60,000 Credit Cards Numbers Stolen Online
robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."
Duh. From the article:
They then go on to talk about an earlier MSNBC expose reported in April. I suspect the testing of credit gateways happens far more often than MSNBC suggests. Actually, I was a "victim" of this sort of authorization fraud last month -- someone in Czechoslovakia breached a transaction system in North Carolina, posting $0.01 charges, then following up with larger charges for goods delivered to El Paso. Lovely. I only got hit up for the initial cent before cancelling the card, but the person with whom I spoke mentioned that many more people were tapped through their system.
People: check those statements. So many friends of mine don't, holding on to bank-issued VISA debit cards and not bothering to account for their money apart from "do I have anything in my account now that I'm standing in front of an ATM?"
Go online, log on, generate a one-time use number, plug that into the web site, only good for one transaction.
That fraud protection is ironically a scam.
You are already guaranteed limited liability to $50 and chargeback rights by law. The credit card companies sell that fraud protection because they know it doesn't really cost them anything, since it's mostly what they have to provide anyway.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
"You've generated 140,000 charges, that's more than your normal volume."
Hmm... Would you expect a store to want to deliberately shut down its systems because it is getting too much business? I mean, what if slashdot had given them a posting about some great new product they had, or cnn.com, or any large media outlet? Can you really expect a merchant to build in a shutdown to its system on the extremely small chance that some hacker is going to use their site as a testbed, and potentially lose millions of dollars in sales? I do not think you can really blame the system here, either for its lack of foresight, or, let's say they did foresee this scenario, for its unwillingness to refuse lots of orders. The article was kind of sparse on details, but I am guessing this was an all-at-once kind of transaction, and even if there was some kind of alert sounded, by the time anyone realized what was going on, the transactions would have taken place already. The passwords, while a little on the weak side, did contain a mixture of letters and numbers, and I am going to go under the assumption that the number was randomly generated. I don't think you can really place much blame on the merchant here. Could their security have been made stronger? Yes. Would stronger security have even prevented the event? Maybe.
I used to work at a small video rental chain (nine stores) in the corporate office/warehouse.
Each year, we would have a huge warehouse sale. We would gather about 10,000 previewed VHS tapes and sell them for anywhere from $1 up to $10. There were some really great deals.
Anyway, since the warehouse was actually behind and attached to one of the stores, we would just run one of the telephone lines and charge machines to the warehouse.
During that weekend, we would see tens of thousands of dollars in transactions, up from the normal activity on our account, usually measured in the hundreds of dollars a day in charges.
Each year we were called by the authorizing agent during the sale to make sure the sales were not fraudulent. In addition, one year we had to show a random sampling of the signed receipt copies from the sales.
I find it strange that the credit card company did not look into the matter any quicker than it did.
- (c) 2018 Hank Zimmerman
I work for TrustCommerce, a credit card processing gateway that just happens to compete with Verisign, the gateway mentioned in this article. What I want to know is why the Verisign rep said nothing about the velocity controls that should have been in place on the account in question. Velocity controls work like this: if a merchant goes over a certain number of transactions per day or per card, no more transactions are let through. The whole point of these controls is to prevent exactly this sort of basic fraud from occurring in the first place.
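The velocity controls described in the comment above, as an added illustration; this is not TrustCommerce's or Verisign's code, and the threshold values, the `VelocityPolicy`/`VelocityGate` names, and the constructed traffic are all assumptions. It goes one step beyond the comment by also counting probe-sized (one-cent) authorizations per hour, which is the pattern the earlier commenter reported seeing on their own card. Refused attempts still count against the limits, so a script that keeps hammering the gateway does not reset the counters.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


# Illustrative thresholds only; no real processor's limits are implied.
@dataclass(frozen=True)
class VelocityPolicy:
    max_per_merchant_per_day: int = 1000
    max_per_card_per_day: int = 3
    max_small_auths_per_merchant_per_hour: int = 20
    small_amount_cents: int = 100  # at or below this is treated as a probe-sized auth


@dataclass(frozen=True)
class AuthAttempt:
    merchant_id: str
    card_token: str  # a token or hash standing in for the PAN; the gate never needs the raw number
    amount_cents: int
    ts: datetime


class VelocityGate:
    """Counts authorization attempts per merchant-day, per card-day and per
    merchant-hour of small auths, and refuses any attempt that pushes a counter
    over policy.  Counters are bumped before the comparison, so refused attempts
    are counted too."""

    def __init__(self, policy: VelocityPolicy) -> None:
        self.policy = policy
        self._merchant_day: Dict[Tuple[str, str], int] = defaultdict(int)
        self._card_day: Dict[Tuple[str, str], int] = defaultdict(int)
        self._small_hour: Dict[Tuple[str, str], int] = defaultdict(int)

    def evaluate(self, a: AuthAttempt) -> Tuple[bool, str]:
        day = a.ts.strftime("%Y-%m-%d")
        hour = a.ts.strftime("%Y-%m-%d %H")
        p = self.policy

        # Per-merchant daily volume: the "more than your normal volume" check.
        self._merchant_day[(a.merchant_id, day)] += 1
        if self._merchant_day[(a.merchant_id, day)] > p.max_per_merchant_per_day:
            return False, "merchant_daily_velocity"

        # Per-card daily attempts: stops one number being retried over and over.
        self._card_day[(a.card_token, day)] += 1
        if self._card_day[(a.card_token, day)] > p.max_per_card_per_day:
            return False, "card_daily_velocity"

        # Probe-sized auths per merchant-hour: a burst of one-cent charges across
        # many different cards is a validity test, not business.
        if a.amount_cents <= p.small_amount_cents:
            self._small_hour[(a.merchant_id, hour)] += 1
            if self._small_hour[(a.merchant_id, hour)] > p.max_small_auths_per_merchant_per_hour:
                return False, "small_auth_velocity"

        return True, "ok"


def run_stream(attempts: List[AuthAttempt], policy: VelocityPolicy) -> Dict[str, int]:
    """Feed a stream through the gate; return counts of allowed/blocked and per-reason blocks."""
    gate = VelocityGate(policy)
    summary: Dict[str, int] = defaultdict(int)
    for a in attempts:
        allowed, reason = gate.evaluate(a)
        summary["allowed" if allowed else "blocked"] += 1
        if not allowed:
            summary[reason] += 1
    return dict(summary)


def sample_attempts() -> List[AuthAttempt]:
    """Constructed traffic for one merchant on one day: a normal morning, then a
    burst of one-cent probes from 50 different cards, then one card retried too often."""
    base = datetime(2001, 8, 1, 9, 0, 0)
    out: List[AuthAttempt] = []
    for i in range(5):
        out.append(AuthAttempt("shop-A", f"cust-{i}", 2500, base + timedelta(minutes=i)))
    probe_start = base + timedelta(hours=1)
    for i in range(50):
        out.append(AuthAttempt("shop-A", f"probe-{i:04d}", 1, probe_start + timedelta(seconds=i)))
    retry_start = base + timedelta(hours=2)
    for i in range(4):
        out.append(AuthAttempt("shop-A", "cust-repeat", 4000, retry_start + timedelta(seconds=i)))
    return out


if __name__ == "__main__":
    # Expected: 28 allowed, 31 blocked (30 small_auth_velocity, 1 card_daily_velocity).
    print(run_stream(sample_attempts(), VelocityPolicy()))
```

With the default policy the five normal sales go through, the first 20 penny probes are allowed and the remaining 30 are refused, and the fourth attempt on the repeated card is refused. A legitimate burst like the video-store sale described elsewhere in this thread would trip the merchant daily limit the same way, which is why a real gateway pairs the automatic cut-off with a phone call and a per-merchant override rather than a silent block.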
Go on-line to your favorite search engine and do a search for information about how to encrypt credit card transmissions using SSL. You will find a ton of useful information and hordes of people wanting to sell you certificates for your servers.
Now, go on-line and try to find information about STORING credit cards. There's very little in the way of useful information on how to do this securely. Most of the good security people simply advise not doing it at all. In spite of that, many on-line businesses are doing credit card storage, and you quickly get the sense that few of them have any idea how to store this information in a secure way.
This sig has been temporarily disconnected or is no longer in service
I've posted this story before, but half the time clerks don't check signatures because customers are jerks if you do check.
My girlfriend is working as a cashier at a drug store. Somebody came in and bought around $50 worth of stuff. He wanted to put it on his visa - she takes the card, runs it through, and puts the card down beside her register while the transaction goes through. The guy asks for his card back and she says she'll give it back after she verifies the signature - and the guy freaks out!
(Keep in mind, she's very polite and friendly, not speaking with a "fuck off, I'll give it back when I'm ready" type attitude)
He reaches across the counter, grabs the card, rants about how much money he makes and how stupid she must be (incidentally, she has a university degree and will be starting her first technical writing contract soon).
I used to get annoyed that cashiers don't check signatures - now I see why. Credit card fraud happens all the time but my girlfriend never had it happen on her register (unlike others at her store).
Robots are everywhere, and they eat old people's medicine for fuel.
A 400 MHz machine used as a server can handle 50-60 simultaneous connections (that's what I have, that's what I can handle; I pray I don't get slashdotted, and I don't post links to my site). A commercial ebusiness should have dozens of times the capacity of me. So let's go with math time.
Let's just say they can handle 100 transactions a second (not unreasonable); then all 140,000 transactions could happen in 23 minutes.
So let's say a computer flagged unusual activity after 40,000 transactions; it would still take at least fifteen minutes for the guy who saw the flag to ask his manager what he should do about it and make the call, and by that time it could be over.
This could happen much faster than the video store's big business day.
I used to have a cool sig, back when I cared