Authorize.Net says it has 'learned' from attack
The credit card processing service was unprepared for the kind of attack it suffered last week, but it will use the experience to improve security.
Authorize.Net will use lessons learned from last week's distributed denial-of-service attacks to harden its defenses, company officials said. But that's of little comfort to people like David Hoekje, president of PartsGuy.Com, an online heating and air conditioning parts dealer based in Traverse City, Mich.
This is his busy season, and being cut off from one of the Internet's biggest credit card processing services left him dead in the water for days. By Thursday morning, he said service had only been partially restored. "This is a week where I should have been able to do enough business to carry me through to spring," Hoekje said. "My sales are just gone."
He added, "This is the first time I've taken a hit like this, and what I've learned is that the network needs major infrastructural improvements. Having a server on the Web to conduct business is just a poor way to do things. There has to be some architectural changes so a service like this won't be so vulnerable in the future."
Glen Zimmerman is spokesman for Burlington, Mass.-based Lightbridge Inc., which purchased Authorize.Net in March. He said the company is working with the FBI and outside consultants to minimize disruptions to its customers, which number about 90,000. While the company is regaining control, he acknowledged intermittent attacks persist.
"We've minimized the impact of each attack and have quickly restored services," he said. "But we're still having some problems, and we ask our customers to bear with us while we continue to work on it." Zimmerman said the company has put together a capital improvements plan to make the network more ironclad against future attacks. He declined to go into further detail, saying he doesn't want potential attackers to know what the company is planning.
Roy Banks, general manager of Authorize.Net, said security has always been a priority and that protection was in place. The problem is the attackers caught the company off guard with their methods. "We've invested heavily in defense, and we thought we were prepared," he said. "But the nature of this attack was something we had never experienced."
Banks said Authorize.Net has "learned a great deal" from the past week, and will incorporate those lessons into the next round of security upgrades. "The tactics of these people are evolving," he said. "Our security will evolve so we can stay ahead of them in the future."
Hoekje hopes so. "As far as my customers are concerned, when my site is down it only reflects on me," he said.
Tom Corn, vice president of business development for Cambridge, Mass.-based security firm Mazu Networks, said distributed denial-of-service attacks are particularly serious because they take more sophistication and coordination to pull off than typical outbreaks.
"You're dealing with multiple zombie machines that are targeting this one site," he said. "The fact that this is a DDoS against a financial institution is not a good sign for the future. These guys monitor their victims during the attack and adjust their tactics as the victims try to make their own adjustments. It's difficult to recover from something like that."
Information security experts have long worried about the rapid rise of financially motivated attacks. Zimmerman said FBI officials told him such attacks have picked up since June. Corn noted that since April, at least two other credit card sites have been attacked.
"The big lesson is this: If you rely on these big businesses, you have to ask them questions about how secure they are, not just what their rates are," Corn said.