A Los Angeles-based Internet company said that 140,000 fake credit card charges, worth $5.07 each, were processed through its transaction system Thursday, in a computer scam that may have affected as many as 25 companies. The apparent fraud suggests that a computer criminal may have obtained a sizable list of stolen credit card numbers and was testing them for validity, credit card fraud expert Dan Clements said.
Paul Hynek, CEO of Web site operator Spitfire Novelties, said its credit card transaction processor, Online Data Corp, approved some 62,000 of the apparently false charges, valued at over $300,000.
Hynek said Online Data representatives revealed to him Friday morning that about 25 of the payment processor’s other e-commerce customers had suffered similar problems Thursday.
But Online Data president John Rante said late Friday that he was “not sure” that any other e-commerce sites were hacked.
The false charges started showing up at Spitfire’s TalkingTP.com Web site at 1 p.m. PT Thursday, Hynek said, but the company didn’t realize what was happening until early evening. By Friday morning, credit card holders who had noticed fraudulent charges on their accounts were peppering Spitfire with questions.
“The phone was ringing every 20 or 30 seconds ... with people asking ‘who the hell are you,’” said Russ Colby, Spitfire’s president. Spitfire, a small e-commerce company that generates five to 30 transactions a day, suddenly was deluged with credit card authorizations.
“There wasn’t a system in place to say, ‘you’ve generated 140,000 charges, that’s more than your normal volume,’” Hynek said.
Online Data is a reseller of Verisign Inc. credit card payment gateway services, according to Verisign spokesperson Janine Dunne, who declined to say how many merchants were impacted by the apparent fraud, but did indicate Spitfire wasn’t the only company hit.
While Verisign actually performed the authorizations, Dunne blamed the reseller, Online Data, for the incident. She said the company issued poor passwords to its customers.
“We encourage resellers to assign strong passwords. The issue here appears to be the nature of passwords assigned to merchants,” she said.
But Rante said the merchant was to blame for not changing its password often enough.
“All of us need to change our passwords,” Rante said. “We issue a starter password just like most companies do. We strongly urge the merchant to go in and change their password. This merchant failed to change their password and they were hacked.”
Hynek told MSNBC.com the merchant password issued to him by Online Data was “OnlneAp16501.” He said he thought the alphabetic part of that password stands for “Online app,” which might be easy for a hacker to guess.
Darrell Bethune was one of many victims who noticed the $5.07 charge Friday while checking his credit card statement online.
“I live in Canada and haven’t been to Los Angeles in years,” he said.
While some $300,000 in charges were approved by Verisign’s systems, the firm actually halted the transactions before they were “settled,” meaning the $316,000 was never actually credited to Spitfire’s merchant account. In fact, the criminals were probably only testing the cards to see if they were valid.
Running cards through the authorization process is worthwhile to criminals, because they now have some 60,000 valid cards to sell on the black market, according to Clements, a credit card fraud expert who operates CardCops.com.
About 80,000 of the cards run through Spitfire’s systems were declined, Hynek said, meaning more than half the stolen cards were outdated or had already been canceled.
This is not the first time credit card thieves have used hacked online merchant accounts to test cards. In April, MSNBC.com reported that thieves were using “brute force” methods to test thousands of card numbers through hacked Authorize.net merchant accounts, posting tiny 5- and 10-cent charges. In one such incident, 13,000 pre-authorization attempts were made in a single weekend.
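The volume check Hynek says was missing (“you’ve generated 140,000 charges, that’s more than your normal volume”) and the card-testing pattern described in the paragraph above (thousands of tiny, fixed-amount authorizations, more than half of them declined) can be expressed as one detection rule run by the payment gateway or the merchant. The following is an added example written for this page, not code from Online Data, Verisign, Spitfire or any other company named here. It assumes a hypothetical log line format (`timestamp merchant=... amount=... result=...`) and uses constructed sample data: three quiet days of varied purchases, then one hour with 1,400 authorizations of exactly $5.07. An hour whose count exceeds a multiple of the merchant’s median daily volume is flagged, and the alert records whether the charges share a single amount and what fraction was declined.

```python
"""Added example: velocity and card-testing check over merchant authorization logs.

The log format, merchant name and all sample lines are constructed for this
example; they are not data from any company mentioned in the article.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime
import statistics


def build_sample_log() -> list[str]:
    """Constructed authorization log: three quiet days, then a one-hour burst."""
    lines = []
    # Normal traffic: 15, 20 and 25 varied-amount authorizations on days 1-3,
    # spread across business hours, with roughly one decline in ten.
    for day, n in ((1, 15), (2, 20), (3, 25)):
        for i in range(n):
            amount = round(4.0 + (i * 3.7) % 60, 2)
            result = "DECLINED" if i % 10 == 9 else "APPROVED"
            lines.append(
                f"2002-03-{day:02d}T{8 + i % 12:02d}:{(i * 7) % 60:02d}:00 "
                f"merchant=spitfire amount={amount:.2f} result={result}"
            )
    # Card-testing burst on day 4: 1,400 authorizations of a fixed $5.07 inside
    # one hour, four of every seven declined (dead or cancelled cards).
    for i in range(1400):
        result = "DECLINED" if i % 7 < 4 else "APPROVED"
        lines.append(
            f"2002-03-04T13:{i % 60:02d}:{(i // 60) % 60:02d} "
            f"merchant=spitfire amount=5.07 result={result}"
        )
    return lines


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line (hypothetical format) into a record."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["amount"] = float(rec["amount"])
    return rec


def detect_card_testing(lines: list[str], baseline_days: int = 3,
                        volume_multiplier: int = 5, uniform_ratio: float = 0.8,
                        decline_threshold: float = 0.3) -> list[dict]:
    """Flag any hour whose authorization count exceeds volume_multiplier times the
    merchant's median daily volume, and annotate the card-testing signals in it."""
    by_merchant: dict[str, list[dict]] = defaultdict(list)
    for rec in map(parse_line, lines):
        by_merchant[rec["merchant"]].append(rec)

    alerts = []
    for merchant, recs in by_merchant.items():
        # Baseline: median daily count over the merchant's earliest days in the
        # log. A production system would use a trailing window of history
        # rather than the batch being scored.
        per_day = Counter(r["ts"].date() for r in recs)
        first_days = sorted(per_day)[:baseline_days]
        baseline = statistics.median(per_day[d] for d in first_days)

        per_hour: dict[datetime, list[dict]] = defaultdict(list)
        for r in recs:
            per_hour[r["ts"].replace(minute=0, second=0)].append(r)

        for hour in sorted(per_hour):
            batch = per_hour[hour]
            if len(batch) <= volume_multiplier * baseline:
                continue  # within normal volume for this merchant
            reasons = ["volume"]
            # Card testing tends to use one tiny amount for every probe.
            amount, n_same = Counter(r["amount"] for r in batch).most_common(1)[0]
            uniform_amount = None
            if n_same / len(batch) >= uniform_ratio:
                reasons.append("uniform_amount")
                uniform_amount = amount
            # A stolen list contains many dead cards, so declines run high.
            declined = sum(r["result"] == "DECLINED" for r in batch)
            decline_rate = round(declined / len(batch), 2)
            if decline_rate >= decline_threshold:
                reasons.append("high_decline_rate")
            alerts.append({
                "merchant": merchant,
                "hour": hour.isoformat(),
                "count": len(batch),
                "baseline_daily": baseline,
                "uniform_amount": uniform_amount,
                "decline_rate": decline_rate,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(build_sample_log()):
        print(alert)
```

On the constructed log the three quiet days give a median of 20 authorizations per day, so the 1,400-transaction hour is flagged on all three signals: volume, a single shared amount of 5.07, and a 57% decline rate. Tuning the multiplier and thresholds against a merchant’s real history is what keeps a legitimate sale day from tripping the rule.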
It’s not clear how many apparently stolen cards were run through the 25 other Online Data merchants that Hynek said were also compromised.
Also unclear is what happens next. Apparently, word of the 62,000 valid stolen cards hadn’t filtered down to credit card issuers yet. When Bethune spotted the false charge, he called his credit card bank, Wells Fargo, and asked to have his card canceled. The bank hadn’t yet heard about the alleged heist.
“It’s not clear what responsibility Verisign has right now,” said Clements. “The credit card companies would sure be interested in that list ... these are cards that are clearly targeted for fraud.”
Dunne said Verisign had alerted credit card companies about the compromised cards, but declined to provide further details.