Databases Exposed at Online Credit-Card Security Firm

Databases at online credit card processing and security provider Anacom Communications were illegally accessed this week, Anacom's parent company ZixIt Corporation confirmed Thursday.

ZixIt said that it took control of the entire Anacom premises and began forensic data analysis on the breach Monday night. In addition, the company said, the U.S. Federal Bureau of Investigation (FBI) was brought in to begin a criminal inquiry.

ZixIt director of corporate communications Paul LaBelle told the E-Commerce Times that ZixIt was informed earlier in the week that fraudulent transactions were taking place using the merchant accounts on the Anacom network.

"We pulled the plug and immediately informed all the merchants and the credit card associations they would have to use services from other providers in the interim," LaBelle said.

Lots of Questions

On Wednesday, outside forensic data experts officially confirmed that both the intrusions and fraudulent transaction processing had occurred. ZixIt management said it has started the process of notifying credit-card companies about the accounts that may have been improperly accessed.

LaBelle said that ZixIt did not yet have any information regarding the outcome of the investigation, such as how long the accounts were exposed or how the breach occurred. ZixIt also said the breach did not involve any of ZixIt's own data centers or e-mail technologies.

Anti-Fraud Specialists

Anacom is the developer and owner of the WebCharge, WebCheck and Internet Fraud Screening (IFS) payment processing gateways and technologies, according to several Web sites that use its services.

Anacom's merchant account application, e-ZStart, contains multiple Internet fraud filters that each credit card must pass through prior to approval of a transaction. These filters include a negative credit-card database, a fraudulent Internet protocol (IP) and e-mail address filter, and proprietary data encryption.

Visits to Anacom.com throughout the day found the Web site unavailable.

How Serious?

Although online breaches of security are taken seriously by consumers, corporations and law enforcement, the frequency of actual online credit-card fraud is greatly exaggerated, according to a recent report from Jupiter Media Metrix.

The Jupiter report said that attention focused on online security incidents has led consumers to erroneously believe that fraud is approximately 12 times more prevalent on the Internet than off, which is not the case.

In order to reduce misunderstanding about the risks of online fraud, Jupiter recommends that companies classify security incidents, such as the Anacom occurrence, into one of three levels of severity: threat, breach and fraud.

Based on the initial reports from ZixIt, it appears the Anacom incident might fit into the fraud category, which is defined as a situation in which security is compromised, unauthorized access to private records has occurred, and there has been actual misuse of the credit data.