Net thieves find new way to nab cash
Merchant accounts switched to cash with stolen credit cards
By Bob Sullivan
Feb. 12 — Internet thieves have seized on a powerful new way to turn stolen credit card numbers into stolen cash, MSNBC.com has learned. Instead of stealing merchandise by charging it on a stolen credit card, the simple scam involves breaking into Internet merchant computers and virtually “returning” merchandise. Funds issued as credits to hacker-controlled debit cards can then be withdrawn at cash machines. MSNBC.com has learned criminals are stealing $1,000 at a time this way from unsuspecting merchants who use Authorize.Net credit card processing, the largest online payment processor. Authorize.net denies the practice is widespread, or even terribly effective.
Getting credit card numbers has never been hard for Internet criminals — chat rooms are full of thousands of such numbers, lifted from various unsecured Internet sites. But the numbers themselves have very little value. Using them to buy merchandise is risky, for example, as it involves a shipping address, which can be traced.
But MSNBC.com has learned that computer criminals armed with stolen card numbers and access to a Web merchant’s payment processing system — the virtual equivalent of the card-swipe terminals that sit at real-world cash registers — have found a new way to turn stolen numbers into cash.
In one example demonstrated to MSNBC.com, a criminal made off with more than $5,000 in minutes.
At the root of the scheme is a merchant’s ability to issue credits, which are effectively payments from merchant to consumer. In some cases, merchants can issue credits to account numbers that differ from the account that was originally charged — and that’s how the criminals move money from one stolen credit card to a second card, then liquidate the balance on that card.
It’s known as a credit-back scheme, and it once was a popular strategy for real-world criminals. In 1997, a tiny Toronto frame shop was bilked out of $248,000 this way, according to published reports. In that case, criminals broke into the store and manually refunded hundreds of legitimate store charges to their own debit cards during one frantic late night. They raced to refund nearly every charge the store had billed in recent months.
But criminals using a virtual merchant terminal operate with considerably less time restriction; that’s one reason the tactic is becoming popular, according to a 14-year-old New York City resident who demonstrated it for MSNBC.com. The source, who requested anonymity, spoke to MSNBC.com after he contacted CardCops.com to warn merchants about the fraud scheme. CardCops.com offers amnesty to anyone wishing to reveal details of ongoing Internet fraud.
“This is passing around a lot. I have friends who are doing it. They better close it out fast, or they’re going to lose a lot of money,” he said. “People doing $1,000, even $3,000 at a time. They don’t see there’s risks anymore.”
Another reason the scam is popular is that criminals have discovered several ways to access powerful merchant accounts that route charges through Authorize.net, the largest Internet payment processing company. According to a recent company press release, 120,000 merchants use Authorize.net, performing 8 million transactions valued at $600 million during a recent three-month period. Authorize.Net is operated by InfoSpace Inc.
Prakash Kondepudi, the executive vice president of Infospace, said his company routinely screens out refunds to credit card accounts without an associated charge. But in some cases, acquiring banks allow such refunds, and that may be why isolated thefts occur. Even then, Kondepudi said, the transactions are flagged and usually the acquiring bank “arrests” the transaction.
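The screening Kondepudi describes, holding refunds that have no associated charge, can be sketched as follows. This is an added example, not Authorize.Net's code; the ledger layout, card tokens and reason strings are assumptions constructed for illustration, and the check also holds credits larger than what the card was actually charged.

```python
from decimal import Decimal

# Constructed sample ledger (not real data): (txn_id, type, card_token, amount)
LEDGER = [
    ("t1", "charge", "card_A", "600.00"),
    ("t2", "charge", "card_B", "1500.00"),
    ("t3", "credit", "card_A", "200.00"),   # ordinary partial refund
    ("t4", "credit", "card_C", "1500.00"),  # credit to a card never charged
    ("t5", "credit", "card_A", "500.00"),   # more than remains refundable
    ("t6", "credit", "card_A", "400.00"),   # exactly the remaining balance
]


def screen_credits(ledger):
    """Return {txn_id: reason} for credits that should be held for review.

    A credit passes only if the same card token was charged earlier at this
    merchant and the credit does not exceed charges minus prior refunds.
    """
    refundable = {}  # card_token -> amount charged and not yet refunded
    held = {}
    for txn_id, kind, card, amount in ledger:
        amt = Decimal(amount)  # Decimal avoids float rounding on money
        if kind == "charge":
            refundable[card] = refundable.get(card, Decimal("0")) + amt
        elif kind == "credit":
            if card not in refundable:
                held[txn_id] = "no_prior_charge"
            elif amt > refundable[card]:
                held[txn_id] = "exceeds_charged_balance"
            else:
                refundable[card] -= amt  # accept and reduce what is left
        else:
            raise ValueError(f"unknown transaction type: {kind!r}")
    return held


if __name__ == "__main__":
    for txn_id, reason in screen_credits(LEDGER).items():
        print(f"HOLD {txn_id}: {reason}")
```

A held credit is not applied to the running balance, so a later legitimate refund on the same card is still measured against the true remaining amount.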
Still, sources MSNBC.com spoke with said theft attempts were successful.
Only a user name and password protect Authorize.net merchant accounts, and hackers have figured out that merchant user names are revealed in the source code of “checkout pages” when Web sites use Authorize.net to process payments.
Kondepudi admits that’s true, but only for a minority of merchants who use the least secure method for implementing Authorize.Net payment processing.
“We try to educate them on the risks ... but there are some, maybe hundreds or even thousands who may use (less-secure) methods,” he said. “We have a large number of resellers, they might not communicate this to the merchants.”
Armed with the login name, intruders merely have to guess at the correct password, which is trivial if the password is a word that’s in a dictionary.
“My friend made a cracker program that cracks Authorize passwords,” the 14-year-old source said.
In some cases, the password is the same as the login name, he said, and then demonstrated his ability to access a merchant account for “Superhero2000.com” that way. Attempts to reach representatives of Superhero2000.com were unsuccessful.
One real-world victim of the credit-back scheme, Maryland resident Chuck Sinkoske, said his wife found four surprise charges for $600 on her Visa bill in early January. Her bank simply asked that she challenge those charges but didn’t cancel the card.
Two weeks later, Visa called and said a suspicious $1,500 charge had been rung up on the card.
That charge had been made, and then refunded to a different card, at SuperHero2000.com.
“It’s turned me off to this whole Internet thing,” Sinkoske said. “I’m very leery of the whole thing. And I was the one who said to my wife, ‘Don’t worry about it.’ If they can’t control this, it’s a serious problem.”
Dan Clements, who runs CardCops.com, thinks that Authorize.Net is a big part of the problem. He has another anonymous informant who claims hackers can access the firm’s systems without even knowing a merchant password — simply by using a merchant login name. It is possible, if hackers know a certain script used by Authorize.Net merchants, Clements said.
For proof, he points to a week-old white paper published by the company, which recommends using “password required mode.”
“When an account is designated as Password Required no transaction can be processed without providing the password. This mode prevents transactions from being done with only the login ID,” the paper says.
Kondepudi said he couldn’t immediately comment on that procedure.
Clements contacted Authorize.net on Feb. 3 to express his concerns, but the company hasn’t yet responded. Since only Web merchants — and not the payment processor — are liable for credit-back fraud, he thinks Authorize.net has been sluggish to address its security problems.
Two years ago, the company was criticized as slow to fix a security flaw that revealed merchant login names and passwords in URL addresses as merchants browsed the Authorize.net site.
“I think it would be brutally expensive for them to fix this,” he said. “We come out with flaws, and companies stonewall and deny. Then a newbie merchant who has an account for two months is going to get screwed.”