What is the name of your state (only U.S. law)? South Carolina
A couple of weeks ago a hacker(s) gained access to my merchant account's transaction key (not sure how) and started running thousands of stolen credit card information (30,000 in about 8 hours). Each time a card was tested, it charged the card $1. Apparently they set up a computer system to run the cards in order to quickly separate the good from the bad so they could sell the good on the black market. From the credit card holders' end of things it looks as if my company made an unauthorized charge of $1. As soon as the first person called to inquire about the charge, I contacted Authorize.net (payment gateway provider), and they shut everything down immediately after seeing the charges continuing to roll through while we were on the phone. I immediately went through and voided the roughly 3,000 or so transactions that actually made it through, but now Authorize.net is wanting to charge me .05 per attempted transaction. The next day, the actual credit card processor E-Online Data called and mentioned something about how it looked like there was some fraudulent activity on my account. I explained everything and how I had contacted Authorize.net the day before and had voided all the charges that went through. They then informed me how I would still owe them .17 per transaction. None of these transactions ever went through the storefront of my website as we don't offer anything for $1. Nothing on my administration or storefront pages indicated these transactions had ever occurred; it was only after I called Authorize.net did I have any idea something strange was going on. Long story short, being Authorize.net is the actual gateway, weren't they somewhat negligent in allowing this type of hacking to go on unnoticed until I called them? After doing some online research, I found where 3 years prior an MSNBC article "Brute Force" credit card thievery was written about the same exact scenario happening with Authorize.net merchants.
Being they were aware of this type of hacking long before it happened to me, why weren't there minimum safeguards in place to prevent such types of high-volume hacks? You would think after about 20 or 30 attempts in a minute or two, bells would start ringing and flags would start waving indicating something might not be on the up and up. Why did it not raise any eyebrows until I actually called and inquired about what I thought was one isolated event? If Authorize.net had stopped the transactions or at the very least questioned them early on, they never would've made it to the credit card processor. So basically both Authorize.net and E-Online Data together are wanting well over $7,000 out of me. What is the best and cheapest way to handle all this? My company is an LLC with no assets but the website itself. I can pay them off personally, but other than the hacker, I truly believe Authorize.net is negligent for not doing a better job preventing it, especially since they obviously knew about this type of hacking at least three years earlier. Of course if the merchant still ends up paying Authorize.net whenever it occurs, there's no reason they would want to stop such activity as it is rather profitable. Once they send things to collections what happens then? Does the price they're wanting to charge become somewhat more negotiable? Between this and having to deal with a bunch of angry folks wondering why I charged them $1 (when I didn't), my mind is about fried. Any advice is much appreciated. Also feel free to copy this topic to a different forum if it belongs in a different location. Thanks, William