Slashdot Mirror
60,000 Credit Cards Numbers Stolen Online
robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."
If you'd read the article through, you would've seen that the merchant account was never credited with the $300K-plus authorized. The main worry is that now the criminals have a large number of valid card numbers; but all those numbers are on record and can be canceled, and new numbers issued. Transactions using those numbers can be traced.
Admittedly the incident caused a lot of annoyance and no small expense for card issuers, and there are ways security could be improved, but in the end, the hack didn't cause a disaster.
I was pissed off recently because I can't use my Switch (Debit Card) on Dabs, but looking at it realisticly, it makes sense because with most banking online in the UK, most (if not all)Credit Cards have insurance against online theft (wheras I don't think the Debit Cards have the same protection).
But I know that isn't the point (relying on the insurance), because the systems (and banks) need to catch up with the standards that the internet/online world requires. Not only the banks have problems, but remember Amazon.com keeping quiet about major breaches of security and customers bank details being overly exposed... I never saw the image, but didn't someone modify their logo so that it said 'Shhhh!'?,
Just my 2 fruadulently obtained cents (processed through 'Online Data Corp's credit card transaction processor).
Are you local? There's nothing for you here!
EVERYONE with a Visa or Mastercard has fraud protection. It's a federal law. You probably didn't know that, and were suckered into paying extra for it.
Why does /. always consider stolen credit card numbers a consumer/yro problem? Stolen numbers that are used are nearly always reimbursed by the company (debit cards are different, unless you know the rules, you shouldn't use them online).
Big, enormous, credit card companies could make usage of credit cards more secure (and difficult) but they haven't because they probably don't want to do anything that will lower or hinder usage.
Because these guys make an enormous amount of money from credit card interest, I don't think they will make any major changes anytime soon.
-Sean
If you're crazy enough to buy that 30$ item or that 200$ basket with a GOLD Visa that has no protection, you're asking for trouble. The most basic way to protect yourself is to [...] get a visa or mastercard with insurance/protection for that kind of fraud.
No, the most basic form of protection is to not have a card at all. Seriously, though, as others have pointed out elsewhere, there are federal liability statues that limit fradulent purchase charges to, at most, $50. Enrolling in fraud protection programs offered by credit card companies it just not worth it -- over the lifetime of the card, balanced against the risk of a fraudulent charge appearing on your statement in excess of $50, you're paying for more than you're getting.
Banks are to blame on this though[...]
I suspect a fair amount of exaggeration here. I will agree that "bank cards" that act as credit accounts area danger. They are not subject to the same fraud protection that "true" credit accounts are. I wouldn't fault the banks for that headache, though, I'd blame consumers who flash them around without considering the consequences. Sometimes, I wonder whether VISA check cards and their ilk were such a good idea at all.
Your points about the significance of proper software development are important. However, the issues aren't confined to "e-merchants", as brick and mortar merchants are quite open to credit fraud, too.
It's worse than that. They will take the money back from the reseller plus a pealty. The credit card companies actually make money on the deal.
Scam is putting it mildly.
I was under the same impression, but listen to my sad story.
On August 17, while on vacation, I discovered some bogus transactions on my card on August 9 - 5 transactions, $800, to some card processor in Israel. I called my bank the same day and told them the transactions were bogus and they issued me a new card.
Yesterday my bank called back and said that the merchant had verified the transactions and that I would be responsible for them. The merchant's "proof" was a single page fax that basically said that the charges had been done for an online casino account that had been opened in my name. Since the account was in my name, and the account "had a unique username and password", that is all the proof that the bank needed that I had authorized the charges.
The fact that the casino account was opened on the same day that the charges were made didn't seem to make a difference. The fact that I had never heard of the casino, nor had I authorized them to open an account in my name didn't make a difference. The fact that on the day in question, I was on vacation and driving from Seattle to Montana (a 10 hour drive, with credit card receipts to prove it) didn't seem to make a difference.
According to my bank (this is US Bank), I am responsible for the charges, and my only recourse is to take it up with the casino and their credit card processor.
So much for anti-fraud protection.
I am still planning to fight this, BTW, so if anyone has any suggestions about a course of action, I'm all ears.
If you do this every day, perhaps you have some insight on why my credit card company has refused to grant a chargeback to me.