Merchant: FBI probes major credit card scam

Computerworld - The CEO of a Los Angeles-based novelty company, Spitfire Ventures Inc., said the FBI is investigating a major credit card scam involving 140,000 fraudulent credit card transactions at the company's Web site, TalkingTP.com.
Spitfire's CEO, Paul Hynek, said he was told by the company's credit card processor, Online Data Corp. in Westchester, Ill., that the scam may have affected as many as 25 other companies. But Online Data President John Rante said he believes only 15 to 20 merchants were affected and that a total of 100,000 fraudulent credit card transactions were involved.
The FBI couldn't be reached for comment.
According to Hynek, Online Data approved more than 60,000 of the false charges, worth $5.07 each, on Sept. 12. Online Data is a reseller of Mountain View, Calif.-based VeriSign Inc.'s credit card payment gateway services, which actually performed the authorizations.
Although about $300,000 in charges were approved by VeriSign, the company stopped the transactions before they were completed, so no money was ever transferred to Spitfire, according to Hynek. However, the authorizations let the thieves know that those credit cards were valid.
As soon as Online Data became aware of the problem, Rante said, the company worked closely with VeriSign to notify the credit card companies, which then deactivated the cards. Rante said the credit card companies are cooperating with federal authorities investigating the fraud.
If the scam hadn't been detected, Hynek said, thousands of dollars in fraudulent charges could have been racked up before cardholders became aware of any problem.
Spitfire, whose products include a talking toilet paper holder, learned of the scam when customers who noticed false charges on their accounts began calling the company, Hynek said.
Hynek, Rante and VeriSign spokesman Tom Galvin all said they believe thieves most likely got the credit card numbers by cracking the passwords of the affected merchants.
But Dan Clements, a credit fraud expert at Malibu, Calif.-based CardCops.com, disagreed.
"The real story here hasn't been told yet," he said. "Since they had 140,000 cards, they probably have a lot more."
Clements said he believes the crooks may have exploited a hole in the customer database of a large Internet merchant that didn't properly secure its Web site.
According to Clements, during their investigations, the credit card companies involved will pull information on the accounts of some of the affected cardholders looking for common denominators.
"Say, if Amazon.com showed up on all their statements, then that's most likely where the credit cards came from," he said. "These numbers were not randomly generated.This was not a crapshoot."

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.