Hackers cash in on e-commerce bug

A small online company misses an e-mail warning about flaws in its shopping cart software. Customers' credit card numbers are stolen. Who takes the blame?

In April, a devastating bug was found in shopping cart software called "PDG" that exposed all customer records on about 4,000 Web sites. The FBI issued a public warning directed at the software's customers, but a small e-commerce Web site named SawyerDesign.com didn't notice.

Within days, computer criminals had a field day, racking up thousands of dollars of charges on victims' cards at gambling sites, buying phone cards and downloading pricey software. Here's a look at the chaos caused in people's lives by one simple technology mistake.

"I had a nightmarish situation last month, there were $6,000 in charges. This month, $2,000. Most at gambling sites, and places like Firecash.com, cash services," said Hunter Culberson of Tullahoma, Tenn. "Visa has credited me, but it has been a nightmare. . . . The bad thing is my wife told me no more Internet purchases from our house, which is a main vehicle for my shopping. "

The "nightmare" centers around a Kansas City, Mo., sports memorabilia display company named SawyerDesign.com and e-commerce shopping software called PDG. In April, PDG Software Inc. revealed that computer criminals had figured out a way to easily break into its software and raid customer accounts--the trick was so easy, it involved discovering only a single URL. The flaw was so severe that PDG went to the FBI, which issued an alert saying "hackers are actively exploiting it" and "the vulnerability has already resulted in compromise and theft of important information, including consumer data."

But SawyerDesign.com's operators, Regal Plastic Supply, missed the warning. Within a few days, and up until this weekend, computer criminals had a field day with the site, raiding its database liberally. The flaw was fixed after MSNBC.com notified the company.

Assessing blame for the incident is a bit dicey. PDG Software issued a fix right away. And the company contacted the FBI and sent two e-mails describing the urgency of the problem to every customer who had purchased PDG.

But Regal Plastic Supply never received the e-mail because it bought the software from a reseller. It's also easy to understand how Regal never noticed the warning on the FBI's National Infrastructure Protection Center Web site.

And since the company garners only a trickle of transactions from the sports memorabilia display case site--its main business is real-world plastic supply--it's not surprising that the firm doesn't have a full-time system administrator applying patches to the $1,000 shopping cart software.

That, however, is little comfort to the 100 or so victims of the SawyerDesign.com heist, who began seeing charges on their credit cards last month. Nearly all of them had credit cards riddled with fraud charges, but none of them had any idea how their card numbers were stolen until contacted by MSNBC.com this weekend.

"I tried to use my credit card and was told it was over max," John Hagerty said. "I contacted my bank and found that more than $4,000 had fraudulently been charged on my credit card. I had to contact these companies to whom the charges were billed, and had them send credits to my account. I still have a few to clear up."

'We thought we had bought the best available software'

Brenn McMillan, who works in production at Regal Plastic Supply, figures his company is also a victim.

SawyerDesign paid $1,000 for software that was flawed, and it wasn't alerted to the problem.

"We thought we had been very on top of (the Web site). Well there was an update a month ago, the FBI was involved and we weren't told," he said. "We thought we had bought the best available software. We had no idea the shopping cart was accessible to every (computer criminal)."

PDG President David Snyder did not exactly point the finger back at Regal, but he did say his firm did everything it could to publicize the flaw and the need to install a patch.

"We had never had contact with Sawyerdesign before this, since a reseller sold them the package," he said. "The best we can do is publicize it...we told resellers they needed to contact their customers directly."

The victims aren't responsible for the bad charges, and most are now well on the way to clearing the purchases off their credit. In some cases, the card-issuing bank noticed the fraud first and actually called the victim, then took care of the problems in one simple step. But others must sign and mail sworn statements for each charge they choose to contest, a laborious process.

Amy Pisani of Ft. Lauderdale, Fla., had run two cards through the SawyerDesign.com system and both were compromised by computer criminals. Among the loot taken were a host of telephone cards, a "significant" purchase at Borders.com and a car stereo. But what bothers Pisani the most is the hassle.

"They say it takes 60 days to investigate. Meanwhile, I'm still dealing with affidavits and getting the charges off my card. Frankly, it's a pain in the butt. And I don't like seeing the charges on my bills," Pisani said. "I found out about this on May 5 and I'm still taking care of this, still making phone calls. It's frustrating."

Other victims' stories:

"I first learned of the problem when a merchant (Access Phone) called me to try to verify that I wanted to set up a long distance phone account over the Internet. Of course I knew nothing about it. The lady said that the address listed for the credit card was not the same as whoever was trying to use it and that sets up a red flag to them. Thank goodness for that. We had just under $2,000 charged in 2 days before we caught it," wrote Mark Ainsworth;

"The card was a cash-check card so all the stolen monies, and $400-plus came out of my account, which of course kicked in my ready reserve at 15 percent interest...the card has been canceled," wrote John Calhoun; "I noticed charges on my card about 5 days after he began his shopping spree. It is very interesting what this person has been purchasing (calling card minutes, web site domain names, digital camera). However, the majority of his purchases are from long distance phone companies," wrote Perry Chappell;

"Two weeks ago, WACHOVIA notified me via snail mail that there was a possible fraud alert on my card and I immediately snuffed it and have received another one. Damage control will soon be under way. Thanks to you, I can now isolate every transaction from the 27th of June till present and will screen for any bad charges. Still, charges are so cryptic...and one cannot tell what state the charges originate or even some of the actual business names in those charges. I will glean over everything...you can bet on it," wrote Michael R. Brasch.

But even if all the fraudulent charges are cleared from victims' accounts, flawed e-commerce software and unapplied software patches can leave a bad taste in customers' mouths and lingering doubts about what else was taken in the heist.

"Unfortunately, my credit card company had already contacted me in reference to this situation," wrote Michael Lerner. "My credit card number was used to make a lot of fraudulent purchases, fortunately, I won't be held responsible for those purchases. However, I can't help but be concerned about my other personal information that was exposed; so often lately I have heard of people's identities being stolen/used. I guess at this point all we can do is hope that no other damage has been done."