60,000 Credit Card Numbers Stolen Online
robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."
If you'd read the article through, you would've seen that the merchant account was never credited with the $300K-plus authorized. The main worry is that now the criminals have a large number of valid card numbers; but all those numbers are on record and can be canceled, and new numbers issued. Transactions using those numbers can be traced.
Admittedly the incident caused a lot of annoyance and no small expense for card issuers, and there are ways security could be improved, but in the end, the hack didn't cause a disaster.
I was pissed off recently because I can't use my Switch (Debit Card) on Dabs, but looking at it realistically, it makes sense because with most banking online in the UK, most (if not all) Credit Cards have insurance against online theft (whereas I don't think the Debit Cards have the same protection).
But I know that isn't the point (relying on the insurance), because the systems (and banks) need to catch up with the standards that the internet/online world requires. Not only the banks have problems, but remember Amazon.com keeping quiet about major breaches of security and customers' bank details being overly exposed... I never saw the image, but didn't someone modify their logo so that it said 'Shhhh!'?
Just my 2 fraudulently obtained cents (processed through Online Data Corp's credit card transaction processor).
Are you local? There's nothing for you here!
EVERYONE with a Visa or Mastercard has fraud protection. It's a federal law. You probably didn't know that, and were suckered into paying extra for it.
Why does /. always consider stolen credit card numbers a consumer/yro problem? Stolen numbers that are used are nearly always reimbursed by the company (debit cards are different, unless you know the rules, you shouldn't use them online).
Big, enormous, credit card companies could make usage of credit cards more secure (and difficult) but they haven't because they probably don't want to do anything that will lower or hinder usage.
Because these guys make an enormous amount of money from credit card interest, I don't think they will make any major changes anytime soon.
-Sean
Are you sure that your debit card has fraud protection? Most debit cards do not, as they are regulated differently than credit cards.
My Visa debit card, for example, does not, so I put all my online transactions on my actual credit card.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
If you're crazy enough to buy that 30$ item or that 200$ basket with a GOLD Visa that has no protection, you're asking for trouble. The most basic way to protect yourself is to [...] get a visa or mastercard with insurance/protection for that kind of fraud.
No, the most basic form of protection is to not have a card at all. Seriously, though, as others have pointed out elsewhere, there are federal liability statutes that limit fraudulent purchase charges to, at most, $50. Enrolling in fraud protection programs offered by credit card companies is just not worth it -- over the lifetime of the card, balanced against the risk of a fraudulent charge appearing on your statement in excess of $50, you're paying for more than you're getting.
Banks are to blame on this though[...]
I suspect a fair amount of exaggeration here. I will agree that "bank cards" that act as credit accounts are a danger. They are not subject to the same fraud protection that "true" credit accounts are. I wouldn't fault the banks for that headache, though, I'd blame consumers who flash them around without considering the consequences. Sometimes, I wonder whether VISA check cards and their ilk were such a good idea at all.
Your points about the significance of proper software development are important. However, the issues aren't confined to "e-merchants", as brick and mortar merchants are quite open to credit fraud, too.
False charges that are later cancelled still show up on your credit record, with notes explaining the situations. As anyone who has worked with databases will understand, these records are then queried in credit checks with queries that do not have a human's ability to understand that the credit charge was bogus.
Therefore until the record has to be removed by law, your credit record can be hosed. And since nothing was actually stolen from you, if the credit card company chooses not to pursue (which from their point of view is a risk/reward issue involving the amount that a lawsuit would cost), you have no standing to sue about it.
The same thing happens with identity fraud, but tends to be larger because they can rack up quite the bill before anyone figures out that you don't live at the black hole that the bills are going to.
For more see Database Nation.
It's worse than that. They will take the money back from the reseller plus a penalty. The credit card companies actually make money on the deal.
Scam is putting it mildly.
I was under the same impression, but listen to my sad story.
On August 17, while on vacation, I discovered some bogus transactions on my card on August 9 - 5 transactions, $800, to some card processor in Israel. I called my bank the same day and told them the transactions were bogus and they issued me a new card.
Yesterday my bank called back and said that the merchant had verified the transactions and that I would be responsible for them. The merchant's "proof" was a single page fax that basically said that the charges had been done for an online casino account that had been opened in my name. Since the account was in my name, and the account "had a unique username and password", that is all the proof that the bank needed that I had authorized the charges.
The fact that the casino account was opened on the same day that the charges were made didn't seem to make a difference. The fact that I had never heard of the casino, nor had I authorized them to open an account in my name didn't make a difference. The fact that on the day in question, I was on vacation and driving from Seattle to Montana (a 10 hour drive, with credit card receipts to prove it) didn't seem to make a difference.
According to my bank (this is US Bank), I am responsible for the charges, and my only recourse is to take it up with the casino and their credit card processor.
So much for anti-fraud protection.
I am still planning to fight this, BTW, so if anyone has any suggestions about a course of action, I'm all ears.
If you do this every day, perhaps you have some insight on why my credit card company has refused to grant a chargeback to me.
One of the major banks in the UK has a great and simple fraud prevention scheme.
When the customer applies for a credit or debit card they bring in a passport photo of themselves and provide a specimen signature. These are then printed onto the back of the card.
The customer doesn't forget to sign the card, it doesn't rub off like normal cards, and it's easy for the cashier to tell if the person standing in front of them looks like the picture on the back of the card.
Fraudsters might be able to print cards with these details too, but perhaps by adding a hologram then this wouldn't be a problem either?
In 1998 I was one of thousands of victims in an international hundred million dollar credit card fraud. Some of the suspected principals of that case are said to be back in operation.
I had a few minutes of limited fame back then, including an appearance on Japanese tv. The story of that fraud, and a discussion of cc fraud in general, is here. (Alas, the site is hosted by myhosting.com, and as on many Sunday mornings it is now down!)
Only the banks can fix the problem, but with the very notable exception of American Express they've done very little. I now use AMEX for all recurring internet transactions, and if they ever got their Quicken support working reliably (they've failed for 3 years) I'd use them for all online transactions. AMEX has the best attention to security, and the best response to fraud, and the most sustained interest in combating fraud.
Barring litigation, the VISA/MC franchise will only fix this problem if customers stop using their cards. So use AMEX instead.
john faughnan
jfaughnan@spamcop.net
www.faughnan.com