IT’S “BRUTE FORCE” credit
card thievery. Remember “war-dialing” from the movie “War Games?” In that
film, a hacker dials sequentially through phone numbers, looking for a
computer modem to connect to. It would be too tedious for a human, but
computers are great at that kind of work.
The same principle applies to this latest credit card stealing scam,
which perhaps will come to be called “war-carding.”
“A hacker can just keep running credit card numbers until it
comes back approved. Ninety-five percent, even more, come back declined,”
said Scott Zielinski, a Web site consultant for Sebenza Studios. Several
of his customers have been victimized, he said.
Behind each scam is a criminal’s ability to pose as a merchant
requesting authorization for a credit card purchase from Authorize.Net,
the Internet’s largest payment gateway system. Tom Arnold, chief software
architect at Authorize.Net, confirmed that criminals have been attacking
the system, and that his company has been working with law enforcement to
track them down.
“We here at Authorize.Net ... are well aware of the specifics of the
issues striking several of the merchants. In chat rooms, hackers are
talking about it, and we are monitoring that,” he said.
Merchant Brian Harlin said the suspicious activity at his
store began in February. “Hackers got into
the Authorize.Net system and began charging random card numbers 1 cent to
see if the card numbers were valid numbers,” he said. “Over the course of
one weekend, the hackers tested over 13,000 card numbers on my account
alone. I was charged for each transaction by Authorize.net and the card
processing company for close to $7,000 which they conveniently withdrew
from my account at the end of the month.” Some of the money has been
refunded, but $4,800 is still missing, Harlin
said.
The pattern
hasn’t always been exactly the same, suggesting more than one group of
credit card thieves is at work. James Moore said his merchant customers
started having problems three weeks ago. “My
client got 7,000 transactions sent through his Authorize.Net account for
odd amounts of money, i.e. $.02, $1.50, .37,” Moore said. “This is not the
first time this has happened to users. Anyway my client received a bill
from his bank for $4,500, $0.35 for every transaction.”
Some merchants have complained that Authorize.Net is to
blame, because only a login name — and not a password — is required on
many systems to “run” a credit card check. Once criminals get a merchant
ID, they can test as many card numbers as they want.
Arnold confirmed that some systems are configured that way,
and said the company is moving quickly to cancel victimized merchant IDs.
Part of the problem, he said, was a reseller that was issuing
easy-to-guess ID accounts. But he also blamed the configuration issues on
Web host providers, who often don’t make it easy to password-protect
merchant accounts. “I personally think that
such an option should not be allowed at all and believe that it is clearly
the fault of Authorize.Net if their customers may let their accounts be
unprotected,” said Ivo Truxa, security specialist for Web design firm
Truxoft.com. “It is as if a bank offered you to rent a safety box, gave
you the choice to take one without doors.”
Web developer Jim Rogers, whose client received a $4,500 bill for
fake charges recently, said he was frustrated that Authorize.Net knew the
scam was a possibility, but didn’t warn him.
“I am really fed up with that company at this point,” he said. “My
biggest problem was it was never disclosed. They never mentioned you may
want to set it up this way, or do this to protect yourself.”
Arnold said his firm is evaluating victims on a
case by case basis, and would consider refunding the Authorize.Net portion
of transaction fees connected to the scam.
According to a recent company press release, 120,000 merchants use
Authorize.Net, performing 8 million transactions valued at $600 million
during a recent three-month period. Authorize.Net is operated by InfoSpace
Inc. This isn’t the first time
Authorize.Net has fallen prey to criminals. Two months ago, MSNBC.com
revealed that criminals were using Authorize.Net merchant accounts to
issue refunds to their own credit cards — without corresponding charges.
Authorize.Net said at the time the practice wasn’t widespread, but later
indicated in an e-mail to its merchants that its refund system would be
shut down for two days to perform maintenance.
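
The pattern the merchants describe (a burst of small authorizations against one merchant ID, a different card each time, nearly all declined) is what a velocity check on the gateway or merchant side looks for. The Python below is an added example, not Authorize.Net's or any merchant's code; the thresholds, field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed thresholds for illustration; tune against your own traffic.
WINDOW = timedelta(hours=1)
MIN_ATTEMPTS = 20          # ignore merchants with little traffic in the window
MIN_DECLINE_RATIO = 0.90   # the article quotes about 95% declines during testing
MAX_MEDIAN_AMOUNT = 2.00   # probes ranged from 1 cent to a couple of dollars

def flag_card_testing(transactions):
    """Return {merchant_id: stats} for merchants with a card-testing-like burst."""
    by_merchant = defaultdict(list)
    for txn in transactions:
        by_merchant[txn["merchant_id"]].append(txn)
    flagged = {}
    for merchant, txns in by_merchant.items():
        txns.sort(key=lambda t: t["time"])
        start = 0
        for end, txn in enumerate(txns):
            while txn["time"] - txns[start]["time"] > WINDOW:
                start += 1  # slide the window forward
            window = txns[start:end + 1]
            if len(window) < MIN_ATTEMPTS:
                continue
            ratio = sum(not t["approved"] for t in window) / len(window)
            distinct = len({t["card_token"] for t in window})
            if (ratio >= MIN_DECLINE_RATIO
                    and median(t["amount"] for t in window) <= MAX_MEDIAN_AMOUNT
                    and distinct >= 0.9 * len(window)):  # many different cards
                flagged[merchant] = {"attempts": len(window),
                                     "decline_ratio": ratio,
                                     "window_start": window[0]["time"]}
                break
    return flagged

def sample_transactions():
    """Constructed sample data: one probed merchant ID, one normal merchant."""
    t0 = datetime(2024, 1, 6, 9, 0)  # arbitrary constructed timestamp
    rows = []
    for i in range(40):   # tiny charges, a new card token each time, 95% declined
        rows.append({"merchant_id": "M-PROBED", "time": t0 + timedelta(seconds=30 * i),
                     "amount": 0.01, "card_token": f"tok-a{i}", "approved": i % 20 == 0})
    for i in range(25):   # ordinary sales, mostly approved
        rows.append({"merchant_id": "M-NORMAL", "time": t0 + timedelta(minutes=2 * i),
                     "amount": 20.0 + i, "card_token": f"tok-b{i}", "approved": i % 10 != 0})
    return rows

if __name__ == "__main__":
    for merchant, stats in flag_card_testing(sample_transactions()).items():
        print(merchant, stats)
```

The records carry an opaque card token rather than a card number, so the check can run over logs that never store account data.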