[ISN] Databases Exposed at Online Credit-Card Security Firm

From: InfoSec News (isnat_private)
Date: Mon Jun 25 2001 - 02:51:48 PDT


    By Michael Mahoney
    E-Commerce Times
    June 22, 2001

    Databases at online credit card processing and security provider
    Anacom Communications were illegally accessed this week, Anacom's
    parent company ZixIt Corporation confirmed Thursday.

    ZixIt said that it took control of the entire Anacom premises and
    began forensic data analysis on the breach Monday night. In addition,
    the company said, the U.S. Federal Bureau of Investigation (FBI) was
    brought in to begin a criminal inquiry.

    ZixIt director of corporate communications Paul LaBelle told the
    E-Commerce Times that ZixIt was informed earlier in the week that
    fraudulent transactions were taking place using the merchant accounts
    on the Anacom network.

    "We pulled the plug and immediately informed all the merchants and the
    credit card associations they would have to use services from other
    providers in the interim," LaBelle said.

    Lots of Questions

    On Wednesday, outside forensic data experts officially confirmed that
    both the intrusions and fraudulent transaction processing had
    occurred. ZixIt management said it has started the process of
    notifying credit-card companies about the accounts that may have been
    improperly accessed.

    LaBelle said that ZixIt did not yet have any information regarding the
    outcome of the investigation, such as how long the accounts were
    exposed or how the breach occurred. ZixIt also said the breach did not
    involve any of ZixIt's own data centers or e-mail technologies.

    Anti-Fraud Specialists

    Anacom is the developer and owner of the WebCharge, WebCheck and
    Internet Fraud Screening (IFS) payment processing gateways and
    technologies, according to several Web sites that use its services.

    Anacom's merchant account application, e-ZStart, contains multiple
    Internet fraud filters that each credit card must pass through prior
    to approval of a transaction. These filters include a negative
    credit-card database, a fraudulent Internet protocol (IP) and e-mail
    address filter, and proprietary data encryption.

    Visits to Anacom.com throughout the day found the Web site

    How Serious?

    Although online breaches of security are taken seriously by consumers,
    corporations and law enforcement, the frequency of actual online
    credit-card fraud is greatly exaggerated, according to a recent report
    from Jupiter Media Metrix.

    The Jupiter report said that attention focused on online security
    incidents has led consumers to erroneously believe that fraud is
    approximately 12 times more prevalent on the Internet than off, which
    is not the case.

    In order to reduce misunderstanding about the risks of online fraud,
    Jupiter recommends that companies classify security incidents, such as
    the Anacom occurrence, into one of three levels of severity: threat,
    breach and fraud.

    Based on the initial reports from ZixIt, it appears the Anacom
    incident might fit into the fraud category, which is defined as a
    situation in which security is compromised, unauthorized access to
    private records has occurred, and there has been actual misuse of the
    credit data.
    ISN is hosted by SecurityFocus.com