Cybercrime

Hacker Breaches Payments Site Webcertificate.com

hacker

Online payments provider Ecount confirmed to the E-Commerce Times on Monday night that a hacker or hackers breached security at its Web payment site, Webcertificate.com.

“We have reason to believe someone inappropriately accessed data,” Ecount chief executive officer and president Matt Gillin told the E-Commerce Times.

According to Gillin, Ecount can only confirm that 25 out of its over 750,000 customer accounts were improperly accessed, but he added that the company’s investigation is ongoing.

Gillin said that the company was “100 percent certain” that no Webcertificate accounts were used improperly. As part of Ecount’s response to the hack attack, Gillin said that Ecount is reissuing account numbers for all of its customers, even though Internet security was breached for only a small number of the accounts.

Webcertificates are MasterCard-branded stored value cards that are accepted by e-tailers that accept MasterCard. In addition to using the cards online, consumers can pay an extra fee and purchase a plastic card for use offline.

Marketed as online gift cards, Webcertificates can be purchased online using a credit card or earned as a reward at a number of Internet sites, including MyPoints.com.

Card Numbers Elsewhere

Gillin said that earlier this week, there were indications of a hack attempt at Webcertificate that prompted an investigation by Conshohocken, Pennsylvania-based Ecount and its third-party security firm.

Based on the investigation, the company determined that a hacker had gained access to account information and was attempting to retrieve credit card numbers. However, Gillin stressed that no customer credit card numbers were at risk, because Webcertificate does not store credit card numbers on its servers.

“He believes he has credit card numbers, but what he has are Webcertificate numbers,” Gillin said.

Because no credit card numbers were stolen, Gillin said that in Ecount’s eyes, the “hack attempt failed.”

Motive: Extortion?

Gillin believes the motive behind the attack was extortion, and said that Ecount was working with law enforcement to identify the person behind the hack attack.

Extortion has been the motive in other hacker attacks on e-tailers. In December 1999, a Russian teenager stole approximately 300,000 card numbers from CDUniverse.com and posted them online when the e-tailer refused to meet his US$100,000 extortion demand.

Customer Notification

Ecount sent e-mail to all Webcertificate customers Monday notifying them that new customer account numbers and passwords would be issued.

“You’re receiving this new account number as a security precaution because we have reason to believe that some Webcertificate account information may have been inappropriately accessed,” the e-mail reads. “We want to be perfectly clear: it is your Webcertificate information, not your credit card information, which may have been accessed.”

The e-mail also advised consumers that “before making these changes, we evaluated your transaction history and confirmed that your account has been used properly and only by you.”

Quick Response

Gillin said that all Webcertificate customers who had purchased plastic cards would be receiving new cards in the mail shortly.

Ecount won praise for its quick response from posters at the MyCoupons Internet message boards.

One poster wrote: “I think this was a very good thing for them to do considering from some companies we would just get a ‘we’re not responsible for this … blah blah blah …’ So instead of waiting until more hacking happened, they went ahead and took action to prevent it.”

12 Comments

  • I also received this email twice. Now I have these strange $39.00 charges coming out of my bank acct. They are ACH and my bank can not trace them. I AM almost sure they are unrelated, but of course these old emails came to mind when I found strange charges to my acct. I AM going to the bank tomorrow to cancel the charges. Has anyone ACTUALLY had money taken? Again, these are probably unrelated, but I AM curious if anyone lost money. I have emailed webcertificate.com but I AM waiting to get a response.

    • Simon,

      I got an identical email this morning (well, with my name and address, of course).

      I’m not worried though, since 1) the company reset all the account numbers as soon as they knew they’d been hacked 2) I only had $5 in my account and 3) Pretty much anyone can find out my street address anyway.

      I went to the Webcertificate Help page and sent them an email, pasting in a copy of Mr. Zilterio’s email, headers and all, and I recommend that you do the same. Hopefully they will at least complain to his ISP and get his account canceled!

        • I got the same message from Mr. Zilterio. Anyone else notice that his website is

          just a front for one of a million register-your-domain-here sites?

          I’m sending the message to [email protected], and I’d encourage everyone

          else to do the same (as an earlier poster also said).

          • I got the message from Zilterio today as well. Note that the article here is dated August 28, 2001. Makes me wonder if we’re “round two” of the hacking…like maybe it was only 25 people at the end of August, but it’s who knows how many now. As for the “credit card number”, I knew right away that it wasn’t really my credit card number, but I have no idea if it was my “webcertificate Master Card” number since I don’t know what it is. I do believe the expiration date quoted in the email corresponded with the expiration date assigned to me by webcertificate. I’m really upset, even though there was only spare change on my webcertificate account, because my home addy is unpublished and generally can’t be gotten by just anybody. And I haven’t received *anything* from webcertificate, no notice of what’s going on, and not even an email that they said I would receive when I tried to log on. I tried to log on and it wouldn’t let me and it said they were sending me a new temporary password that would allow me to log on, but I’ve gotten nothing. Grrrr!

            Becky

          • Yes, I received the message today, months after it was originally posted by webcertificate. Only 25 accounts accessed? What a lie. And they had all the right info.

  • Sorry, I think eCount and WebCertificate are negligent for not posting a notice on their sites regarding the break-in and not notifying ALL of their customers.

    I received an email from the hacker but I have not heard a thing from eCount or Webcertificate.

    Big Thumbs Down for 2001 eCommerce goof of the year!

  • I got the notice this afternoon but Mr. Zilterio didn’t have my correct credit card number. He did, however, have my current address. But I’m curious how many of you just assumed that it was your credit card number and didn’t check?

  • A word to the wise… If an e-commerce site claims to be “100% secure” don’t give them any of your private info! Especially credit card numbers!

    Anyone who claims to be “100% secure” is either lying or incompetent. There is no such thing as a 100% secure server, they are running all sorts of third-party software that they have never audited for security flaws.

    Conspicuously absent from their website and the response as reported in this article is the remedy. What exactly have they done to fix the problem? We have only their word that they did anything, and of course they don’t say how they were hacked. The only reasons I can think to not say how you were hacked would be because A) you haven’t fixed the hole yet, or B) you’re embarrassed/afraid of liability for your own incompetence.

  • I received the following email this morning (cleansed to protect myself):

    >> Dear Simon Gales

    >>

    >> I hate to inform you that your account

    >> has been hacked on webcertificate.com and

    >> ecount.com. These sites have very weak

    >> security protection system and the database

    >> with credit cards and other personal information

    >> is not protected at all. Your personal details:

    >>

    >> 111 Spartacus court

    >> Cary NC 11111 US

    >>

    >> Your credit card information:

    >>

    >> 1111111111111111

    >> expiration time: 11/11/11 1:11:11 PM

    >>

    >> We offered them our help many times. But top

    >> management of webcertificate.com and ecount.com

    >> don’t care about their customers – you. They

    >> care only about their money.

    >>

    >> zilterio

    >> http://www.zilterio.com

    >>

    While I certainly don’t condone Mr. Zilterio’s methods, it does appear that confidential information WAS stolen from WebCertificate.com’s site.

    Has anyone else gotten an email like this, how many of us are there?

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Lori Enos
More in Cybercrime

E-Commerce Times Channels