Merchant Processor Hacking Weighed for Lessons

Depending on whom you believe, the breach of a merchant credit card processor’s Web site by an extortion-minded hacker is either a woeful tale of a company that did not store its data securely or a broader lesson for the industry about the dangers of the Internet.

About four months ago a computer hacker believed to be Russian stole more than 55,000 credit card account numbers from the Web site of an independent sales organization, www.creditcards.com, which handles credit card accounts for online merchants. The thief demanded $100,000 to keep the stolen numbers secret and, when the Los Angeles company did not pay up, posted about 25,000 account numbers online.

The Web site with the stolen numbers has since been taken down, and the Federal Bureau of Investigation is pursuing the thief.

Some industry experts have speculated that Creditcards.com, a privately held company that is sponsored by Humboldt Bank of Eureka, Calif., may have been lax about security. (If a processor is not itself a financial institution, Visa and MasterCard require it to be sponsored by a financial institution.)

“This looks real sloppy,” said Ken Kerr, a senior research analyst at GartnerGroup Financial Services in Durham, N.C. “There have been similar incidents in the past, but as far as I know, this is the first gateway processing business that’s gotten hacked.”

The incident raises concern about other merchant processors, especially regional companies long focused on point-of-sale terminals, that may be rushing to offer Internet payment products without taking sufficient precautions, Mr. Kerr said.

“Companies that started with Internet payments, or else very large processors like First Data, are pretty airtight, but if you take a smaller company that started as a POS processor, they’re going to face much more exposure when they move into the Internet,” he said.

But some observers said that even large companies with more technology expertise have been hacked. The Western Union division of First Data Corp. shut down its Web site for five days in September after a security breach let hackers steal the credit and debit card numbers of more than 15,000 customers. Last year CD Universe was victimized by a hacker who demanded money after stealing 300,000 credit card numbers.

Gary Heatherington, chief executive officer of the New York software developer Cyota Inc., said that no database is safe. Western Union and a similar infiltration at Microsoft in October “proved that there’s no way you can prevent theft off the Internet, so long as the gold is there,” he said.

Cyota’s flagship product, SecureClick, replaces credit card account numbers with disposable one-time-use numbers to try to nullify the sort of theft that beset Creditcards.com, he said.

Holly Cherico, a spokeswoman for the Council of Better Business Bureaus Inc. in Arlington, Va., said that even the most vigilant companies cannot always thwart invasion. “Computer hackers are pretty sophisticated people,” she said. “Even the Pentagon’s systems are vulnerable.”

Though the council, along with Visa USA, has been pushing joint privacy and security certification programs, Ms. Cherico said even these seals of approval are no match for hackers. Even if the companies were compliant with these programs, “it’s not clear whether they would be able to prevent something like this,” she said.

In the case of Creditcards.com, the less-than-stellar reputation of small independent sales organizations may have contributed to the finger-pointing. Indeed, current and former Creditcards.com customers say they are particularly angry that the processor did not tell them about the theft immediately.

“Creditcards.com’s decision not to inform 55,000 clients that their credit cards were stolen and available on the Internet was a big mistake,” said Bryan Johnson, the founder of Astro-space.com, a former Creditcards.com client.

Mr. Johnson has an ax to grind with Creditcards.com. He said the processor revoked his merchant account because of chargebacks that resulted from a hacking incident, then put his company on a terminated-merchant file, a blacklist in the processing industry that prevented Astro-space from getting another account.

For the last six months, in addition to running Astro-space, which helps small businesses establish themselves online, Mr. Johnson has been running www.against-creditcards.com, a site devoted to bringing the processor down.

Mr. Johnson said Creditcards.com’s delay in informing clients about the hacker problem “will surely hurt what little reputation they have remaining.”

Ihateshopping.net, a current Creditcards.com client, has stopped taking credit card payments since the incident came to light. In a letter posted on its Web site, Ihateshopping.net president Harry Widdifield apologized to customers and said that “no customer information from Ihateshopping.net has been compromised.”

Michael Butts, the head of operations at Creditcards.com, told msnbc.com that the company contacted the FBI immediately after the extortion threat but that it chose not to inform its customers because it was not apparent whether any fraudulent transaction had occurred.

Creditcards.com, which was opened eight years ago to do mail, telephone, and point of sale processing, did not return telephone calls seeking comment, but Kenneth Musante, the vice president and manager of merchant bank cards at Humboldt Bank, told American Banker, “Just as any physical building can be broken into, any Web site can be broken into, and unfortunately that’s what happened here. What Creditcards.com should have done a better job with was managing the situation once it occurred.”

Humboldt officials learned of the hacker attack from news reports last Monday evening, Mr. Musante said. No Humboldt customers’ numbers were posted by the hacker, but the bank was disappointed by Creditcards.com’s delayed notification to its merchants and to its sponsor, he said.

“Don’t you think that in a similar situation, you would have liked to have been informed by Creditcards.com?” Mr. Musante asked. Evidently, the company believed the FBI had caught the hacker before the customers’ numbers were posted, he said. “They believed the situation was over.”

Mr. Musante said it is too soon for the bank to decide whether its sponsorship of the processor will be affected. The bank’s information technology manager has asked his counterpart at Creditcards.com how the hacker made his way into the database, he said.

Kimberly Hoover, head of the Washington law firm Hoover Partners, said processors that leave their merchants open to fraud are financially responsible for chargebacks because of stipulations in the contracts that the processors make with the merchants’ banks.

As “with any fraudulent transaction, customers will notify the issuing bank,” she said. “That bank will investigate and charge it back to the merchant. The merchant bank will contact the issuing bank and then in all likelihood the processing entity will end up holding the bag.”

Alden Hart, chief technology officer of the Adrenalin Group, a Washington development and consulting firm, said companies can choose how secure they want their data to be by adopting different standards of encryption.

“There are three standards,” he said. “The loosest is having no cryptography at all and just throwing things around in the system in plain text that anyone could read. The middle way is software encryption, where the data are encrypted but by the same computer that handles the rest of the program, so if you breach the system you can find the keys.”
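Mr. Hart's middle tier is the one worth seeing in code, because its weakness is structural rather than a bug. The block below is an added example, not from the article or from any company named in it. It models a processor host that stores card numbers either in the clear or encrypted with a key file kept on the same server, then contrasts a thief who obtains only a database dump with one who images the whole host and simply tries every key-sized file. The cipher is HMAC-SHA256 in counter mode with an authentication tag, used only so the example runs on the standard library; the file paths, card numbers and host contents are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for AES so this runs on the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream; a wrong key fails the tag check."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Host:
    """What an intruder holds after imaging the processor's server: files plus the database."""
    files: dict[str, bytes] = field(default_factory=dict)
    db: list[bytes] = field(default_factory=list)   # the stored card-number column


def store_plaintext(host: Host, pans: list[str]) -> None:
    """Hart's loosest tier: card numbers in the clear."""
    host.db = [p.encode() for p in pans]


def store_software_encrypted(host: Host, pans: list[str]) -> None:
    """Hart's middle tier: the column is encrypted, but the key sits on the same machine."""
    key = secrets.token_bytes(KEY_LEN)
    host.files["/etc/payment/master.key"] = key                         # hypothetical path
    host.files["/etc/payment/salt.bin"] = secrets.token_bytes(KEY_LEN)  # decoy of the same size
    host.files["/var/www/index.html"] = b"<html>welcome</html>"         # unrelated file
    host.db = [encrypt(key, p.encode()) for p in pans]


def attacker_recover(files: dict[str, bytes], db: list[bytes]) -> list[str]:
    """Thief's side: try every key-sized file as the key; the tag says when one fits."""
    candidates = [c for c in files.values() if len(c) == KEY_LEN]
    recovered = []
    for blob in db:
        for key in candidates:
            try:
                recovered.append(decrypt(key, blob).decode())
                break
            except ValueError:
                continue
    return recovered


SAMPLE_PANS = ["4111111111111111", "5500000000000004"]   # constructed test numbers


def tier_comparison() -> dict[str, list[str]]:
    """Same two records stored two ways, three thief outcomes."""
    plain, enc = Host(), Host()
    store_plaintext(plain, SAMPLE_PANS)
    store_software_encrypted(enc, SAMPLE_PANS)
    return {
        "plaintext, db dump only": [b.decode() for b in plain.db],
        "software-encrypted, db dump only": attacker_recover({}, enc.db),
        "software-encrypted, full host image": attacker_recover(enc.files, enc.db),
    }


if __name__ == "__main__":
    for scenario, pans in tier_comparison().items():
        print(f"{scenario}: {pans}")
```

Software encryption does buy something: a thief who pulls only the table, say through a flaw in the Web application, gets ciphertext. It buys nothing against a thief who owns the box, because the authentication tag that protects the records from tampering also tells the intruder which candidate key is the right one.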
