I'm dropping this here, because I didn't know if it would be better suited to the 'running a webhost' or 'security' forum, or where it would be seen by anyone who might be affected. (Mods: Feel free to move if there is a more appropiate section!)

I saw this one MSNBC earlier today, and at first didnt' really think about it... until I saw it a 2nd time and really read it.. and I noticed the bits about Authorize.Net...

http://www.msnbc.com/news/705531.asp?0dm=C17NT

Needless to say, If I was using Authorize right now, I'd be a tad bit worried?

Authorize.net suspended their crediting system today. Here's what they had to say:

The ability to run credits through the Authorize.Net system is temporarily suspended. We are
adding additional features and business rules to the credit process to reduce the potential of
an unauthorized credit from being processed through your Authorize.Net account. This action
is being taken as part of our ongoing efforts to assist merchants in protecting themselves against
fraud. We expect to enable this newly enhanced credit feature within the next 48 hours.

-Dan

MSNBC. What a bunch of clowns.

I suppose the problem is worth mentioning, but as the article itself points out there's nothing new about creditback schemes. It's one of the oldest tricks in the credit card fraud book.

And then when they quote a specific example in the article, it's not at all the kind of scenario they're warning about:

"One real-world victim of the credit-back scheme, Maryland resident Chuck Sinkoske, said his wife found four surprise charges for $600 on her Visa bill in early January. Her bank simply asked that she challenge those charges but didn’t cancel the card."

Huh?!? That has nothing to do with the rest of the article. Charges on a stolen credit card number aren't the problem they're supposedly warning about, credits to a card owned by the perpetrator of the fraud are! Their "real-world" victim was hit by run-of-mill card theft, not by "the credit-back scheme" -- which hits only the card issuer and a merchant; not any particular card holder.

I think it relates (in theory) because what they are saying is that she had charges on her card, which (they don't exactly go into this...) were then refunded to another card. That would be my guess, or else you're right, it has nothing to do with the article.

Here ya go:
http://www.authorizenet.com/files/creditreturnsummary.pdf

-Dan

Authorize.net did some updates on this and here's a quote from an email I received: "We are pleased to announce the release of the new and improved Credit Return feature. As part of our
ongoing effort and commitment to help Merchants protect themselves from fraud, we have enhanced the
method and requirements by which Merchants can issue Credit Returns through their TotalPay Payment
Gateway account."

and a link that will tell you the most: http://www.authorizenet.com/files/creditreturnsummary.pdf

Didn't notice the message above, o-well.