A recent report describes how criminals are using an Internet payment gateway to check for valid credit card numbers. The criminals use a stolen merchant's account to check thousands of random card numbers, and the merchant is charged for each failed transaction. Presumably, the criminals then run up substantial charges on the tiny percentage of card numbers that got validated.
The major weakness here is that the merchant accounts are only secured with a user name and password, or sometime even only a password, making it easy for criminals to get access. Merchants are blaming the payment gateway company.
There is a lesson here for the review of the Electronic Transactions Ordinance: if there is a weak (and easy) authentication option, people will want to use it, demand to use it, will use it, even when it is inappropriate.