Another from the Hettinga lists.
JMR


--- begin forwarded text


Date: Tue, 28 Aug 2001 14:18:48 -0500 (CDT)
From: William Knowles <[EMAIL PROTECTED]>
To: Robert Hettinga <[EMAIL PROTECTED]>
Subject: Hacker Breaches Payments Site Webcertificate.com
Organization: C4I.org - http://www.c4i.org

http://www.ecommercetimes.com/perl/story/13147.html

By Lori Enos
E-Commerce Times
August 28, 2001

Online payments provider Ecount confirmed to the E-Commerce Times on
Monday night that a hacker or hackers breached security at its Web
payment site, Webcertificate.com.

"We have reason to believe someone inappropriately accessed data,"
Ecount chief executive officer and president Matt Gillin told the
E-Commerce Times.

According to Gillin, Ecount can only confirm that 25 out of its over
750,000 customer accounts were improperly accessed, but he added that
the company's investigation is ongoing.

Gillin said that the company was "100 percent certain" that no
Webcertificate accounts were used improperly. As part of Ecount's
response to the hack attack, Gillin said that Ecount is reissuing
account numbers for all of its customers, even though Internet
security was breached for only a small number of the accounts.

Webcertificates are MasterCard-branded stored value cards that are
accepted by e-tailers that accept MasterCard. In addition to using the
cards online, consumers can pay an extra fee and purchase a plastic
card for use offline.

Marketed as online gift cards, Webcertificates can be purchased online
using a credit card or earned as a reward at a number of Internet
sites, including MyPoints.com.

Card Numbers Elsewhere

Gillin said that earlier this week, there were indications of a hack
attempt at Webcertificate that prompted an investigation by
Conshohocken, Pennsylvania-based Ecount and its third-party security
firm.

Based on the investigation, the company determined that a hacker had
gained access to account information and was attempting to retrieve
credit card numbers. However, Gillin stressed that no customer credit
card numbers were at risk, because Webcertificate does not store
credit card numbers on its servers.

"He believes he has credit card numbers, but what he has are
Webcertificate numbers," Gillin said.

Because no credit card numbers were stolen, Gillin said that in
Ecount's eyes, the "hack attempt failed."

Motive: Extortion?

Gillin believes the motive behind the attack was extortion, and said
that Ecount was working with law enforcement to identify the person
behind the hack attack.

Extortion has been the motive in other hacker attacks on e-tailers. In
December 1999, a Russian teenager stole approximately 300,000 card
numbers from CDUniverse.com and posted them online when the e-tailer
refused to meet his US$100,000 extortion demand.

Customer Notification

Ecount sent e-mail to all Webcertificate customers Monday notifying
them that new customer account numbers and passwords would be issued.

"You're receiving this new account number as a security precaution
because we have reason to believe that some Webcertificate account
information may have been inappropriately accessed," the e-mail reads.
"We want to be perfectly clear: it is your Webcertificate information,
not your credit card information, which may have been accessed."

The e-mail also advised consumers that "before making these changes,
we evaluated your transaction history and confirmed that your account
has been used properly and only by you."

Quick Response

Gillin said that all Webcertificate customers who had purchased
plastic cards would be receiving new cards in the mail shortly.

Ecount won praise for its quick response from posters at the MyCoupons
Internet message boards.

One poster wrote: "I think this was a very good thing for them to do
considering from some companies we would just get a 'we're not
responsible for this ... blah blah blah ...' So instead of waiting
until more hacking happened, they went ahead and took action to
prevent it."



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
