Bitter employee suspected in foiled credit card racket
Saturday August 09 2008
Breda Heffernan
A DISGRUNTLED former employee of an Irish retailer may have been responsible for stealing credit card details of up to 100 customers in a potentially costly internet scam.
The information is thought to have been stolen several months ago -- with fraudsters waiting until this week to try to use the card numbers.
However alarm bells were triggered when they carried out a series of "test" transactions worth only €1 or €2 on an American website on Wednesday night. The Irish Payment Services Organisation (IPSO) said that if the banks' monitoring systems had not picked up the unusual transactions, the criminals would have begun using them to make more costly purchases.
All major banks have been affected by the security breach and are trawling through customers' credit card records to trace which retailer's database was hacked. So far there are three or four possibilities, all of which are small Irish internet retailers.
"The banks have to back track through all of the transactions because the compromise happened a couple of months ago . . . This could have been a major incident if it had not been noticed and the cards blocked," explained Una Dillon, heard of cards at IPSO.
Details
"The chances are that it's just one retailer. It could have been a disgruntled staff member who stole the details and then waited a few months to use them. Generally retailers here are above board. You usually find that the owner or the manager knows nothing about it and it's a staff member who only worked there for a couple of weeks," she added.
Ms Dillon said it would be extremely rare for people to use their credit cards to make purchases of such a low value. She said it was undoubtedly a "test transaction" before a higher value purchase would have been made.
All of those customers affected have already been contacted by their credit card issuer which has cancelled the cards and will be issuing new ones in the coming days. However Ms Dillon urged all credit card customers to check their account balances regularly.
"It is also a good opportunity to raise awareness among retailers that they should make sure they are complying with security standards and to update them if necessary."
The criminals had the credit card numbers and expiry dates of up to 100 customers. However they did not have the three-digit security code found on the back of the card and would therefore have been limited in where they could use it online.
Colm Murphy, technical director with security specialists Espion IT, said we are only seeing the "tip of the iceberg" as regards cybercrime because companies are not legally compelled to report security breaches to the Data Protection Commissioner. "If we had a mandatory system of reporting then, a couple of months ago when this information was stolen, these 100 customers could have been informed and could have been monitoring their credit card accounts.
"More and more organisations are starting to do online business in earnest, they are moving systems that were traditionally internal and allowing them to be accessed through the internet. Once you move online the whole risk starts to increase exponentially.
"Very large organisations have to follow strict rules -- the Payment Card Industry Data Security Standard, which is set by Visa and Mastercard. But the problem is that standard only applies to large organisations who process large volumes of transactions," he added.
- Breda Heffernan
