60,000 Credit Cards Numbers Stolen Online
robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."
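As an added example (not from the story or from any poster here), a merchant-level velocity check of the kind the quoted source says was missing, run over constructed authorization log lines; the log format, merchant ids and per-merchant baselines are assumptions made for the example.

```python
"""Merchant-level velocity check: flag a merchant whose authorization
volume blows past its normal baseline, or whose decline ratio looks like
card testing. Log lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, merchant id, amount, gateway result.
SAMPLE_LOG = """\
2003-02-18T09:00:01 M-100 42.50 APPROVED
2003-02-18T09:04:10 M-100 18.00 APPROVED
2003-02-18T09:05:00 M-200 1.00 APPROVED
2003-02-18T09:05:01 M-200 1.00 DECLINED
2003-02-18T09:05:02 M-200 1.00 APPROVED
2003-02-18T09:05:03 M-200 1.00 DECLINED
2003-02-18T09:05:04 M-200 1.00 DECLINED
2003-02-18T09:05:05 M-200 1.00 APPROVED
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, merchant, amount, result = line.split()
        rows.append((datetime.fromisoformat(ts), merchant, float(amount), result))
    return rows

def velocity_alerts(rows, baseline_per_hour, factor=3.0,
                    window=timedelta(hours=1), decline_ratio=0.4):
    """Return {merchant: reason} for merchants whose peak one-hour count
    exceeds factor * baseline, or whose decline ratio is suspicious."""
    by_merchant = defaultdict(list)
    for ts, merchant, amount, result in rows:
        by_merchant[merchant].append((ts, result))
    alerts = {}
    for merchant, events in by_merchant.items():
        events.sort()
        # Sliding window: largest number of events inside any `window` span.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        base = baseline_per_hour.get(merchant, 1)  # assumed hourly baseline
        declines = sum(1 for _, r in events if r == "DECLINED")
        if peak > factor * base:
            alerts[merchant] = f"{peak} auths in one hour vs baseline {base}"
        elif declines / len(events) >= decline_ratio:
            alerts[merchant] = f"decline ratio {declines}/{len(events)}"
    return alerts
```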
This is why I have fraud protection on my card. I can backcharge anything, and VISA goes after those who defrauded me. No fault, no charge. Anyone who messes with VISA goes against some of the most expensive lawyers there are... and a whole lotta pain can ensue....
The initial password assigned to the hacked account was OnlneAp16501. I wonder if the merchant before them had password OnlneAp16500? Sigh.
Curtains for windows?
OK, so the hackers now have a list of 60K credit cards that worked on this test. But the credit card company also has a list of credit cards tested by the hackers, right?
It shouldn't take too long for the credit card company to block all those cards. Of course, they've got 60K pissed off customers whose cards will have to be replaced, and that's not going to be that cheap!
My opinions may have changed, but not the fact that I am right! =)
Face it, most of us will never buy a $30,000 piece of equipment on an e-commerce site. And even companies, that's why you have purchase orders and/or accounts/checks. If you're crazy enough to buy that $30 item or that $200 basket with a GOLD Visa that has no protection, you're asking for trouble.
.02
The most basic way to protect yourself is: 1. You get a Visa or Mastercard with insurance/protection for that kind of fraud. If it's not available, then go for a LOW limit on it. I did that with one, got about a $700 credit limit on it; I've taken the worst-case scenario buying. More than that, if, let's say, I would buy something for $2000 off eBay, I'd simply send a cheque, or if I don't trust the seller, I'll use an escrow service. For most e-commerce sites, $700 for my personal needs is okay; if I get defrauded, it'll be ~$500 (balance) on average, much less than if I'd used a $5K Visa.
Banks are to blame on this though. We are users, we pay good money and good interest for this service, and even in recessions they are still the ones making the most money, so why can't they come up with a better system? I don't have to THINK about that system; someone there is paid to do exactly that. I saw a report on TV the other night about how easy it is to empty bank accounts if you only have an account number and the complete address of the account number's owner... I mean... come on... basic service here. I'd gladly take an extra step that could make it less convenient to get better protection; this kind of situation shouldn't happen.
If you say "banks have nothing to do with e-merchants that don't protect their data," I'll say this: banks are indirectly or directly giving e-merchant status to people/companies; it's their responsibility to make sure that their systems are safe and that their name won't be associated with being defrauded to the bones. While I agree nothing is 100% safe, there are some BASICS that should be covered, and the one in this article with over 100,000 queries is kinda OBVIOUS.
I fear we'll see more and more of this, since now everything is continuing to be programmed at a higher and higher level without really knowing the insides and completely trusting the source tools (.NET, for example, makes everything so much easier, but you don't even have to be a good programmer to use it). If the command becomes "securecheckout(items,price) return total; Charge(inputcreditcard)", well, if you are a good programmer, you'll check that "charge" function and how it works; if you are like most programmers out there, in a rush with a crazy deadline, you won't bother or take the time. Hence, this will happen more and more. (I won't get into rushed/incomplete software development as well; we all know the effects of that.)
my
--- Metamoderating abusive downgraders since my 300th post.
The hack didn't cause a disaster... yet.
Assuming they re-issue card numbers to the people affected:
People who have to wait for a new card.
People who might not be at liberty to pick it up (i.e. what if they were overseas with a now defunct credit card, or worse, have to keep using a compromised credit card?).
People who still have to look for erroneous charges to their old card.
People who would then still have to re-instate any auto-debits they have charging to that card number.
There was annoyance to more than just the card issuers... and it wasn't even the card issuers' fault; they shouldn't have had the annoyance any more than the card owner!
It's high time that credit card transaction processors were forced to pay up for the inconveniences as well as the charges they cause when their systems are breached.
Video meliora proboque deteriora sequor - Ovidius
I've never had a fear of credit card theft.
1. I can dispute charges (I suppose you can't do this with all credit card companies).
2. They ALWAYS call me if there is any "suspicious activity" on my card.
There have been times when I used my card 5 times in a single day, and of course they call me to make sure it's all legitimate. I guess I don't know if all credit card companies extend such benefits to their customers, but my cards always have (Platinum, Gold, and even those crappy ones you get in college when all you really wanted was a candy bar).
Granted, this does not excuse sloppy software and ISPs leaving our credit card numbers exposed to the world, but it does increase my confidence in my credit card.
[FromTheMorning]
Does anyone else find it incredibly ironic that Verisign is blaming Online Data for assigning weak passwords instead of strong passwords, and Online Data is blaming merchants for not changing their passwords?
Online Data, the payment processor, is a reseller of Verisign credit card gateway services.
And Verisign sells digital certificates, which provide authentication, identification, and non-repudiation of data signed with those certificates.
And yet they are relying on passwords, rather than requiring the use of an X.509 certificate for an established security association, so that no client machines other than the ones owned by the merchants themselves can be used to make credit card authorization requests.
And each of these people *has* a certificate in hand, since they have to have one to run an HTTPS (SSL based) server in the first place!
That's a bit like the U.S. Marines deciding to hire school crossing guards to provide the security for Fort Knox, isn't it?
And now they are blaming people for not hiring the right school crossing guards, or not firing old school crossing guards and hiring different ones "often enough"...
-- Terry
This still doesn't help you with the fact that your primary number is easy enough to guess... a 16-digit credit card number only has a maximum of 11 digits for a given bank (4-digit bank code, and at least one checksum digit).
When a merchant is hacked like this, even brute-force number generation can be done with a little bit of information to yield a good number of valid credit card numbers.
The problem is that the credit card companies are allowed to make their money back (from fraud) on interest, so they have no real incentive to reduce the fraud imposed by the lack of numberspace. The "one-time numbers" are just something to make people feel more comfortable about spending money online.