Search | View Active Threads | View New Posts
Current Time: 07:03 PM


+ Reply to Thread
Results 1 to 5 of 5
  1. #1
    Join Date
    Sep 2002

    Massive credit card heist suspected

    PAUL HYNEK, CEO of Web site operator Spitfire Novelties, said its credit card transaction processor, Online Data Corp, approved some 62,000 of the apparently false charges, valued at over $300,000.
    Hynek said Online Data representatives revealed to him Friday morning that about 25 of the payment processor’s other e-commerce customers had suffered similar problems Thursday.
    But Online Data president John Rante said late Friday that he was “not sure” that any other e-commerce sites were hacked.
    The false charges started showing up at Spitfire’s Web site at 1 p.m. PT Thursday, Hynek said, but the company didn’t realize what was happening until early evening. By Friday morning, credit card holders who had noticed fraudulent charges on their accounts were peppering Spitfire with questions.
    “The phone was ringing every 20 or 30 seconds ... with people asking ‘who the hell are you,’” said Russ Colby, Spitfire’s president. Spitfire, a small e-commerce company that generates five to 30 transactions a day, suddenly was deluged with credit card authorizations.
    “There wasn’t a system in place to say, ‘you’ve generated 140,000 charges, that’s more than your normal volume,’” Hynek said.
    Online Data is a reseller of Verisign Inc. credit card payment gateway services, according to Verisign spokesperson Janine Dunne, who declined to say how many merchants were impacted by the apparent fraud, but did indicate Spitfire wasn’t the only company hit.
    While Verisign actually performed the authorizations, Dunne blamed the reseller, Online Data, for the incident. She said the company issued poor passwords to its customers.

    “We encourage resellers to assign strong passwords. The issue here appears to be the nature of passwords assigned to merchants,” she said.
    But Rante said the merchant was to blame for not changing its password often enough.
    “All of us need to change our passwords,” Rante said. “We issue a starter password just like most companies do. We strongly urge the merchant to go in and change their password. This merchant failed to change their password and they were hacked.
    Hynek told the merchant password issued to him by Online Data was “OnlneAp16501.” He said he thought the alphabetic part of that password stands for “Online app,” which might be easy for a hacker to guess.
    Darrell Bethune was one of many victims who noticed the $5.07 charge Friday while checking his credit card statement online.

    “I live in Canada and haven’t been to Los Angeles in years,” he said.
    While some $300,000 in charges were approved by Verisign’s systems, the firm actually halted the transactions before they were “settled,” meaning the $316,000 was never actually credited to Spitfire’s merchant account. In fact, the criminals were probably only testing the cards to see if they were valid.
    Running cards through the authorization process is worthwhile to criminals, because they now have some 60,000 valid cards to sell on the black market, according to Clements, a credit card fraud expert who operates
    About 80,000 of the cards run throughout Spitfire’s systems were declined, Hynek said, meaning more than half the stolen cards were outdated or had already been canceled.
    This is not the first time credit card thieves have used hacked online merchant accounts to test cards. In April, reported that thieves were using “brute force” methods to test thousands of card numbers through hacked merchant accounts, posting tiny 5 and 10-cent charges. In one such incident, 13,000 pre-authorizations attempts were made in a single weekend.

    It’s not clear how many apparently stolen cards were run through the 25 other Online Data merchants that Hynek said were also compromised.
    Also unclear is what happens next. Apparently, word of the 62,000 valid stolen cards hadn’t filtered down to credit card issuers yet. When Bethune spotted the false charge, he called his credit card bank, Wells Fargo, and asked to have his card canceled. The bank hadn’t yet heard about the alleged heist.
    “It’s not clear what responsibility Verisign has right now,” said Clements. “The credit card companies would sure be interested in that list ... these are cards that are clearly targeted for fraud.”
    Dunne said Verisign had alerted credit card companies about the compromised cards, but declined to provide further details.

  2. #2
    Join Date
    Sep 2002
    MA, USA
    Does anyone know Online Data's website?

  3. #3
    Join Date
    Sep 2002

  4. #4
    Join Date
    Sep 2002
    MA, USA

  5. #5
    Join Date
    Sep 2002
    Say thanks to Google
    All I did was search for "Online Data Verisign"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts


Domain Escrow Services Domain Registrar, Marketplace and Revenue Optimizer

Industry Events

7-9 January 2018
Affiliate Summit West
Paris Hotel Las Vegas

28-31 January 2018
NamesCon Global 2018
Tropicana Hotel Las Vegas

12-12 October 2017
NamesCon China
Shanghai, China


How do you invest in domains?
to see the Poll results!
Domain Tools | Domain Directory | Registrar Stats | Domain Glossary | Industry Events | FAQ | Members | Terms | RSS | Link To Us | Advertise | Contact Us
Other Related Trellian Services:
Above Domain Parking Manager   |    Free Search Toolbar   |    Free Webpage Builder   |    Keyword Research   |    Search Engine Submission   |    SEO Tools
Copyright © 2002 a Trellian Company 2014 Bronze Sponsor - Internet Commerce Association