[ISN] Massive credit card heist suspected

From: InfoSec News (isnat_private)
Date: Mon Sep 16 2002 - 03:11:25 PDT

  • Next message: InfoSec News: "[ISN] Linux Advisory Watch - September 13th 2002"

    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    By Bob Sullivan MSNBC
    Sept. 13, 2002
    A Los Angeles-based Internet company said that 140,000 fake credit
    card charges, worth $5.07 each, were processed through its transaction
    system Thursday, in a computer scam that may have affected as many as
    25 companies. The apparent fraud suggests that a computer criminal may
    have obtained a sizable list of stolen credit card numbers and was
    testing them for validity, credit card fraud expert Dan Clements said.
    PAUL HYNEK, CEO of Web site operator Spitfire Novelties, said its
    credit card transaction processor, Online Data Corp, approved some
    62,000 of the apparently false charges, valued at over $300,000.
    Hynek said Online Data representatives revealed to him Friday morning
    that about 25 of the payment processors other e-commerce customers had
    suffered similar problems Thursday.
    But Online Data president John Rante said late Friday that he was not
    sure that any other e-commerce sites were hacked.
    The false charges started showing up at Spitfires TalkingTP.com Web
    site at 1 p.m. PT Thursday, Hynek said, but the company didnt realize
    what was happening until early evening. By Friday morning, credit card
    holders who had noticed fraudulent charges on their accounts were
    peppering Spitfire with questions.
    The phone was ringing every 20 or 30 seconds ... with people asking
    who the hell are you, said Russ Colby, Spitfires president. Spitfire,
    a small e-commerce company that generates five to 30 transactions a
    day, suddenly was deluged with credit card authorizations.
    There wasnt a system in place to say, youve generated 140,000 charges,
    thats more than your normal volume, Hynek said.
    Online Data is a reseller of Verisign Inc. credit card payment gateway
    services, according to Verisign spokesperson Janine Dunne, who
    declined to say how many merchants were impacted by the apparent
    fraud, but did indicate Spitfire wasnt the only company hit.
    While Verisign actually performed the authorizations, Dunne blamed the
    reseller, Online Data, for the incident. She said the company issued
    poor passwords to its customers.
    We encourage resellers to assign strong passwords. The issue here
    appears to be the nature of passwords assigned to merchants, she said.
    But Rante said the merchant was to blame for not changing its password
    often enough.
    All of us need to change our passwords, Rante said. We issue a starter
    password just like most companies do. We strongly urge the merchant to
    go in and change their password. This merchant failed to change their
    password and they were hacked.
    Hynek told MSNBC.com the merchant password issued to him by Online
    Data was OnlneAp16501. He said he thought the alphabetic part of that
    password stands for Online app, which might be easy for a hacker to
    Darrell Bethune was one of many victims who noticed the $5.07 charge
    Friday while checking his credit card statement online.
    I live in Canada and havent been to Los Angeles in years, he said.
    While some $300,000 in charges were approved by Verisigns systems, the
    firm actually halted the transactions before they were settled,
    meaning the $316,000 was never actually credited to Spitfires merchant
    account. In fact, the criminals were probably only testing the cards
    to see if they were valid.
    Running cards through the authorization process is worthwhile to
    criminals, because they now have some 60,000 valid cards to sell on
    the black market, according to Clements, a credit card fraud expert
    who operates CardCops.com.
    About 80,000 of the cards run throughout Spitfires systems were
    declined, Hynek said, meaning more than half the stolen cards were
    outdated or had already been canceled.
    This is not the first time credit card thieves have used hacked online
    merchant accounts to test cards. In April, MSNBC.com reported that
    thieves were using brute force methods to test thousands of card
    numbers through hacked Authorize.net merchant accounts, posting tiny 5
    and 10-cent charges. In one such incident, 13,000 pre-authorizations
    attempts were made in a single weekend.
    'Brute force' card theives attack
    Its not clear how many apparently stolen cards were run through the 25
    other Online Data merchants that Hynek said were also compromised.
    Also unclear is what happens next. Apparently, word of the 62,000
    valid stolen cards hadnt filtered down to credit card issuers yet.
    When Bethune spotted the false charge, he called his credit card bank,
    Wells Fargo, and asked to have his card canceled. The bank hadnt yet
    heard about the alleged heist.
    Its not clear what responsibility Verisign has right now, said
    Clements. The credit card companies would sure be interested in that
    list ... these are cards that are clearly targeted for fraud.
    Dunne said Verisign had alerted credit card companies about the
    compromised cards, but declined to provide further details.
    eric wolbrom, CISSP			Safe Harbor Technologies
    President & CIO				190 Goldens Bridge Ct.
    Voice 914.767.9090 ext. 6000		Katonah, NY 10536
    Fax   914.767.3911				http://www.shtech.net
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Sep 16 2002 - 06:05:37 PDT