Welcome to the eCommerce Report Australian ecommerce network
Our latest print edition was
Volume 16, Number 1, 2009






 

Bottle Domains says card fraud a coincidence, but gave lists of customers’ cards to banks anyway

Neither Andrew Stevens, the general manager of Melbourne-based Bottle Domains, nor his boss – Nick Bolton, owner of Australian Style Investments – believes that any of Bottle’s customers’ credit cards have been hit by fraud.
We know that for a fact because, after checking with Bolton, Stevens has finally answered questions put by eCommerce Report about the recent hacking of Bottle’s customer database.

It took a while to get Stevens’ answers because, as he told us by email, he had to get them OK’d by Nick Bolton. And Bolton has been, of course, very busy this past week in Court actions connected with his attempt to wind up Brisbane’s toll-road builder – BrisConnections.

But now that the answers are in, it is clear that both Stevens and Bolton are in denial.

“We do not believe there was any fraudulent use of a customer credit card as a result of this breach… [and] Any speculation from banks contrary to what I have said, especially relating to credit cards listed in our system being linked to fraudulent transactions, is entirely unfounded, and I believe nothing more than a coincidence.”

Stevens repeated the claim made on the company’s web-site that the hacker had formerly been a staff member of another Australian domain name registrar.

“This was by no means a random attack” he said. “They had access to privileged information under confidentiality agreements and had intimate knowledge of the workings of the system.”

Stevens said that Bottle had now replaced the system that had been hacked, and that the new system is compliant with the Payment Card Industry (PCI) security standard.

But he effectively conceded that Bottle’s systems had not previously been PCI compliant.

“I think you will find that very few, if any competitors within Australia are 100% PCI compliant.”

Stevens confirmed that Bottle had commissioned a security audit by the Australian company Vectra Corporation, and said that Vectra had been recommended by the industry domain name regulator, .au Domain Administration (auDA).

eCommerce Report understands that auDA not only recommended Vectra, but insisted on the security audit in the immediate aftermath of the hack being discovered.

Moreover, postings to an online board run by Cove Business Technology, which claims to be Bottle’s largest re-seller, suggest that auDA had had Bottle disconnected from the AusRegistry database for 2 weeks. During that time Bottle customers were unable to manage their accounts.
But Bottle managed to keep going, including registering new domain names, using the AusRegistry connection of Nick Bolton’s other accredited Registrar business – Explorer.Net.

Stevens refused to comment on any questions connected with auDA, and claimed that there is no evidence to suggest that all the company’s customer records back to 2003, some 60,000 in total, have been stolen.

Of course, the evidence is readily available at the web-site where the hacker tried to sell the data. Moreover, we have published screen grabs from that site.

Also curious is Stevens’ claim that Bottle has given a list of its customer card data to the issuing banks so that “they could prudently monitor for any irregular activity.”

There are many, many card-issuing banks in Australia, and it is unclear how a list could be given to them all.

More probably, if this was in fact done, the list would have been given to Bottle’s bankers at Westpac.

In any event, both banks and Australian Federal Police officials have told eCommerce Report that the list they’ve got was provided by the joint federal and state police operation – the Australian High Technology Crime Centre.

So although Stevens claims that “credit card data was voluntarily given to financial institutions as a precaution”, it seems very likely that police requested the data or, even worse, got it from the hacker himself.

For more information go to www.auda.org.au www.bottledomains.com.au www.australianstyle.com.au www.ahtcc.org.au www.cove.com.au www.ausregistry.com.au www.explorer.net.au www.brisconnections.com.au www.vectra-corp.com

For more information go to
syd.icann.org
www.auda.org.au
www.ausregistry.com


 


©Copyright  Technosocial Research Services  All Rights Reserved
mail@ecommercereport.com.au