CyberCash Denies Fault in Security Breach Case

After coming under heavy scrutiny for an alleged software failure that allowed an unidentified hacker to purloin and publish confidential credit card information on the Internet, CyberCash has issued a terse statement denying that its product contributed in any way to the security breach.

The hacker claimed in a series of e-mails to a New York Times reporter to have rifled through online retailer CD Universe’s files by breaking through the security barrier of CyberCash’s ICVERIFY credit card verification software. He then attempted to extort $100,000 (US$) from CD Universe by threatening to publish the information.

A statement from the Reston, Virginia-based CyberCash declared that “ICVERIFY is a PC-based payment system, not a Web-enabled product, and is not being used by CD Universe on its Web site. Therefore, the credit card information cited in recent coverage could not have come from ICVERIFY.”

Blue Christmas

After CD Universe refused to pay the ransom, the hacker posted some 25,000 of the stolen credit card numbers on a Web site on Christmas Day. Several thousand of the numbers were reportedly downloaded before the site, called Maxus Credit Card Pipeline, was shut down by the FBI early Monday.

CD Universe has acknowledged that it was the victim of an extortion scam and confirmed that it refused to cave into the hacker’s demands.

“Refusing to bow to this new breed of cyber-criminals, we have taken a stand against a new form of online blackmail on behalf of all legitimate e-commerce retailers,” said Brad Greenspan, chairman of eUniverse, CD Universe’s parent company.

The Wallingford, Connecticut-based company is working with the FBI and with major credit card companies and securities firms to prevent further damage as a result of the extortion attempt. CyberCash is directing all inquiries to law enforcement officials or directly to CD Universe.

Food For Thought

The hacker told the New York Times reporter that he had been stealing credit cards since 1997 and was able to use the ICVERIFY program to make a charge on a credit card and then issue a chargeback refund to a second card. He also said that he had been able to get cash from an ATM using similar means.

He sent the reporter a list of 198 credit cards as proof of a theft from what he called a much larger credit card database than that of CD Universe. The reporter verified that several cards were indeed stolen.

The theft will certainly cause concern for consumers and e-tailers alike. Online security has always been an issue, but this instance is the first report of a large-scale theft involving an e-commerce site.

eUniverse is a publicly traded company that also operates interactive game and video sites. The company claims up to 2.8 million unique users a month and had second quarter revenue of $1.8 million and a net loss of $1.5 million.

CyberCash declined to comment further on the controversy, but did remind consumers to “always check their monthly statement for accuracy and immediately report any errors to their issuing bank.”

More Concern For Female Shoppers

The CyberCash security flap comes amid growing evidence that security concerns are causing women to forgo online shopping more readily than men. News about a mass theft of credit card data will only fuel increased concern, because it will confirm fears that credit card data can easily be stolen. However, it remains unclear whether these concerns will have a long-term impact on online shopping by women.