Credit card scam exposes hole in e-commerce security
Tuesday, September 17th 2002, 12:00 am
By: News On 6
SAN FRANCISCO (AP) - A mysterious credit card scam involving more than 100,000 bogus Internet transactions has delivered another alarming reminder about online commerce's security weaknesses.
Although no money was actually transferred in the scheme, more than 60,000 of the illicit transactions received authorization codes during a con job exposed late last week.
The authorization codes verified the validity of those account numbers, opening the door for more widespread theft had the ruse not been detected.
All the affected account numbers have been deactivated and investigations have been opened by federal authorities, said John Rante, president of Online Data Corp., a Chicago-based credit card processor that authorized the bogus transactions.
"People have nothing to be concerned about," Rante said. "We are cooperating with the authorities and we will catch the people behind this."
It's unclear how many account numbers and merchant accounts were targeted in the ruse.
Spitfire Ventures, a startup whose novelty items include a talking toilet paper holder, received 140,000 credit card submissions in 90 minutes on Sept. 12 and 62,477 were authorized at $5.07 each, said Paul Hynek, the company's chief executive.
Los Angeles-based Spitfire discovered the fraud after getting swamped with calls from worried credit card holders swept up in the scam.
"The scary part is that more than 60,000 people had their credit card accounts violated and a lot of them don't even know about it," Hynek said.
Online Data pegged the number of bogus transactions at 104,000. All the transactions involved just a few cents or dollars.
Spitfire's Web site usually processes five to 30 daily transactions, but the Sept. 12 surge in activity didn't immediately trigger security concerns.
Mountain View-based Verisign, the online security firm that handled the transactions, said fewer than 20 merchants received bogus credit card purchase requests. But Hynek said he was told by Online Data that 25 merchants got hit.
Last week's wave of bogus credit card transactions could be a sign of an even bigger problem if the crooks got the numbers by hacking into the customer database of a major Internet merchant.
"The bigger story is where the thieves got this information," said Dan Clements, who follows credit card fraud for Cardcops.com. "It's possible that the thieves found a hole in a database that still needs to be plugged. They could still be mining for credit card numbers."
The scheme's method indicates the culprits relied on a computer program to spit out randomly generated account numbers in search of authorization codes to verify their existence, Rante said. "I'm pretty confident that this didn't originate with a block of stolen credit cards."
The scam's successful retrieval of so many authorization codes exposed cracks in the online credit card processing system.
The credit card processors say the breach probably wouldn't have happened if the perpetrators hadn't been able to crack the affected merchants' passwords.
"This underscores the importance of using strong passwords," said Verisign spokesman Tom Galvin.