[ISN] Hacker Breaches Payments Site Webcertificate.com

From: InfoSec News (isnat_private)
Date: Wed Aug 29 2001 - 05:28:37 PDT

  • Next message: InfoSec News: "[ISN] CIO pushes network-centric warfare"

    By Lori Enos
    E-Commerce Times 
    August 28, 2001 
    Online payments provider Ecount confirmed to the E-Commerce Times on
    Monday night that a hacker or hackers breached security at its Web
    payment site, Webcertificate.com.
    "We have reason to believe someone inappropriately accessed data,"
    Ecount chief executive officer and president Matt Gillin told the
    E-Commerce Times.
    According to Gillin, Ecount can only confirm that 25 out of its over
    750,000 customer accounts were improperly accessed, but he added that
    the company's investigation is ongoing.
    Gillin said that the company was "100 percent certain" that no
    Webcertificate accounts were used improperly. As part of Ecount's
    response to the hack attack, Gillin said that Ecount is reissuing
    account numbers for all of its customers, even though Internet
    security was breached for only a small number of the accounts.
    Webcertificates are MasterCard-branded stored value cards that are
    accepted by e-tailers that accept MasterCard. In addition to using the
    cards online, consumers can pay an extra fee and purchase a plastic
    card for use offline.
    Marketed as online gift cards, Webcertificates can be purchased online
    using a credit card or earned as a reward at a number of Internet
    sites, including MyPoints.com.
    Card Numbers Elsewhere
    Gillin said that earlier this week, there were indications of a hack
    attempt at Webcertificate that prompted an investigation by
    Conshohocken, Pennsylvania-based Ecount and its third-party security
    Based on the investigation, the company determined that a hacker had
    gained access to account information and was attempting to retrieve
    credit card numbers. However, Gillin stressed that no customer credit
    card numbers were at risk, because Webcertificate does not store
    credit card numbers on its servers.
    "He believes he has credit card numbers, but what he has are
    Webcertificate numbers," Gillin said.
    Because no credit card numbers were stolen, Gillin said that in
    Ecount's eyes, the "hack attempt failed."
    Motive: Extortion?
    Gillin believes the motive behind the attack was extortion, and said
    that Ecount was working with law enforcement to identify the person
    behind the hack attack.
    Extortion has been the motive in other hacker attacks on e-tailers. In
    December 1999, a Russian teenager stole approximately 300,000 card
    numbers from CDUniverse.com and posted them online when the e-tailer
    refused to meet his US$100,000 extortion demand.
    Customer Notification
    Ecount sent e-mail to all Webcertificate customers Monday notifying
    them that new customer account numbers and passwords would be issued.
    "You're receiving this new account number as a security precaution
    because we have reason to believe that some Webcertificate account
    information may have been inappropriately accessed," the e-mail reads.
    "We want to be perfectly clear: it is your Webcertificate information,
    not your credit card information, which may have been accessed."
    The e-mail also advised consumers that "before making these changes,
    we evaluated your transaction history and confirmed that your account
    has been used properly and only by you."
    Quick Response
    Gillin said that all Webcertificate customers who had purchased
    plastic cards would be receiving new cards in the mail shortly.
    Ecount won praise for its quick response from posters at the MyCoupons
    Internet message boards.
    One poster wrote: "I think this was a very good thing for them to do
    considering from some companies we would just get a 'we're not
    responsible for this ... blah blah blah ...' So instead of waiting
    until more hacking happened, they went ahead and took action to
    prevent it."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 08:02:31 PDT