April 3, 2006 7:27 PM PDT

Payment processor fears credit card crooks

A major online payment provider said Monday that its processing service had been used in an attempt to charge money to stolen credit and debit cards.

Several Web hosting companies that use the Authorize.Net service to accept credit cards online saw a sudden spike in transactions over the weekend. The transactions, most for $500 and $700, were billed to Visa, MasterCard and American Express cards that belong to people across the U.S., representatives for three Web hosts told CNET News.com.

"These hackers got their hands on high quality data, and they used merchants of ours to run that data through the merchant's Web site, which goes through our platform," said David Schwartz, a spokesman for Authorize.Net in American Fork, Utah. The company says more than 130,000 merchants use its online payment service.

The Web hosting companies discovered the unusual charges through e-mail alerts that Authorize.Net sends after each transaction. Close to 3,000 suspicious transactions were pushed through the merchant accounts of three companies with which CNET News.com spoke, and more likely happened at other Web hosts, these three companies said.

Unclear, however, is where the weakness in the transaction chain is, whether it was at the level of the payment processor or the Web hosts. Also unclear is where the culprits obtained the card information they used in the transaction attempts.

On Sunday morning, in about an hour-and-a-half time period, fraudsters ran close to 1,500 transactions through the Authorize.Net account of Defender Technologies Group, a Web host in Ashburn, Va., said Tom Kiblin, the company's CEO. "It was just under $1 million that got put through on our account," he said. Kiblin says he has reported the matter to the U.S. Secret Service.

Lance Conway, president of Viper Logic in Palm Springs, Calif., and Lisa Willman, billing manager at Vortech in Orlando, Fla., have similar stories. Viper's account was used on Friday to charge $700 to almost 800 cards, Conway said. At Vortech, that same amount was billed on Friday to about 400 cards, Willman said.

In all cases, the information that was put through the system included a card number, expiration date, name and address, representatives for the Web hosts said.

The episode is another example of credit card and debit card insecurity. Recently, a crime spree forced banks across the nation to replace hundreds of thousands of debit cards. Last year a cyber break-in at a payment processor exposed names, account numbers and verification codes for 40 million credit cards.

The three Web hosting companies have all voided the fraudulent transactions, which took up significant time, the company representatives said. Nevertheless, some consumers noticed that their banks had put holds on their credit cards or even charged their debit cards, and they called the Web hosting companies for clarification.

"We try to explain to them: 'No we're not thieves, we're not stealing your money, your credit card information was stolen,'" said Kiblin. His company, Defender Technologies, has fielded calls from about 100 cardholders, he added.

Conway at Viper Logic received about 30 calls over the weekend, and his phone was ringing often on Monday as well, he said. "What a nightmare. We're just a small company; there are only eight of us here."

Though the attackers already had control over a database of credit card numbers, Authorize.Net and the Web hosting companies are pointing fingers as to who is to blame for allowing the mass charges to the accounts. The Web hosts say there are no traces of transactions on their servers, so fraudsters must have accessed Authorize.Net directly.

But Authorize.Net denies any blame.

"Authorize.Net did not suffer from any sort of security breach whatsoever," Schwartz said. "If someone commits fraud in a physical store using a stolen credit card, the merchant would never hold the manufacturer of the card-swipe terminal accountable for that fraud. In the e-commerce world, a payment gateway is the equivalent."

The Web hosting companies may have left open a door to the payment processing service, possibly through their online shopping carts, Schwartz speculated.

Opinions also differ on why someone would want to send large amounts of money into the accounts of the Web hosts.

"It looks like somebody was fishing with a credit card list, trying to validate credit cards," said Kiblin. "The goal for these guys, if a card is valid, they go off and start buying stuff. All these guys that got hit are going to see other charges."

But for that to be true, the transaction amounts are too high, Schwartz said. "Usually, when hackers try to validate whether a card is good or not, they will do an authorization attempt for a dime. If it goes through, they know they have got a good card number, and when it is rejected it is going to reject whether it is a dime or $700," he said.

Avivah Litan, an analyst with Gartner, agreed. She suspects the culprits had figured out the Authorize.Net system. They may have intended the money to eventually be directed into a merchant's account outside Authorize.Net, where they could siphon it out later. But they were tripped up by the e-mail notifications Authorize.Net sends to its users.

"It was on a weekend; they always do this stuff on weekends, when no one is around watching these systems. If there were no e-mail alerts, the money would have gone into the merchant account and they would have redirected it into their account and no one would have known," Litan said. "They got caught with their pants down."


14 comments

Why don't they just use a damn PIN system like bank card...
Why don't they just do that...
Posted by tony_z (32 comments )
PINs don't work and Gartner analyst is 100% off base.
A PIN is not going to stop a phisher. They're already asking for your CC#, etc when they send these scams out. It will just mean the people doing this start asking for the pin to "verify" their account, etc.

Also... the Gartner "analyst" is 100% wrong regarding using the Authorize.net system to go into the merchant's accounts and redirect it. Authnet is the middle man here. They're simply the gateway that takes the money and passes it to the Merchant's merchant account provider.

There is in fact nowhere online for you to change where funds that are supposed to go into the merchant's account online. Authnet does not even have this info as they don't make deposits into your account. The merchant provider the individual business uses makes the deposit.

When I set up my online merchant account, anytime I wanted to make a change to where my funds were deposited to, I had to send them a voided check and a written authorization to make any kind of change to where funds were deposited. You can't do that kind of thing online.

To say the person who did this thing was just trying to divert money is absolutely foolish. Anyone who has ANYTHING to do with merchant accounts should know that's not possible.
Posted by Randy Calvert (1 comment )
there is the 3 digit # on the back of your card
n/m
Posted by baswwe (299 comments )
too easy
It's too easy to create a password cracking program to figure out a 4 digit pin number. A better choice might be to use a complex password for Internet transactions that include all printable characters on the keyboard. Unless they get into the database. Then we're all screwed!
Posted by Michael00360 (58 comments )
A Bunch of ScriptBabies bought a card list from the Russians.
Then the scriptbabies screw up by charging too much.

Stupid scriptbabies. Making things hard for an honest Russian to make some money.
Posted by kamwmail-cnet1 (292 comments )
Misleading
The notion that the thieves could redirect money from the merchant account is 100% false. It doesn't work that way. Do you guys do any research at all before publishing a story?
Posted by snacktime (1 comment )
Not misleading
>The notion that the thieves could redirect money
>from the merchant account is 100% false. It
>doesn't work that way. Do you guys do any research
>at all before publishing a story?

The article does not mention anything about fraudsters redirecting money from merchant accounts to themselves.

It simply mentions transactions apparently emanating from at least 3 merchants to a large number of cardholders.
Posted by jfmezei (24 comments )
My card got hit, dammit
There's quite a bit of discussion about what these folks were doing, but what I want to know is how I got hit.

I don't click on links in emails
I delete all html emails or emails with pics and attachments and do not read them
Live behind a router firewall
Run ZoneAlarm, Norton, and Microsoft Anti Spyware
Don't give out my card information on the phone.
Pretty much try to live a nice, paranoid, secure web existence, though I do use my card online...
I'm thinking that I have a keylogger or other spyware that's infected my network that none of the software I mentioned can detect...

Thoughts?
Posted by murphilator (2 comments )
locking the door with the window open?
But what about when you handed your card to the nice waiter? Or tossed the mail directly into the recycling bin?
Posted by jtroth (3 comments )
Possible
Though I think that what may have actually happened is that a user picked up a nasty bit of spyware that's migrated through the store's network. Funny thing is, I know we got hit, and found a virus, but it disappeared before I could remove it manually. Norton actually couldn't do anything with it...
Posted by murphilator (2 comments )
Totally Misleading and Incorrect
The above report contains too much information that is not credible. ONE when credit cards are processed, they will take ANY ADDRESS, it does not have to be correct. This is known as AVS and it ONLY uses numbers, the street number and the zipcode. The returned results are meaningless except to a merchant to ship products.
TWO The expiration dates also do not matter for most cases as long as they are in the future and the card has not been canceled.
THREE even if the processor used the CVV2 code or Security code on the card ---- Most of the time, the processor does not process that code, so again, the information is not useful.
FOUR Hackers usually would not CHARGE a card for that amount of money, unless they are really stupid. They would perform an Authorization ONLY transaction, which tests if the card is valid.
FIVE If the hackers had access to the merchant accounts, THEN they would not bother with charges to any stolen or created card numbers, They would create REFUNDS to their OWN cards, usually DEBIT cards or CHECK cards.
It is the REFUNDS that are important, not the charges!
Think about it. Why in H would someone try to charge a card, when they live outside this country?
The Russian Hacker case 1999-2002 ERA, used the Merchant Accounts to REFUND money back to their own cards, not charge stolen or other cards.
I know, I helped the FBI track them down.
So, something is rotten in the above story. Either the information is totally fabricated or someone is trying to cover up the actual events.
If the report is just reporting the charges of the cards, then they MISSED the transactions which were refunds. As the charges were designed to create a smoke screen for the obvious rip-off.
So, I would check ALL the transactions and watch out for the refunded cards too, as some cards may be refunded just to cloud the issue.
Imagine that nice little old lady that just got $25,000 into her bank account just so that the data would confuse the investigators. There are far too few people that understand credit card processing and far too many holes to close.
Posted by rem1010 (6 comments )
Story stands up
>ONE when credit cards are processed, they will
>take ANY ADDRESS

This would depend on the card issuing bank's own systems. Some would verify full address with a percentage/phonetic match system. Remember that credit cards are a worldwide "system" with different issuing bank processing rules in different countries.

Expiration date matters significantly. It is part of the credit card number checksum calculation. The year matters less as long as it matches the even/oddness of the year on the real card.


In terms of the goal of these transactions, there could be many. It could simply be hackers wishing to prove that authorize.net has been compromised and possibly run them out of business.

You need to reread the second paragraph of the article.

[merchant]---[web hosting]---[authorize.net]---[visa/mastercard]---[merchant's bank]---[merchant]

The article mentions the web hosting company noticing the suspicious transactions. But it also mentions an apparently honest merchant saying that the crooks used their account to charge money to a lot of cards.

So there are 2 crimes here:
1-stealing cardholder information and using this to run fraudulent transactions

2-stealing merchant account information so that the criminals could run those transactions through.

For (2), logs of authorize.net *should* show what IPs were used to generate those transactions.


Why do this? On the surface, it appears stupid, but it may in fact be VERY smart.

Say you have 2 merchants who collude with you. You zap transactions on 998 merchants with $700 transactions. And you put transactions worth 1398.76 and $678.27 on those 2 merchants with whom you are working. Those transactions won't appear to be lumped into the larger hacking attempts, and those colluding merchants will get their money and split it with the fraudsters.

In other words, by hacking a large number of merchants, you can easily slip "real" transactions under the carpet and avoid detection.

However, if the criminals were able to obtain merchant account information to be able to submit transactions to authorize.net, it means that authorize.net has a security flaw in their system.


Another possibility: disgruntled ex employee of authorize.net who had warned them of security weaknesses. He gets revenge by doing this act which will destroy authorize.net's reputation since from that article, it is clear that merchant account information, something which authorize.net should hold confidential between merchant and itself, has been compromised.

Where they got the credit card numbers/info is another issue, but it may not necessarily be from authorize.net.
Posted by jfmezei (24 comments )
Oh well!
Oh well, pay peanuts!, get cheap crap security, it is as simple as that!

However, what most people tend to overlook, is that as a shareholder, if you read, digest and analyse their bottom line figures of the annual reports from all Banks, the real losses that occur in system, are not from frauds, for they are small bananas, but from very bad indiscriminate lending to every tom, dick or harriet that walks through the door! Even the annual FTC report shows that to be so as well! (look at the big Four Bank's annual declared profits and tax paid figures and compare that to FTC losses from fraud within the industry!!)

So it is the old story, to generate the ever increasing profit from a shrinking market, fees and charges increase annually, on an exponential basis to cover all losses, with too many cuts and too many corners taken, and unfortunately, end user merchant and customer security is always the last man, on the list of things to do, due to the high costs of a simple but adequate means to do so! So maybe the next generation multi core 128 bit CPUs may be an answer, and then again may be not!

Question, which is valued the highest "Profits" or "Customer Data Security"?

Ah, the age of "Customer Last", has arrived with a vengeance!, for it is always the paying customer who is covering both the hidden cost of poor lending, but all frauds as well, and then paying for up to 80% of the declared profits! Also the Banks have a very large figure, to purposely reduce their tax rate, so it is essentially not in their interest, not to attack losses on frauds, just minimise it on the periphery, for the paying customer is totally covering it, in the additional fees and charges!

So not only is the Bank's paying customer covering all the losses, the general public's government tax rate is increased to compensate for the much reduced taxes received from the Banking Industry! On the retail front at the store we are also billed! A truly vicious circle on the treadmill!

Do they care about their customers, highly unlikely, for they are the sacrificial lambs, scapegoats and sheep to be fleeced, to cover any fraud permeated!, on all fronts!

That's about a half a cents worth, on this diatribe!

Choices, are very cruel in real life!
Posted by heystoopid (691 comments )
Is it even possible to have some kind of advantage over these crooks?
Posted by joelboldman (3 comments )
 
