You might call it the least creative way to steal credit card numbers — but it works, and it’s costing merchants thousands of dollars. In the past several weeks, computer criminals have taken to running thousands of nickel and dime charges through merchant accounts, picking credit card numbers at random. Most are declined. But the few that are authorized mean the criminal has struck gold. Meanwhile, merchants are footing a big bill, paying up to 35 cents for each attempt. One told MSNBC.com that 13,000 attempts were made in a single weekend, adding up to a hefty $4,550 bill.
IT’S “BRUTE FORCE” credit card thievery. Remember “war-dialing” from the movie “War Games?” In that film, a hacker dials sequentially through phone numbers, looking for a computer modem to connect to. It would be too tedious for a human, but computers are great at that kind of work.
The same principle applies to this latest credit card stealing scam, which perhaps will come to be called “war-carding.”
“A hacker can just keep running credit card numbers until it comes back approved. Ninety-five percent, even more, come back declined,” said Scott Zielinski, a Web site consultant for Sebenza Studios. Several of his customers have been victimized, he said.
Behind each scam is a criminal’s ability to pose as a merchant requesting authorization for a credit card purchase from Authorize.Net, the Internet’s largest payment gateway system. Tom Arnold, chief software architect at Authorize.Net, confirmed that criminals have been attacking the system, and that his company has been working with law enforcement to track them down.
“We here at Authorize.Net ... are well aware of the specifics of the issues striking several of the merchants. In chat rooms, hackers are talking about it, and we are monitoring that,” he said.
Merchant Brian Harlin said the suspicious activity at his store began in February.
“Hackers got into the Authorize.Net system and began charging random card numbers 1 cent to see if the card numbers were valid numbers,” he said. “Over the course of one weekend, the hackers tested over 13,000 card numbers on my account alone. I was charged for each transaction by Authorize.Net and the card processing company for close to $7,000 which they conveniently withdrew from my account at the end of the month.” Some of the money has been refunded, but $4,800 is still missing, Harlin said.
The pattern hasn’t always been exactly the same, suggesting more than one group of credit card thieves is at work. James Moore said his merchant customers started having problems three weeks ago.
“My client got 7,000 transactions sent through his Authorize.Net account for odd amounts of money, i.e. $.02, $1.50, .37,” Moore said. “This is not the first time this has happened to users. Anyway my client received a bill from his bank for $4,500, $0.35 for every transaction.”
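The traffic the merchants describe (a burst of tiny authorization attempts, nearly all declined, each on a different card number) can be flagged from a merchant's own transaction log. The sketch below is an added example, not code from Authorize.Net or from the article; the window, thresholds, merchant IDs and card tokens are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FEE_PER_ATTEMPT = 0.35            # per-attempt fee quoted in the article
WINDOW = timedelta(minutes=10)    # assumed look-back window
MIN_ATTEMPTS = 20                 # assumed minimum burst size
MAX_AMOUNT = 2.00                 # assumed ceiling for "nickel and dime" charges
MIN_DECLINE_RATIO = 0.90          # assumed; the article cites 95% or more declined

def detect_card_testing(events):
    """events: time-ordered (ts, merchant_id, card_token, amount, approved).
    Returns {merchant_id: alert} for the first window that trips per merchant."""
    windows, alerts = defaultdict(deque), {}
    for ts, merchant, card, amount, approved in events:
        if amount > MAX_AMOUNT:
            continue                      # only small-value probes are of interest
        win = windows[merchant]
        win.append((ts, card, approved))
        while ts - win[0][0] > WINDOW:    # expire attempts outside the window
            win.popleft()
        if merchant in alerts or len(win) < MIN_ATTEMPTS:
            continue
        declines = sum(1 for _, _, ok in win if not ok)
        distinct_cards = len({c for _, c, _ in win})
        # Card testing: mostly declines, and almost every attempt is a new card.
        if declines / len(win) >= MIN_DECLINE_RATIO and distinct_cards >= 0.9 * len(win):
            alerts[merchant] = {
                "first_seen": win[0][0],
                "attempts": len(win),
                "declines": declines,
                "fee_exposure": round(len(win) * FEE_PER_ATTEMPT, 2),
            }
    return alerts

def sample_events():
    """Constructed data: one probed merchant ID, one merchant with normal small sales."""
    t0 = datetime(2024, 1, 6, 12, 0, 0)
    amounts = [0.01, 0.02, 0.37, 1.50]
    probe = [(t0 + timedelta(seconds=5 * i), "M-TEST", f"tok-{i:04d}",
              amounts[i % 4], i % 20 == 19) for i in range(40)]
    shop = [(t0 + timedelta(seconds=20 * i), "M-SHOP", f"shop-{i:04d}",
             1.00, True) for i in range(25)]
    return sorted(probe + shop, key=lambda e: e[0])

if __name__ == "__main__":
    for merchant, alert in detect_card_testing(sample_events()).items():
        print(merchant, alert)
```

The small-amount filter alone is not enough, which is why the constructed M-SHOP traffic (small but approved sales) does not alert; it is the combination with the decline ratio and card diversity that separates probing from ordinary low-value sales.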
Some merchants have complained that Authorize.Net is to blame, because only a login name — and not a password — is required on many systems to “run” a credit card check. Once criminals get a merchant ID, they can test as many card numbers as they want.
Arnold confirmed that some systems are configured that way, and said the company is moving quickly to cancel victimized merchant IDs. Part of the problem, he said, was a reseller that was issuing easy-to-guess ID accounts. But he also blamed the configuration issues on Web host providers, who often don’t make it easy to password-protect merchant accounts.
“I personally think that such an option should not be allowed at all and believe that it is clearly the fault of Authorize.Net if their customers may let their accounts be unprotected,” said Ivo Truxa, security specialist for Web design firm Truxoft.com. “It is as if a bank offered you to rent a safety box, gave you the choice to take one without doors.”
Web developer Jim Rogers, whose client received a $4,500 bill for fake charges recently, said he was frustrated that Authorize.Net knew the scam was a possibility, but didn’t warn him.
“I am really fed up with that company at this point,” he said. “My biggest problem was it was never disclosed. They never mentioned you may want to set it up this way, or do this to protect yourself.”
Arnold said his firm is evaluating victims on a case-by-case basis, and would consider refunding the Authorize.Net portion of transaction fees connected to the scam.
According to a recent company press release, 120,000 merchants use Authorize.Net, performing 8 million transactions valued at $600 million during a recent three-month period. Authorize.Net is operated by InfoSpace Inc.
This isn’t the first time Authorize.Net has fallen prey to criminals. Two months ago, MSNBC.com revealed that criminals were using Authorize.Net merchant accounts to issue refunds to their own credit cards — without corresponding charges. Authorize.Net said at the time the practice wasn’t widespread, but later indicated in an e-mail to its merchants that its refund system would be shut down for two days to perform maintenance.