Slashdot Mirror
60,000 Credit Cards Numbers Stolen Online
robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."
now i can finally afford some /. credits!
MARIJUANA, SHROOMS, X: ONLINE?! - E
This is why I have fraud protection on my card. I can backcharge anything, and VISA goes after those who frauded me. No fault, no charge. Anyone who messes with VISA goes against some of the most expensive lawyers there are... and a whole lotta pain can ensue....
Duh. From the article:
They then go on to talk about an earlier MSNBC expose reported in April. I suspect the testing of credit gateways happens far more often that MSNBC suggests. Actually, I was a "victim" of this sort of authorization fraud last month -- someone in Czechoslovakia breached a transaction system in North Carolina, posting $0.01 charges, then following up with larger charges for goods delivered to El Paso. Lovely. I only got hit up for the initial cent before cancelling the card, but the person with whom I spoke mentioned that many more people were tapped through their system.
People: check those statements. So many friends of mine don't, holding on to bank-issued VISA debit cards and not bothering to account for their money apart from "do I have anything in my account now that I'm standing in from of an ATM?"
The initial password assigned to the hacked account was OnlneAp16501. I wonder if the merchant before them had password OnlneAp16500? Sigh.
Curtains for windows?
Go online, log on, generate a one-time use number, plug that into the web site, only good for one transaction.
If you'd read the article through, you would've seen that the merchant account was never credited with the $300K-plus authorized. The main worry is that now the criminals have a large number of valid card numbers; but all those numbers are on record and can be canceled, and new numbers issued. Transactions using those numbers can be traced.
Admittedly the incident caused a lot of annoyance and no small expense for card issuers, and there are ways security could be improved, but in the end, the hack didn't cause a disaster.
I was pissed off recently because I can't use my Switch (Debit Card) on Dabs, but looking at it realisticly, it makes sense because with most banking online in the UK, most (if not all)Credit Cards have insurance against online theft (wheras I don't think the Debit Cards have the same protection).
But I know that isn't the point (relying on the insurance), because the systems (and banks) need to catch up with the standards that the internet/online world requires. Not only the banks have problems, but remember Amazon.com keeping quiet about major breaches of security and customers bank details being overly exposed... I never saw the image, but didn't someone modify their logo so that it said 'Shhhh!'?,
Just my 2 fruadulently obtained cents (processed through 'Online Data Corp's credit card transaction processor).
Are you local? There's nothing for you here!
OK, so the hackers now have a list of 60K credit cards that worked on this test. But the credit card company also has a list of credit cards tested by the hackers, right?
It shouldn't take too long for the credit card company to block all those cards. Of course, they've got 60K pissed off customers whose cards will have to be replaced, and that's not going to be that cheap!
My opinions may have changed, but not the fact that I am right! =)
Face it, most of us will never buy a 30,000$ piece of equipment on a e-commerce site. And even companies, that's why you have Purchase orders and/or accounts/checks. If you're crazy enough to buy that 30$ item or that 200$ basket with a GOLD Visa that has no protection, you're asking for trouble.
.02
The most basic way to protect yourself is to 1. You get a visa or mastercard with insurance/protection for that kind of fraud. If it's not available then go for a LOW limit on it, I did that with one, got about 700$ credit limit on it, I've taken the worst case scenario buying, more than that, if, let's say I would buy something for 2000$ off ebay, I'd simply send a cheque or if I don't trust the seller, I'll use an escrow service. For most e-commerce sites, 700$ for my personnal needs is okay, if I get frauded, it'll be ~500$ (balance) in the average, much less than if I'd use a 5K$ visa.
Banks are to blame on this though, we are users, we pay good money and good interests for this service and even in recessions they are still the ones making the most money, so why can't they come up with a better system? I don't have to THINK about that system, someone there is paid to do exactly that. I saw a report on TV the other night about how easy it is to empty bank accounts if you only have an account number and the complete address of the account number's owner... I mean... come on... basic service here. I'd gladly take an extra step that could make it less convinient to get better protection, this kind of situation shouldn't happen.
If you say "banks have nothing to do with E-merchants that don't protect their data" I'll say this: Banks indorectly or directly giving e-merchant status to people/companies, it's their responsibilities to make sure that their systems are safe and that their name won't be associated with being frauded to the bones. While I agree nothing is safe at 100%, there are some BASICS that should be covered, and the one in this article with over 100,000 queries is kinda OBVIOUS.
I fear we'll see more and more of this since now everything is continuing to be programmed at a higher and higher level without really knowing the insides and completely trusting the source tools (.NET for example, makes everything so much easier, but you don't even have to be a good programmer to use this). if the command becomes "securecheckout(items,price) return total; Charge(inputcreditcard)" well, if you are a good programmer, you'll check that "charge" function and how it works, if you are like most programmers out there, on a rush with a crazy deadline, you won't bother or take the time, hense, this will happen more and more. (I won't get into the rushed/incomplete software developping as well we all know the effects of that).
my
--- Metamoderating abusive downgraders since my 300th post.
Why does /. always consider stolen credit card numbers a consumer/yro problem? Stolen numbers that are used are nearly always reimbursed by the company (debit cards are different, unless you know the rules, you shouldn't use them online).
Big, enormous, credit card companies could make usage of credit cards more secure (and difficult) but they haven't because they probably don't want to do anything that will lower or hinder usage.
Because these guys make an enormous amount of money from credit card interest, I don't think they will make any major changes anytime soon.
-Sean
"You've generated 140,000 charges, thats more than your normal volume."
Hmm... Would you expect a store to want to deliberately shut down its systems because it is getting too much business? I mean what if slashdot had given them a posting about some great new product they had, or cnn.com, or any large media outlet. Can you really expect a merchant to build in a shutdown to its system on the extremely small chance that some hacker is going to use their site as a testbed, and potentially lose millions of dollars in sales? I do not think you can really blame the system here, for either its lack of foresight, or lets say they did forsee this scenario, or its unwillingness to refuse lots of orders. The article was kind of sparse on details but I am guessing this was an all at once kind of transaction, and even if there was some kind of alert sounded, that by the time anyone realized what was going on, the transactions would have taken place already. The passwords, while a little on the weak side, did contain a mixture of letters and numbers, and I am going to go under the assumption that the number was randomly generated. I dont think you can really place much blame on the merchant here- Could their security have been made stronger? Yes. Would stronger security have even prevented the event? Maybe.
I've never had a fear of credit card theft.
1. I can dispute charges (I suppose you can't do this with all credit card companies).
2. They ALWAYS call me if there is any "suspicious activity" on my card.
There have been times when I used my card 5 times in a single day, and of course the call me to make sure its all legitimate. I guess I don't know if all credit card companies extend such benefits to the customers, but my cards always have (Platinum, gold, and even those crappy ones you get in college when all you really wanted was a candy bar.)
Granted, this does not excuse sloppy software and ISP's leaving our credit card numbers exposed to the world, but it does increase my confidence in my credit card.
[FromTheMorning]
it says that I am responsible for unauthorized charges and I'll start caring.
I used to work at a small video rental chain (nine stores) in the corporate office/warehouse.
Each year, we would have a huge warehouse sale. We would gather about 10,000 previewed VHS tapes and sell them for anywhere from $1 up to $10. There were some really great deals.
Anyway, since the warehouse was actually behind and attached to one of the stores, we would just run one of the telephone lines and charge machines to the warehouse.
During that weekend, we would see tens of thousands of dollars in transactions, up from the normal activity on our account, usually measured in the hundreds of dollars a day in charges.
Each year we were called by the authorizing agent during the sale to make sure the sales were not fraudulent. In addition, one year we had to show a random sampling of the signed receipt copies from the sales.
I find it strange that the credit card company did not look into the matter any quicker than it did.
- (c) 2018 Hank Zimmerman
I work for TrustCommerce, a credit card processing gateway that just happens to compete with Verisign, the gateway mentioned in this article. What I want to know is why the Verisign rep said nothing about the velocity controls that should have been in place on the account in question. Velocity controls work like this: If a merchant goes over a certain number of transactions per day or per card, no more transactions are let through. The whole point of these controls are to prevent exactly this sort of basic fraud from occurring in the first place.
Go on-line to your favorite search engine and do a search for information about how to encrypt credit card transmissions using SSL. You will find a ton of useful information and hordes of people wanting to sell you certificates for your servers.
Now, go on-line and try to find information about STORING credit cards. There's very little in the way of useful information on how to do this securely. Most of the good security people simply advise not doing at all. In spite of that many on-line businesses are doing credit card storage and you quickly get the sense that few of them have any idea how to store this information in a secure way.
This sig has been temporarily disconnected or is no longer in service
why I don't own a credit card.
The numbers get stolen all the time and abused and they charge you for things you haven't bought like expensive cars, tall buildings and anti-tank missiles. And then you get into trouble.
The other reason why I don't own such a silly credit card is only known to the credit card companies, which won't tell me.
Owner of a Mensa membership card.
Heh... want to talk about credit card fraud?
The place I work at (which I'm not going to disclose right now) asked us for:
- Rent receipts
- My financial breakdown
- Cost of schooling
- Credit Card receipts
on our job application, so that I can "prove" I need the job badly enough (it's a student job, partly paid for by gov't wages).
How's that for fraudulent? I'd sue, but I don't think I'd win (the place I'm working for is pretty damn big). Ho hum.
Needless to say, they're not getting the receipts until the talk to me personally. Hasn't been a problem yet.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
A 400 mhz machine used as a server can handle 50-60 simultanious connections (thats what I have, thats what I can handle I pray I don't get slashdotted and I don't post links to my site), A commercial ebusiness should have dozens of time the capicity of me. so lets go with math time
lets just say they can handle 100 transactions a second (not unreasonable) then all 140000 transaction could happen in 23 minutes,
so lets say a computer flagged unusual activity and after 40000 transactions it would still take a t least fifteen minutes for the guy who saw the flag to ask his manager what he should do about it and make the call, by that timeit could be over.
This could happen much faster than the video stores big business day.
I used to have a cool sig, back when I cared
False chargest that are later cancelled still show up on your credit record, with notes explaining the situations. As anyone who has worked with databases will understood, these records are then queried in credit checks with queries that do not have a human's ability to understand that the credit charge was bogus.
Therefore until the record has to be removed by law, your credit record can be hosed. And since nothing was actually stolen from you, if the credit card company chooses not to pursue (which from their point of view is a risk/reward issue involving the amount that a lawsuit would cost), you have no standing to sue about it.
The same thing happens with identity fraud, but tends to be larger because they can rack up quite the bill before anyone figures out that you don't live at the black hole that the bills are going to.
For more see Database Nation.
Does anyone else find it incredibly ironic that Verisign is blaming Online Data for assinging weak passwords instead of strong passwords, and Online Data is blaming merchants for not changing their passwords?
Online Data, the payment processor, is a reseller of Verisign credit card gateway services.
And Verisign sells digital certificates, which provide authentication, identification, and non-repudiation of data signed with those certificates.
And yet they are relying on passwords, rather than requiring the use of an X.509 certificate for an established security association, so that no client machines other than the ones owned by the merchants themselves can be used to make credit card authorization requests.
And each of these people *has* a certificate in hand, since they have to have one to run an HTTPS (SSL based) server in the first place!
That's a bit like the U.S. Marines deciding to hire school crossing guards to provide the security for Fort Knox, isn't it?
And now they are blaming people for not hiring the right school crossing guards, or not firing olld school crossing guards, and hiring different ones "often enough"...
-- Terry
It's all 'cause they Freed Kevin. It's the only possibility.
± 29 dB
Time to sign up with Microsoft Passport. At least then, I'll know my credit card information will be safe :)
This space left intentionally blank.
And once again, this is a problem for Visa, not for me.
The onus is on the merchant to PROVE that I authorized those charges, and not the other way around. It SHOULD be like this on every other visa card issuer out there. If it's not, change (i'd be surprised)
IF you see a charge on your card that isn't yours, a single phone call is all that should be required to get rid of it.
WE have to remember, the credit card is the property of the issuer, not the holder. The money was not stolen from you, it was stolen from VISA.
Credit cards are an entirely different matter than debit cards like switch.
Credit cards don't *NEED* insurance against online theft usually... fraudulent charges are NOT your responsbility, PERIOD.
It is the responsbility of the merchants to ensure that transactions are legit, or they lose out, not you.
A single call from a cardholder declaring a transaction as unauthorized is all it takes to get you off the hook for the cash. They will investigate, of course, but the onus is heavily on the merchant to prove he had authorization to make the charge.
The credit card numbers weren't STOLEN. They were COPIED. Information wants to be free! Oh wait, this argument only applies to music, movies and software...
First of all, stop this whole credit card business on the net. It is WAY dumb to have a stupid little code and an expiery (sp?) as the only thing identifing you.
Here is an example:
Have an ID system a la passport (preferably a company with no other interests at hand other than providing this service and high security). Now I can identify myself.
I login to shop.on.the.net and register myself (I let them know who I am), I can set what kind of news I want, and I can shop for stuff. Goodie. I choose to buy thing A, thing B, and thing Q, and I press "ORDER".
Now I have to log into my bang account, here I see that shop.on.the.net wants $XXX from me, and I say "yes I would like that". Now you have had two different systems that had to be broken before you can hack it.
Now what happens is that the order is sent to one of a few addresses that I have registered at my bank, no other addresses will be sent to. There is also a mentioning on my pages on the banks site of where it was sent.
Now, this system would not be hard to use (probably would take less time to order than for me to write this down for you), and it could probably be improved upon further, in terms of ease of use and security. And it is surely much better than a system with a stupid number and almost no control over it.
on many cards, the $50 limitation is only if your CARD is used fraudulently... as in, someone steals it and uses it without your permission.
If you read most contracts, you will find you have zero liability if someone scams your number somehow and uses it.
but you don't HAVE to "buy" protection from this kind of fraud; at least in Canada & the US, it is federally guaranteed.
You are not responsible for fraudulent use of your card. Period. At all. In any way.
The only way you ARE responsible is usually for up to $50 IF THE CARD ITSELF IS STOLEN., and that's only if the charges happen before you report the card as stolen.
Merchants are hte ones who get stung when cards are used fraudulently, not visa, and not the cardholder.
I thought this story was gonna be about a website where you could test the "validity" of your credit card by typing in the number and waiting for the results...
Obligatory Simpsons reference:
Snake: "OOhhhh.. wallet inspector."
Nerds: "I think everything's in order." (hand over wallets)
Snake: "I can't believe that worked."
What else would Online Data be running? Duh, the validation sofware saw nothing unusual in 140,000 $5.07 transactions? OK. Here, Mr. Vendor, just use this super secret closed software that we promisse will be safe and secrure because no one has ever auditied or validated it. Weeee! Another fine "product" to run on the world's most secure platform.
Friends don't help friends install M$ junk.
While Verisign actually performed the authorizations, Dunne blamed the reseller, Online Data, for the incident. She said the company issued poor passwords to its customers.
"We encourage resellers to assign strong passwords. The issue here appears to be the nature of passwords assigned to merchants," she said.
But Rante said the merchant was to blame for not changing its password often enough.
"All of us need to change our passwords," Rante said. "We issue a starter password just like most companies do. We strongly urge the merchant to go in and change their password. This merchant failed to change their password and they were hacked.
So remember that kiddies, you are RESPONSIBLE for your password and any foul deed commited when someone breaks the crummy buggy crap software that accepts it! So clueless. The software was inadequate and those inadequacies obviously aided criminals. The criminal is at fault, but the maker of the software deserves blame for protecting against an obvious event.
Business at the speed of stupid.
Friends don't help friends install M$ junk.
Geez, I wonder how the Online Data Corp web site got hacked so easily... Let's see on Netcraft...
Yep, "The site www.onlinedatacorp.com is running Microsoft-IIS/5.0 on Windows 2000" (and with an uptime of less than a day at that).
And what about the vendor with a guessed password? Netcraft it again... You, ahem, guessed it: The site TalkingTP.com is running Microsoft-IIS/5.0 on Windows 2000.
I dunno about you, but whenever I see a web page with the magical .asp suffix, I carefully avoid to even turn on cookies. Much less give them my name and CC number. Because I know that it's only a question of time before they get hacked, owner and stripped from their customer files.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
I remember him: my number was one of the ones stolen from cduniverse. My card was cancelled, but they didn't tell me until I was at the front of a many-deep line at Best Buy. In fact, the clerk "called it in" and contacted Discover security, who then wanted to talk to me. When you're seventh in line, it's not moving, and the clerk and the customer are on the phone, now you know why. Sorry, I didn't enjoy it either.
Ironically, my number was stolen and the card pre-emptivly cancelled for a second time just two weeks ago. Fortunately, through both incidents, I haven't had to pay a dime.
and no-one else seems to get the joke
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
In 1998 I was one of thousands of victims in an international hundred million dollar credit card fraud. Some of the suspected principals of that case are said to be back in operation.
I had a few minutes of limited fame back then, including an appearance on Japanese tv. The story of that fraud, and a dicussion of cc fraud in general, is here. (Alas, the site is hosted by myhosting.com, and as on many Sunday mornings it is now down!)
Only the banks can fix the problem, but with the very notable exception of American Express they've done very little. I now use AMEX for all recurring internet transactions, and if they ever got their Quicken support working reliably (they've failed for 3 years) I'd use them for all online transactions. AMEX has the best attention to security, and the best response to fraud, and the most sustained interest in combating fraud.
Barring litigation, the VISA/MC franchise will only fix this problem if customers stop using their cards. So use AMEX instead.
john faughnan
jfaughnan@spamcop.net
www.faughnan.com
John Faughnan
jfaughnan@spamcop.net
Was the card a Visa or Mastercard? If so, call them, not you bank. Banks have had their credit card privelges revoked (and all cards cancelled) because of shit like this. I know Ford and Dodge dealers that have had the service centers shutdown and dealership stuff put under a microscope because of the same type of things but with cars. Also, go to the bank in person WITH ANYONE PERSON and speak to the big cheese himself. Be prepared with the reciepts. Know exactly how long you and your family has been a customer and how many accounts your family has conbined. Be nice but very firm. If they don't act, file a BBB complaint and contact you AG. They can't weasel out of it for ever.