Attacks disrupt some credit card transactions

Flood of data interrupts Authorize.net's credit card processing for Internet merchants, leaving the company scrambling.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Online credit card processor Authorize.net on Wednesday acknowledged that large-scale data attacks have disrupted credit card processing for its Internet merchants over the last week.

The service, a business unit of data-processing company Lightbridge, experienced intermittent outages due to a flood of data from a large number of computers on the Internet, what's known as a distributed denial-of-service (DDoS) attack.

"We are focused on putting an end to the DDoS attack," said David Schwartz, a spokesman for Authorize.net. "We are working to implement industry-leading defenses...to eliminate the threat of DDoS attacks."

The start of the attack, on Sept. 15, coincided with the company laying off 12 percent of its work force. But retribution was not considered as a motive for the attack, because the company had received an extortion letter before the layoffs were announced, Schwartz said. He added that the company is cooperating with federal law enforcement to investigate the attacks and find the source.

The outages have caused the service's customers to lose business, according to e-mail messages sent to CNET News.com.

"I can't tell you how much business we have lost," said Jason Oliver, vice president of client technical services at Web application maker Snapbridge Software. "I, for one, will consider moving my business from them."

Snapbridge uses Authorize.net's service to allow its customers to buy software with a credit card. Potential buyers were stymied and may not have returned to buy later, Oliver said.

The executive took Lightbridge to task for not notifying its customers immediately. The first notice his company received from Authorize.net regarding the outage came nearly a week after the software seller first started having credit card-processing problems.

"You would think such a large and public company (Lightbridge) would have measures in place to defend their network," Oliver said. "I just can't let this go without holding them accountable."

Authorize.net's Schwartz said the service does not comment on internal business issues.

Online extortion has become increasingly common; companies that don't pay demands are faced with a flood of data attacks that disrupt their Internet service, said Tom Corn, vice president of product marketing at denial-of-service defense firm Mazu Networks.

"We have seen a huge escalation," Corn said. "We have seen this in online gaming sites, in Web hosting and (to) some extent in financial services."

Corn said denial-of-service attacks are no longer just the problem of Internet service providers. Companies that rely on the Internet need to make their own plans to deal with such attacks, he said.