
List:       isn
Subject:    [ISN] Hacker Breaches Payments Site Webcertificate.com
From:       InfoSec News <isn () c4i ! org>
Date:       2001-08-29 12:28:37

http://www.ecommercetimes.com/perl/story/13147.html

By Lori Enos
E-Commerce Times 
August 28, 2001 

Online payments provider Ecount confirmed to the E-Commerce Times on
Monday night that a hacker or hackers breached security at its Web
payment site, Webcertificate.com.

"We have reason to believe someone inappropriately accessed data,"
Ecount chief executive officer and president Matt Gillin told the
E-Commerce Times.

According to Gillin, Ecount can only confirm that 25 out of its over
750,000 customer accounts were improperly accessed, but he added that
the company's investigation is ongoing.

Gillin said that the company was "100 percent certain" that no
Webcertificate accounts were used improperly. As part of Ecount's
response to the hack attack, Gillin said that Ecount is reissuing
account numbers for all of its customers, even though Internet
security was breached for only a small number of the accounts.

Webcertificates are MasterCard-branded stored value cards that are
accepted by e-tailers that accept MasterCard. In addition to using the
cards online, consumers can pay an extra fee and purchase a plastic
card for use offline.

Marketed as online gift cards, Webcertificates can be purchased online
using a credit card or earned as a reward at a number of Internet
sites, including MyPoints.com.

Card Numbers Elsewhere

Gillin said that earlier this week, there were indications of a hack
attempt at Webcertificate that prompted an investigation by
Conshohocken, Pennsylvania-based Ecount and its third-party security
firm.

Based on the investigation, the company determined that a hacker had
gained access to account information and was attempting to retrieve
credit card numbers. However, Gillin stressed that no customer credit
card numbers were at risk, because Webcertificate does not store
credit card numbers on its servers.

"He believes he has credit card numbers, but what he has are
Webcertificate numbers," Gillin said.

Because no credit card numbers were stolen, Gillin said that in
Ecount's eyes, the "hack attempt failed."

Motive: Extortion?

Gillin believes the motive behind the attack was extortion, and said
that Ecount was working with law enforcement to identify the person
behind the hack attack.

Extortion has been the motive in other hacker attacks on e-tailers. In
December 1999, a Russian teenager stole approximately 300,000 card
numbers from CDUniverse.com and posted them online when the e-tailer
refused to meet his US$100,000 extortion demand.

Customer Notification

Ecount sent e-mail to all Webcertificate customers Monday notifying
them that new customer account numbers and passwords would be issued.

"You're receiving this new account number as a security precaution
because we have reason to believe that some Webcertificate account
information may have been inappropriately accessed," the e-mail reads.
"We want to be perfectly clear: it is your Webcertificate information,
not your credit card information, which may have been accessed."

The e-mail also advised consumers that "before making these changes,
we evaluated your transaction history and confirmed that your account
has been used properly and only by you."

Quick Response

Gillin said that all Webcertificate customers who had purchased
plastic cards would be receiving new cards in the mail shortly.

Ecount won praise for its quick response from posters at the MyCoupons
Internet message boards.

One poster wrote: "I think this was a very good thing for them to do
considering from some companies we would just get a 'we're not
responsible for this ... blah blah blah ...' So instead of waiting
until more hacking happened, they went ahead and took action to
prevent it."




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.
