Slashdot Mirror


60,000 Credit Cards Numbers Stolen Online

robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."

23 of 219 comments

  1. MSNBC: Not The First Time by great+throwdini · · Score: 5, Interesting

    Duh. From the article:

    This is not the first time credit card thieves have used hacked online merchant accounts to test cards.

    They then go on to talk about an earlier MSNBC expose reported in April. I suspect the testing of credit gateways happens far more often than MSNBC suggests. Actually, I was a "victim" of this sort of authorization fraud last month -- someone in Czechoslovakia breached a transaction system in North Carolina, posting $0.01 charges, then following up with larger charges for goods delivered to El Paso. Lovely. I only got hit up for the initial cent before cancelling the card, but the person with whom I spoke mentioned that many more people were tapped through their system.

    People: check those statements. So many friends of mine don't, holding on to bank-issued VISA debit cards and not bothering to account for their money apart from "do I have anything in my account now that I'm standing in front of an ATM?"

  2. extraordinarily weak passwords? by NanoProf · · Score: 4, Insightful

    The initial password assigned to the hacked account was OnlneAp16501. I wonder if the merchant before them had password OnlneAp16500? Sigh.

    --
    Curtains for windows?

  3. Use one-time use numbers by weave · · Score: 5, Interesting

    When shopping online, I only use American Express's Private Payments.

    Go online, log on, generate a one-time use number, plug that into the web site, only good for one transaction.

    1. Re:Use one-time use numbers by aaarrrgggh · · Score: 5, Insightful

      This still doesn't help you with the fact that your primary number is easy enough to guess... a 16-digit credit card number only has a maximum of 11 digits for a given bank (4-digit bank code, and at least one checksum digit).

      When a merchant is hacked like this, even brute-force number generation can be done with a little bit of information to yield a good number of valid credit card numbers.

      The problem is that the credit card companies are allowed to make their money back (from fraud) on interest, so they have no real incentive to reduce the fraud imposed by the lack of numberspace. The "one-time numbers" are just something to make people feel more comfortable about spending money online.

  4. Re:Credit Card by GigsVT · · Score: 5, Interesting

    That fraud protection is ironically a scam.

    You are already guaranteed limited liability to $50 and chargeback rights by law. The credit card companies sell that fraud protection because they know it doesn't really cost them anything, since it's mostly what they have to provide anyway.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.

  5. Not as brittle as you think by TheSHAD0W · · Score: 4, Informative

    If you'd read the article through, you would've seen that the merchant account was never credited with the $300K-plus authorized. The main worry is that now the criminals have a large number of valid card numbers; but all those numbers are on record and can be canceled, and new numbers issued. Transactions using those numbers can be traced.

    Admittedly the incident caused a lot of annoyance and no small expense for card issuers, and there are ways security could be improved, but in the end, the hack didn't cause a disaster.

    1. Re:Not as brittle as you think by CyberKnet · · Score: 4, Insightful

      the hack didn't cause a disaster... yet.
      Assuming they re-issue card numbers to the people affected.

      People who have to wait for a new card.

      People who might not be at liberty to pick it up (i.e. what if they were overseas, with a now defunct credit card, or worse, have to keep using a compromised credit card?).

      People who still have to look for erroneous charges to their old card.

      People who would then still have to re-instate any auto-debits they have charging to that card number.

      There was annoyance to more than just the card issuers... and it wasn't even the card issuers' fault, they shouldn't have had the annoyance any more than the card owner!

      It's high time that credit card transaction processors were forced to pay up for the inconveniences as well as the charges they cause when their systems are breached.

      --
      Video meliora proboque deteriora sequor - Ovidius

  6. Insurance by T-Kir · · Score: 3, Informative

    I was pissed off recently because I can't use my Switch (Debit Card) on Dabs, but looking at it realistically, it makes sense because with most banking online in the UK, most (if not all) credit cards have insurance against online theft (whereas I don't think the debit cards have the same protection).

    But I know that isn't the point (relying on the insurance), because the systems (and banks) need to catch up with the standards that the internet/online world requires. Not only the banks have problems, but remember Amazon.com keeping quiet about major breaches of security and customers' bank details being overly exposed... I never saw the image, but didn't someone modify their logo so that it said 'Shhhh!'?

    Just my 2 fraudulently obtained cents (processed through Online Data Corp's credit card transaction processor).

    --
    Are you local? There's nothing for you here!

  7. Re:Credit Card by NineNine · · Score: 5, Informative

    EVERYONE with a Visa or Mastercard has fraud protection. It's a federal law. You probably didn't know that, and were suckered into paying extra for it.

  8. 2 Ways to make this less painful for you. by tcc · · Score: 3, Insightful

    Face it, most of us will never buy a 30,000$ piece of equipment on an e-commerce site. And even companies, that's why you have purchase orders and/or accounts/checks. If you're crazy enough to buy that 30$ item or that 200$ basket with a GOLD Visa that has no protection, you're asking for trouble.

    The most basic way to protect yourself is to 1. You get a Visa or Mastercard with insurance/protection for that kind of fraud. If it's not available then go for a LOW limit on it, I did that with one, got about 700$ credit limit on it, I've taken the worst case scenario buying, more than that, if, let's say I would buy something for 2000$ off ebay, I'd simply send a cheque or if I don't trust the seller, I'll use an escrow service. For most e-commerce sites, 700$ for my personal needs is okay, if I get frauded, it'll be ~500$ (balance) on average, much less than if I'd use a 5K$ Visa.

    Banks are to blame on this though, we are users, we pay good money and good interest for this service and even in recessions they are still the ones making the most money, so why can't they come up with a better system? I don't have to THINK about that system, someone there is paid to do exactly that. I saw a report on TV the other night about how easy it is to empty bank accounts if you only have an account number and the complete address of the account number's owner... I mean... come on... basic service here. I'd gladly take an extra step that could make it less convenient to get better protection, this kind of situation shouldn't happen.

    If you say "banks have nothing to do with e-merchants that don't protect their data" I'll say this: banks indirectly or directly giving e-merchant status to people/companies, it's their responsibility to make sure that their systems are safe and that their name won't be associated with being frauded to the bones. While I agree nothing is safe at 100%, there are some BASICS that should be covered, and the one in this article with over 100,000 queries is kinda OBVIOUS.

    I fear we'll see more and more of this since now everything is continuing to be programmed at a higher and higher level without really knowing the insides and completely trusting the source tools (.NET for example, makes everything so much easier, but you don't even have to be a good programmer to use this). If the command becomes "securecheckout(items,price) return total; Charge(inputcreditcard)" well, if you are a good programmer, you'll check that "charge" function and how it works, if you are like most programmers out there, in a rush with a crazy deadline, you won't bother or take the time, hence, this will happen more and more. (I won't get into the rushed/incomplete software developing as well, we all know the effects of that).

    my .02

    --
    --- Metamoderating abusive downgraders since my 300th post.

    1. Re:2 Ways to make this less painful for you. by great+throwdini · · Score: 3, Informative

      If you're crazy enough to buy that 30$ item or that 200$ basket with a GOLD Visa that has no protection, you're asking for trouble. The most basic way to protect yourself is to [...] get a visa or mastercard with insurance/protection for that kind of fraud.

      No, the most basic form of protection is to not have a card at all. Seriously, though, as others have pointed out elsewhere, there are federal liability statutes that limit fraudulent purchase charges to, at most, $50. Enrolling in fraud protection programs offered by credit card companies is just not worth it -- over the lifetime of the card, balanced against the risk of a fraudulent charge appearing on your statement in excess of $50, you're paying for more than you're getting.

      Banks are to blame on this though[...]

      I suspect a fair amount of exaggeration here. I will agree that "bank cards" that act as credit accounts are a danger. They are not subject to the same fraud protection that "true" credit accounts are. I wouldn't fault the banks for that headache, though, I'd blame consumers who flash them around without considering the consequences. Sometimes, I wonder whether VISA check cards and their ilk were such a good idea at all.

      Your points about the significance of proper software development are important. However, the issues aren't confined to "e-merchants", as brick and mortar merchants are quite open to credit fraud, too.

    2. Re:2 Ways to make this less painful for you. by dbarclay10 · · Score: 3, Insightful

      You already have fraud insurance. As has been pointed out at least two dozen times, it's required by law in almost every country.

      The rest of it is pretty silly. Credit cards are useful because you can use them lots of places. Banks simply can _not_ audit everybody's software. That's impossible. If they tried it, you'd pay much higher interest than you do already on your credit card - as if it wasn't bad enough.

      It works fine as it stands. Somebody steals your credit card number, you don't pay a dime, the credit card company nails the company that was the root of the problem (the one with the security hole), and that's the end of it.

      --

      Barclay family motto:
      Aut agere aut mori.
      (Either action or death.)
  9. Stolen Credit Cards by smoondog · · Score: 3, Informative

    Why does /. always consider stolen credit card numbers a consumer/yro problem? Stolen numbers that are used are nearly always reimbursed by the company (debit cards are different, unless you know the rules, you shouldn't use them online).

    Big, enormous, credit card companies could make usage of credit cards more secure (and difficult) but they haven't because they probably don't want to do anything that will lower or hinder usage.

    Because these guys make an enormous amount of money from credit card interest, I don't think they will make any major changes anytime soon.

    -Sean

    1. Re:Stolen Credit Cards by shoppa · · Score: 3, Informative

      Why does /. always consider stolen credit card numbers a consumer/yro problem? Stolen numbers that are used are nearly always reimbursed by the company

      Yeah, but it can be a bit of a pain. It takes at least a phone call, and in some cases it'll require cooperating with police, insurance companies, random companies you've never dealt with before but who lost money, and swearing affidavits, something that can require considerable time.

      It's also indicative of the poor security that many (most?) corporations give to personal data, which is a true "consumer/yro" issue.

  10. Not always true... by singularity · · Score: 5, Interesting

    I used to work at a small video rental chain (nine stores) in the corporate office/warehouse.

    Each year, we would have a huge warehouse sale. We would gather about 10,000 previewed VHS tapes and sell them for anywhere from $1 up to $10. There were some really great deals.

    Anyway, since the warehouse was actually behind and attached to one of the stores, we would just run one of the telephone lines and charge machines to the warehouse.

    During that weekend, we would see tens of thousands of dollars in transactions, up from the normal activity on our account, usually measured in the hundreds of dollars a day in charges.

    Each year we were called by the authorizing agent during the sale to make sure the sales were not fraudulent. In addition, one year we had to show a random sampling of the signed receipt copies from the sales.

    I find it strange that the credit card company did not look into the matter any quicker than it did.

    --
    - (c) 2018 Hank Zimmerman

  11. Where were the velocity controls? by witten · · Score: 5, Interesting

    I work for TrustCommerce, a credit card processing gateway that just happens to compete with Verisign, the gateway mentioned in this article. What I want to know is why the Verisign rep said nothing about the velocity controls that should have been in place on the account in question. Velocity controls work like this: if a merchant goes over a certain number of transactions per day or per card, no more transactions are let through. The whole point of these controls is to prevent exactly this sort of basic fraud from occurring in the first place.
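
A velocity gate of the kind witten describes, written as an added example for this thread (it is not TrustCommerce's or Verisign's code): it enforces a per-merchant and a per-card daily cap and also raises the "more than your normal volume" alert the summary says was missing. The merchant ids, card tokens, baseline figures and gateway log lines below are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class VelocityLimits:
    max_per_merchant_day: int    # hard cap on authorizations per merchant per day
    max_per_card_day: int        # hard cap on attempts against one card per merchant per day
    baseline_multiplier: float   # alert once today's count exceeds N x the merchant's usual volume


@dataclass
class VelocityGate:
    """Hypothetical gateway-side velocity control (example, not a real product's API)."""
    limits: VelocityLimits
    baseline: dict               # merchant id -> historical average authorizations per day
    merchant_counts: dict = field(default_factory=lambda: defaultdict(int))
    card_counts: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def authorize(self, merchant: str, card_token: str, ts: datetime) -> str:
        """Return 'allow' or a deny reason; counters only advance for allowed requests."""
        day = ts.date()
        mkey = (merchant, day)
        ckey = (merchant, card_token, day)
        if self.merchant_counts[mkey] >= self.limits.max_per_merchant_day:
            return "deny:merchant-velocity"
        if self.card_counts[ckey] >= self.limits.max_per_card_day:
            return "deny:card-velocity"
        self.merchant_counts[mkey] += 1
        self.card_counts[ckey] += 1
        usual = self.baseline.get(merchant)
        if usual and self.merchant_counts[mkey] > usual * self.limits.baseline_multiplier \
                and mkey not in self.alerts:
            # Soft control: still under the hard cap, but far above this merchant's
            # normal volume, which is the signal the article says nobody was watching.
            self.alerts.append(mkey)
        return "allow"


def _line(sec: int, token: str, merchant: str = "ODC-1650") -> str:
    return f"2002-08-09T10:00:{sec:02d} {merchant} {token} 0.01"


# Constructed gateway log: "timestamp merchant card_token amount" (tokens, not real PANs).
SAMPLE_LOG = (
    [_line(i, f"tok{i:04d}") for i in range(10)]                 # 10 distinct cards, $0.01 each
    + [_line(10, "tok0003"), _line(11, "tok0003")]               # the same card probed twice more
    + [_line(12 + i, f"tok{10 + i:04d}") for i in range(12)]     # 12 more distinct cards
    + ["2002-08-09T14:30:00 SHOP-2 tok9001 19.99"]               # unrelated merchant, normal volume
)


def run_sample(log=SAMPLE_LOG):
    """Replay the log through the gate; returns (outcome counts, merchant-day alerts)."""
    gate = VelocityGate(VelocityLimits(20, 2, 3.0), baseline={"ODC-1650": 4, "SHOP-2": 50})
    outcomes = defaultdict(int)
    for line in log:
        ts, merchant, token, _amount = line.split()
        outcomes[gate.authorize(merchant, token, datetime.fromisoformat(ts))] += 1
    return dict(outcomes), gate.alerts


if __name__ == "__main__":
    print(run_sample())
```

With a hard cap of 20 per merchant-day and 2 per card-day, the replay allows 21 requests, refuses the third probe of tok0003 and the last three distinct cards, and raises one volume alert for ODC-1650 on the 13th authorization (3 x its usual 4 per day).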

  12. Want to scare yourself sometime? by sterno · · Score: 5, Interesting

    Go on-line to your favorite search engine and do a search for information about how to encrypt credit card transmissions using SSL. You will find a ton of useful information and hordes of people wanting to sell you certificates for your servers.

    Now, go on-line and try to find information about STORING credit cards. There's very little in the way of useful information on how to do this securely. Most of the good security people simply advise not doing it at all. In spite of that many on-line businesses are doing credit card storage and you quickly get the sense that few of them have any idea how to store this information in a secure way.

    --
    This sig has been temporarily disconnected or is no longer in service

  13. Re:Credit Card by IIRCAFAIKIANAL · · Score: 5, Interesting

    I've posted this story before, but half the time clerks don't check signatures because customers are jerks if you do check.

    My girlfriend is working as a cashier at a drug store. Somebody came in and bought around $50 worth of stuff. He wanted to put it on his visa - she takes the card, runs it through, and puts the card down beside her register while the transaction goes through. The guy asks for his card back and she says she'll give it back after she verifies the signature - and the guy freaks out!

    (Keep in mind, she's very polite and friendly, not speaking with a "fuck off, I'll give it back when I'm ready" type attitude)

    He reaches across the counter, grabs the card, rants about how much money he makes and how stupid she must be (incidentally, she has a university degree and will be starting her first technical writing contract soon).

    I used to get annoyed that cashiers don't check signatures - now I see why. Credit card fraud happens all the time but my girlfriend never had it happen on her register (unlike others at her store).

    --
    Robots are everywhere, and they eat old people's medicine for fuel.

  14. Does anyone else find it incredibly ironic... by tlambert · · Score: 3, Insightful

    Does anyone else find it incredibly ironic that Verisign is blaming Online Data for assigning weak passwords instead of strong passwords, and Online Data is blaming merchants for not changing their passwords?

    Online Data, the payment processor, is a reseller of Verisign credit card gateway services.

    And Verisign sells digital certificates, which provide authentication, identification, and non-repudiation of data signed with those certificates.

    And yet they are relying on passwords, rather than requiring the use of an X.509 certificate for an established security association, so that no client machines other than the ones owned by the merchants themselves can be used to make credit card authorization requests.

    And each of these people *has* a certificate in hand, since they have to have one to run an HTTPS (SSL based) server in the first place!

    That's a bit like the U.S. Marines deciding to hire school crossing guards to provide the security for Fort Knox, isn't it?

    And now they are blaming people for not hiring the right school crossing guards, or not firing old school crossing guards, and hiring different ones "often enough"...

    -- Terry

  15. Re:Credit Card by gmack · · Score: 3, Informative

    It's worse than that. They will take the money back from the reseller plus a penalty. The credit card companies actually make money on the deal.

    Scam is putting it mildly.

  16. Re:Credit Card by rudedog · · Score: 3, Informative

    I was under the same impression, but listen to my sad story.

    On August 17, while on vacation, I discovered some bogus transactions on my card on August 9 - 5 transactions, $800, to some card processor in Israel. I called my bank the same day and told them the transactions were bogus and they issued me a new card.

    Yesterday my bank called back and said that the merchant had verified the transactions and that I would be responsible for them. The merchant's "proof" was a single page fax that basically said that the charges had been done for an online casino account that had been opened in my name. Since the account was in my name, and the account "had a unique username and password", that is all the proof that the bank needed that I had authorized the charges.

    The fact that the casino account was opened on the same day that the charges were made didn't seem to make a difference. The fact that I had never heard of the casino, nor had I authorized them to open an account in my name didn't make a difference. The fact that on the day in question, I was on vacation and driving from Seattle to Montana (a 10 hour drive, with credit card receipts to prove it) didn't seem to make a difference.

    According to my bank (this is US Bank), I am responsible for the charges, and my only recourse is to take it up with the casino and their credit card processor.

    So much for anti-fraud protection.

    I am still planning to fight this, BTW, so if anyone has any suggestions about a course of action, I'm all ears.

  17. Re:Credit Card by rudedog · · Score: 3, Informative

    If you do this every day, perhaps you have some insight on why my credit card company has refused to grant a chargeback to me.

  18. Re:Credit Card by Zeinfeld · · Score: 3, Insightful

    Yesterday my bank called back and said that the merchant had verified the transactions and that I would be responsible for them.

    Send a letter in as follows:

    Re fraudulent charges to account XYZ charges [list]

    Under penalty of perjury I deny authorizing the charges specified above.

    I hereby require you to produce the signed transaction receipts as required by Regulation E of the Federal Reserve regulations governing the use of credit cards.

    As your legal department will confirm, the laws of the United States govern all transactions concerning credit cards issued in the United States. These laws make the card issuer responsible for all fraudulent charges and not the consumer, the merchant or any other party.

    These charges are in dispute. Any allegation made to a third party such as a credit agency alleging refusal to pay a legitimate debt shall be considered defamatory and action may be taken accordingly.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/