Slashdot Mirror


60,000 Credit Card Numbers Stolen Online

robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."


  1. MSNBC: Not The First Time by great+throwdini · · Score: 5, Interesting

    Duh. From the article:

    This is not the first time credit card thieves have used hacked online merchant accounts to test cards.

    They then go on to talk about an earlier MSNBC expose reported in April. I suspect the testing of credit gateways happens far more often than MSNBC suggests. Actually, I was a "victim" of this sort of authorization fraud last month -- someone in Czechoslovakia breached a transaction system in North Carolina, posting $0.01 charges, then following up with larger charges for goods delivered to El Paso. Lovely. I only got hit up for the initial cent before cancelling the card, but the person with whom I spoke mentioned that many more people were tapped through their system.

    People: check those statements. So many friends of mine don't, holding on to bank-issued VISA debit cards and not bothering to account for their money apart from "do I have anything in my account now that I'm standing in front of an ATM?"

  2. Use one-time use numbers by weave · · Score: 5, Interesting

    When shopping online, I only use American Express's Private Payments.

    Go online, log on, generate a one-time use number, plug that into the web site, only good for one transaction.

    1. Re:Use one-time use numbers by aaarrrgggh · · Score: 5, Insightful

      This still doesn't help you with the fact that your primary number is easy enough to guess... a 16-digit credit card number only has a maximum of 11 digits for a given bank (4-digit bank code, and at least one checksum digit).

      When a merchant is hacked like this, even brute-force number generation can be done with a little bit of information to yield a good number of valid credit card numbers.

      The problem is that the credit card companies are allowed to make their money back (from fraud) on interest, so they have no real incentive to reduce the fraud imposed by the lack of numberspace. The "one-time numbers" are just something to make people feel more comfortable about spending money online.

  3. Re:Credit Card by GigsVT · · Score: 5, Interesting

    That fraud protection is ironically a scam.

    You are already guaranteed limited liability to $50 and chargeback rights by law. The credit card companies sell that fraud protection because they know it doesn't really cost them anything, since it's mostly what they have to provide anyway.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.

  4. Re:Credit Card by NineNine · · Score: 5, Informative

    EVERYONE with a Visa or Mastercard has fraud protection. It's a federal law. You probably didn't know that, and were suckered into paying extra for it.

  5. Not always true... by singularity · · Score: 5, Interesting

    I used to work at a small video rental chain (nine stores) in the corporate office/warehouse.

    Each year, we would have a huge warehouse sale. We would gather about 10,000 previewed VHS tapes and sell them for anywhere from $1 up to $10. There were some really great deals.

    Anyway, since the warehouse was actually behind and attached to one of the stores, we would just run one of the telephone lines and charge machines to the warehouse.

    During that weekend, we would see tens of thousands of dollars in transactions, up from the normal activity on our account, usually measured in the hundreds of dollars a day in charges.

    Each year we were called by the authorizing agent during the sale to make sure the sales were not fraudulent. In addition, one year we had to show a random sampling of the signed receipt copies from the sales.

    I find it strange that the credit card company did not look into the matter any quicker than it did.

    --
    - (c) 2018 Hank Zimmerman

  6. Where were the velocity controls? by witten · · Score: 5, Interesting

    I work for TrustCommerce, a credit card processing gateway that just happens to compete with Verisign, the gateway mentioned in this article. What I want to know is why the Verisign rep said nothing about the velocity controls that should have been in place on the account in question. Velocity controls work like this: If a merchant goes over a certain number of transactions per day or per card, no more transactions are let through. The whole point of these controls is to prevent exactly this sort of basic fraud from occurring in the first place.
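
Added example, not part of the comment above and not any gateway's actual code: a minimal sketch of the velocity control that comment describes, with a rolling 24-hour cap per merchant and per card. The class name, cap values, merchant id and card tokens are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict, deque

DAY = 86_400  # rolling window, in seconds

class VelocityControl:
    """Rolling 24-hour caps per merchant and per (merchant, card token)."""
    def __init__(self, merchant_daily_cap, card_daily_cap):
        self.merchant_cap = merchant_daily_cap
        self.card_cap = card_daily_cap
        self.by_merchant = defaultdict(deque)  # merchant -> timestamps let through
        self.by_card = defaultdict(deque)      # (merchant, token) -> timestamps let through

    @staticmethod
    def _expire(window, now):
        # Drop entries that have aged out of the 24-hour window.
        while window and window[0] <= now - DAY:
            window.popleft()

    def check(self, merchant, card_token, now):
        """Return (allowed, reason); only transactions let through are counted."""
        m = self.by_merchant[merchant]
        c = self.by_card[(merchant, card_token)]
        self._expire(m, now)
        self._expire(c, now)
        if len(m) >= self.merchant_cap:
            return False, "merchant_daily_cap"
        if len(c) >= self.card_cap:
            return False, "card_daily_cap"
        m.append(now)
        c.append(now)
        return True, "ok"


def replay(control, events):
    """Feed (merchant, card_token, timestamp) events; return (allowed, blocks by reason)."""
    allowed, blocked = 0, defaultdict(int)
    for merchant, card, ts in events:
        ok, reason = control.check(merchant, card, ts)
        if ok:
            allowed += 1
        else:
            blocked[reason] += 1
    return allowed, dict(blocked)


def sample_events():
    """Constructed data: 5 retries on one card, then 1,000 charges on distinct cards."""
    retries = [("shop-1", "tok-A", t) for t in range(5)]
    burst = [("shop-1", f"tok-{i}", 100 + i) for i in range(1000)]
    return retries + burst
```

With a merchant cap of 500 and a card cap of 3, the burst is cut off at the merchant's 500th transaction of the day, which is the volume alarm the story's quote says was missing.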

  7. Want to scare yourself sometime? by sterno · · Score: 5, Interesting

    Go on-line to your favorite search engine and do a search for information about how to encrypt credit card transmissions using SSL. You will find a ton of useful information and hordes of people wanting to sell you certificates for your servers.

    Now, go on-line and try to find information about STORING credit cards. There's very little in the way of useful information on how to do this securely. Most of the good security people simply advise not doing it at all. In spite of that, many on-line businesses are doing credit card storage and you quickly get the sense that few of them have any idea how to store this information in a secure way.

    --
    This sig has been temporarily disconnected or is no longer in service

  8. Re:Credit Card by IIRCAFAIKIANAL · · Score: 5, Interesting

    I've posted this story before, but half the time clerks don't check signatures because customers are jerks if you do check.

    My girlfriend is working as a cashier at a drug store. Somebody came in and bought around $50 worth of stuff. He wanted to put it on his visa - she takes the card, runs it through, and puts the card down beside her register while the transaction goes through. The guy asks for his card back and she says she'll give it back after she verifies the signature - and the guy freaks out!

    (Keep in mind, she's very polite and friendly, not speaking with a "fuck off, I'll give it back when I'm ready" type attitude)

    He reaches across the counter, grabs the card, rants about how much money he makes and how stupid she must be (incidentally, she has a university degree and will be starting her first technical writing contract soon).

    I used to get annoyed that cashiers don't check signatures - now I see why. Credit card fraud happens all the time but my girlfriend never had it happen on her register (unlike others at her store).

    --
    Robots are everywhere, and they eat old people's medicine for fuel.