Wednesday, December 3, 2008

Major Credit Card Hack Starting?

Credit Card Hackers in New Attack?

It's the last thing cash-strapped banks need right now: Holders of credit and debit cards are reporting an epidemic of unauthorized charges on their bills.

Could this be a sign of a massive card-fraud operation in the making?

A company called Adele Services, based in Melville, N.Y., has been charging cards small amounts — 21 to 29 cents. Such charges are usually attempts by card fraudsters to test whether a particular card number is valid.

The range of complaints suggests the people behind the Adele charges have gotten their hands on a sizable database of credit cards.


Here's some more on this breaking news from Ars Technica:


"A wave of unauthorized microtransactions is currently sweeping the accounts of a number of US credit card holders, though the size andscope of the fraud scheme have not yet been determined. Beginning on oraround November 20, consumers apparently began to notice smallcharges—typically for 19-29¢—appearing on their bank statements oronline account information. These small withdrawals or deposits aretypically test fees, sent to verify account authenticity. Paypal, for example, makes two small deposits in a user's bank account in order to verify its authenticity.

While legitimate companies will reverse the fee (or occasionally let you keep the extra quarter), thieves use the transactions to verify that a credit card number is good. If the deposits complete successfully, the hacker knows he's got a live card (or a live card number). The next step, at least usually, is to burn through the account's balance as quickly as possible before anyone notices what's happening.


Beginning on or about November 20, various card holders began complaining online about unauthorized microtransactions that were suddenly showing up on their accounts. The charges fit the model described above, and were labeled as coming from Adele Services. Adele Services appears to be a dummy corporation; the 1-800 number listed as the customer contact point is disconnected and there's no official website.

The company may not officially exist, but that hasn't stopped it from continuing to test accounts. It's impossible to state how many card holders have been pinged in this manner, but the number of online reports is growing steadily.

Theories on which company's security was breached abound, although the mob of sages has collectively ruled out PayPal, given the number of non-PayPal users affected. Amazon seems to be a current favorite, based on the fact that a number of the irate forum posters recently shopped there. The factual likelihood that any number of random people have recently shopped at Amazon, given the size of that company and the time of year, is much higher than some of the more fervent posters would like to admit.

For the time being, it's a good idea to keep a close eye on the day-to-day activities of your credit/debit account. If you want to be on the safe side, take a moment and review your financial institution's rules on contesting charges. The rules of this procedure can vary significantly from bank to bank. If you've been hit by these types of unknown charges (whether from Adele or another company), please let us know about it. 

At this point, there's nothing much more than circumstantial evidence of a data breach. Such breaches can be disastrous when they occur, as TJ Maxx demonstrated back in 2007. It's possible that whoever is running Adele is working off randomly generated numbers, however; we won't know until more information becomes available."

Large-scale hacks have happened before; the worst was in 2005, when hackers obtained a file of 40 million card numbers from CardSystems, a credit-card processor. While most consumers worry about shopping with Internet retailers, online card databases are rarely the problem. In 2007 insecure cash registers at TJ Maxx and Marshalls stores exposed 45.7 million cards.
