Forwarded from: "eric wolbrom, CISSP" <ericat_private>

http://www.msnbc.com/modules/exports/ct_email.asp?/news/807675.asp

By Bob Sullivan
MSNBC
Sept. 13, 2002

A Los Angeles-based Internet company said that 140,000 fake credit card charges, worth $5.07 each, were processed through its transaction system Thursday, in a computer scam that may have affected as many as 25 companies. The apparent fraud suggests that a computer criminal may have obtained a sizable list of stolen credit card numbers and was testing them for validity, credit card fraud expert Dan Clements said.

Paul Hynek, CEO of Web site operator Spitfire Novelties, said its credit card transaction processor, Online Data Corp, approved some 62,000 of the apparently false charges, valued at over $300,000. Hynek said Online Data representatives revealed to him Friday morning that about 25 of the payment processor's other e-commerce customers had suffered similar problems Thursday. But Online Data president John Rante said late Friday that he was not sure that any other e-commerce sites were hacked.

The false charges started showing up at Spitfire's TalkingTP.com Web site at 1 p.m. PT Thursday, Hynek said, but the company didn't realize what was happening until early evening. By Friday morning, credit card holders who had noticed fraudulent charges on their accounts were peppering Spitfire with questions.

"The phone was ringing every 20 or 30 seconds ... with people asking 'who the hell are you,'" said Russ Colby, Spitfire's president.

Spitfire, a small e-commerce company that generates five to 30 transactions a day, suddenly was deluged with credit card authorizations. "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume,'" Hynek said.

Online Data is a reseller of Verisign Inc. credit card payment gateway services, according to Verisign spokesperson Janine Dunne, who declined to say how many merchants were impacted by the apparent fraud, but did indicate Spitfire wasn't the only company hit.

While Verisign actually performed the authorizations, Dunne blamed the reseller, Online Data, for the incident. She said the company issued poor passwords to its customers.

"We encourage resellers to assign strong passwords. The issue here appears to be the nature of passwords assigned to merchants," she said.

But Rante said the merchant was to blame for not changing its password often enough.

"All of us need to change our passwords," Rante said. "We issue a starter password just like most companies do. We strongly urge the merchant to go in and change their password. This merchant failed to change their password and they were hacked."

Hynek told MSNBC.com the merchant password issued to him by Online Data was "OnlneAp16501." He said he thought the alphabetic part of that password stands for "Online app," which might be easy for a hacker to guess.

Darrell Bethune was one of many victims who noticed the $5.07 charge Friday while checking his credit card statement online. "I live in Canada and haven't been to Los Angeles in years," he said.

While some $300,000 in charges were approved by Verisign's systems, the firm actually halted the transactions before they were settled, meaning the $316,000 was never actually credited to Spitfire's merchant account. In fact, the criminals were probably only testing the cards to see if they were valid. Running cards through the authorization process is worthwhile to criminals, because they now have some 60,000 valid cards to sell on the black market, according to Clements, a credit card fraud expert who operates CardCops.com. About 80,000 of the cards run through Spitfire's systems were declined, Hynek said, meaning more than half the stolen cards were outdated or had already been canceled.

This is not the first time credit card thieves have used hacked online merchant accounts to test cards. In April, MSNBC.com reported that thieves were using brute force methods to test thousands of card numbers through hacked Authorize.net merchant accounts, posting tiny 5- and 10-cent charges. In one such incident, 13,000 pre-authorization attempts were made in a single weekend.

It's not clear how many apparently stolen cards were run through the 25 other Online Data merchants that Hynek said were also compromised. Also unclear is what happens next. Apparently, word of the 62,000 valid stolen cards hadn't filtered down to credit card issuers yet. When Bethune spotted the false charge, he called his credit card bank, Wells Fargo, and asked to have his card canceled. The bank hadn't yet heard about the alleged heist.

"It's not clear what responsibility Verisign has right now," said Clements. "The credit card companies would sure be interested in that list ... these are cards that are clearly targeted for fraud."

Dunne said Verisign had alerted credit card companies about the compromised cards, but declined to provide further details.

- ISN is currently hosted by Attrition.org
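The volume check Hynek describes as missing, as an added illustration that is not part of the article or of any processor's product: a per-merchant hourly authorization count compared against the merchant's normal baseline, combined with a check for one repeated small amount, which is the signature of a card-testing run. The merchant names, baseline figures and log records are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log: (merchant, timestamp, amount, approved).
# The values are made up for this example; they are not data from the article.
def build_sample_log():
    log = []
    base = datetime(2002, 9, 12, 13, 0)
    # A normal merchant: a handful of varied purchases over the hour.
    for i, amt in enumerate([19.95, 42.00, 7.50, 19.95]):
        log.append(("normal-shop", base + timedelta(minutes=12 * i), amt, True))
    # A merchant under a card-testing run: hundreds of identical small charges
    # with a mix of approvals and declines (the attacker is probing validity).
    for i in range(300):
        log.append(("hit-shop", base + timedelta(seconds=10 * i), 5.07, i % 5 != 0))
    return log

def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)

def detect_card_testing(log, baseline_per_hour, volume_factor=20, same_amount_ratio=0.8):
    """Flag (merchant, hour) buckets whose authorization count far exceeds the
    merchant's normal hourly volume and where a single amount dominates.
    baseline_per_hour: normal authorizations per hour for each merchant."""
    buckets = defaultdict(list)
    for merchant, ts, amount, approved in log:
        buckets[(merchant, hour_bucket(ts))].append((amount, approved))
    alerts = []
    for (merchant, hour), auths in sorted(buckets.items()):
        count = len(auths)
        limit = baseline_per_hour.get(merchant, 1) * volume_factor
        amount, top = Counter(a for a, _ in auths).most_common(1)[0]
        share = top / count
        if count > limit and share >= same_amount_ratio:
            declined = sum(1 for _, ok in auths if not ok)
            alerts.append({"merchant": merchant, "hour": hour, "count": count,
                           "amount": amount, "share": round(share, 2),
                           "declined": declined})
    return alerts

if __name__ == "__main__":
    for alert in detect_card_testing(build_sample_log(), {"normal-shop": 1, "hit-shop": 1}):
        print(alert)
```

The decline count is worth surfacing alongside the volume: a high share of declines on identical amounts is what distinguishes a validity probe from a legitimate flash sale.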
This archive was generated by hypermail 2b30 : Mon Sep 16 2002 - 06:05:37 PDT