<http://www.wired.com/news/print/0,1294,65039,00.html>

Wired News

Hack Attack Gums Up Authorize.Net
By Noah Shachtman

Story location: http://www.wired.com/news/infostructure/0,1377,65039,00.html

01:56 PM Sep. 21, 2004 PT

Hackers have crippled one of the internet's biggest credit card processors, and tens of thousands of online merchants are losing business while the company struggles to recover.

Since last Wednesday, Authorize.Net has been relentlessly pounded by distributed denial of service, or DDoS, attacks. The massive, coordinated waves of internet traffic have repeatedly overwhelmed the company's servers.

Authorize.Net's customers have had to improvise: Some are confirming their credit card orders over the phone, others have gone with little or no sales for nearly a week.

"I'm losing four grand a day in revenue," said David Hoekje, president of PartsGuy.com, an online heating and air conditioning parts dealer. "My year is a bell curve, and we're on the upwards slope now. This is 5 percent of my year, gone."

As of Tuesday afternoon, there still seemed to be no end in sight to the hacker strikes against Authorize.Net. Security experts say that there's little a company can do to defend itself against these kinds of attacks. But company officials insist they're trying.

"We're actively trying to deal with it. And we're working hard to minimize the disruptions to our merchants," Authorize.Net marketing director David Schwartz said. The company has turned to the FBI, as well as outside consultants, for help, he added.

With about 90,000 customers, Authorize.Net is one of the internet's best-known, most widely used credit card processing services, focusing mostly on smaller merchants.

Earlier this year, the firm was bought by the Burlington, Massachusetts, online payment and fraud-detection firm Lightbridge for $82 million. But since the sale, Lightbridge has been hit by a series of body blows.
In August, CEO Pamela Reeve resigned; last week, the company announced it was laying off 65 people -- a 12 percent cut in its workforce. And now, "these unforeseen and malicious DDoS attacks," as a company message called them.

"We know how hard it is," said Michael Adberg, co-founder of WeaKnees.com. The site, which sells TiVo upgrades and DirecTV installations, was itself the target of a DDoS attack last October. "But we're surprised that such a large company wasn't better prepared than we were."

He added, "They have really let us down."

For the moment, Adberg and his associates have been phoning customers who place orders over the website, confirming their information and only later processing their payments with Authorize.Net.

"But there will be a few customers who we'll ship their orders, and we won't charge them," Adberg said. "Maybe 10 percent will slip through the cracks."

The lost revenue is only part of the problem, however. Even if sales are saved, the company image can be scuffed by such a move.

"Imagine placing an order with Amazon, but not being able to pay online, and then having to call a customer support person so they can charge you," said a network chief at one of Authorize.Net's customers.

The payment processor has been able to take care of some transactions, through slight modifications to its domain name. But these tactics have only been partially effective. And, in the long run, wholesale changes to web addresses are bad for business, explains Drew Copley, a senior research engineer at eEye Digital Security.

"You can lose money, lose customers, because they can't find you."

Information from attacking PCs can be slowed down; internet protocol addresses of other offending computers can be blocked. But, in the face of a large-scale strike, there's little that can be done, observed Copley, who built one of the first DDoS tools for Windows.

"When you get 10,000, 50,000 computers all firing at once, for attacks like that, there is no simple solution," he added.

-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'