http://www.wired.com/news/print/0,1294,65039,00.html
Wired News
Hack Attack Gums Up Authorize.Net
By Noah Shachtman
Story location: http://www.wired.com/news/infostructure/0,1377,65039,00.html
01:56 PM Sep. 21, 2004 PT
Hackers have crippled one of the internet's biggest credit card processors,
and tens of thousands of online merchants are losing business while the
company struggles to recover.
Since last Wednesday, Authorize.Net has been relentlessly pounded by
distributed denial of service, or DDoS, attacks. The massive, coordinated
waves of internet traffic have repeatedly overwhelmed the company's
servers. Authorize.Net's customers have had to improvise: Some are
confirming their credit card orders over the phone, others have gone with
little or no sales for nearly a week.
"I'm losing four grand a day in revenue," said David Hoekje, president of
PartsGuy.com, an online heating and air conditioning parts dealer. "My year
is a bell curve, and we're on the upwards slope now. This is 5 percent of
my year, gone."
As of Tuesday afternoon, there still seemed to be no end in sight to the
hacker strikes against Authorize.Net. Security experts say that there's
little a company can do to defend itself against these kinds of attacks.
But company officials insist they're trying. "We're actively trying to
deal with it. And we're working hard to minimize the disruptions to our
merchants," Authorize.Net marketing director David Schwartz said. The
company has turned to the FBI, as well as outside consultants, for help, he
added.
With about 90,000 customers, Authorize.Net is one of the internet's
best-known, most widely used credit card processing services, focusing
mostly on smaller merchants. Earlier this year, the firm was bought by the
Burlington, Massachusetts, online payment and fraud-detection firm
Lightbridge for $82 million.
But since the sale, Lightbridge has been hit by a series of body blows. In
August, CEO Pamela Reeve resigned; last week, the company announced it was
laying off 65 people -- a 12 percent cut in its workforce. And now, "these
unforeseen and malicious DDoS attacks," as a company message called them.
"We know how hard it is," said Michael Adberg, co-founder of WeaKnees.com.
The site, which sells TiVo upgrades and DirecTV installations, was itself
the target of a DDoS attack last October. "But we're surprised that such a
large company wasn't better prepared than we were."
He added, "They have really let us down."
For the moment, Adberg and his associates have been phoning customers who
place orders over the website, confirming their information and only later
processing their payments with Authorize.Net.
"But there will be a few customers who we'll ship their orders, and we
won't charge them," Adberg said. "Maybe 10 percent will slip through the
cracks."
The lost revenue is only part of the problem, however. Even if sales are
saved, the company image can be scuffed by such a move.
"Imagine placing an order with Amazon, but not being able to pay online,
and then having to call a customer support person so they can charge you,"
said a network chief at one of Authorize.Net's customers.
The payment processor has been able to take care of some transactions,
through slight modifications to its domain name. But these tactics have
only been partially effective. And, in the long run, wholesale changes to
web addresses are bad for business, explains Drew Copley, a senior research
engineer at eEye Digital Security. "You can lose money, lose customers,
because they can't find you."
Information from attacking PCs can be slowed down; internet protocol
addresses of other offending computers can be blocked. But, in the face of
a large-scale strike, there's little that can be done, observed Copley, who
built one of the first DDoS tools for Windows.
"When you get 10,000, 50,000 computers all firing at once, for attacks
like that, there is no simple solution," he added.
--
-----------------
R. A. Hettinga