GS Logo
The Green Sheet, Inc

Please Log in

A Thing A Call To Action For Authorize.Net

Links Related
to this Story:


A Call To Action For Authorize.Net

A uthorize.Net officials want to set the record straight about what happened to the payment processor's merchant database. MSNBC.com originally reported that hackers used passwords to access merchant accounts and virtually return merchandise for funds (Green Sheet, March 25, 2002 issue, 02:03:02). In such "credit-back" schemes, funds are issued as credit to fraudulent debit cards, which in turn are accessed through ATMs. Credit-back schemes are not new criminal activities. What is new is the fact that they're being perpetrated virtually.

But the MSNBC story wasn't entirely correct, says Roy Banks, Vice President of Authorize.Net.

"We have never been hacked," he says. "MSNBC reported that someone gained unauthorized access and compromised the database. That is absolutely erroneous. There was no unauthorized access. No one compromised card numbers or consumer information."

Instead, Authorize.Net contends that hackers were successfully guessing merchant log-in IDs. Just how was this guessing game played? "It's hard for us to validate if a merchant was irresponsible with a password," says Banks. "Either they gave it to somebody who they thought was trustworthy or somebody successfully guessed it."

According to Banks, the hackers attempted to run authorizations against credit card numbers to commit card fraud. MSNBC reported the fraud was in the thousands of dollars. Authorize.Net has a different figure.

"The spirit of the story was that we had been compromised," says Banks. "We know accounts were only compromised in regard to guessing log-in IDs. We don't know if they guessed passwords. We are only aware of one instance where there actually was a credit run, and only one unauthorized credit was issued. It was a very small dollar amount. It only happened once."

In this instance, once was enough. Authorize.Net sprang to action. Within hours of discovery, Authorize.Net sent e-mail messages to its merchants reassuring them that immediate and reasonable efforts to protect the platform were in force and that it continued to be a safe haven for commerce.

Over the course of the next few weeks, Authorize.Net continued its campaign to combat the attempted fraud and eliminate future attempts. Credit policy was changed.

"We increased the logic and rules for running credit so you could not run a credit for an amount greater than an original authorization, and it had to be tied to one already in the system," says Banks. "Prior to this, merchants could run credits without previous authorizations. Merchants move from gateway provider to provider, and you don't want to impair their business by not running a debit that took place in another system. Because of the nature of this problem, we made a decision to do it this way from now on."

Authorize.Net then put together a document titled "Best Security Practices White Paper," which discussed all of the features available on the processor's platform allowing merchants to increase their processing security. It is available at www.authorize.net.com.

The MSNBC investigative story stated that Authorize.Net had "flaws in its system." Was that true?

"It's hard for me to comment when I don't understand that statement," says Banks. "It's almost reckless. What is the reporter insinuating? We have built our system in such a way that we are making efforts to responsibly process merchant transactions. We are constantly improving our system to adapt to the needs of the marketplace. Part of that is increasing our security."

Banks continued, "We are singularly focused in taking steps to make this industry proactive in commerce. We now have a risk-management department that is basically focused on monitoring and reporting irregular activities throughout the system. That department works with law enforcement and various card associations, such as Visa and Master Card. We've also hired an FBI veteran with 24 years [of experience in] dealing with white-collar crimes who is leading our risk-management efforts."

Authorize.Net is smart to bring in a seasoned professional. There is no rhyme or reason to this type of criminal behavior. There's no pattern. Random areas throughout the country are all targets of these hackers. According to Banks, most hackers are based in Eastern Europe and the Middle East.

"It fits the profile pattern of this type of activity," says Banks.

There have been no arrests in the case. How does Authorize.Net deal with merchants affected? "We evaluate on an individual-by-individual basis," says Banks. "If there is a problem recognized, we deal with the merchant individually and then make a determination."

One startling aspect of this story is that when the MSBNC reporter who broke the story contacted Authorize.Net for a comment, it was the first time Authorize.Net became aware of any fraud scenario.

Another interesting aspect is why Authorize.Net is choosing to speak out at this later date. It seems to be a question of timing and priorities.

"When the story broke, we didn't need to make a public statement to the world," says Banks. "It was our merchants we needed to contact, and we did with the white paper as well as several e-mail communiqu‚s to resellers as well as merchants as to what we were doing. The court of public opinion was not our focus. Our customers are. If we had to do it all over again, we would have handled it exactly the same."

Obviously, the bottom line is: What was the overall merchant reaction to the story?

"Basically, we have had the support of our merchants," says Banks. "We reassured them of our efforts. We informed them we are committed to safe service. We haven't had any noticeable change to them using our systems. We've had a couple of calls and were honest and forthright in dealing with them." . According to Banks, the company's bottom line was unaffected: "Our business continues to be strong. We see healthy growth and appreciate the merchants sticking with us and contribute that to the efforts we've made to date and to the efforts of our resellers as well. We're working with several partners and are setting an example with our commitment to working with various value chain partners. It's been a good experience. We've learned a lot about issues of security."

What is the message to take away from this? "It's not positive when you have this type of activity, but if you have to take something positive from it, it's a wakeup call to the industry to work more closely together. Authorize.Net is committed to making our platform a safe place for our merchants. We are looking forward to the future and our ability to help shift the focus of the industry more toward security and safe commerce."

   

BACK

NEXT

INDEX

 Copyright 2002 The Green Sheet, Inc.