A US online payment provider has admitted its processing
service was used in an attempt to charge money to stolen credit and
debit cards.
Several web hosting companies that use the Authorize.Net service
to accept card payments online saw large numbers of attempted
thefts last weekend.
The transactions were for amounts of up $700 (£400) and involved
cards from Visa, MasterCard and American Express.
Authorize.Net acts as a gateway for online transactions, making
sure the right merchant receives the correct amount from each card
company once a customer’s account is billed.
About 130,000 merchants are supported by the Authorize.Net
system, but it was their e-commerce web hosting companies that were
wrongly credited with the fraudulent cash amounts.
Thousands of unauthorised transactions led to millions of
dollars ending up in the accounts of the web hosting companies.
The fraudsters, using stolen card numbers and other information,
are believed to have planned to divert the money to the web hosts,
before moving it onto other accounts.
They may also have carried out the online transactions to test
which card details worked. Those that went through may now be used
for future online purchases of goods.
The transactions were voided by the web hosting companies when
they started to receive thousands of automatic e-mail notifications
from Authorize.Net pinpointing the suspicious payments.
It is unclear where the fraudsters got the credit card
information from or where the security breach lay.
Authorize.Net deies any breach, and says its systems were simply
reacting to instructions from the web hosting companies.