Spitfire, which normally receives up to 30 orders a day for its talking toilet paper dispensers and miniature book products, said that its account generated 140,000 purchases last Thursday. The company claims that its on-line credit card transaction processor, Online Data, approved approximately 62,000 false charges worth $5.07 each, while about 80,000 cards declined to process the transaction.
Online Data is a reseller VeriSign's credit card payment gateway services, which actually performed the authorisations. Spitfire alleges that VeriSign initially approved $300,000 in false charges, but stopped the transactions before they were completed so no money was actually transferred in the scheme.
Both Spitfire and VeriSign said they believe fraudsters got the credit card numbers by cracking the passwords of the affected merchants and were testing the validity of these numbers.
According to a report by MSNBC news, VeriSign blames Online Data for the incident, for issuing poor passwords to customers such as Spitfire, which would be easy for fraudsters to guess.
However, Online Data appeared to blame its customers, saying that they are issued with a starter password and encourages merchants to change the password. Online Data says this was not done by the merchants.