Welcome to the eCommerce Report Australian ecommerce network
Our latest print edition was
Volume 16, Number 1, 2009

Bank confirms credit card fraud from Bottle Domains hack

One of Australia’s big four banks has confirmed fraud on some of the credit-cards whose details were stolen in the theft of up to 60,000 customer records from Bottle Domains. And another big four bank has confirmed it is watching a list of card accounts at risk, a list sent to it by the Australian Federal Police (AFP) body, the Australian High Tech Crime Commission.

Up to 60,000 cards could be on the list, because that’s the number of customer records claimed to have been stolen from Bottle Domains earlier this year.

As we recently reported, the alleged thief offered the file of customer records for sale on a hackers’ web-site. Indeed, our report last week included screen dumps of the thief’s postings to the web-site showing proof of his exploit.

An AFP spokeswoman confirmed that a twenty-two-year-old Perth man was arrested soon after the postings to the web-site. He appeared in the Perth Magistrates Court on the 10th February charged with dishonestly dealing in personal financial information.

Remarkably, despite clear evidence that the theft involved a major breach of credit-card security, Bottle Domains customers haven’t yet been told their credit-card details have been stolen.

Arguably, they don’t need to be, because the domain name industry regulator, .au Domain Administration Ltd (auDA), sent an email to all Bottle customers informing them of the security breach. And the email included a warning to Bottle customers to keep a watch on their credit-card accounts.

Even so, the email was mostly concerned with the need to change passwords on domain name accounts and registry keys. It could hardly be described as having unambiguously informed Bottle’s customers that their credit-card details have been stolen.

Of course, Bottle and auDA aren’t alone in having failed to warn card-holders of the very real threat to their account security. Banks and card issuers have been very slow to act and some appeared to be totally ignorant of the situation.

Westpac spokesman, David Lording, denied his bank’s customers have been affected at all.

“We’ve looked into this… As far as we’re concerned there’s been no sign of fraud on our customers’ card accounts.”

Likewise, an ANZ Bank spokeswoman said their investigators had told her the incident was considered “low risk.”

But both the Commonwealth and NAB have confirmed they’ve recently been sent lists of the card accounts at risk.

The NAB issued a statement to eCommerce Report confirming that a small number of the cards involved had already been hit by fraud.

  • NAB has recently received a file from the Australian High Tech Crime Commission containing at risk NAB credit card details.
  • We haven't been contacted directly by the AHTCC before, so we would assume that this may be related to the matter you're investigating.
  • Those cards which may potentially have been compromised are being carefully monitored within our fraud detection system.  
  • A small number of fraud cases have been confirmed. In genuine fraud cases, the customer will not be liable for any stolen funds or fees and charges incurred during that period, as stipulated in the terms and conditions of all NAB cards.

A Commonwealth Bank spokeswoman also confirmed receiving a list of card accounts at risk.

“The Commonwealth Bank was provided with a list of customer account numbers alleged to have been compromised. 

The Commonwealth Bank utilises sophisticated fraud detection software to protect its customers from fraudulent activity and in this case is continuing to monitor those accounts potentially affected.”

Hopefully, the small number of confirmed frauds reported thus far will turn out to have been because the thief got picked up relatively quickly, and therefore didn’t have much time to use his stolen booty.

But it still remains unclear whether he succeeded in actually selling the file and/or whether he was the only person who has had access to it.

Perhaps of equal concern is the fact that the merchant involved, Bottle Domains, one of Nick Bolton’s Australian Style companies, claims to have been compliant with the latest PCI DSS card security standard.

If that is true then the obvious question is how effective these standards are.

It will also be very interesting to see whether the card companies slap a significant financial penalty on Bottle as they are obliged to under PCI DSS.

Likewise it will be interesting to see whether Australia’s official domain name industry regulator takes any action against either Bottle Domains or the other auDA accredited registrar who Bottle has claimed is involved.

Indeed, as far as eCommerce Report can make out, Bottle’s general manager, Andrew Stevens, has claimed that the theft was perpetrated as a result of Bottle its systems to another registrar.

Stevens’ announcement on the Bottle web-site seems to indicate that an ex-employee of that registrar, knowing that Bottle had the same systems, used his insider knowledge of the system to download Bottle’s entire customer database.

eCommerce Report has repeatedly sought enlightenment from auDA on what action, if any, it proposes to take.

But thus far auDA has failed to respond to any of our enquiries beyond an initial statement that it would be inappropriate to comment whilst the Australian Federal Police is still investigating.

auDA Public Affairs officer, Paul Szyndler, responding to our latest enquiry, said little more than that auDA would be responding “in due course”.

For more information go to
www.ecommercereport.com.au/story78.php
www.auda.org.au
www.bottledomains.com.au


 


©Copyright  Technosocial Research Services  All Rights Reserved
mail@ecommercereport.com.au