Thought this thread was worth an update. Authorizenet has taken strong steps and made changes that seem to have stopped this problem in its tracks for my clients. They are a solid company and are handling this episode very well in my book.
I've been involved with credit card sales and fraud for over 20 years and this has been some of the finest support I've experienced.
One of the important safeguards is accepting transactions from authorized addresses only. The problem?
Not all browsers handle referers properly, and I'm not just talking about the old relics here - Netscape 6.1 (fortunately not that big a market) is quite buggy at handling referers with form submission - a common purchasing situation online.
So, our only recourse right now is to deny online purchase to people using browsers that don't accurately send referers. Not a big deal so far, but I'm not happy about denying service to someone using a relatively new, mainstream browser.
It's time for the browser companies to get very sharp. Security issues can cripple online commerce altogether. Referer handling, HTTPS, SSL, P3P, TLS - flawless support here is mandatory. Hackers are criminals, and usually not of the dumb variety.
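An added example, not part of the original post and not Authorize.Net's implementation: one way a merchant-side referer check could separate a missing Referer (the browser problem described above) from one that names an unauthorized address. The allow-listed host `shop.example.com`, the function names and the sample values are all constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the only origin allowed to submit the payment form.
ALLOWED_ORIGINS = {("https", "shop.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def classify_referer(referer):
    """Return 'allowed', 'missing', 'malformed' or 'denied' for a Referer value."""
    if referer is None or not referer.strip():
        return "missing"  # browser sent no Referer with the form post
    try:
        parts = urlsplit(referer.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return "malformed"
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        return "malformed"
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # Compare the parsed origin exactly; a string-prefix test would accept
    # look-alike hosts such as shop.example.com.evil.test.
    origin = (scheme, host, port)
    return "allowed" if origin in ALLOWED_ORIGINS else "denied"


def tally(referers):
    """Count outcomes so refusals caused by missing referers can be tracked."""
    return Counter(classify_referer(r) for r in referers)


# Constructed sample of Referer values seen on the payment endpoint.
SAMPLE_REFERERS = [
    "https://shop.example.com/checkout",
    None,
    "",
    "https://shop.example.com.evil.test/checkout",
    "http://shop.example.com/checkout",
]

if __name__ == "__main__":
    for outcome, count in sorted(tally(SAMPLE_REFERERS).items()):
        print(outcome, count)
```

Counting `missing` separately from `denied` shows how many buyers are being refused because of browser behaviour rather than because the request named an unauthorized address.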