Net Music customers lose cards

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

I don't know is this is Y2K related but I have noticed a lot of credit card hacking around the world. So will post for the record.

Net Music Customers Lose Cards AmEx, Discover react to hacker attack

Todd Wallack, Chronicle Staff Writer Wednesday, January 19, 2000

In one of the largest credit card recalls ever, Discover and American Express are canceling the account numbers of anyone who ever shopped at CDUniverse, a popular online music store that was recently penetrated by a hacker.

Discover Financial Services is reissuing more than 10,000 credit cards. American Express refused to say how many it was reissuing, but it has many more customers than Discover.

Two weeks ago, an unidentified hacker believed to be Russian boasted to reporters that he had seized 300,000 credit card numbers from the site and posted 25,000 on a Web site, apparently after the music retailer refused his demand for money. The site was shut down shortly afterward.

The response by Discover and American Express is unusual because, generally, companies only reissue cards when they know a card number has been stolen or a customer reports suspicious transactions. But in this case, American Express and Discover said they wanted to act pre-emptively, since they weren't sure exactly which credit card numbers may have been stolen.

``I don't know about any other mass reissuance of credit cards like this,'' said Anita Boomstein, a New York lawyer specializing in credit cards and e-commerce. ``What this demonstrates is that (credit card firms) are trying to address as swiftly as possible a very big problem, which is fraud.''

American Express spokeswoman Judy Tenzer said, ``We felt it was the right thing to do.''

Discover and American Express are calling customers whose cards are being canceled. Both firms said it usually takes a week or two to receive new cards in the mail, but the companies will send them overnight if the customer asks.

A Visa spokesman noted that Visa doesn't issue the credit cards. Instead, Visa will let the issuing banks decide what steps to take. MasterCard, like Visa, also issues cards though banks and other partners.

San Francisco's Wells Fargo identified 600 of its Visa and MasterCard numbers in the CDUniverse database but hasn't detected any unusual charges with those cards and, therefore, decided not to reissue them, spokesman Dave Remund said.

He added that cardholders need not worry, because even if there were any attempts to fraudulently use the cards in the future, cardholders wouldn't be responsible for the payments. He said Wells Fargo wouldn't be on the hook either, because the hacker doesn't have access to the credit card itself -- only the number. In cases where unauthorized charges come up, he said the merchants will generally have to eat the costs.

Chase Manhattan and First USA, two major Visa and MasterCard issuers, didn't return calls seeking comment.

Boomstein estimated that the decision might cost Discover and American Express $1 per card but noted that the action will protect them from picking up the tab if any of the cards were stolen and subsequently misused. It will also reassure customers worried about the widely publicized incident.

`It's very good public relations,'' said Boomstein, a partner with Hughes, Hubbard & Reed in New York.

The FBI is trying to use information provided by Connecticut's CDUniverse to track down the hacker. American Express and Discover spokesmen said they knew of only a few cases where the credit cards were fraudulently used after the incident.

Security experts say other Web sites have occasionally been penetrated, though normally companies keep the incidents quiet.

``Some Web sites you've heard of'' have been successfully attacked, said Arthur Coviello, chief executive of RSA Security Inc.

RSA, a Massachusetts firm that sells encryption software, only knows about the incidents because it was asked to provide software to help beef up the security afterward, Coviello said.

It's unclear how many times credit cards numbers have been stolen online. Just yesterday, the Associated Press reported that a hacker broke into Visa's computers and threatened to release sensitive information unless it received $10 million. But Foster City's Visa told AP the information was stolen last July from its European headquarters in London and consisted of old files that posed no threat to customers.

The company received a ransom demand in early December but refused to pay anything, instead notifying Scotland Yard and the FBI.

For the most part, customers don't have to worry, experts said. American Express, for instance, said it will always cover any losses when a customer is victimized by online fraud.

Credit cards generally are scrambled when sent from a user's computer to the Web site. The problem, experts said, is that information sometimes isn't secure enough when it is stored on the merchants' computers linked to the Net.

Both Discover and American Express said they are working with CDUniverse to make sure the problem doesn't happen again. ``We are going to have the leading technology out there,'' said Brett Brewer, spokesman for EUniverse, the merchant's parent company. ``We want to be absolutely as safe as possible.''

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/01/19/BU9822.DTL&type=business

-- Martin Thompson (mthom1927@aol.com), January 19, 2000


Moderation questions? read the FAQ