Home page logo

isn logo Information Security News mailing list archives

Databases Exposed at Online Credit-Card Security Firm
From: InfoSec News <isn () c4i org>
Date: Mon, 25 Jun 2001 04:51:48 -0500 (CDT)


By Michael Mahoney
E-Commerce Times 
June 22, 2001 

Databases at online credit card processing and security provider
Anacom Communications were illegally accessed this week, Anacom's
parent company ZixIt Corporation confirmed Thursday.

ZixIt said that it took control of the entire Anacom premises and
began forensic data analysis on the breach Monday night. In addition,
the company said, the U.S. Federal Bureau of Investigation (FBI) was
brought in to begin a criminal inquiry.

ZixIt director of corporate communications Paul LaBelle told the
E-Commerce Times that ZixIt was informed earlier in the week that
fraudulent transactions were taking place using the merchant accounts
on the Anacom network.

"We pulled the plug and immediately informed all the merchants and the
credit card associations they would have to use services from other
providers in the interim," LaBelle said.

Lots of Questions

On Wednesday, outside forensic data experts officially confirmed that
both the intrusions and fraudulent transaction processing had
occurred. ZixIt management said it has started the process of
notifying credit-card companies about the accounts that may have been
improperly accessed.

LaBelle said that ZixIt did not yet have any information regarding the
outcome of the investigation, such as how long the accounts were
exposed or how the breach occurred. ZixIt also said the breach did not
involve any of ZixIt's own data centers or e-mail technologies.

Anti-Fraud Specialists

Anacom is the developer and owner of the WebCharge, WebCheck and
Internet Fraud Screening (IFS) payment processing gateways and
technologies, according to several Web sites that use its services.

Anacom's merchant account application, e-ZStart, contains multiple
Internet fraud filters that each credit card must pass through prior
to approval of a transaction. These filters include a negative
credit-card database, a fraudulent Internet protocol (IP) and e-mail
address filter, and proprietary data encryption.

Visits to Anacom.com throughout the day found the Web site

How Serious?

Although online breaches of security are taken seriously by consumers,
corporations and law enforcement, the frequency of actual online
credit-card fraud is greatly exaggerated, according to a recent report
from Jupiter Media Metrix.

The Jupiter report said that attention focused on online security
incidents has led consumers to erroneously believe that fraud is
approximately 12 times more prevalent on the Internet than off, which
is not the case.

In order to reduce misunderstanding about the risks of online fraud,
Jupiter recommends that companies classify security incidents, such as
the Anacom occurrence, into one of three levels of severity: threat,
breach and fraud.

Based on the initial reports from ZixIt, it appears the Anacom
incident might fit into the fraud category, which is defined as a
situation in which security is compromised, unauthorized access to
private records has occurred, and there has been actual misuse of the
credit data.

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com 

  By Date           By Thread  

Current thread:
  • Databases Exposed at Online Credit-Card Security Firm InfoSec News (Jun 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]