."

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.





More information about the ISN mailing list