Largest Online Credit Card Heist Ever?
Brian writes, "Today InternetNews.com
broke a story about a Russian cracker who claims to
have stolen 300,000 credit cards from CDuniverse.com. After failing in an
attempt to blackmail the company for $100,000 to keep quiet, the cracker
posted the cards at his site."
A couple of paragraphs from the article: ... Maxus appears to move about online using stolen accounts and relays his email through other sites to conceal the originating Internet protocol address, said Smith.
Apprehending Maxus will not be easy, said Richard M. Smith
"It's possible he could have slipped up somewhere along the way, but I think he's pretty free and clear and it's near zero that they will catch him," Smith said.
I would think that this guy would be able to be tracked down. Check out his writing style, scan newsgroups relevant to security and see if there's familiar styles. Also, there was an mp3 file on there. I didn't check it out, but if it is an actual song, that gives insight into what types of music he listens to, and irc and the newsgroups again can be watched in these areas. Plus, the article mentions that he's 18 years old and from russia. That narrows it down a helluva lot. Talk to the ISP's that the ip's were from, and see if they have ANY logs... Caller ID, whatever. Also it appears that he goes by this nick often. Don't know if any of you know of +fravia and +ORC but they had many teachings on stalking on the internet...
So the question is: is there a good possibility that this guy can be tracked down?
You betcha there is an incentive ... the banks have to eat the charge if they authorized it and the merchant followed procedures .... Banks most definitely do call customers to check on activity they suspect is fraudulent. Not all banks do this. The algorithms they run on accounts look at past and current purchasing patterns, velocity, which merchant is used, and so on. Sometimes instead of calling they just slap a stop code on the account so the next time an authorization request comes in the vendor gets the code meaning "call the charge in, we want to talk to you".
They have external read access on their database... it could (maybe it did?) just as well store credit card numbers for bog standard phone/mail orders, can't it?
I would if lots of sites used it and thought the same. What I would really like to see is a small A1 Orange Book (formally proven) open source operating system. Forget about all the US Gov stuff for A1, just do proofs. It should have process level security such that a CGI which is compromised with a buffer overflow (stuff too big to formally prove) has no access to even other spawned CGI's.
If it's so difficult then maybe there is a need for a third party site that specializes in online transactions. Online vendors would place a link on their page that takes the user to a trusted site. Here they can authorise a payment to the vendor with some confidence (perhaps), and pay one bill at the end of the month by post.
Umm, what exactly does cracking a server to access their database have to do with encryption of data. This was not an issue of weak encryption at all, more an issue of weak security on a server. That is not to say I don't totally agree that strong encryption is necessary, but someone sniffing and decrypting communications would be a better case for that argument to be made, not a server breakin.
Well, the only reason this is possible is that the credit card companies don't care. Introducing strong cryptography, challenge-response protocols and real online banking will make such frauds nearly impossible. All these technologies exist, but why aren't they implemented? Apparently the losses of the credit card companies are not enough to justify the move towards stronger verification schemes. This is also fine with everybody - the card owners are not liable for more than $50 of losses and the hackers have an easy source of income.
Do a web search for "digital bearer certificates" and "Robert Hettinga" for some interesting ideas on the future of electronic payment.
do waitresses have palm pilots in your area ?? way cool :)
Although I really do hate your negative way of giving feedback, after reading more interesting comments, I retrieve my comment for it was misinformed and outdated.
On the other hand, your comment almost pissed me off, no wonder you post as AC..
Well, one could always packet sniff to get sensible information, but it must be really long to get a reasonable quantity of information. But that doesn't mean people aren't doing it, and from my point of view, one could write log parsers to extract CC# from packet sniffing logs very easily.
;)
What really scares me about this news, is that I don't understand why would a company how my CC# in a database? Do you give your CC# to your drugstore just because you shop there once a month?
Aren't there some sort of PGP systems to use CC# information, with the help of CC companies like VISA and MasterCard? If people are ready to invest $billions in online commerce, why can't CC companies (who are right anyways) develop useful open standards to protect consumers? (buzzwords rock
Who said _just_ using a packet sniffer? You're over-simplifying the issue. The way I understood the original message was 'packet sniffing' as a _method_, and not as a simple act. Anyways, most things in life are very complicated, we just like to explain them in simple terms.
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
That looks an awful lot like Redhat -- while The Matrix runs on FreeBSD ;-)
Contrary to the popular belief, there indeed is no God.
> Linus doesn't steal, so why do you think it's Ok for you to?
Ahem. DO you do everything Linux does? Gimme a break. This has _nothing_ to do with Linux or Alan or Stephen or whoever. It's just a question of morality.
Have a look at SecurEpayment for an idea of how credit cards should be handled. Through the use of an applet only the bank gets to see the customer's credit card number. The card number never goes to the merchant site.
I'm interested to know what people here think about this system. I've been developing PHP3 code that uses this system.
--
Simon
Well, the $50 max liability rule isn't made by the credit card companies. It's Federal law.
Recently similar Federal laws were passed giving similar protection to debit card holders. According to this site, there's a $50 or $500 limit depending on when you report the theft.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Domain names ending in - are illegal. Sorry.
:)
Yes, Amazon stores your cc#. But they also make a BIG deal about the security. I remember that they used to have a blurb on their web site about how the machine that stored the numbers was connected via a one-way gateway to the net, so it could not be hacked into.
Actually, that's not true. He's only making available the ones w/ old dates. These are the ones that will be useless soon unless they are used. He has the other ones, but he's holding onto them. These are the ones with expiration dates that are years away -- there is no urgency to use them, and it will be much safer to use them when some time has passed from this news story.
Oh yes, there's an idea - pay him off to shut up about it, allowing the consumer to be lulled into a false sense of security. They haven't fixed the problem yet - if they haven't yet, and the problem has now been widely publicized, who's to say that even if they HAD paid off the cracker, they'd ever have fixed the problem? Then you have the potential for yet ANOTHER cracker to come along and repeat the same song-and-dance!
Poor idea. Poor, poor idea.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Umm. You seem to not be aware that the majority of credit-card information transfers over the Internet (all, if you count the places where the site builders aren't head cases) are done via SSL. That certainly helps decrease the chances of someone in between snagging your CC info. I don't trust companies that keep your complete CC info for later purchases - for this very reason.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Let me ask Slashdot readers a question. Suppose you could get a version of Linux that ran 25% slower, but was highly secure, secure enough to run trusted applications in a leakproof environment and untrusted applications in a "sandbox". Would you run it? Would you buy it?
Would it even HAVE to be pay-ware? But that's beside the point - I for one, if I were developing an electronic commerce system and wanted it to run on Linux, certainly would consider such a thing. It's just the right way to do such things.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
HELLO? McFly? This isn't an issue of encryption - it's an issue of an Internet-based purveyor of a service storing the credit-card numbers of their patrons in an insecure fashion, in the name of convenience. You could have had 1024-bit encryption end-to-end, but in this case it wouldn't have mattered at all.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Just because it's been done before (and even done frequently) doesn't make it a good idea. It's still a poor idea - just a poor idea that's been carried through on for the sake of keeping one's good name intact.
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
Why? Personally, I don't feel the need to boycott Slashdot, but I still filter out all banner ads from all sites I visit. I own my bandwidth and computer monitor and I don't let anybody use my property for purposes I don't approve of. If they want to advertise on my computer screen, they have to offer me a good price for my screen real estate and bandwidth. Short of that, no dice.
A lot of E-commerce companies put big efforts in making the "shopping experience" as easy and interesting for the user. Wonderful, the company stored your credit card number, you won't have to type it in again when you shop later!
This is particularly irritating since both IE5 and Mozilla (soon to be NS5) offer to fill in forms at the click of a button. Also, if the company wants to store anything in their database it should be a one-way hash (MD5 or equiv) of the card number, _not_ the number itself.
--
Odds of being killed by lightning and winning the lottery in the same day: 1 in 2^55
The root of this problem is that credit card companies are being negligent. No credit card transaction should be considered valid without a signature. For meatspace purchases, this could be done with pen and paper. On the Internet, it could be done with public key encryption - the cardholder would put a public key on file with the credit card company that would be used to verify signatures on charge requests. Charge requests with bogus signatures would get denied. Charge requests submitted twice would be denied. Modifying a charge request would invalidate its signature.
Secure, anonymous digital cash is also a solution. It would be nice to see a Free digital cash standard emerge. Digital cash would also eliminate many of the privacy and fraud problems inherent in today's credit card transactions.
However, maybe in the long run this event is good. I think the best way for companies to learn how important security is is to have lots of really irate customers like CDUniverse will have. Also, maybe other companies will look at this and say, "hey...let's make sure our security is beefed up so this doesn't happen to us."
Hopefully people will start realizing that transfer encryption is only a small part of security. Once it arrives, protecting confidential data is a continual process.
--
Mankind has always dreamed of destroying the sun.
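The signed charge request described in the comment above, worked through as an added example (this is not code from the article or from any of the posters). It assumes Ed25519 as the signature scheme, a JSON encoding of the request as the signed message, and a per-account nonce list at the issuer; account ids, merchant names and amounts are constructed sample values. It covers the three rejections the comment lists: a signature made with the wrong key, the same request submitted twice, and a request whose amount was altered after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ChargeRequest is what the cardholder signs: who gets paid, how much, and a
// one-time nonce. Struct field order fixes the JSON field order, which is
// enough canonicalisation for this demonstration.
type ChargeRequest struct {
	Merchant string `json:"merchant"`
	Cents    int64  `json:"cents"`
	Currency string `json:"currency"`
	Nonce    string `json:"nonce"`
}

// SignedCharge is what the merchant forwards to the issuer.
type SignedCharge struct {
	Request   ChargeRequest
	Signature []byte
}

var (
	ErrUnknownAccount = errors.New("unknown account")
	ErrBadSignature   = errors.New("signature does not verify")
	ErrReplay         = errors.New("charge request already submitted")
)

// Issuer keeps only the cardholder's public key on file, plus the nonces it
// has already honoured so a duplicate submission is refused.
type Issuer struct {
	keys      map[string]ed25519.PublicKey // account id -> public key
	seenNonce map[string]bool              // "account:nonce" -> honoured
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, seenNonce: map[string]bool{}}
}

// Enroll records the public half; the private key stays on the cardholder's device.
func (is *Issuer) Enroll(account string, pub ed25519.PublicKey) { is.keys[account] = pub }

// Authorize checks the signature over the encoded request, then the nonce.
// The signature check comes first, so a modified request fails as a bad
// signature rather than leaking whether its nonce was seen.
func (is *Issuer) Authorize(account string, sc SignedCharge) error {
	pub, ok := is.keys[account]
	if !ok {
		return ErrUnknownAccount
	}
	msg, err := json.Marshal(sc.Request)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Signature) {
		return ErrBadSignature
	}
	key := account + ":" + sc.Request.Nonce
	if is.seenNonce[key] {
		return ErrReplay
	}
	is.seenNonce[key] = true
	return nil
}

// SignCharge is the cardholder side: sign the encoded request.
func SignCharge(priv ed25519.PrivateKey, req ChargeRequest) (SignedCharge, error) {
	msg, err := json.Marshal(req)
	if err != nil {
		return SignedCharge{}, err
	}
	return SignedCharge{Request: req, Signature: ed25519.Sign(priv, msg)}, nil
}

// NewNonce returns 16 random bytes as hex; uniqueness is what defeats replay.
func NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Demo runs one valid charge and the three rejection cases; the map values
// are the issuer's verdicts (nil means authorised).
func Demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	is := NewIssuer()
	is.Enroll("acct-1", pub) // constructed account id
	req := ChargeRequest{Merchant: "cdstore.example", Cents: 1999, Currency: "USD", Nonce: NewNonce()}
	sc, _ := SignCharge(priv, req)
	out := map[string]error{}
	out["valid"] = is.Authorize("acct-1", sc)
	out["replay"] = is.Authorize("acct-1", sc) // same request, second submission
	tampered := sc
	tampered.Request.Cents = 199900 // merchant alters the amount after signing
	out["modified"] = is.Authorize("acct-1", tampered)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // someone without the cardholder's key
	forged, _ := SignCharge(otherPriv, ChargeRequest{Merchant: "cdstore.example", Cents: 1999, Currency: "USD", Nonce: NewNonce()})
	out["forged"] = is.Authorize("acct-1", forged)
	return out
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

The nonce check lives at the issuer, not the merchant, because the merchant is the party whose database leaks; a real deployment would also bound the nonce store with an expiry time in the signed request.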
I understand that, but 40-bit SSL encryption is nothing to get happy about. It's still an insecure medium allowing a man in the middle attack. This is still less secure than a properly implemented username/password scheme.
The reason that on-line merchants store credit cards on the server is mostly convenience, but partly to prevent the customer from repeatedly sending their credit card number through the insecure medium of the internet.
My electric company works in a similar way. I call them up and agree to pay this month's bill. I don't give them my credit card (which I only provided to them once). The service representative does not have access to my credit card number, they just enter the amount into the system and let it verify with the credit card company. Now granted, someone else might be able pose as me, but they're just paying my electric bill for the next few months.
The idea behind storing the number on a server is to transmit your number once, then send a username/password after that. A man in the middle looking for credit card numbers doesn't see yours, and at least presents him with the challenge of having to figure out where the username/password was headed and provides some way to track the person who stole it, since he can only buy from that vendor.
In that respect, I'd prefer to use vendors who store my credit information on the server and issue me a password. Of course, that's provided that they don't do something stupid like make the database server internet accessible.
You do not understand. If he is Russian, he, of course, works with blessing of the Government. If he were American, he, certainly, would be an individual.
Incidentally, how exactly they figured out this guy is Russian? His own claim or what?
The cards must be entered through a ssl encrypted form. Anyone who would enter their credit card info in an insecure form deserves to be ripped off.
The point of my post is that once they are encrypted properly, you can damn near store the encrypted card numbers in your .sig file - ain't no one gonna decrypt them.
There are several reasons for storing the credit card number on the server. Monthly billing, future purchases, etc. etc.
As for the processor, I can't disclose (under NDA)
It is stories like this that make people think about the issue.
(Off-topic rant - I've had this building up for a long time.) I have decided to join the Amazon boycott. This has resulted in me not buying books at all. I now go to the library instead. I tried Barnes and Noble, and I tried a few web stores.
Barnes and Noble pissed me off the most. It is no wonder people don't shop on their site. It fails to render properly in anything but the latest versions of IE and Netscape. I don't see why a site I go to to buy stuff has to use 15 layers of nested tables. Use anything else, like Opera, which I prefer, and it has all kinds of glitches and table fuckups. That's besides being just plain ugly and using NT.
Boycott Amazon.com! Take a trip to your nearest library.
Everyone encrypts CC numbers on the way to the server. But are they encrypting them once they get there? Storing CC numbers is OK if it's done right.
The REAL losses are covered by the big corporations, and I couldn't care less about them. Don't bitch about the lack of security - it doesn't harm any REAL people, only corporations.
That's quite a myopic vision of finance. If the "corporations" lose money, where do you think they make their shortfall from? They increase your bank charges/card charges. Your goods cost more, as the prices are hiked up a few percent to cover fraud. Same for advertising - part of the cost of any 'brand' product you buy is fed back into advertising and making people buy more of that product!
When oh when will people wake up and realise these basic things?
-Exasperatedatron
Actually, I prefer the current situation. Since the system is known to be flawed, I'm only liable for $50 if someone steals my CC number, and in many cases, not even that.
If a secret, proprietary and "secure" system will be put in place, shortly afterwards customers will be liable for all transactions carried out in their name. Once someone figures out how to hack into this newfangled system, we're all in trouble. Good luck explaining to the courts exactly why a complex security system is insecure, and how someone could have presented themselves as you online, and bought those 3 Ferrari's.
Either that, or I'm just paranoid.
When I'm complaining, I'm whining, when I'm celebrating, I'm whining. *sigh*
TomG
The story calls the thief a "cracker". Excellent! :-)
TomG
The difference between online credit card theft, and someone stealing your card at a local store, is the numbers involved. In one day, this guy compromised 25,000 credit cards, and claims to have a few hundred thousand more. There's every reason to believe he does, too, and that next he will post them all to an IRC channel somewhere, and he probably has already shared them with his friends.
Now, if you are Mastercard, Visa, or AMEX--what do you do now?
It's going to cost a LOT of money to replace 300,000 credit card numbers--especially when you can only identify 25,000 off the bat!
If some guy was stealing cards at a store, he would get caught. The CC security guys run complicated statistics to figure out what the common link is between a group of credit card thefts. They'd find out it was this store, put it under surveillance, and arrest the guy.
In the case of the website--they might be able to find this guy, but even if they do he's in Russia, which probably hasn't got a lot of good internet laws on the books they can use to get at him. He'll probably wind up serving a year in jail, or maybe with all these CC's he can come up with the cash to bribe his way out.
As an individual all you can do is take precautions. The biggest one being you should probably have a CC with a low credit limit just for the purpose of internet shopping.
I agree with the previous poster--a scheme which securely transfers money would be preferable to sending CC's over the internet. The risk on the internet is that a breakin compromises hundreds of thousands of CC's at at time, costing the CC companies BIG money, which they will ultimately pass on to you in the form of extra charges.
--
"Insert witty quote here."
--
"Insert witty quote here."
Judging from the number and content of the comments in Russian, I will bet a lot of that credit card holders will be surprised to see their bills soon. Most shops in Russia do not do a good job verifying cards, and it would be kinda hard to get to them to reimburse the charges. Oh, well, not that I will cry for US credit card companies..
<^>_<(ô ô)>_<^>
But you'd still need a Credit Card database somewheres. So, all you've introduced is more hassle. What they should do, is beef up security, and not be so stupid as they were this time.
--
Insert Witty Sig Here
Whats the point of having a secure connection, and a secure Credit Card database? Those idiots should've made sure the server was secure.
--
Insert Witty Sig Here
I used to be a big supporter of e-commerce, until I found out someone put $400 dollars worth of net material (mostly porn) on my card. (I got it back by the way with the exception of a charge for a bounced check, which my bank (fleet sucks) wouldn't take responsibility for. The problem is these huge handling companies like the ones shareware and porn ppl use that accept Credit cards without question. When I followed the paper trail the company had my info wrong and a bogus e-mail. When asked if they were going to try to catch the perp, they said it is a common occurrence and wouldn't be feasible. Needless to say I reported them to my local police, and every customer protection agency I could find. Since I purchase all my computer stuff online, and I am an amazon hound (O'Reilly rules) I decided to get a card just for CC transactions which I monitor like a hawk, this is in collaboration with my CC company. I banned all porn handling Companies from it, and changed all my other card numbers on a regular basis. yea I am paranoid, for good reason I think.
yea yea ye aI never copy pasted to word to spell check, so sue me, tacho why don't you code a spell checker into this thing.
I hate this and I'm mad. Credit card protection is crap. What's the use of absorbing the cost if it all goes back to high interest rates. Credit card companies should be responsible for coming up with more secure methods. I can purchase anything on say QVC with a valid name, CC # and expiration date and have it shipped wherever I want. WHY !!!! WHY !!!! WHY !!!! this is crazy. There needs to be a better form of authentication that requires live authorization from the owner and only the owner. Not just a signature but a unique ID. yea yea big brother, but you know it's a necessary evil
well yeah, but you'd also need to pay the electric bill :(
;)
So you just get another card to pay the bill
If fraud did not exist, VISA would find itself under competitive pressures to lower its fees and interest rates. The credit industry is cut-throat.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
if you have a decent relationship with your bank, and they're not a bunch of twinks, you should be able to work something out with them should this particular wave of fraud affect you - even if you have a debit card.
Sure, but how many people are that lucky? The point I'm making is that there is no such legal protection, but many people assume that there is because they're familiar with credit cards. Debit cards may look like credit cards, and use the same sale procedures, but legally, they're not the same.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
This article did a surprisingly good job of correctly using the term "cracker". I for one would like to congratulate InternetNews.com for NOT including the word hacker in their story. Good job.
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
This guy's got it exactly right. WTF designs a system that stores sensitive data on a net accessible host? At least offload the data to a separate system that's a bit more difficult to access. And if you let some company store all the credit card info needed to charge a purchase to your card, you are a fool. You don't trust some guy in a restaurant? Well, somebody has to have privs to read that CC database...and that DB sticks around for a looooong time....not a day or two like a paper slip.
Blar.
Well, it can't be happening that often for them. Reason I say this? The most you are liable for on a credit card is $50, anything larger than this is their loss. So, unless we are being nickel-and-dimed in a cunning low key way (which would take a long time to return a profit and thus be vulnerable to audits) the risk/loss would be too great for the credit companies. They would be upping the amount we are liable for considerably. Perhaps I'm just naive. Why is the liability so high? ;)
So. What kind of dipshit e-commerce company keeps their customer database ONLINE? Gee. That takes a REAL BIG CRANIUM.
Card numbers should either be removed as soon as the transaction is complete, or at least logged to a secure system. The machines performing transactions should be highly isolated.
Something like this should NEVER happen.
Then it's a good thing i keep my bank account already cleaned out before somebody breaks into it... ;-)
C.
C.
(Sorry for the shouting. I just had to get it out.)
Could anyone tell me why that company would put 300'000 credit card numbers on an online server, connected to the Internet, probably in plaintext? That's kind of tempting a little too much Murphy's laws.
Just imagine if a country/state placed its power grid controls on a server on the Net? Would that be reasonable? However secure a sysadmin thinks his machine is, that's his first responsibility to warn that new holes are discovered every day on every OS...
CDuniverse.com is totally irresponsible [i.e. should be held VERY liable for any damage that ensues]: if you think of it, they were not only toying with a couple of credit card numbers; they were toying with a value of 900M$ (if you give a - very pessimistic - 3000$ mean value to each credit card number). Or 9M$ if only 1% of the credit limits are used.
I seriously think someone should look into that seriously, and hold CDuniverse.com responsible for damages that would ensue. Unfortunately, there is so many blunders (and avoidable) mistakes done in the IT field that I would not be able to recommend holding them 100% responsible for the damages. Not before a couple of years pass, at least...
C.
C.
One can't help but wonder how the pick pocket was able to get a cash advance. Did your mother in law have the pin printed on the card or something? If so, that's dumb, dumb, dumb.
This is the first of what will be many similar stories.
It is important to note, that no credit card customer had to pay a single cent for their stolen cards. Without a signature, all charged transactions could have been reversed.
The thing that gets me, is that this will separate the smart companies from the dumb.
Or, perhaps the forward thinking, from the offended.
Here is an 18 year old russian. (perhaps)
He is likely unemployed, and has since learned more skills than any single person at CDuniverse.com. He knows how to check security systems, and make systems secure, as well as hide his identity. Skilled and experienced beyond 99% of the tech population.
All he is asking for is $100,000. why? just a random number.. that sounds like a lot of money.
What CDuniverse.com did -- nothing.. then call the feds when they called his bluff. -- stupid.
What they should have done -- OFFERED HIM A JOB !!!
i am not kidding. this is a good kid. if he was bad, he would have used them for himself.
he would have given them out on IRC without telling anyone.
if he was bad, or dumb, he would not have gone through the trouble of contacting CDuniverse.com several times to ask them to allow him to fix the hole.
He simply wanted recognition of his greatness, and to be paid for it.
CDuniverse.com however was offended... and didn't think some 18 year old russian could hurt their business. Now it is out all over the news, and i'll bet their sales are down.
They likely could have paid him $40k a year to work on contract.. but no, they would rather lose.
Companies are afraid of the internet because 18 year old freaks know WAY more than they do... but instead of hiring them, they choose to ignore them...
bad decision in my books.
your opinion?
what do you expect to happen ?
they have a huge database just sitting there.
its just waiting to be hacked and
I love the panic that comes from credit card number theft in an on-line context. To the worrisome masses that own and use credit cards but don't use them to purchase stuff online:
Have you ever used your card to pay for a meal at a restaurant and the server walks away with your card and comes back a couple minutes later? It is the same risk, you don't know if you card number is being copied down by someone whilst out of your possession.
Any decent credit card company offers protection against fraud anyway - some specific to online transactions like American Express for example. I'm an AMEX card owner and have unfortunately taken advantage of this benefit in the past and they took care of EVERYTHING.
Perhaps I'm oversimplifying the situation, but I see it no different than in the off-line world of financial transactions - no more less risky. Buy freaking gold bullion if you can't handle it.
Speak truth to power.
(transfer the money, not the card number)----- With the new smart cards coming out (like the American Express Blue card), that's exactly what will be done. No card numbers will be sent. The money will be transferred from the card through AMEX to the site.
The two most common things in the Universe are hydrogen and stupidity. -- Harlan Ellison
They could charge the cards to *themselves*. Also, I know someone who used CC numbers he got off IRC to create Xpics account with his referral numbers. He only did it a couple times though, we convinced him it was a "bad" idea...
"Subtle Mind control? why do html buttons say submit?",
ReadThe ReflectionEngine, a cyberpunk style n
My mother-in-law had her wallet lifted by a female pick-pocket (who, incidentally, looks NOTHING like my mother-in-law) who ran up a $5000 tab on it in about two hours. This was through a combination of cash advances and purchases. When my mother-in-law realized her wallet had been stolen she called the card companies and had her accounts frozen.
For the past four months she's been fighting the card companies with police reports, video (from the ATM where the cash advances were made), and the obviously forged signatures. They claim the entire $5000 is her responsibility, despite overwhelming evidence to the contrary.
DON'T believe it when you hear that you're only responsible for $50--the CC companies are in the business of making MONEY, and they'd rather get their $5000 and lose you as a customer (and they can afford much better lawyers than you can, so forget lawsuits) than eat the $4950 worth of theft. They can always find more suckers to sign up.
-----------------------
To understand recursion, one must first understand recursion.
If you must give in to your elitist flaming side, could you at least list a reference to either an individual example of such a book or a more complete listing of books in that vein?
Thanks...
--
Gellor
I'm sure that it does hurt Microsoft in some way.
The point I was trying to make was that it could happen to ANY web server. I happen to think that IIS is a pretty good web server, all things considered. It's unfortunate that to some people "News for Nerds" means "News for people so caught up in anti-Microsoft sentiment that they can't see the forest for the trees."
Every web server has its strengths and weaknesses. Let's understand them all.
Sorry, I wasn't attacking you in general. The fact is all servers have problems when overloaded, including slashdot's.
Hard to believe my post got listed as a Troll, and yours (and in fact the original post as well!) didn't.
Of course I didn't bash Microsoft or praise Linux in my post, so I guess I can understand why after all.
Oh, and by the way... ANY e-commerce site could be a target for this sort of activity, no matter WHAT software they are using. The skill of the operators/implementors has quite a bit to do with the security of the site.
Thanks for the information.
And 300000 numbers were stolen? Either the story has a bug, or this help page is out of date...
Are there any links online to records of credit card fraud online? How do those figures compare with real world fraud?
Micah
Take some time next month to learn what "open source" actually means.
I have seen the future, and it is inconvenient.
Borders.com and, of course, ora.com
Although it'd be nice if O'Reilly could tell you whether something was on backorder when you ordered it, rather than via email at an unspecified later time...
itachi
Your assumption being that without fraud, Visa would lower our bills. HAH! Fat Chance of *THAT* happening!
peace
Mike
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
IMHO, the easiest way to avoid problems like this is to simply not have a credit card. Of course, I'm not referring to simply this situation, in which the database was stolen, but in general, in the physical world and in the world of the internet. However, as we all know, that wouldn't be so fun because if you want to order something online, you have to have a credit card. Hence, risk. If you want to charge something in a store/restaurant/hotel/etc. that you are physically at, you have to have a credit card. Hence, risk. oh well
I know we all knew that, but.. the thing is, like you said, if you're going to have a card, just go ahead and use it online and off. you have the same risk either way, no?
Insert mind here.
The cc companies don't wear the burden of credit card fraud. Merchants are responsible for paying back the card holder. Even if you have no evidence, you only need to state that you did not make the purchase and the merchant must return any payment it has received from the credit card issuer. It is then up to them to try to track down where the goods were delivered and retrieve them.
How we know is more important than what we know.
This suggestion is also totally useless.. To retrieve a credit card number you need to do a manual insert/removal of the key which is probably kept in a locked box in a safe, with an alarm system on it, right? Well if I want to manually retrieve a credit card number, all I have to do is ring my banking representative, give the reference code on the transaction and my bank issued authorization password and they will give me all the information about the transaction. The only legitimate reason that merchants have to keeping credit cards is so they can do reversals. When someone buys something the merchant charges the card instantly. If by some freak occurrence the merchant doesn't have enough stock (they should not be charging the card unless they know they have enough stock), the merchant needs to be able to give a refund. The merchant is going to have to contact the customer and tell them that there isn't enough stock, so at that point they can get the customer's credit card number and do a manual charge back.. without us having to store the credit card details. Alternatively they could just send a cheque to the customer. Which is probably a better idea because if a merchant does more than 5 to 10 chargebacks a week they go onto a merchant fraud hotlist at the bank. More than 20 and they are likely to have their merchant account suspended.
Well the key won't be stored on a server, usually an employee PC... finding on which PC, and in which directory, if any, is the private key is a tedious task. Plus, the key could be stored on a removable media that is not always in the drive (floppy/CD). Plus, you still need a password to open the private key, so even with the private key file the hacker still has to "unlock" it (at least that's how GnuPG and PGP work). IMHO this is still ultra-high security overall.
Whats the point of having a secure connection, and a secure Credit Card database? Those idiots should've made sure the server was secure.
I agree on that, but since no system is 100% secure, having an encrypted database provide a last and ultimate security, should the system be cracked someday.
Process the CC# thru PGP before storing it... the hackers may get the encrypted CC#, but won't be able to do anything with it.
But how do they store their CC# in their database ? In plain text, it seems... the weak point.
And how are the CC# stored ? Plain text ? Encrypted ? If this is plain text then your security is null, as this is a really weak point. Encrypting the database is the ultimate protection, one that protects you even if your whole system is cracked.
SSL 3.0, RC4 with 40 bit encryption (Low); RSA with 512 bit exchange
.{redmist}.
-------------------------------------------------
just turn off javascript in your preferences.
the autorefresh is a javascript line.
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
heres my semi-informed answer
when you get the cc number, process it immediately, and don't keep it anywhere on your system
of course then your processor could always be hacked, but that's a different story isn't it?
Need a Catering Connection
hmmm why would you pay interest on your credit card? is an awful big waste of money
same goes for an annual fee, i recently got my first credit card, no annual fee, and no way i'm going to pay interest
hmmm, which credit card processor that will process cards like that for a cost that the people who use the service i set up (not that i set it up well or anything, but i get $7.50/hr and only work part time....) will be willing to pay, and i'll take a look at it.
also re storing credit cards on the server, as far as i know, there is _no_ reason to do that for a one time purchase thing anyhow, which is what a lot of the customers are selling
ok point taken
If you wanted to put $10 on each of those credit cards you'd be $3M ahead. That's no small job.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}return(0);}
OFTC: By the community, for the community
hehe it's funny that with all our security thingies and 128 RSA encryptions, a simple contract proves to be safer than all that :)
mvg,
Kris "dJOEK" Vandecruys
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
Security improvements, and fixing exploits aside, it is the law that needs to be changed. I would like to see the introduction of higher penalties for this sort of crime, and the law has to be international.
Already in Australia it is a penalty of 2 years imprisonment for obtaining access to data without authority, and 10 years of imprisonment to damage, insert or delete data without authority.
However, I believe that the majority of credit card #'s that are stolen or taken advantage of w/out the owners' knowledge over the internet are taken by kiddies and their credit card # generators. Most sites are secure and are not broken into by hackers. If (the myth that) most sites were broken into was true... someone with a fair amount of brains would have cracked a college application website and got ssn #'s and addresses and other crap and done a whole lot more damage to a person, or cracked an online banking service by now and screwed over thousands.
The intent of the people stealing credit card numbers is usually not to damage people, but is for personal gain. Simply, they want the money. They won't get a free Rio, or whatever else they want by getting someone's address, hunting them down and killing them. As well, college application information is usually not stored online, but rather sent via secure form and stored locally at the college.
Personally, I doubt that this guy did what he says he did. Had he done it, Interpol/Russian Cops would have gotten involved right away and tossed him in the chink - or at least paid the blackmail $.
Apparently, you do not understand much about the current state of Russia. If you, for example, were to send $5 to Russian relatives, it would make it maybe as far as the main post office in Moscow, not sure if they check all the mail before that or after it. The Mob has an amazingly large pull over that country now, and of every $1 that America sends in foreign Aid, I believe the mob gets about 60 cents of it.... They really are in no state to waste their time paying $100,000 dollars to some Hacker, or trying to apprehend him.
---------------
Yes! That guy!
From the original message:
:-/
then buy one box per credit card
That is stealing, as this would be using other people's credit card numbers. "you could," sure, but I don't really want the Linux community to be associated with a band of thieves in a public forum
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The only way people are going to learn that they need better security (encrypted credit databases, certificate based 'internet' cards) is for stuff like this to happen. While I feel bad for the people who had their credit cards ripped by lame people who saw the site, I do think this was very cool of the hacker to do. He could've dumped the database and sold it to God knows who, but instead he put it out for the whole internet to see. Doing this draws attention to the problem and obviously gets the hole fixed.
If I (the retailer) have the signature the CC company pays.
If I don't have it, they pay only 90%.
I (the customer) only pay if they have my (valid) signature.
ciao
Anti
On the other side of the screen it all looked so easy.
While there is some merit to this, it also all depends on your bank.
A couple months ago, my car insurance company read a $197 check as $797, which bounced and caused an overdraft in my account. They said, "oops, sorry" and sent the check through again, and it cleared. In the midst of all these colossal screw-ups, my bank recalled the extra $600 to my account, and refunded me my overdraft fees.
My point in all this is that if you have a decent relationship with your bank, and they're not a bunch of twinks, you should be able to work something out with them should this particular wave of fraud affect you - even if you have a debit card.
"During your times of trial and suffering, when you see only one set of footprints, it was then that I was riding the pogostick."
A good traveller has no fixed plans and is not intent on arriving.
They'll never sell another CD again.
Whats to blame? Was there a gaping hole?
-Oy Vey
Why would they charge more to offset losses due to fraud? If the goal of the business is to maximize profits, they are going to charge the amount that makes them the most money. Businesses just don't decide "oh, we need to make more money, well, let's raise prices". It will either lose them enough customers to make it not worth it, or it won't, in which case they should have done it in the first place.
This is especially disgusting when banks claim that they need to charge 21% interest on credit cards due to fraud losses. If they were truly concerned about fraud, they would implement at least a moderately secure system.
"The REAL losses are covered by the big corporations, and I couldn't care less about them. Don't bitch about the lack of security - it doesn't harm any REAL people, only corporations." This doesn't affect any REAL people? Who pays those "big corporations" bills? The REAL people who use the cards pay them. Sure, some of it is offset by the small fees that merchants pay for the "privilege" of being able to offer Visa, Mastercard, etc services, but the vast majority of the cost is paid by the customers. It's neatly wrapped up in the interest rates you pay, the yearly charge for the card (if any), and the REAL first $50 you pay in liability charges if someone ab/uses your card. Sure, they don't put a monthly "$5 of your interest payment went towards credit card theft losses for the company" but.. its in there. Anyone thinking that credit card abuse doesn't affect their bottom line is sadly mistaken. Nothing in life is free.
(Shameless plug): ProcessTree - Put your idletime to use.
At least maybe we can get rid of the weaker implementations. If this media attention causes the online merchants to start looking for more secure systems, maybe we can get some better standards.
Since the Mom and Pop online merchants are archiving credit card information for customer convenience we need to get them encrypted quickly before they hit the hard drive.
Personally I would not mind entering my credit card information fresh each time I made a transaction if I thought that would reduce the risk of it getting it stolen. I said reduce since unless the server is using a devoted crypto card you could still lose your credit card numbers real time.
The guestbook is pretty funny too, what's up of it. Looks like our AC's been hanging out there :)
mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.
I really don't know enough about what steps companies take to try and protect credit cards and other info (well, other than SSL) to post an intelligent commentary, therefore I will post a mini Ask Slashdot:
emmons asks: "A friend of mine is setting up an e-.com site and wants to know how he can make sure the customer's data is as safe as possible. He knows that SSL is a must, but what can he do server side to protect the data from crackers? What do other sites do (if anything), and if what they do is not enough, how can it be improved upon?"
-----
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
In all fairness, ransom is the word in question here.
Personally I reckon CD universe should be boycotted and driven off the net, and little bas*ards like Maxis too.
I would almost lay bets that if they did pay the ransom, the numbers would still be made public anyway.
--
WorldServe Consulting
The ones who do this can :-)
The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
Greetings,
I recently read about the violation of CDuniverse's security regarding the credit card theft. I am displeased, as a customer of CDuniverse, to have heard about this from an online media source rather than your company. I would like to know if my billing information has been compromised.
My order was placed under the address druid@phreebyrd.com, and my full name is Daniel C. Bennett.
Sincerely, Dan Bennett
Why don't the banks care ? Well, it doesn't cost them any money, now does it ? The merchant and the consumer always lose. (Mostly the merchant)
Unless of course they cannot re-coup the damages directly, then it cuts into profits, or there being able to pay a bill, etc. Either way they dont take the damages, they pass the losses onto the consumer through increased prices, less discounts and coupons etc. Thats one of the reasons credit cards are so expensive (besides the fact that they can get away with it), what do you think banks do when you call to have an item taken off your bill? They pass those losses straight back to the consumer through interest and monthly fees. Either way the consumer loses, and business is right where it was before, as though it never happened.
Does anyone else think that storing credit card numbers *at all* is just a bad idea, except for the credit card company itself?
Information like this that needs to be secure for a particular person should *belong* to that person and only be used for the duration of a transaction. There are far too many ways to get unfair and/or deceitful charges on an account later if everyone is holding on to your credit card information. There's really no fair reason to hold on to credit card information after the transaction is complete. The risks far outweigh the benefits of any such reasons.
Put up a firewall and don't allow it to happen. Only allow access from the host that is serving up these pages and then, require a encrypted channel. This seems ridiculous in this day and age that the 5 year old M$ professional fuck heads can't get it right.
that's fire under their asses.....
What? Where have you been? It's not stealing, it's ok to copy linux. It would be larcenous to download it over and over, 100,000 times, stealing all that bandwidth.
It would be grand larceny, conspiracy, and crossing state lines if one were to buy a copy of NT for each of those machines, and it would teach you the lesson that there is no honor among thieves, when you discovered that you couldn't cluster them, and your co-conspirator walked away with all the booty.
P.S. BTW, I didn't say it was ok for me to do it. What I said was, "you could."
You could download linux, then buy one box per credit card, and build one huge beowulf cluster :)
now the hacker term will turn evil..
what a great day
'Mullethead. A hairstyle that's a way of life'
i think we shouldn't use the term cracker to someone who steals credit card numbers.
instead, we should call them 'criminals' or 'thieves' or something that suits them well instead of a deviation of the respectable term 'hacker'.
i, for one would like to see that, since 'cracker' is used to label people that crack copy protection algorithms and the like. that takes skill, and they get respect. the people that made DeCSS are crackers.
wake up dammit.
In the first case, any security system can be overcome and the concepts of diminishing returns apply. You can throw a great deal of money at the problem which you pass along to your customers in the form of higher prices or you can suck up the risk and pass the theft losses along to the customers.
What it seems is that it is more cost effective for companies to do the latter than the former. Part of the reason is that a lot of the costs don't ever hit their balance sheets (the costs due to the impacts on individual customers) though they may see it indirectly because of the loss of that customer base.
You're correct in your statement that they are going to charge the amount that makes them the most money. But how do they arrive at those prices? They find out how much it costs to produce (which includes costs due to fraud -- they are real, quantifiable costs) and add a profit. Assuming a reasonably uniform distribution of fraud, everybody has the same hit so all prices reflect the same inflation due to fraud.
Remember, a lot of these costs are going to be passed along (a) to an insurance company who passes along to everyone they insure, or (b) the government, as a loss on their profit/loss statements, which mean reduced taxes which get passed along, sooner or later, to everyone.
Further, price is not the only driver in determining who you are going to shop with or what brand you will buy. You may pay 0.1% more for an item from a particular vendor because he is more responsive, is better organized online, has a larger selection, etc. So, your support for these reasons is funding his lack of security.
Don't get me wrong - I'm not saying this is not a boneheaded thing on the part of the vendor nor am I implying the vendor will go through this unscathed. However, IT IS FACT that the theft costs get spread across the entire economy. We'll be paying for it eventually.
The little guy just ain't getting it, is he?
Right - except the big companies don't eat the cost. They just pass it off to their customers by charging higher prices for their goods. Basically, every consumer, regardless of whether they have a credit card or not, pays for the stuff ripped off by using a stolen card number.
I hope you win.
I would much rather type my credit card number in every stinking time I buy something than trust somebody else's code to keep my info safe (don't know that I'd trust my own, for that matter).
It's a whole lot more hassle to deal with an unauthorized purchase than typing in 16 numbers.
I don't think the technology required to steal the numbers is the issue here. All it requires is for the numbers to be stored on a server that has limited, breakable security, and for some cracker to find them.
I think the issue here is more one of what companies like CDuniverse are doing to protect our credit card numbers from malicious individuals like this guy. After the break of this story, some e-commerce sites will hopefully take a very serious look at what they're doing, and maybe improve their security.
Of course, it's doubtful that much will change with this story's appearance. After all, credit card theft is nothing new; the thieves simply keep getting better and the commercial industry has to struggle to keep up. But, they will keep up, or they'll lose their customers, and few companies can be accused of wanting to lose their business that badly.
meisenst
Green's Law of Debate: Anything is possible if you don't know what you're talking about.
Definitely call your bank and cancel the card! The rules for loss and fraud are different for debit cards than for actual credit cards. They don't have the same $50 rule! It's actually a lot safer to do your transactions with a credit card than with a debit. I came close to finding out the hard way.
"The truth will set you free, but first it will piss you off"
Love 'em all and let God sort 'em out...
The pos systems we use where i work dial into the authorization servers over pots modems. That is why it takes so long to authorize a card, you are waiting for a modem to dial out. AFAIK all pos systems work this way.
What a pussy way to boycott. If you are going to boycott Slashdot, do it. Don't filter out the banner ads.
Well the original poster was specifically trying to hurt Slashdot by a "boycott" of the ads. If he wants to boycott Slashdot, he should boycott Slashdot all the way. Filtering out the ads is saying that he likes Slashdot. Slashdot contains value to him, but he's going to filter out the ads to "show them"
I can understand that you don't want to see banner ads. I wonder if Slashdot would have been able to afford their servers and bandwidth without advertisers. I wonder how many advertisements Slashdot would have sold if everyone blocked banner ads like you do.
I visit a decent number of smaller websites that probably wouldn't exist if everyone blocked filter ads. They work hard and give me lots of valuable information, why not let them place their banner ads on my screen?
if what you say is true, then, out of curiosity, I must ask -- are you purchasing these goods for personal use, or for resale? If resale, what's your market -- black, consumer gray, what?
I am, therefore you think.
Do you really think 'it doesn't harm any REAL people'? Ultimately the costs/losses are passed on to the consumer - that means you & I - directly via increased charges, or indirectly via insurance cover which leads to higher REAL people premiums.
I think it would be totally inappropriate for me to even contemplate what I am thinking about. - Don Mazankowski
Packet sniffing is way too much work for most script kiddies, yet they have access to exploits, to exploit servers and get databases. Then it's right there in plain text. Which one do you think is more appealing to script kiddies? I am not saying that this person was a script kiddie, but since he did find the database on an obviously insecure server... It makes you think. If he made his own exploit, how long till it is released? Needless to say, this is scary.
Its not true that only big corps. I used to run an online comic shop and when a charge was fraudulent, *we* had to pay the full amount of the charge to the bank (even though we already paid the bank their cut of the original transaction). So, the merchant loses and the banks actually profit! You should know better than to think the big corps would allow themselves to lose.
/to email, remove the naughty symbol.
It won't help because the credit card companies keep your credit card info in their servers. So if you are going to have a credit card, you might as well use it on line.
I used to consult for a web hosting site and not *1*, that's right NONE of the companies whose web stores they hosted wanted their transactions encrypted -- the time I spent setting up pgp, etc was totally wasted, they all insisted on clear-text e-mail of transactions. And as you know, the customer is always right...
Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
So when I go into a restaurant and get food and pay with my CC and sign the slip that is a valid transaction, if I try to dispute it they say "look you signed it, now pay up!"
:)
If I order from amazon.com and they send my books by fedex/ups and I sign for them, that signature proves that I accepted merchandise. Unless I return that merchandise, I am bound by 'Good Faith' to follow through with payment.
If I order from amazon.com and they send my books by the USPS and I don't sign for them... they can't prove that I received anything, so if I were to 'theoretically' dispute a charge by them... well that one click thing probably broke
-- "My dad used to play sports with me... I don't like sports" -Tim
I'm very surprised they did not pay him. They probably could have negotiated down the 100K figure to something more reasonable, and would have avoided this terrible embarrassment. Of course, they would need some kind of assurance that the CC numbers would not be released even if he was paid, but if you have a reputable lawyer approach the company for you, usually a deal can be worked out. I know someone who turned a similar exploit into a very high paying job. This does not mean the kid is in any way excused of his criminal acts, but a business which relies on consumer trust does not need this kind of publicity.
It all depends on the company. My friend works for a company that takes E-Commerce security very seriously. They use excellent passwords, never write down the info and destroy all written info of transactions. They have high encryption and only store the info (for record information) on servers not connected to an outside network. There is always a way but making it difficult deters most people from trying. The reason people do not rob banks is because of the level of difficulty. A person has to hold everyone up, or kill them, break the vault get away and hope the police do not catch you. Good Luck!! On the internet it is much easier. If you happen upon the name and password of just one company it can be devastating. I do not know if the hacker bypassed the security or luckily came upon the information. But all it takes is one company to be insecure to have terrible consequences on the public at large.
I still don't understand why the companies feel it necessary to store all that information on its server. Well I would be worried but, I'm too broke to even have companies offer me credit cards, so I guess I'm safe for now!
More race stuff in one place,
than any one place on the net.
Got to admit though, I still feel better using cards over the net (on trusted sites) than I do giving my MC or VISA to some pimple faced kid when we go out to eat.
Look at the troubles Providian has had over the last year. They didn't lose anyone's money, but they had a wide scope ethics problem and the stock's down by 70% in '99. It's hurt the whole financial sector.
Couldn't find the original story, but he got caught by a vigilant customer, who saw him swipe the card twice.
--
MotorMachineMercenary
"We have an A-Bomb...what more do you want, mermaids?" --I.I. Rabi, speaking in defense of Robert Oppenheimer
Recently. HECK Just the last week of December, someone got a hold of my Debit Card number.
They used it to purchase items from CDNOW. Thing is I never used my debit card during that time except to take out ATM money.
here is the kicker. CDNOW has the billing Address of the Card and IT DOES NOT MATCH the Debit Card's billing Address. This is Ridiculous that they ask for billing address and don't use that as a backup check.
My bank and cdnow are great though in that they shutdown the account and I will get my money back. It required a letter signed 3 times and some other issues. They are very helpful at working it out.
What have I learned? That anyone can use any number at any time to get CD's. The billing Address is not used, you can just input random combinations of numbers.
What if this person who used my card just flipped a number wrong from their actual card??? the amount of purchases was not as you would expect. This could cause someone who makes an innocent mistake to Go down hard.
This is for everyone to learn from. Be careful what you do, and no matter what DON'T get more CC than you use, for someone can charge on them without even having them.
I can program myself out of a Hello World Contest!!
This is no surprise. You knew it was going to happen eventually. However, this is not the crisis situation that it's been made out to be. These victims will not be responsible for paying any fees incurred on their credit cards. All banks and credit card companies insure that customers won't have to pay for fraud. On a side note, this could have been avoided had law permitted better/higher encryption on the CDUniverse site.
Ummm.. You are not really putting your real info into netscape or IE, are you? Or into windows itself?
Hidden Win2K Menu
They get a cut.
WELL YOU YOUNG SCRIPT KIDDIE BUTTPLUGS SHOULD THANK US OLD FARTS. That's right Sparky... just cause you can take some packet sniffer program and log some crap coming over a network connection doesn't mean crap.
CAN YOU SAY SCRIPT KIDDIE.....REPEAT AFTER ME..SCRIPT KIDDIE SCRIPT KIDDIE SCRIPT KIDDIE.
What happened to the old days when you had to friggin know something....aw hell
FRANK RIZZO WAS HACKING HEX CODE WHEN YOU WERE STILL SPITTING UP COCOA PUFFS IN YOUR MOMMAS LAP.
A genius writes code an idiot can understand, while an idiot writes code the compiler can't understand.
Okay, substitute the word "older" for "old". The point is, that there weren't recent credit cards (otherwise, there would have been expiration dates further in the future.)
And how does the store verify that your certificate is valid? There must be a way for them to verify it. Hence a database of valid certificates. Now we're back at the same place where we started.
Merchant needs to keep the credit card numbers around for a short period of time after the transaction and dispose of it when they are no longer needed. Some sites even allow you to click a check box so that you can store your number in the store so that you can login and buy stuff on-line without a credit card on hand. What buyers in the right mind would do that? But they do...
Also, why allow remote online access of the database in the first place.... There is no technological solution for stupidity, none, nada, zip...
- Etam
Yeah, I'll bet these dudes are using Micro$oft web servers, too. Do you even have a Firewall or packet filtered router? Doubt it!
Honestly, who ever heard of CD Universe? They're not worth a crap.
octaene@yahoo.com
It's not surprising. Law is, after all, a system designed to protect people from the inadequacies of other systems.
--llb
Support peer pressure - kick a lemming off a cliff.
Happens all the time.
Here's the scenario:
1) Person uses social engineering to find out choice pieces of info about, say, a bank. Stuff the bank believes no one outside the bank knows
2) Same person uses same social engineering skills to determine, again, some choice info about the structure of the computer systems at the bank
3) The bank is contacted, told their systems have been compromised with suitable threats included in the "blackmail". Bad guy asks for money wired into an offshore bank account.
4) Bank assumes that the systems have in fact been compromised. Not knowing the extent of the compromise, and being unable to take their systems offline, the bank makes the payment.
5) Bank may or may not contact the authorities about the situation. Contacting authorities increases dramatically the chance that the public will be aware of the "compromise"
6) Bad guys walk off with a few hundred grand without having broken into any system with the knowledge that their actions will likely not be reported anyway.
It happens all the time, cduniverse.com just happened to have the whole thing fall apart in their face, and this bad PR is the result.
That's true. People are dumb as hell!
Look at this... People go shopping (online). Cool. They order something, they checkout, they get "CC authorized", and they're happy. They receive their item, and they are even more happy. But now, they want to buy something again, and... they need to input the information again.
LAZY PEOPLE ARE GUILTY FOR SECURITY PROBLEMS!
It's that simple. Because people are lazy, merchants (not PROCESSORS - processors are only a 'gateway' between a bank and a merchant) are storing the cc numbers on a server. And when sh*t happens - merchant is guilty, and those SAME lazy people are yelling around "how bad this company is". But they are the same ones who were sending complaints to support@your.favourite.shop.com about "I want my cc to be remembered!".
It just CAN'T be done securely (at least, not until bank gets REALLY involved, meaning - merchant/processor stores MD5 sigs of CC, and bank maintains the database, and compares; however, bank will do this only for HUGE client, since bank doesn't want to get involved into 'e-commerce' - they just want to authorize the cards) at this time.
Just look at computer systems... No matter what people think, most of the tests (talking about intrusion tests, not lame script kiddies defacing web pages) are at the end successful as a result of *weak* authentication schemes at some point. You get a FW-1 w/ VPN (and you don't have a budget to get SecurID or similar thing), but your 'CEO' is too lazy to remember password like '$!*C&*E', so he orders you to let him use 'john/john123'. And there goes your security... [I'm talking from experience]
And NOBODY is going to sniff your SSL connection and crack it in order to get a cc number. Get real. It's not worth the time. Chances are that you'll randomly generate a valid cc/expiry date before you manage to crack the key. At the end, it's not the 'connection' that you will attack, it's the site that hosts the cc information. I'm so tired of those 'packet sniffing' gurus that have started sniffit on a local LAN and think they've discovered fire...
Yes, I've been involved in the creation of 'payment gateways' for real-time cc authorization, so I *know* how painful it is, and how LAZY/STUPID customers are. As long as the customer won't listen to techies just 'because the customer is always right', there will be no security. When customers realize that techies don't suggest things because they like to bother other people, but because they want to do things the 'right way' - we'll have progress.
It's pathetic to see how many companies expect their people to maintain perfect security, in all areas, but yet they limit IT budget to some silly amounts (that can't cover the costs of hardware needed, not to talk about other infrastructure, or software), don't want to employ more people to do security work, don't want to LISTEN to people who are in charge of security (no, we don't want CEO to have a modem connected to his PC, so that he can dial in whenever he wants, bla, bla, bla...), etc.
If there were no mgmt involved, everything would be much better. But right now, you have deadlines, you have a marketing dept that always announces something you didn't have a clue about (like, you make a payment gw, and you find out from the newspapers that your payment gw can easily be integrated with every shopping cart - yet you know that integration wasn't ever mentioned during the development, it was supposed to be an 'ongoing process' after the gw is running 'live'). Bla, bla, bla... You should get the picture now, I hope.
That's what it says to me, anyway...
--
Xenu loves you!
I work for a major hotel in Las Vegas and I can't believe some of the stuff I hear when I happen to be in the Room Reservations Department.
Many times I have heard a clerk spend a minute or more explaining to a returning customer that they can't magically pull up the credit card number from their last visit on the computer system. Sure we have the number archived for accounting and legal reasons, but it is in no way linked to the customer database.
I bet these same customers are the ones that are worried about packet sniffers on the Internet. They would probably have a fit if you mentioned how easy it is to intercept their number when they use that $19.95 cordless phone while giving out their CC number. But they expect that person on the other side of the line that they will never meet in person to have access to a database with the customer's CC number bundled with their name and address?
"Mommy, stupid consumers make my head hurt."
"I know dear. Just ignore them and they might go away."
You obviously know little to nothing about what A1 security really means. Please try to find a good security book. Read it. Once you realize what a truly "secure" system entails, you might think again.
;)
They aren't a dime a dozen for a reason.
Fine then, here's some information:
"Computer Security Basics" by Deborah Russell & G.T. Gangemi, Sr.
http://www.oreilly.com/catalog/csb/
"Computer Security Handbook" By Hutt, Arthur E. / Hoyt, Douglas B. / Bosworth, Seymour
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471019070
"Cryptography and Network Security: Principles and Practice, 2/e" by William Stallings
http://vig.prenhall.com/acadbook/0,2581,0138690170,00.html
"Hacker Proof: The Ultimate Guide to Network Security" By Lars Klander and Edward J. Renehan
http://shop.barnesandnoble.com/booksearch/isbnInquiry.asp?userid=686GAUD2CA&mscssid=9BBLV0W1RRS12NQU001PQJ9WMNQ2B225&srefer=&isbn=188413355X
(This book really isn't that good, though. Some errors and tends to be too general)
Of course, you could always find an electronic copy of the Orange book itself online. It's out there, I just don't have a URL handy.
--
One way to avoid storing card numbers is to have the client reenter them at each purchase. Unfortunately, people don't like that. They like the convenience of one-click buying.
Another possibility is for the credit card verification company to issue a unique token which can be used only for billing to the same merchant. This data is stored in the merchant's databases and should be quite useless to anyone else.
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Since it has long since been obvious that banks and businesses will pay the blackmail rather than alert law enforcement, in order to preserve their own reputations and customer base (CitiBank was a notable exception and paid dearly for doing the "right thing"), the best way to make blackmail unworkable, and to put these creeps out of business for good, is to put the fear of the law into the person being blackmailed if they go along with it.
If paying the blackmailer were to come with sufficient legal ramifications (huge fines, jail time, etc.), and were actively prosecuted, companies and individuals would be more likely to cooperate with law enforcement rather than criminals. In a contest of jail vs. embarrassment, or fine+public knowledge vs. public knowledge alone, the blackmailer will almost always lose. Without victims willing to pay, the blackmailer must find another line of work if they don't have the human decency to simply starve instead.
BTW -- keep up the boycott. Financial pressure is a reasonable tool to discourage this sort of behavior as well.
The Future of Human Evolution: Autonomy
One way to do this is to put a gatekeeper in between the order entry system and the secure database. The gatekeeper system is responsible for checking and forwarding all messages to/from the secure database. The gatekeeper has its own database of message types and message templates. Each incoming message is checked for a valid message type and the contents are compared to the message template for that message type. Only messages that pass all tests are forwarded. All others are logged and printed for analysis by the security office.
My hovercraft is full of eels
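The gatekeeper described in the post above, as an added example that is not the poster's code: message types, their exact field sets and per-field patterns are hypothetical and constructed here; anything that is not an exact template match is logged for the security office instead of forwarded.

```python
import json
import re
from dataclasses import dataclass, field

# Hypothetical templates (constructed for this example). Each message type
# lists the exact fields it may carry and the pattern each field must match.
# Note that AUTHORIZE expects a token reference, never a raw card number.
TEMPLATES = {
    "AUTHORIZE": {
        "order_id": re.compile(r"[0-9]{6,12}"),
        "amount_cents": re.compile(r"[0-9]{1,9}"),
        "card_token": re.compile(r"tok_[A-Za-z0-9]{24}"),
    },
    "ORDER_STATUS": {
        "order_id": re.compile(r"[0-9]{6,12}"),
    },
}


@dataclass
class Gatekeeper:
    templates: dict
    audit_log: list = field(default_factory=list)   # (reason, raw message) pairs
    forwarded: list = field(default_factory=list)   # messages passed to the secure database

    def check(self, message):
        """Return None if the message passes every test, else the reason it fails."""
        if not isinstance(message, dict):
            return "message is not an object"
        msg_type = message.get("type")
        if msg_type not in self.templates:
            return f"unknown message type {msg_type!r}"
        template = self.templates[msg_type]
        present = {k: v for k, v in message.items() if k != "type"}
        expected = set(template)
        if set(present) != expected:
            extra = sorted(set(present) - expected)
            missing = sorted(expected - set(present))
            return f"field set mismatch: extra={extra} missing={missing}"
        for name, pattern in template.items():
            value = present[name]
            # fullmatch: the whole value must fit the template, not just a prefix
            if not isinstance(value, str) or not pattern.fullmatch(value):
                return f"field {name!r} does not match its template"
        return None

    def handle(self, raw):
        """Parse one incoming JSON message; forward it or log it for analysis."""
        try:
            message = json.loads(raw)
        except ValueError:
            self.audit_log.append(("malformed JSON", raw))
            return False
        reason = self.check(message)
        if reason is None:
            self.forwarded.append(message)
            return True
        self.audit_log.append((reason, raw))
        return False


# Constructed sample traffic from the order entry system.
SAMPLE_MESSAGES = [
    '{"type": "AUTHORIZE", "order_id": "100234", "amount_cents": "1999", '
    '"card_token": "tok_k3J9vQ2mN8pL4xR7sT1wY6zA"}',
    '{"type": "ORDER_STATUS", "order_id": "100234"}',
    # a raw card number where a token reference was expected
    '{"type": "AUTHORIZE", "order_id": "100235", "amount_cents": "1999", '
    '"card_token": "4111111111111111"}',
    # an extra field the template does not allow
    '{"type": "ORDER_STATUS", "order_id": "100234", "verbose": "1"}',
    # a message type the gatekeeper has no template for
    '{"type": "LIST_CARDS"}',
    'not json at all',
]


def run_samples(messages=SAMPLE_MESSAGES):
    """Run the sample traffic through a fresh gatekeeper and return it with per-message results."""
    gk = Gatekeeper(TEMPLATES)
    results = [gk.handle(m) for m in messages]
    return gk, results


if __name__ == "__main__":
    gk, results = run_samples()
    print("forwarded:", sum(results), "rejected:", len(results) - sum(results))
    for reason, raw in gk.audit_log:
        print("REJECTED:", reason, "<-", raw)
```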
Sorry, but I have to throw this problem at the website developers themselves. When we develop Web Server sites that contain credit-cards, we make sure that the database server cannot be accessed from the outside world. And we make sure that credit card information travels one way only, from client to database. Only internal networks can see the credit card information. We trust physical hardware limitations, not software limitations...
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make a very fast pig"
Cool down. There's no evidence they actually intended to pay; indeed, the fact that they didn't suggests they were trying to lure him into doing something they could use to identify him. Ultimately, the story relies on the word of a criminal.
Certainly, though, you could write them off as a vendor after their poor attention to security issues.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
slashdot-terminal wrote:
...
I could believe that this guy is just working alone without the help of his government the day pigs fly!
I find it much more plausible that he is an individual than that there is a vast Russian government conspiracy to shake down American dot-coms. But I wouldn't put it past the Russian mafia. (Most likely he did have help setting up that bank account.)
I don't see this as a government operation because it's just too small. There's more money in shaking down the US for space station funding, many times more money.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
But these thefts have nothing to do with all of this.. they have to do simply with the company keeping its customer database, including credit card numbers, online, where it should never be.
And seriously, why should card owners be liable for *ANYTHING*? The card is just a symbol of the credit granted to the individual, not the credit itself.
I came late to the conversation, but I hope someone has an answer for this question. I've bought from CDuniverse.com before... so what should I do? What are the chances that my card has actually been stolen? I suppose I could just watch my balance carefully (it's a debit card), but I'd rather know quickly whether this is a scam or my number really is loose.
And I love how the old, crotchety types assume that nobody can do anything without their help...
Packet sniffing is trivial, if you're in between the people who are communicating, and if you know what you're looking for.
I've personally seen a lot of people snag a lot of interesting stuff from the sniffing.
A friend in university wrote a program to watch for IRC traffic, it was pretty stupid, just grabbing things to the default ports, 6667 or whatever, and scanning for keywords. Found some funny stuff that way.
A guy I work with ran a small business which required net access, so they dropped the machine off at an ISP instead of getting dedicated bandwidth. Turns out all third-party machines were on the same 100mbps hub (the service was for T1-equivalent of bandwidth, so the ten or fifteen machines didn't saturate this)... They could remotely put the second network card (no idea why it had two cards.) into promiscuous mode, and by sniffing, they were able to watch all transactions from the other machines... Mostly mail servers, but a few web servers, at least one of which was taking orders. Mostly PO stuff, but still...
As long as you're in between the two ends, or on a hub with either end, you can see what they send, and if it's unencrypted, you can read it. Many ordering forms are still unencrypted, and if you watched for traffic to those sites, you'd probably get a few hits here and there. Not enough perhaps to justify it, compared to hacking into something to just grab a list, but...
Sniffing IS easy, and with some luck and skill, it's not hard to get stuff you shouldn't have access to.
Just think of how much fun those things could be. I'd buy 10,000 twinkies :D
In case of Emergency, Curl up in the Fetal position, and lick a Bible for comfort!
It's common practice in the financial industry to pay off h/cracker blackmailers.
Quite likely, almost every major financial institution has done it.
Not that this is a good thing, just common practice.
LetterRip
This may seem scary, but the same thing happens almost daily in the real world. Hell, the same thing happened to me - a company I had had problems with in the past decided that they wanted me to have a 300 dollar DVD player, so they charged my card. Problem was, I neither wanted nor needed it, and they couldn't/wouldn't cancel the order. Took me two months of wrangling to get it sorted out.
And I never touched a computer while making my original order with said Giant_Bastard_Company. It was all done over the phone.
I tend to worry more about the company on the other end than anyone in the middle or hacking.
My opinion is that 1200 baud connections are very very sniffable, and consider that all this encryption is closed source, unverifiably secure. Ok, big deal. You'd expect banks to be closed source. Next we started to deal with a few other "gateway" companies like First Data Resources (whom we haven't dealt with, but apparently are very good.. I'm still waiting for my programmers' documentation). One particular gateway company has an exclusive arrangement with a local bank that a few of our merchants were interested in using. We went and spoke to them. They gave us lots of development information and talked to us for a few hours. After about 2 hours of talking about security, they showed us the reporting mechanism of their gateway. I casually asked: "So where is all this data stored?".. their reply: "Oh.. we maintain an Access database on the local harddrive". A few minutes pass.. I ask: "So what exactly is stored in that database?", the reply: "Well, everything about the transaction", "Including credit card details?", "Of course!".. After informing them about the total insecurity of that I asked what else their NT based gateway had installed on it other than their closed source processing/report generating software. "PC Anywhere".. "oh, why is that on there?", "We like to dial up and do maintenance on the gateway", "Dial up using what?", "The tran$end modem".. so they want to dial up a box on my secure network using a 1200 baud connection over the private banking network to use PC Anywhere to access a database that includes credit card information. These people virtually represent the bank! Yawn. I took their programming docs and quietly told the manager with me that we would wait until we did our FDR development before we offered service to that bank.
How we know is more important than what we know.
If they had stored the CC# in encrypted form in their database, no hacker could have stolen the number. They could have downloaded 300000 encoded #s by hacking into the system, but would have been stuck with unusable data (cracking a PGP key is more difficult than hacking NT, you see)
I have my credit card company by my side. My credit card agreement/contract protects me from any unauthorized charges and the credit card company will investigate any such charges. Of course, there is the problem of going through phone calls and other communication to get the matter straightened out, but not a single unauthorized/fraudulent charge makes it past one statement!
So, if you are/were a customer of cduniverse.com, don't get too worried. You're protected.
On a more serious note exactly who is this guy. I could believe that this guy is just working alone without the help of his government the day pigs fly!
It's actually a pretty slick thing. Just unofficially get someone to crack a site and then blame him and you can just walk away.
Slashdot social engineering at it's finest
People basically have no choice if they want to get something online: for anything at all I need a credit card to process it. This allows for easy and convenient transfer of funds and allows for all those nice little savings that people now have. Unfortunately it screws anyone that doesn't have a credit card as well.
Slashdot social engineering at it's finest
Interest paid on a loan is free money. It's a part of the chain of how the economy grows:
The more interest the Bank can charge on a loan, the faster they get rich. They can afford to pay all the other incidental costs of the mistakes: bad loan risks, stolen merchandise on stolen cards, etc.
One late payment, and that "Low APR For A Limited Time" card of yours balloons to a ridiculous loan-shark rate of 19, 20, even 25% APR.
The large corporations don't pay the costs. If they did, they wouldn't be large corporations.
Only if they got your card. (and in reality, the bank never makes you pay the $50). In this case, without the physical card, you'd be out a maximum of $0.
--
E2 IN2 IE?
To get off our collective duffs and develop a secure internet monetary system. Hell, even if visa/amex/etc just implemented a system wherein you could get an "internet secure" credit card, that would refuse internet transactions unless the buyer presented a valid certificate that only the cardholder has. Then a database of these things would be useless unless you could somehow also obtain the person's personal certificate.
The idea that the printed information on a card is enough to verify it is IMHO plain outrageous. It doesn't matter if a villain got my credit card number by cracking a site or from simply looking at the card. Paying for stuff giving only the cc number (and date) is as stupid as logging on using only a uid.
All opinions are my own - until criticized
It seems like the e-commerce sites need to isolate the credit card numbers. How hard would it be for the web server to take the number, not cache it, and submit it to a secure machine for processing and storage. Now while secure may be impossible, we can get close.
Put it behind a firewall (or even just shut off all services on a UNIX machine) and only have a system to process credit cards, and have it set up so it is only accessible from the web server, and then only accepts credit card numbers, and NEVER puts them back out. If the store wanted to store numbers for quick access by customers (I like this, although the security is definitely a problem), the system can assign a unique reference to that card number that can be stored on the web server.
If this program is written carefully, and doesn't have buffer overflows, there would be no way to get the credit card numbers from it without access to that machine. How the admin wants to keep it secure could vary, the ultimate would be using a dedicated connection to the credit card company (I am not sure how all these work, but it would be the same as any POS system), and even console only admin access, although the admin may choose to trust some form of remote access such as ssh or ssl telnet, etc, and of course if that is compromised the whole above system is insecure, but I think it would be secure enough if the sysadmin stayed on top of things.
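Both the merchant-bound token suggested earlier in the thread ("a unique token which can be used only for billing to the same merchant") and the isolated card machine in the post above that "NEVER puts them back out" come down to the same design, shown here as an added example that is not any poster's code: a hypothetical processor-side vault that validates a card number, hands the merchant only an opaque token plus the last four digits, and refuses to honour that token for any other merchant. The card number used is the standard Visa test number; merchant names are constructed.

```python
import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, so obviously bad numbers are rejected before anything is stored."""
    if not re.fullmatch(r"[0-9]{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardRecord:
    merchant_id: str   # the token is bound to the merchant that captured the card
    pan: str
    expiry: str        # "MM/YY"


class TokenVault:
    """Hypothetical vault living on the isolated card machine. There is deliberately
    no method that returns a stored PAN; merchants can only tokenize and charge."""

    def __init__(self):
        # In a real vault this store would be encrypted at rest with keys the
        # web tier never holds; a plain dict keeps the example self-contained.
        self._records = {}

    def tokenize(self, merchant_id: str, pan: str, expiry: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        if not re.fullmatch(r"(0[1-9]|1[0-2])/[0-9]{2}", expiry):
            raise ValueError("bad expiry format, expected MM/YY")
        token = "tok_" + secrets.token_hex(12)   # random, carries no card data
        self._records[token] = CardRecord(merchant_id, pan, expiry)
        # Only the reference and a display hint ever go back to the web server.
        return {"token": token, "last4": pan[-4:]}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        rec = self._records.get(token)
        if rec is None or rec.merchant_id != merchant_id:
            # Same answer for unknown and foreign tokens, so a copied token
            # database from one merchant is useless to anyone else.
            return {"approved": False, "reason": "token not valid for this merchant"}
        if amount_cents <= 0:
            return {"approved": False, "reason": "invalid amount"}
        # Authorization against the issuer would happen here; the PAN never leaves the vault.
        return {"approved": True, "last4": rec.pan[-4:], "amount_cents": amount_cents}


def demo():
    """Capture a card for merchant-a, charge it once, then try the same token as merchant-b."""
    vault = TokenVault()
    stored = vault.tokenize("merchant-a", "4111111111111111", "12/27")   # what the web server keeps
    ok = vault.charge("merchant-a", stored["token"], 1999)
    foreign = vault.charge("merchant-b", stored["token"], 1999)
    return stored, ok, foreign


if __name__ == "__main__":
    stored, ok, foreign = demo()
    print("merchant stores:", stored)
    print("own charge:", ok)
    print("other merchant's charge:", foreign)
```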
I am more afraid someone at Olive Garden will snitch my CC num than someone at Amazon.com. A lot more people interaction occurs at some place like a restaurant. They get to see what kind of person you are and possibly what kind of CC you have. Titanium.. yep this is one I want to steal. That scares me a HELL of a lot more than any online site. I have a 500 Dollar unsecured VISA, that's all I will ever have. Just for emergencies. I have a debit card on a checking account with no more than 2000USD EVER. The BANK does assume the risk and I am only liable for 50 bucks of it if any of it is stolen. It's just like a VISA in every respect except for the fact the money comes straight from my bank account. Bleh. Keep on using them CC's online :-)
Jeremy Allen
jallen@idminc.com
Well, the only reason this is possible is that the credit card companies don't care. Introducing strong cryptography, challenge-response protocols and real online banking will make such frauds nearly impossible. All these technologies exist, but why aren't they implemented?
Apparently the losses of the credit card companies are not enough to justify the move towards stronger verification schemes. This is also fine with everybody - the card owners are not liable for more than $50 of losses and the hackers have an easy source of income.
The REAL losses are covered by the big corporations, and I couldn't care less about them. Don't bitch about the lack of security - it doesn't harm any REAL people, only corporations.
Combine this fact with this part of the "FAQ" on Maxus' site (mirrored here)
In other words, all he got were rather old credit cards. One might surmise that CDUniverse updated their CyberCash software, but failed to delete the log file you mention.
As have I. All the encryption on the world will not help you if you store the credit card info on the server! Especially if the server is IIS 4.0, which it is in this case. You can hack it with a fsckin' web browser!
Maybe SET was a bad standard, I don't really know. But the idea (transfer the money, not the card number) was highly sound.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
It's not hard to get a visa card. I have a free checking account that gives me a visa card. You don't need to have credit to have a visa or mastercard. The minimum balance is zero, to answer that one right away.
Nerd rage is the funniest rage.
So you are saying there is some conspiracy of the Russian government & hackers to steal credit card numbers and post them on the 'net.
Why?
I find it is much more likely that he is an individual - like most hackers are.
Not everything is a conspiracy, you know.
This is how credit card theft REALLY happens on-line, not by packet sniffing.
This was the case until a few years ago, but now the branded debit cards have changed their policy to match those of credit cards, at least in the US.
HOWEVER, if you use a debit card you should still maintain multiple accounts, since there is usually a significant delay before your funds are returned. The people who get bounced checks might be understanding when you contact them, but they are not legally required to be so. I've known more than a few landlords who would not hesitate to assess substantial penalties, even start the eviction process, if your check bounces for *any* reason.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
'cause it is not the customer who has to wear the rap when someone cracks your database server and steals their credit card. The point of my refusal is that I cannot store credit card information securely. It is not possible. No matter how many firewalls you put up, eventually you have to expose services to the world (in this case a web server) and that is a weak link. Some zero day cr4x0rin' d00d will always be able to get into your web server some time in the future. When he does, you want to have the smallest possible bounty waiting for him. You want him to have to hang around for 3 days to get more than a few pages worth of credit card numbers.. all that time exposing himself to detection. This would not be a major issue if we were any old credit card gateway. The worst anyone can do with a credit card is make you pay $50. Big deal, but we claim to be the securest thing under the sun.. which is what our customers (merchants) and their customers expect.
How we know is more important than what we know.
Ah, but 1) He only posted about available 25,000 of the 300,000 cards.
2) He is still selling them for $1 / card, minimum of 1000. (See entry in his guestbook)
So, the person you are admiring is not the moralistic crusader you think he is, instead he is someone who used a known exploit to read the log file of a website that didn't bother upgrading the software they were using to fix a known security hole.
There is no-one in this incident to admire, that's including posters who are using this to push their own agenda (encryption, server OS software etc).
How many people encrypt their log files ? And how many people just make that subdir non-global readable ?
Instead, there are 300,000 people who are going to get put through a lot of trouble over the next year as these credit cards are doled out by this 'hacker' to his other teenage friends for phonesex lines and other wonderfully mature pursuits.
What most people don't realize is that shopping with your credit card is actually safer than paying by check. In the event that there is a problem with your purchase, the credit card company will remove the purchase from your bill and the on-line merchant is not paid. In the event that your credit card number is stolen, the credit card companies do not hold you responsible for any unauthorized purchases.
So go ahead and join the six million other people that are experiencing the pleasure of on-line shopping.
So thats OK then! (well, I found it amusing anyway)
From what I have done in research about things like this there is a better chance for fraud at a local store using in person methods of using credit cards than online.
If you ever looked at that little "educational" thing called the anarchists cookbook you will notice that they have a fairly detailed scheme that demonstrates how to commit credit card/mail fraud using carbons taken from retail stores' rubbish bins.
Slashdot social engineering at it's finest
should probably contact BizRate and CDUniverse itself to express your concern. I'm not sure whether I was more disturbed by the fact that the cards were stolen and customers were not notified immediately, or the fact that CDUniverse was about to pay the thief without contacting authorities.
"In individuals, insanity is rare, but in groups, parties, nations, and epochs it is the rule." -Nietzsche
Uh, it's probably a conspiracy created by the US government in cooperation with the russian mafia in order to discredit the kgb, all for the sake of getting the story linked on slashdot, america's number one e-conspiracy resource.
Amazing magic tricks
A lot of E-commerce companies put big efforts into making the "shopping experience" as easy and interesting for the user as possible. Wonderful, the company stored your credit card number, you won't have to type it in again when you shop later!
Security seems to come second for a lot of those companies, and it shows. No one with some sense of security would store credit card numbers with expiration dates of all its clients in a database!
Companies need to be educated about security, and users as well. We just had the proof that some companies who try to get users' trust are definitely not trustworthy.
"I remember Y1K, every abacus had to get another bead"
Someone was saying just the other day (week?): It will take a major fraud before common everyday people begin to demand strong encryption.
Perhaps now the time has come? A few more heists like this, and if some reporter would just have the balls to "leak" how strong public/private key encryption could provide decent security... Maybe things would improve?
Maxus claims the company agreed to the payment last month, but subsequently balked at initiating a wire transfer to a secret bank account because it might be noticed by auditors.
I can't freakin' believe this, that the people at CDUniverse were actually going to pay the blackmail instead of trying to either fix the hole, or alert law enforcement/credit card companies to what happened!
This disgusts me; it's not that CDUniverse didn't pay because they might have thought he was bluffing, but they didn't pay because they were worried that they might get into legal trouble for that! What about the customers with the compromised credit card numbers in the first place, don't they mean anything to CDUniverse? Bastards.
I don't think I'll ever be doing business with CDUniverse. I think I'll be dropping a line to manager@cduniverse.com and telling them why, too!
SET is completely unworkable. It requires an infrastructure (PKI) that somebody has to provide and that infrastructure is costly. The other issue was that it required the processing performed at the merchant site (real world, not electronic). This is also unworkable because most merchants don't have the capacity to run the technology required.
I was involved in investigating SET for operation in the "real world", not some mickey-mouse VISA/BANK setup that "proved" it worked. Ack!
What the banks should be doing is enforcing their TOS which (in Australia) state that credit card numbers cannot be recorded for any purpose other than for the duration of the transaction. So, you can take down the CC# and use it to process the transaction, and then it must not be kept for any other reason. None at all. As for the USA ? YMMV.
As you state, transfer the money, not the card. That's pretty much how it should be. If you encrypt the card details and the decrypted card details are only used to approve the availability of funds, the "window of opportunity" can be kept to a minimum. With appropriate encryption, the decryption of the CC# can be done at the bank, and the cc# is never, ever in the clear outside the banking network. That's how it should be done. Oh, did I forget to mention that's what we did when I was involved in developing a credit card authorisation system. ;-)
Why don't the banks care ? Well, it doesn't cost them any money, now does it ? The merchant and the consumer always lose. (Mostly the merchant) Cheers,
I have found a vulnerability in CyberCash 3 where local users can do Bad Things.
I have tried many times to get an adequate response from then over the last two or three months. They do seem to be fairly clueless about security issues.
I will be submitting the details to BugTraq tomorrow. They have been warned.
I work for a company producing a credit card processing gateway. I have had pressure by management (evil!) to store credit card details in my database. I refused. The bank stores credit card details.. and they do it securely, in semi-stand-alone computers that are protected by guards with guns. There is no reason to keep a customer's credit card number in a database and stories like this are another reason I can show to management to get them off my back.
How we know is more important than what we know.
No digits, of course :) HERE
Incidentally you have to hit <esc> to get it not to autorefresh to a 404'd page...
mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.
No, not all online merchants do this -- only the foolish ones. I build e-commerce sites for a living, and steadfastly refuse to even allow credit card information to traverse my client's servers unless they are encrypted at every step.
Of course, we have to provide for those cases where the remote payment processing center is unreachable, so we do sometimes have to store the information on the internet-connected server. The information stays strongly-encrypted until it reaches the merchant, and is never within reach of the HTTP server. We counsel the merchants to keep the decryption process out of any internet-connectable machine, and we keep a very jealous eye on the server logs for crack attempts. When a crack attempt is found, the site is disabled and we go to work analyzing the attempt and searching for any damage or changed files and take whatever action is appropriate.
We make noise to the administrators whose machines and network were used, but the fact remains that a persistent cracker will just come back using some other route -- and the knowledgeable ones can cover their tracks pretty well. If they come back often enough they're more likely to make a mistake that gives them away, but even then there may be nothing that can be done about it short of increasing security. In many places on the globe, cracking is not illegal.
As long as there is commerce, there will be thieves. And as long as there are thieves, there will be a few who get away with it. It's easier to commit credit card fraud in the physical realm than it is in the virtual -- and the black market for stolen credit card numbers is huge. All it takes to gather up a group of stolen credit card numbers in the physical world is to find some embittered minimum wage punk in a gas station, mini-mart, or restaurant who wants to make a quick buck on the side, and they'll do so willingly. It's tougher to make a computer give them up unwillingly.
E-commerce is generally no more risky than is handing your credit card across a counter to someone you don't know just because he's there, and I would even go so far as to say that it's probably safer. If for no reason other than the fact that e-commerce sites are not where you'd expect to get caught in the crossfire of an armed robbery.
It's a good thing that tomorrow never comes, because most of us are stuck in yesterday.
But that's not the problem this time. This cracker reportedly found a bug in ICVERIFY, which is a completely separate program. ICVERIFY is an old, clunky program that emulates a credit card terminal, dialing and all. There's a free version; I got a copy once on a CD-ROM in an early book on Internet commerce. It's slow; when you see a site that says "It may take minutes to verify your transaction", it's probably an ICVERIFY site. CyberCash resells the thing, and has some improved versions.
CyberCash itself is a different system. A site using CyberCash on its servers runs the CyberCash CashRegister program, which sends transactions over the Internet (encrypted) to CyberCash HQ, which in turn has servers connected both to the Internet and to the interbank networks. This works much better than using ICVERIFY; you get address verification and proper error codes, and turnaround is about a second. CyberCash 2.x no longer works; it's not Y2K compliant. The current minimum version is 3.x. So that bug should be fixed for all sites.
Let me ask Slashdot readers a question. Suppose you could get a version of Linux that ran 25% slower, but was highly secure, secure enough to run trusted applications in a leakproof environment and untrusted applications in a "sandbox". Would you run it? Would you buy it?
Most "high" end banking institutions DO have their revenue processing systems directly connected to the other areas of their environment.
If a cracker had the right tool and a little social engineering skill, it would not be difficult at all.
Simple scenario is to gain access to a less secure DB and then spoof the card DBs into thinking your session is just another R/W from a trusted DB.

Actually this sort of thing happens all too frequently and the card companies just write it off as bad debt. It's unfortunate, but in the long run, they would much rather keep the fraud FUD down; it is much more damaging than having a high bad debt number. Most issuing companies run between 4-8% written off as bad debt.
More race stuff in one place,
than any one place on the net.
I hate to be right, but when people would talk about the risks of using credit cards online, I would tell them that no h/c(racker) is going to intercept a communication and break the encryption for one credit card number when they can simply steal the entire database after breaking into one server. Guess this guy proved me right.
-- "The higher we soar, the smaller we appear to those who can not fly" -Frederick Nietzsche
As a side effect of tracking down spammers and liquidating them, I found many low budget web sites that accepted credit card orders and stored them in globally readable files on the web server. If you read the source for these web pages, you can see how they process the data submitted by their customers. Many just take the data from the form and append it to a file on the web server.
My hovercraft is full of eels
Call your bank. Most likely they will simply issue you a new card.
Since you stated this is a debit card, be aware of a little-known fact:
Debit cards do not have the same protections as credit cards.
While many bank policies are similar to the legal limitations on credit card liability, they are not, repeat not subject to the same laws. Read this recent article explaining the differences. Under certain circumstances, your entire bank account could be cleaned out, and the bank wouldn't have to give you one cent back.
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
Here they are (in no particular order):
Of course "Under federal law, the most you'd owe for unauthorized charges to your credit card is $50 per card. You owe nothing if you report the problem before charges are made. " If I was a customer of this company I would call my bank and cancel my card ASAP.
E-Commerce sites have had problems like this from the beginning. Just last week I read a story in the news about someone saying that their credit card got stolen from Amazon.
What is scary about this heist is the fact that the cracker posted the page online and doled out card #'s to anyone in the world that wanted to get one... that is a first. The blackmail thing has been done b4.
However, I believe that the majority of credit card #'s that are stolen or taken advantage of w/out the owners' knowledge over the internet are taken by kiddies and their credit card # generators. Most sites are secure and are not broken into by hackers. If (the myth that) most sites were broken into was true... someone with a fair amount of brains would have cracked a college application website and got ssn #'s and addresses and other crap and done a whole lot more damage to a person, or cracked an online banking service by now and screwed over thousands.
Also, the fact that stuff like this gets major news stories shows that it is not commonplace; if it were, the news sites/people would not cover it, because viewers want sensationalism.
Personally, I doubt that this guy did what he says he did. Had he done it, Interpol/Russian Cops would have gotten involved right away and tossed him in the clink - or at least paid the blackmail $.
Is it progress if a cannibal uses a fork?
The vulnerability found in CyberCash v 2.1.2 has been known for a while. Either these people didn't bother to fix their configuration, CyberCash didn't fix it in subsequent releases (if there have been any), or they continue to not take security seriously. For example, here is a summary of the vulnerability in CyberCash 2.1.2:
CyberCash v. 2.1.2 has a major security flaw that causes all credit card information processed by the server to be logged in a file with world-readable permissions. This security flaw exists in the default CyberCash installation and configuration.
The flaw is a result of not being able to turn off debugging. Setting the "DEBUG" flag to "0" in the configuration files simply has no effect on the operation of the server.
In CyberCash's server, when the "DEBUG" flag is on, the contents of all credit card transactions are written to a log file (named "Debug.log" by default).
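Both of the failure modes described in this thread (order data appended to globally readable files on the web server, and a debug log such as Debug.log that keeps card numbers with world-readable permissions) can be caught by the same audit: walk the web server's directories, keep only files readable by "other", and look inside them for Luhn-valid card-number-like digit runs. The script below is an added example for merchants auditing their own servers, not CyberCash's or any poster's code; the log line layout in SAMPLE_DEBUG_LOG is constructed and does not claim to match the real Debug.log format, and the card numbers in it are well-known test numbers.

```python
import os
import re
import stat
import tempfile

# Constructed sample of what a card-logging debug file might hold
# (hypothetical layout; the real Debug.log format is not on the page).
SAMPLE_DEBUG_LOG = """\
[debug] order=1001 card=4111111111111111 exp=0102 amount=49.95
[debug] order=1002 card=5500000000000004 exp=1201 amount=12.00
[debug] order=1003 ref=1234567890123 amount=3.50
"""

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most non-card digit runs (order ids, refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card-like numbers found in text, in order of appearance."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def audit_tree(root: str) -> list:
    """(path, hit count) for each world-readable file under root holding card data."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not os.stat(path).st_mode & stat.S_IROTH:
                continue        # only "other"-readable files leak to local users/CGI
            with open(path, "r", errors="replace") as fh:
                count = len(find_card_numbers(fh.read()))
            if count:
                hits.append((path, count))
    return hits

def demo() -> list:
    """Build a throwaway tree: one world-readable log, one owner-only log."""
    root = tempfile.mkdtemp()
    for name, mode in (("Debug.log", 0o644), ("private.log", 0o600)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(SAMPLE_DEBUG_LOG)
        os.chmod(path, mode)
    return audit_tree(root)    # only Debug.log is reported, with 2 hits
```

Running `demo()` reports only the 0o644 file; the 0o600 copy holds the same data but is not exposed, which is exactly the difference between the default CyberCash install described above and a locked-down one.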