• FreeAdvice has a new Terms of Service and Privacy Policy, effective May 25, 2018.
    By continuing to use this site, you are consenting to our Terms of Service and use of cookies.

merchant account hacking

Accident - Bankruptcy - Criminal Law / DUI - Business - Consumer - Employment - Family - Immigration - Real Estate - Tax - Traffic - Wills   Please click a topic or scroll down for more.

Livewire2

Junior Member
What is the name of your state (only U.S. law)? South Carolina


A couple of weeks ago a hacker(s) gained access to my merchant account's transaction key (not sure how) and started running thousands of stolen credit card information (30,000 in about 8 hours). Each time a card was tested, it charged the card $1. Apparently they set up a computer system to run the cards in order to quickly separate the good from the bad so they could sell the good on the black market. From the credit card holders end of things it looks as if my company made an unauthorized charge of $1. As soon as the first person called to inquire about the charge, I contacted Authorize.net (payment gateway provider), and they shut everything down immediately after seeing the charges continuing to roll through while we were on the phone. I immediately went through and voided the roughly 3,000 or so transactions that actually made it through, but now Authorize.net is wanting to charge me .05 per attempted transaction. The next day, the actual credit card processor E-Online Data called and mentioned something about how it looked like there was some fraudulent activity on my account. I explained everything and how I had contacted Authorize.net the day before and had voided all the charges that went through. They then informed me how I would still owe them .17 per transaction. None of these transactions ever went through the storefront of my website as we don't offer anything for $1. Nothing on my administration or storefront pages indicated these transactions had ever occurred, it was only after I called Authorize.net did I have any idea something strange was going on. Long story short, being Authorize.net is the actual gateway weren't they somewhat negligent in allowing this type of hacking to go on unnoticed until I called them. After doing some online research, I found where 3 years prior a MSNBC article "Brute Force" credit card thievery was written about the same exact scenario happening with Authorize.net merchants. Being they were aware of this type of hacking long before it happened to me, why weren't there minimum safeguards in place to prevent such types of high volume hacks. You would think after about 20 or 30 attempts in a minute or two, bells would start ringing and flags would start waving indicating something might not be on the up and up. Why did it not raise any eyebrows until I actually called and inquired about what I thought was one isolated event? If Authorize.net had stopped the transactions or at the very least questioned them early on, they never would've made it to the credit card processor. So basically both Authorize.net and E-Online Data together are wanting well over $7,000 out of me. What is the best and cheapest way to handle all this? My company is an LLC with no assets but the website itself. I can pay them off personally, but other than the hacker, I truly believe Authorize.net is negligent for not doing a better job preventing it especially since they obviously knew about this type of hacking at least three years earlier. Of course if the merchant still ends up paying Authorize.net whenever it occurs, there's no reason they would want to stop such activity as it is rather profitable. Once they send things to collections what happens then? Does the price they're wanting to charge become somewhat more negotiable? Between this and having to deal with a bunch of angry folks wondering why I charged them $1 (when I didn't), my mind is about fried. Any advice is much appreciated. Also feel free to copy this topic to a different forum if it belongs in a different location. Thanks, William
 


quincy

Senior Member
What is the name of your state (only U.S. law)? South Carolina


A couple of weeks ago a hacker(s) gained access to my merchant account's transaction key (not sure how) and started running thousands of stolen credit card information (30,000 in about 8 hours). Each time a card was tested, it charged the card $1. Apparently they set up a computer system to run the cards in order to quickly separate the good from the bad so they could sell the good on the black market. From the credit card holders end of things it looks as if my company made an unauthorized charge of $1. As soon as the first person called to inquire about the charge, I contacted Authorize.net (payment gateway provider), and they shut everything down immediately after seeing the charges continuing to roll through while we were on the phone. I immediately went through and voided the roughly 3,000 or so transactions that actually made it through, but now Authorize.net is wanting to charge me .05 per attempted transaction. The next day, the actual credit card processor E-Online Data called and mentioned something about how it looked like there was some fraudulent activity on my account. I explained everything and how I had contacted Authorize.net the day before and had voided all the charges that went through. They then informed me how I would still owe them .17 per transaction. None of these transactions ever went through the storefront of my website as we don't offer anything for $1. Nothing on my administration or storefront pages indicated these transactions had ever occurred, it was only after I called Authorize.net did I have any idea something strange was going on. Long story short, being Authorize.net is the actual gateway weren't they somewhat negligent in allowing this type of hacking to go on unnoticed until I called them. After doing some online research, I found where 3 years prior a MSNBC article "Brute Force" credit card thievery was written about the same exact scenario happening with Authorize.net merchants. Being they were aware of this type of hacking long before it happened to me, why weren't there minimum safeguards in place to prevent such types of high volume hacks. You would think after about 20 or 30 attempts in a minute or two, bells would start ringing and flags would start waving indicating something might not be on the up and up. Why did it not raise any eyebrows until I actually called and inquired about what I thought was one isolated event? If Authorize.net had stopped the transactions or at the very least questioned them early on, they never would've made it to the credit card processor. So basically both Authorize.net and E-Online Data together are wanting well over $7,000 out of me. What is the best and cheapest way to handle all this? My company is an LLC with no assets but the website itself. I can pay them off personally, but other than the hacker, I truly believe Authorize.net is negligent for not doing a better job preventing it especially since they obviously knew about this type of hacking at least three years earlier. Of course if the merchant still ends up paying Authorize.net whenever it occurs, there's no reason they would want to stop such activity as it is rather profitable. Once they send things to collections what happens then? Does the price they're wanting to charge become somewhat more negotiable? Between this and having to deal with a bunch of angry folks wondering why I charged them $1 (when I didn't), my mind is about fried. Any advice is much appreciated. Also feel free to copy this topic to a different forum if it belongs in a different location. Thanks, William
You can report the hacking to South Carolina's Attorney General.

Here is a link on how to report complaints for investigation: http://www.scag.gov/contact-us
 
Last edited:

single317dad

Senior Member
One major consideration will be your contract. What does the contract with Authorize.net say in regards to your responsibility for the security of your merchant key? Do you have a contract with anyone else?

The criminals in this case are probably beyond the reach of criminal or civil remedies (they usually are), so this will probably come down to a civil dispute between you and your payment processor(s). Your options are:

- Pay the bill and move on quietly
- Pay the bill under protest and seek reimbursement, including legal remedies
- Refuse to pay the bill, in which case you'll lose your payment processor(s) and be sued
- Attempt to assist in the apprehension and prosecution of the criminals, and rely on criminal or civil restitution to make you whole. This is a long shot.
 

Livewire2

Junior Member
Thanks for the responses. I contacted South Carolina Attorney General, and they basically directed me to the FBI. In all reality, the hackers are long gone and having them caught and prosecuted is highly unlikely. Authorize.net is reviewing my particular case and is suppose to be in contact with what they decide. E-online will have to wait until then as well, but they may be doing just that as I haven't heard anything out of them since this first happened. Although they are separate companies, they are interlaced with each other. Once I see where this looks like it's going, I'll request our agreements from both and go from there.


William
 

quincy

Senior Member
Thanks for the responses. I contacted South Carolina Attorney General, and they basically directed me to the FBI. In all reality, the hackers are long gone and having them caught and prosecuted is highly unlikely. Authorize.net is reviewing my particular case and is suppose to be in contact with what they decide. E-online will have to wait until then as well, but they may be doing just that as I haven't heard anything out of them since this first happened. Although they are separate companies, they are interlaced with each other. Once I see where this looks like it's going, I'll request our agreements from both and go from there.


William
Sounds like a plan. :)

Thanks for getting back to us, William.
 

Find the Right Lawyer for Your Legal Issue!

Fast, Free, and Confidential
data-ad-format="auto">
Top