Information Security News mailing list archives

Massive credit card heist suspected


From: InfoSec News <isn () c4i org>
Date: Mon, 16 Sep 2002 05:11:25 -0500 (CDT)

Forwarded from: "eric wolbrom, CISSP" <eric () shtech net>

http://www.msnbc.com/modules/exports/ct_email.asp?/news/807675.asp


By Bob Sullivan MSNBC
Sept. 13, 2002

A Los Angeles-based Internet company said that 140,000 fake credit
card charges, worth $5.07 each, were processed through its transaction
system Thursday, in a computer scam that may have affected as many as
25 companies. The apparent fraud suggests that a computer criminal may
have obtained a sizable list of stolen credit card numbers and was
testing them for validity, credit card fraud expert Dan Clements said.
         
Paul Hynek, CEO of Web site operator Spitfire Novelties, said its
credit card transaction processor, Online Data Corp, approved some
62,000 of the apparently false charges, valued at over $300,000.
        
Hynek said Online Data representatives revealed to him Friday morning
that about 25 of the payment processor's other e-commerce customers had
suffered similar problems Thursday.
       
But Online Data president John Rante said late Friday that he was not
sure that any other e-commerce sites were hacked.
        
The false charges started showing up at Spitfire's TalkingTP.com Web
site at 1 p.m. PT Thursday, Hynek said, but the company didn't realize
what was happening until early evening. By Friday morning, credit card
holders who had noticed fraudulent charges on their accounts were
peppering Spitfire with questions.
        
"The phone was ringing every 20 or 30 seconds ... with people asking
'who the hell are you,'" said Russ Colby, Spitfire's president. Spitfire,
a small e-commerce company that generates five to 30 transactions a
day, suddenly was deluged with credit card authorizations.
        
"There wasn't a system in place to say, 'you've generated 140,000 charges,
that's more than your normal volume,'" Hynek said.
        
Online Data is a reseller of Verisign Inc. credit card payment gateway
services, according to Verisign spokesperson Janine Dunne, who
declined to say how many merchants were impacted by the apparent
fraud, but did indicate Spitfire wasn't the only company hit.
        
While Verisign actually performed the authorizations, Dunne blamed the
reseller, Online Data, for the incident. She said the company issued
poor passwords to its customers.
        
"We encourage resellers to assign strong passwords. The issue here
appears to be the nature of passwords assigned to merchants," she said.
        
But Rante said the merchant was to blame for not changing its password
often enough.
        
"All of us need to change our passwords," Rante said. "We issue a starter
password just like most companies do. We strongly urge the merchant to
go in and change their password. This merchant failed to change their
password and they were hacked."
        
Hynek told MSNBC.com the merchant password issued to him by Online
Data was "OnlneAp16501." He said he thought the alphabetic part of that
password stands for "Online app," which might be easy for a hacker to
guess.
        
Darrell Bethune was one of many victims who noticed the $5.07 charge
Friday while checking his credit card statement online.
          
"I live in Canada and haven't been to Los Angeles in years," he said.
        
While some $300,000 in charges were approved by Verisign's systems, the
firm actually halted the transactions before they were settled,
meaning the $316,000 was never actually credited to Spitfire's merchant
account. In fact, the criminals were probably only testing the cards
to see if they were valid.
        
Running cards through the authorization process is worthwhile to
criminals, because they now have some 60,000 valid cards to sell on
the black market, according to Clements, a credit card fraud expert
who operates CardCops.com.
        
About 80,000 of the cards run through Spitfire's systems were
declined, Hynek said, meaning more than half the stolen cards were
outdated or had already been canceled.
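Hynek's point that nothing flagged 140,000 charges against a normal day of five to 30, together with the decline rate above (more than half of the tested cards refused), describes the signals a gateway or merchant could have watched for. The following is an added example, not code from the article or from any company named in it: a Python check over a constructed authorization log that flags a merchant-hour when volume is far above that merchant's baseline, one identical amount dominates, and a large share of the charges decline. Merchant names, thresholds and sample records are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def card_testing_alerts(auths, baseline_per_hour, volume_factor=20,
                        min_same_amount_share=0.8, min_decline_rate=0.3):
    """Flag merchants whose hourly authorization stream looks like card testing.

    auths: iterable of (timestamp, merchant_id, amount_cents, approved).
    baseline_per_hour: merchant_id -> normal authorizations per hour.
    A merchant/hour is flagged when all three hold:
      * volume exceeds volume_factor x the merchant's own baseline,
      * a single identical amount dominates the charges,
      * at least min_decline_rate of them were declined (stale or cancelled cards).
    Returns a list of (merchant_id, dominant_amount_cents, count, declined).
    """
    buckets = defaultdict(list)
    for ts, mid, amount, approved in auths:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(mid, hour)].append((amount, approved))
    alerts = []
    for (mid, hour), rows in sorted(buckets.items()):
        base = baseline_per_hour.get(mid, 1.0)
        if len(rows) <= volume_factor * base:
            continue  # busy, but within this merchant's own norm
        top_amount, top_n = Counter(a for a, _ in rows).most_common(1)[0]
        declined = sum(1 for _, ok in rows if not ok)
        if (top_n / len(rows) >= min_same_amount_share
                and declined / len(rows) >= min_decline_rate):
            alerts.append((mid, top_amount, len(rows), declined))
    return alerts

def constructed_sample():
    """Constructed authorization log; the values are invented, not the article's data."""
    t0 = datetime(2002, 9, 12, 13, 0)
    baseline = {"novelty-shop": 1.0, "busy-store": 50.0}
    # a few genuine orders from a small shop that normally does a handful a day
    auths = [(t0 + timedelta(minutes=17 * i), "novelty-shop", 1999 + 100 * i, True)
             for i in range(3)]
    # then 500 identical $5.07 authorizations in 25 minutes, about 57% declined
    auths += [(t0 + timedelta(seconds=3 * i), "novelty-shop", 507, i % 7 >= 4)
              for i in range(500)]
    # a larger merchant with 30 same-priced, all-approved sales: not card testing
    auths += [(t0 + timedelta(minutes=i), "busy-store", 507, True) for i in range(30)]
    return auths, baseline

if __name__ == "__main__":
    auths, baseline = constructed_sample()
    for mid, amount, count, declined in card_testing_alerts(auths, baseline):
        print(f"{mid}: {count} auths in one hour, {declined} declined, "
              f"${amount / 100:.2f} repeated")
```

The per-merchant baseline is what makes the rule usable: a large store legitimately running hundreds of same-priced sales an hour is not flagged, while a shop that normally sees a few orders a day is.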
        
This is not the first time credit card thieves have used hacked online
merchant accounts to test cards. In April, MSNBC.com reported that
thieves were using brute force methods to test thousands of card
numbers through hacked Authorize.net merchant accounts, posting tiny 5-
and 10-cent charges. In one such incident, 13,000 pre-authorization
attempts were made in a single weekend.

        
It's not clear how many apparently stolen cards were run through the 25
other Online Data merchants that Hynek said were also compromised.
        
Also unclear is what happens next. Apparently, word of the 62,000
valid stolen cards hadn't filtered down to credit card issuers yet.
When Bethune spotted the false charge, he called his credit card bank,
Wells Fargo, and asked to have his card canceled. The bank hadn't yet
heard about the alleged heist.

"It's not clear what responsibility Verisign has right now," said
Clements. "The credit card companies would sure be interested in that
list ... these are cards that are clearly targeted for fraud."

Dunne said Verisign had alerted credit card companies about the
compromised cards, but declined to provide further details.

 
_______________________________________________________________________
eric wolbrom, CISSP                     Safe Harbor Technologies
President & CIO                         190 Goldens Bridge Ct.
Voice 914.767.9090 ext. 6000            Katonah, NY 10536
Fax   914.767.3911                              http://www.shtech.net
_______________________________________________________________________




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

