60,000 Credit Card Numbers Stolen Online
robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."
now i can finally afford some /. credits!
MARIJUANA, SHROOMS, X: ONLINE?! - E
This is why I have fraud protection on my card. I can backcharge anything, and VISA goes after those who frauded me. No fault, no charge. Anyone who messes with VISA goes against some of the most expensive lawyers there are... and a whole lotta pain can ensue....
Ahh, and of course we can only guess where the money went.
Quick, think of the Children.
Damn.
Glad I work for my money.
To pay for better editors and columnists who can actually spell!
IMG:INTERACTIVES 'Brute force' card theives attack - I think that this should be spelled thieves
Or maybe they're just rolling out the new MSN - "Microsoft" Version of the English language...
"i" before "e" except after "c". Kindergarten time for MS - phorm
umm, that starts with a 1... Try at least starting with a 4 (visa), 5 (mastercard), or 6 (discover).
Duh. From the article:
They then go on to talk about an earlier MSNBC expose reported in April. I suspect the testing of credit gateways happens far more often than MSNBC suggests. Actually, I was a "victim" of this sort of authorization fraud last month -- someone in Czechoslovakia breached a transaction system in North Carolina, posting $0.01 charges, then following up with larger charges for goods delivered to El Paso. Lovely. I only got hit up for the initial cent before cancelling the card, but the person with whom I spoke mentioned that many more people were tapped through their system.
People: check those statements. So many friends of mine don't, holding on to bank-issued VISA debit cards and not bothering to account for their money apart from "do I have anything in my account now that I'm standing in front of an ATM?"
The initial password assigned to the hacked account was OnlneAp16501. I wonder if the merchant before them had password OnlneAp16500? Sigh.
Curtains for windows?
Go online, log on, generate a one-time use number, plug that into the web site, only good for one transaction.
http://www.vitalizeme.com/arcade
it sucks!
Since it was so obviously testing stolen credit card numbers one would hope that all the cards would be immediately cancelled.
:-(
If so, the thieves must be kicking themselves for being so greedy.
Although knowing the way that institutions work, I somehow doubt that that has happened yet!
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
Anyone remember him? He had hacked a CD reseller website (cduniverse.com afaik) and stole about 25,000 credit card numbers and published them on the net!
Check here for his page
Though he never got caught....
Related Links
http://www.internetnews.com/ec-news/article.php/4
http://www.wired.com/news/technology/0,1282,33539
Never learn by your mistakes, if you do you may never dare to try again
Online transaction systems should always be set up to require a zip code and decline the transaction if it's bad. This problem is just negligence on the part of the merchant.
"Eve of Destruction", it's not just for old hippies anymore...
If you'd read the article through, you would've seen that the merchant account was never credited with the $300K-plus authorized. The main worry is that now the criminals have a large number of valid card numbers; but all those numbers are on record and can be canceled, and new numbers issued. Transactions using those numbers can be traced.
Admittedly the incident caused a lot of annoyance and no small expense for card issuers, and there are ways security could be improved, but in the end, the hack didn't cause a disaster.
They wouldn't be having these problems if they used linux and perl.
I was pissed off recently because I can't use my Switch (Debit Card) on Dabs, but looking at it realistically, it makes sense because with most banking online in the UK, most (if not all) Credit Cards have insurance against online theft (whereas I don't think the Debit Cards have the same protection).
But I know that isn't the point (relying on the insurance), because the systems (and banks) need to catch up with the standards that the internet/online world requires. Not only the banks have problems, but remember Amazon.com keeping quiet about major breaches of security and customers' bank details being overly exposed... I never saw the image, but didn't someone modify their logo so that it said 'Shhhh!'?
Just my 2 fraudulently obtained cents (processed through 'Online Data Corp's credit card transaction processor).
Are you local? There's nothing for you here!
You'd think that Visa, MC, and other CC companies would come down hard (as in, put them out of business) on any business who's stupid enough to save CC # on an internet connected system!
It doesn't matter if SSL protects your CC # on-route. The danger is saving them on systems, hooked to the internet.
How long does it take to type in a CC #? Not very long. So there's no real need to save CC#s. Besides, knowing companies, their CC# server databases are probably designed by MS.
They don't go after the thief first. The first thing they do is a chargeback to the merchant that accepted the bad card. Merchants have none of the legal protections of cardholders and end up eating the vast majority of fraudulent charges.
"Eve of Destruction", it's not just for old hippies anymore...
OK, so the hackers now have a list of 60K credit cards that worked on this test. But the credit card company also has a list of credit cards tested by the hackers, right?
It shouldn't take too long for the credit card company to block all those cards. Of course, they've got 60K pissed off customers whose cards will have to be replaced, and that's not going to be that cheap!
My opinions may have changed, but not the fact that I am right! =)
Yet another problem for Verisign. I wonder how this will affect their image...
Face it, most of us will never buy a 30,000$ piece of equipment on a e-commerce site. And even companies, that's why you have Purchase orders and/or accounts/checks. If you're crazy enough to buy that 30$ item or that 200$ basket with a GOLD Visa that has no protection, you're asking for trouble.
.02
The most basic way to protect yourself is to 1. You get a visa or mastercard with insurance/protection for that kind of fraud. If it's not available then go for a LOW limit on it, I did that with one, got about 700$ credit limit on it, I've taken the worst case scenario buying, more than that, if, let's say I would buy something for 2000$ off ebay, I'd simply send a cheque or if I don't trust the seller, I'll use an escrow service. For most e-commerce sites, 700$ for my personal needs is okay, if I get frauded, it'll be ~500$ (balance) in the average, much less than if I'd use a 5K$ visa.
Banks are to blame on this though, we are users, we pay good money and good interests for this service and even in recessions they are still the ones making the most money, so why can't they come up with a better system? I don't have to THINK about that system, someone there is paid to do exactly that. I saw a report on TV the other night about how easy it is to empty bank accounts if you only have an account number and the complete address of the account number's owner... I mean... come on... basic service here. I'd gladly take an extra step that could make it less convenient to get better protection, this kind of situation shouldn't happen.
If you say "banks have nothing to do with E-merchants that don't protect their data" I'll say this: Banks indirectly or directly giving e-merchant status to people/companies, it's their responsibilities to make sure that their systems are safe and that their name won't be associated with being frauded to the bones. While I agree nothing is safe at 100%, there are some BASICS that should be covered, and the one in this article with over 100,000 queries is kinda OBVIOUS.
I fear we'll see more and more of this since now everything is continuing to be programmed at a higher and higher level without really knowing the insides and completely trusting the source tools (.NET for example, makes everything so much easier, but you don't even have to be a good programmer to use this). if the command becomes "securecheckout(items,price) return total; Charge(inputcreditcard)" well, if you are a good programmer, you'll check that "charge" function and how it works, if you are like most programmers out there, on a rush with a crazy deadline, you won't bother or take the time, hence, this will happen more and more. (I won't get into the rushed/incomplete software developing as well we all know the effects of that).
my
--- Metamoderating abusive downgraders since my 300th post.
Why does /. always consider stolen credit card numbers a consumer/yro problem? Stolen numbers that are used are nearly always reimbursed by the company (debit cards are different, unless you know the rules, you shouldn't use them online).
Big, enormous, credit card companies could make usage of credit cards more secure (and difficult) but they haven't because they probably don't want to do anything that will lower or hinder usage.
Because these guys make an enormous amount of money from credit card interest, I don't think they will make any major changes anytime soon.
-Sean
"You've generated 140,000 charges, that's more than your normal volume."
Hmm... Would you expect a store to want to deliberately shut down its systems because it is getting too much business? I mean what if slashdot had given them a posting about some great new product they had, or cnn.com, or any large media outlet. Can you really expect a merchant to build in a shutdown to its system on the extremely small chance that some hacker is going to use their site as a testbed, and potentially lose millions of dollars in sales? I do not think you can really blame the system here, for either its lack of foresight, or let's say they did foresee this scenario, or its unwillingness to refuse lots of orders. The article was kind of sparse on details but I am guessing this was an all at once kind of transaction, and even if there was some kind of alert sounded, that by the time anyone realized what was going on, the transactions would have taken place already. The passwords, while a little on the weak side, did contain a mixture of letters and numbers, and I am going to go under the assumption that the number was randomly generated. I don't think you can really place much blame on the merchant here- Could their security have been made stronger? Yes. Would stronger security have even prevented the event? Maybe.
Now isn't this the first time that a credit card # has been stolen from a website and used that we know of?
With the ratio of transactions to thefts, net commerce is still reallllly safe. Unfortunately, things like this will be blown up so those who are holding back won't jump on board.
"Oh no, 3 horny women and only 2 condoms...Thank god I read slashdot"
I've never had a fear of credit card theft.
1. I can dispute charges (I suppose you can't do this with all credit card companies).
2. They ALWAYS call me if there is any "suspicious activity" on my card.
There have been times when I used my card 5 times in a single day, and of course they call me to make sure it's all legitimate. I guess I don't know if all credit card companies extend such benefits to the customers, but my cards always have (Platinum, gold, and even those crappy ones you get in college when all you really wanted was a candy bar.)
Granted, this does not excuse sloppy software and ISP's leaving our credit card numbers exposed to the world, but it does increase my confidence in my credit card.
[FromTheMorning]
it says that I am responsible for unauthorized charges and I'll start caring.
If you're going to steal a database of credit card numbers, it'll probably have the zip code in the records. It's not likely these guys are checking 100,000+ credit card numbers they got off used credit carbons.
I used to work at a small video rental chain (nine stores) in the corporate office/warehouse.
Each year, we would have a huge warehouse sale. We would gather about 10,000 previewed VHS tapes and sell them for anywhere from $1 up to $10. There were some really great deals.
Anyway, since the warehouse was actually behind and attached to one of the stores, we would just run one of the telephone lines and charge machines to the warehouse.
During that weekend, we would see tens of thousands of dollars in transactions, up from the normal activity on our account, usually measured in the hundreds of dollars a day in charges.
Each year we were called by the authorizing agent during the sale to make sure the sales were not fraudulent. In addition, one year we had to show a random sampling of the signed receipt copies from the sales.
I find it strange that the credit card company did not look into the matter any quicker than it did.
- (c) 2018 Hank Zimmerman
Damn. And nobody noticed until irate customers started calling? Who dropped the ball here? Presumably Spitfire is ultimately responsible for not paying attention to the transactions through their own website, but I imagine Online Data comes in for some of the blame, since they were actually processing the payments. Interesting to see where the most fingers end up pointing (probably depends on who has the best legal department).
Also: In a situation like this, is Verisign obligated to contact 62,000 credit card holders to warn them about a possible fraudulent transaction using their card?
Dublin has single or double char postal areas. Outside the city there is no concept of a postcode.
I dare say there are a large number of other places that have credit card holders but no ZIP codes.
Assumably, Verisign and the reseller were able to clean up the merchant's account, at least I hope so.
A customer chargeback from a disputed charge is an automatic ding against the merchant, both in status and $$$. Too many chargebacks, Visa/MC will shut you off. Plus, they run the merchant about $35 a pop -- which is never refunded if the dispute goes in the merchant's favor.
Just dripping a few fraudulent charges per day into a small retailer could put them out of business!
I work for TrustCommerce, a credit card processing gateway that just happens to compete with Verisign, the gateway mentioned in this article. What I want to know is why the Verisign rep said nothing about the velocity controls that should have been in place on the account in question. Velocity controls work like this: If a merchant goes over a certain number of transactions per day or per card, no more transactions are let through. The whole point of these controls is to prevent exactly this sort of basic fraud from occurring in the first place.
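The velocity controls described in the comment above, sketched as an added example; it is not part of the original comment and is not any gateway's actual code. The limits, merchant IDs, card tokens and the burst of test charges are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

DAY = 86_400  # sliding window length in seconds


@dataclass
class VelocityGuard:
    """Caps authorizations per merchant and per card over a sliding 24h window."""
    merchant_daily_limit: int   # assumed value, set per merchant profile
    card_daily_limit: int       # assumed value
    _by_merchant: dict = field(default_factory=lambda: defaultdict(deque))
    _by_card: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(window, now):
        # Drop timestamps that have aged out of the 24h window.
        while window and window[0] <= now - DAY:
            window.popleft()

    def authorize(self, merchant_id, card_token, now):
        """Return PASS, or the name of the velocity rule that blocked the request."""
        m = self._by_merchant[merchant_id]
        c = self._by_card[card_token]
        self._prune(m, now)
        self._prune(c, now)
        if len(m) >= self.merchant_daily_limit:
            return "BLOCK_MERCHANT_VELOCITY"
        if len(c) >= self.card_daily_limit:
            return "BLOCK_CARD_VELOCITY"
        m.append(now)
        c.append(now)
        return "PASS"


def sample_burst(n=1000, per_second=100):
    """Constructed input: n small charges on one merchant account,
    each with a different (opaque) card token, at per_second requests/s."""
    return [("m-burst", f"tok-{i}", i / per_second) for i in range(n)]


def replay(guard, txns):
    """Feed (merchant, card_token, timestamp) tuples through the guard."""
    return Counter(guard.authorize(m, c, t) for m, c, t in txns)


def first_block_time(guard, txns):
    """Timestamp of the first request the guard refuses, or None."""
    for m, c, t in txns:
        if guard.authorize(m, c, t) != "PASS":
            return t
    return None


if __name__ == "__main__":
    print(replay(VelocityGuard(200, 3), sample_burst()))
    print("first block at t =", first_block_time(VelocityGuard(200, 3), sample_burst()))
```

The block is decided inside the authorization path, so the cap takes effect without waiting for a person to review an alert; a merchant expecting a legitimate spike would need its limit raised ahead of time.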
Go on-line to your favorite search engine and do a search for information about how to encrypt credit card transmissions using SSL. You will find a ton of useful information and hordes of people wanting to sell you certificates for your servers.
Now, go on-line and try to find information about STORING credit cards. There's very little in the way of useful information on how to do this securely. Most of the good security people simply advise not doing it at all. In spite of that many on-line businesses are doing credit card storage and you quickly get the sense that few of them have any idea how to store this information in a secure way.
This sig has been temporarily disconnected or is no longer in service
why I don't own a credit card.
The numbers get stolen all the time and abused and they charge you for things you haven't bought like expensive cars, tall buildings and anti-tank missiles. And then you get into trouble.
The other reason why I don't own such a silly credit card is only known to the credit card companies, which won't tell me.
Owner of a Mensa membership card.
a) far too convoluted and insecure (Paypal)
b) not convoluted and insecure (everything else)
You know, I keep hearing the endless screaming matches over the direction of the Internet -- either a free exchange of information as originally intended or as a capitalist haven as has more recently been the goal. Well, kids, things have moved about ten light years from the communal dreamscape envisioned by the original developers and, as demonstrated by this most recent theft of CC numbers, is about the same distance from the global mall imagined by about sixty million marketing majors named "Leif". What does that say? The Internet doesn't actually do anything well right now. Isn't that something?
-
Inventor of the term 'pardon my French'.
Heh... want to talk about credit card fraud?
The place I work at (which I'm not going to disclose right now) asked us for:
- Rent receipts
- My financial breakdown
- Cost of schooling
- Credit Card receipts
on our job application, so that I can "prove" I need the job badly enough (it's a student job, partly paid for by gov't wages).
How's that for fraudulent? I'd sue, but I don't think I'd win (the place I'm working for is pretty damn big). Ho hum.
Needless to say, they're not getting the receipts until they talk to me personally. Hasn't been a problem yet.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
A 400 MHz machine used as a server can handle 50-60 simultaneous connections (that's what I have, that's what I can handle; I pray I don't get slashdotted and I don't post links to my site). A commercial ebusiness should have dozens of times the capacity of me. So let's go with math time.
Let's just say they can handle 100 transactions a second (not unreasonable); then all 140000 transactions could happen in 23 minutes.
So let's say a computer flagged unusual activity and after 40000 transactions it would still take at least fifteen minutes for the guy who saw the flag to ask his manager what he should do about it and make the call; by that time it could be over.
This could happen much faster than the video store's big business day.
I used to have a cool sig, back when I cared
False charges that are later cancelled still show up on your credit record, with notes explaining the situations. As anyone who has worked with databases will understand, these records are then queried in credit checks with queries that do not have a human's ability to understand that the credit charge was bogus.
Therefore until the record has to be removed by law, your credit record can be hosed. And since nothing was actually stolen from you, if the credit card company chooses not to pursue (which from their point of view is a risk/reward issue involving the amount that a lawsuit would cost), you have no standing to sue about it.
The same thing happens with identity fraud, but tends to be larger because they can rack up quite the bill before anyone figures out that you don't live at the black hole that the bills are going to.
For more see Database Nation.
Does anyone else find it incredibly ironic that Verisign is blaming Online Data for assigning weak passwords instead of strong passwords, and Online Data is blaming merchants for not changing their passwords?
Online Data, the payment processor, is a reseller of Verisign credit card gateway services.
And Verisign sells digital certificates, which provide authentication, identification, and non-repudiation of data signed with those certificates.
And yet they are relying on passwords, rather than requiring the use of an X.509 certificate for an established security association, so that no client machines other than the ones owned by the merchants themselves can be used to make credit card authorization requests.
And each of these people *has* a certificate in hand, since they have to have one to run an HTTPS (SSL based) server in the first place!
That's a bit like the U.S. Marines deciding to hire school crossing guards to provide the security for Fort Knox, isn't it?
And now they are blaming people for not hiring the right school crossing guards, or not firing old school crossing guards, and hiring different ones "often enough"...
-- Terry
It's a honeypot account, a functioning decoy. and a good way to control one's own spending habits too.
Opens up when you want an online purchase.
I know. My company does 30 percent overseas sales. Nonetheless, a zip code verification should be done on *automated* credit card transactions. If the zip code fails, a human can look at the transaction and decide whether or not to override it.
"Eve of Destruction", it's not just for old hippies anymore...
It's all 'cause they Freed Kevin. It's the only possibility.
± 29 dB
Time to sign up with Microsoft Passport. At least then, I'll know my credit card information will be safe :)
This space left intentionally blank.
What do you think that there is a standard zipcode system? Think again. If they can get your card# surely they can get this too.
There is no such thing as security these days.
If you can prove that you weren't in El Paso that day then the Credit Card Co. is SOL!
"You're on my side and the dark side, like Lando Calrissian?" --Gimpy, Undergrads
And once again, this is a problem for Visa, not for me.
The onus is on the merchant to PROVE that I authorized those charges, and not the other way around. It SHOULD be like this on every other visa card issuer out there. If it's not, change (i'd be surprised)
IF you see a charge on your card that isn't yours, a single phone call is all that should be required to get rid of it.
WE have to remember, the credit card is the property of the issuer, not the holder. The money was not stolen from you, it was stolen from VISA.
Credit cards are an entirely different matter than debit cards like switch.
Credit cards don't *NEED* insurance against online theft usually... fraudulent charges are NOT your responsibility, PERIOD.
It is the responsibility of the merchants to ensure that transactions are legit, or they lose out, not you.
A single call from a cardholder declaring a transaction as unauthorized is all it takes to get you off the hook for the cash. They will investigate, of course, but the onus is heavily on the merchant to prove he had authorization to make the charge.
The credit card numbers weren't STOLEN. They were COPIED. Information wants to be free! Oh wait, this argument only applies to music, movies and software...
1. read this article
2. ???
3. profit!
First of all, stop this whole credit card business on the net. It is WAY dumb to have a stupid little code and an expiery (sp?) as the only thing identifying you.
Here is an example:
Have an ID system a la passport (preferably a company with no other interests at hand other than providing this service and high security). Now I can identify myself.
I login to shop.on.the.net and register myself (I let them know who I am), I can set what kind of news I want, and I can shop for stuff. Goodie. I choose to buy thing A, thing B, and thing Q, and I press "ORDER".
Now I have to log into my bank account, here I see that shop.on.the.net wants $XXX from me, and I say "yes I would like that". Now you have had two different systems that had to be broken before you can hack it.
Now what happens is that the order is sent to one of a few addresses that I have registered at my bank, no other addresses will be sent to. There is also a mentioning on my pages on the banks site of where it was sent.
Now, this system would not be hard to use (probably would take less time to order than for me to write this down for you), and it could probably be improved upon further, in terms of ease of use and security. And it is surely much better than a system with a stupid number and almost no control over it.
Ever wonder why stores take an imprint of your card? In looking up the rules for both MasterCard and Visa, this gives a lot of support to the merchant in case of a chargeback.
Merchants definitely have different internal policies for verifying the card and cardholder. At the low end of the scale (most stores), the card isn't even looked at, returned before you sign, etc.
In Atlanta, the CompUSA's require photo id. At the local Apple store, you have to take the ID out of your wallet.
Get too many chargebacks as a merchant, and notice just how high your "discount fee" (percentage paid to the acquirer) can get. Plus the per item chargeback fees too (upwards of $50-100 *per item*).
It's easy to find credit card numbers with CV2 and zip information.
Big deal, many of us know how easy it is to kiddie a credit card or 100,000.
Sure glad I don't have one.
Suckers!
-- Note: If you don't agree with me, don't bother replying. I won't read it.
on many cards, the $50 limitation is only if your CARD is used fraudulently... as in, someone steals it and uses it without your permission.
If you read most contracts, you will find you have zero liability if someone scams your number somehow and uses it.
but you don't HAVE to "buy" protection from this kind of fraud; at least in Canada & the US, it is federally guaranteed.
You are not responsible for fraudulent use of your card. Period. At all. In any way.
The only way you ARE responsible is usually for up to $50 IF THE CARD ITSELF IS STOLEN., and that's only if the charges happen before you report the card as stolen.
Merchants are the ones who get stung when cards are used fraudulently, not visa, and not the cardholder.
Where are all the server logs?
Shouldn't there be a record of where all this was starting from?
Worst-case you can trace it to a hacked gateway or proxy and fix it.
Just a thought...you know...logs.
- Josiah
I thought this story was gonna be about a website where you could test the "validity" of your credit card by typing in the number and waiting for the results...
Obligatory Simpsons reference:
Snake: "OOhhhh.. wallet inspector."
Nerds: "I think everything's in order." (hand over wallets)
Snake: "I can't believe that worked."
i wonder why the credit card companies don't just send users an email/pager message showing the balance used when the card is charged, rather than sending them all in an end-of-month statement.
What else would Online Data be running? Duh, the validation software saw nothing unusual in 140,000 $5.07 transactions? OK. Here, Mr. Vendor, just use this super secret closed software that we promise will be safe and secure because no one has ever audited or validated it. Weeee! Another fine "product" to run on the world's most secure platform.
Friends don't help friends install M$ junk.
While Verisign actually performed the authorizations, Dunne blamed the reseller, Online Data, for the incident. She said the company issued poor passwords to its customers.
"We encourage resellers to assign strong passwords. The issue here appears to be the nature of passwords assigned to merchants," she said.
But Rante said the merchant was to blame for not changing its password often enough.
"All of us need to change our passwords," Rante said. "We issue a starter password just like most companies do. We strongly urge the merchant to go in and change their password. This merchant failed to change their password and they were hacked."
So remember that kiddies, you are RESPONSIBLE for your password and any foul deed committed when someone breaks the crummy buggy crap software that accepts it! So clueless. The software was inadequate and those inadequacies obviously aided criminals. The criminal is at fault, but the maker of the software deserves blame for protecting against an obvious event.
Business at the speed of stupid.
Friends don't help friends install M$ junk.
Hmm... Here's a copy of a certain email I got a while back that seemed fishy.
On the authentication page, you will be requested to enter a password. Your password is:
All this for testing validity? And why send it after I've already been using the card for three months? Hmm...
bluHatter
What consistently amazes me is that the banks just don't care about security until their noses are rubbed in it. An example of this came some time ago when I was implementing a merchant account reconciliation for a customer. We did not need the bank to provide us with the credit card numbers -- just the amount of each transaction and our internally generated transaction identifiers we initially sent them. Naturally, they had the brass balls to charge us extra for this precaution that would have saved both our asses in the event a hacker got a copy of the plaintext reconciliation data. Something this basic ought to be standard operating procedure.
Geez, I wonder how the Online Data Corp web site got hacked so easily... Let's see on Netcraft...
Yep, "The site www.onlinedatacorp.com is running Microsoft-IIS/5.0 on Windows 2000" (and with an uptime of less than a day at that).
And what about the vendor with a guessed password? Netcraft it again... You, ahem, guessed it: The site TalkingTP.com is running Microsoft-IIS/5.0 on Windows 2000.
I dunno about you, but whenever I see a web page with the magical .asp suffix, I carefully avoid to even turn on cookies. Much less give them my name and CC number. Because I know that it's only a question of time before they get hacked, owner and stripped from their customer files.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
The kid that broke into MSN, hacked Gates' credit card number and ordered a shipment of Viagra sent to Gates paid for with his own credit card?
Much more amusing than this...
Rutger Hauer playing a sort of Carlos the Jackal terrorist in the movie "Nighthawks" used to call people over the phone before he blew something up and say, "Remember - there is no security!"
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
The biggest lie is that the credit card companies eat these losses. It is often the merchant who gets nailed. I lost 5 grand last year when I sold some equipment to someone with a stolen credit card. Chase Manhattan and Cardservice said: yes, it was a fraud and forgery, and we gave you an approval, but f@ck you anyway. The money was removed from my account, never to be seen again.
Who on earth would really bother going after card numbers (except for making a fuss)? The thing to go after is the DES key used to make real cards (cracking here is useless as most of the data is discarded, except the PIN offset). I almost got them once, but disassembling 8051 code and dragging around hardware for retrieval of the key from CMOSRAM on the thing (old-time Wayne-Dresser card reader, that works offline, had keys, and strapped down so that the memory-clear security features was disabled), while on the run from the cops didn't help my effort, had to give up after a week or so.
Ordo Militum Unix.
Go all the way up the chain until you're talking to the chairman's office. In the UK we have what's called the "Banking Ombudsman", a government regulator/independent mediator between banks and their customers, a quick google for something similar for the USA shows These Guys could be the mediators you need. I'm sure more googling will help.
Best of luck mate.
I don't think I'm very happy. I always fall asleep to the sound of my own screams.
and no-one else seems to get the joke
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
piece of mind
Stay in school, kid. You're not done. It's "peace of mind".
In 1998 I was one of thousands of victims in an international hundred million dollar credit card fraud. Some of the suspected principals of that case are said to be back in operation.
I had a few minutes of limited fame back then, including an appearance on Japanese tv. The story of that fraud, and a discussion of cc fraud in general, is here. (Alas, the site is hosted by myhosting.com, and as on many Sunday mornings it is now down!)
Only the banks can fix the problem, but with the very notable exception of American Express they've done very little. I now use AMEX for all recurring internet transactions, and if they ever got their Quicken support working reliably (they've failed for 3 years) I'd use them for all online transactions. AMEX has the best attention to security, and the best response to fraud, and the most sustained interest in combating fraud.
Barring litigation, the VISA/MC franchise will only fix this problem if customers stop using their cards. So use AMEX instead.
john faughnan
jfaughnan@spamcop.net
www.faughnan.com
Was the card a Visa or Mastercard? If so, call them, not your bank. Banks have had their credit card privileges revoked (and all cards cancelled) because of shit like this. I know Ford and Dodge dealers that have had the service centers shut down and dealership stuff put under a microscope because of the same type of things but with cars. Also, go to the bank in person WITH ANYONE PERSON and speak to the big cheese himself. Be prepared with the receipts. Know exactly how long you and your family have been a customer and how many accounts your family has combined. Be nice but very firm. If they don't act, file a BBB complaint and contact your AG. They can't weasel out of it forever.
I've had both on Discover and Mastercard accounts where I was traveling and made a quite large purchase away from home. A spanking new laptop in one case. Returned home, they called and asked what were my latest charges, making sure they were mine, and not fraud. That was nice of them. And I check the statement every time.
Oke. I'm a girl who has a traditionally male first name. And i can't tell you how many cashiers i have berated for not checking my signature. They look at me blankly, and say, "Oh, i thought it was your husband's card." And i silently hold up my ringless left hand, and as they blink, cluelessly, i explain to them that i always want them to check the signature. What if a guy were to swipe my card? i then show them my license, etc. I USED to write, "Please request identification," on the card. Oddly enough, it was the bank that made me stop this, because they said that i had to have a valid signature, or they wouldn't be able to acknowledge ANY fraudulent charges. Darn it. That worked best but is now not allowed to me, so i settle for not signing anything until i see them actually look at the card. And if they don't raise an eyebrow when they see my unusual name on the card, i stand there until they compare the signature... I used to be a cashier, too. And i have seen it all: the people who actually use whiteout on the back of the card- the new, rollon whiteout can be used, with a little epoxy, to create a new (but very inauthentic looking to a close look) signature strip; the people who bring the unsigned card up and then offer to sign it in front of you; the people who give you the card, write an entirely different name, and then tell you that it's their husband's/ wife's card- and offer you a note giving them permission to use it!!! As for my problem? Well, i talked it over with the bank. As long as it's not actually written on the signature strip, you can write anything you want on the back of the card. So, in indelible ink on the top of the back, it reads: DO NOT PROCESS THIS CARD WITHOUT CHECKING ID. Has it worked? Mostly. I still get the occasional brainless cashier, but for the most part, they pay attention. The bank was happy, i'm happy, and my imaginary husband whose card they think it is- well, he's just out of luck.
"I'd say 'Have a good time,' but arson is still illegal."
Found this on one of my webtrawls (am in fact looking for a new bank and like the new crop of internet only banks).
Cahoot (a credit card and internet bank) have a service called "Web Card" - http://www.cahoot.com/cahoot_products/cahoot_webcard/webcard.html - which must be one of the most innovative solutions for CC fraud (the online variety anyway).
The idea is that you never use your real CC number online, but log on to your internet bank and get a web card number.
This web card number is a one off generated VISA number that you can lock to one amount.
In the background, the bank matches the charge to that VISA number with your CC number and deducts the charge from your card.
Once the amount you set has been transacted on that VISA number, the number ceases to be useful.
Doesn't solve every CC fraud, but is still smart...
/Martin
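The web card scheme described in the comment above, sketched as an added example (not part of the original thread and not Cahoot's code): a bank-side table maps each one-off number to the real account and an amount lock, so a number captured at a merchant is worthless once the lock is spent. The class and method names, the `400000` test prefix, the account id and the handling of partial charges are all assumptions made for illustration.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

class WebCardIssuer:
    """Bank-side state: the merchant only ever sees the one-off number."""

    def __init__(self, prefix: str = "400000"):  # constructed test prefix
        self.prefix = prefix
        self._cards = {}   # one-off number -> [real account id, pence left]
        self.ledger = []   # (real account id, pence) postings to the real card

    def issue(self, account_id: str, limit_pence: int) -> str:
        """Create a 16-digit, Luhn-valid number locked to limit_pence."""
        while True:
            body = self.prefix + "".join(
                str(secrets.randbelow(10)) for _ in range(9))
            number = body + luhn_check_digit(body)
            if number not in self._cards:
                break
        self._cards[number] = [account_id, limit_pence]
        return number

    def authorize(self, number: str, pence: int) -> bool:
        """Approve only while the locked amount covers the charge."""
        entry = self._cards.get(number)
        if entry is None or pence <= 0 or pence > entry[1]:
            return False
        entry[1] -= pence
        self.ledger.append((entry[0], pence))
        if entry[1] == 0:            # amount fully transacted:
            del self._cards[number]  # the number ceases to be useful
        return True

def demo():
    bank = WebCardIssuer()
    card = bank.issue("acct-1", 2500)          # constructed account, 25.00 lock
    results = [bank.authorize(card, 3000),     # over the lock: denied
               bank.authorize(card, 2500),     # the intended purchase
               bank.authorize(card, 1)]        # later reuse of the number
    return card, results, bank.ledger
```

The real card number never appears in `authorize`; only the ledger, which stays inside the bank, ties the charge back to the account.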
The complete verse is:
I before E
Except after C
Or when sounded as A
As in eighteen and sleigh
Instant message me with your credit card # address, and exactly what you want, I will purchase it with MY credit card and charge yours the same amount (minus 1 dollar processing fee) I am honest, OK? This will work. I will work for the fee only. thanks
This is not a Sig.