Slashdot Mirror
Cracker Gains Access to 2.2 Million Credit Cards
Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
2,200,200 x .03 = $66,000
Im sure they have prety good mertrics on what normal background fraud is. I doubt the statement means that each and every account has been hand checked, but just that that block of accounts dosent have a abnormal rate of fraud.
As others have pointed out it dosent realy matter for card holders, but its like any theft from a big company. (shoplifting, insurance fraud, etc) Eventualy it trickles down to the consumer...
Unfortunately, I hold one of those 2.2 million cards. I was thoroughly frustrated when my card was declined Friday, Saturday then again on Sunday. What was even odder is that I could take my bank-issued card to the ATM and withdraw $100 and get a balance statement that showed positive numbers. Finally got the "scoop" from my bank today. They gave me a different story though, said MC alone had 7 million cards compromised. Ended up having to call the "fraud" department at MC, verify my vital information and have my cards re-issued. They also took the time to verify all transactions in the last 4 days to make sure none were fraudulent. On a side note, they did try calling me, but my number had been changed.
Um, he's talking about the database needed to VERIFY the PIN numbers. When the merchant runs the transaction, it needs to be checked against *something* to see if it's the right one.
Even if you used one-way hashing, it'd still be weak, because with a typical 4-digit pin there aren't that many combinations -- so the hashes wouldn't be secure. So, since the hashes and the numbers would likely be colocated, it wouldn't add that much unless you made people use really long PINs or seriously modified credit card hardware to allow other inputs besides digits.
Only the dead have seen the end of war.
Article is called "Cracker Gains Access to 2.2 Million Credit Cards".
Cracker...
Get it?
Eh.
From the article, it appears that Visa is saying that none of the flagged numbers have actually been used after the specified date and time.
It's CRACKER not HACKER if anyone would read the headline. God, even on slashdot...I wonder how hackers get the bad name...
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
Even if such a machine were created, an attacker could trojan the entry system and capture the PINs as they were used.
Problem is that this requires some sort of protocol: bank has to keep a secure central repository of PINs for each CC number issued and you need a protocol to query "is this PIN correct for this CC?" Bank would respond "yes" or "no." Needs some sort of secure channel to ensure hashes aren't intercepted mid-stream (x509 would serve nicely for this). Hopefully merchant won't store the PIN or hash, but that's too much to hope for.
Possible, but ain't gonna happen.
Yep.
My dad lost his card visiting relatives about 100 miles away in Virginia and didn't even realize it. When he got home he got a call from the credit card company, who said their software flagged a $600 purchase made at Home Depot in Virginia which didn't fit his profile, and asked whether he had made it. Sure enough, he checked his wallet and his card was gone. He realized he had left it sitting on top of an ATM or something. He did not have to pay for the Home Depot purchase.
I was impressed with how well all that worked.
No, it's not being used for that meaning.
A Cracker is someone who is good at defeating copy protection in games. Back in the day crackers used to NOP over the passwords, the non-standard diskette reads, etc. and give us the game in a form that we could enjoy without encumberment.
That's what a cracker is.
There are, of course, people trying to change the classic meaning of the word. Kind of the same as the people trying to change the meaning of the term 'hacker.'
But what usually is ignored is that while the consumer might not have to pay, the merchant who sold the goodies does have to pay. The credit card issuer doesn't pay for fraudulent charges -- they get "charged back" to the merchant who made the charge, and the merchant pays, plus a "chargeback fee" of $15 - $50 per transaction. It's one thing for a software download to go unpaid, it's quite another for a merchant to ship actual physical goods and not get paid for them.
Eventually the consumer does end up paying for fraudulent credit card charges, but just like insurance premiums, where any individual charges or payments might be small relative to the total public cost of the incident, you can be sure that in the aggregate the fees, interest, and other charges imposed by the credit card issuing banks will cover their losses and still make a profit, and the prices merchants have to charge for goods will, in the long run, certainly have to cover their losses and still make a profit.
In other words, the cost of credit card fraud is shifted away from the consumer (who is innocent of any single fraudulent charge on their particular card, so of course should not be forced to pay it), and becomes instead just part of the cost of doing business for everyone on the other side of the transaction.
In theory, practice and theory are the same. In practice, they rarely are.
Address verificaion only works in the US as far as I know. The system isn't allowed in most of Europe and Australia because of "privacy concerns" and the house numbering can cause issues. The US system works fine because most house numbers are 4 or 5 digits long in areas that have unified addressing. In most cities in Europe the house numbers start at 1 on the street and go up till the road changes name and it starts over again.
... but the merchants that sell goods over the Internet. I used to run a mail order business. We got a lot of orders with people trying to use stolen credit cards. After a while we got really good at filtering these out. But the cost to learn the lessons was high. I can only sympathize with all the new businesses. If they think that matching the shipping/billing address and security code is enough, they are in for a rude awakening.
At the end of the day, the entire loss from these fraudulent transactions is passed down to the retailers, when clearly the morons who are handing out the credit cards to the thiefs have some responsibility to share.
Since I work for one, I'll be AC for now.
CC companies foot the bill for fraud, as long as there was no gross negiligence on the part of the merchant (and some other rules). That would translate into vastly dissimilar signatures, a white dude using a black dude's card (with a photo) and so forth.
There are several reasons why cc technology is slow to roll out. The current way liability is distributed between issuer and acquirer (you have your customer relationship to the issuer, while the merchant has their relationship to the acquirer), there is insufficient incentive to invest the billions of dollars a smart card rollout costs. There are even incentives in the system to underreport fraud. It is simply more cost effective to monitor the transactions, and use software+humans to identify fraud as early as possible. Remember, most fraud is "skimming" (copy the magstripe, put it onto a counterfeit card). Skimming will happen as long as we have a magstripe, and there is little incentive for developing nations to implement smart cards. That means that the magstripe will be around for a looong time. So, a smart card solution would only reduce the problems to an unknown degree (since the fraud would migrate across borders). The alternative is to make cards that only work in countries with interoperable smart cards.
Simply put, there are more cost effective ways of handling fraud without alienating your customers (PIN entry is really not an option, since people forget their PIN all the time on low-usage cards)
For online authorizations, I think the one-use cardnumber is a good solution, as well as the idea of a browser plug-in.
Of course, I have wet dreams of biometrics. We might actually see that sometime. There will be a rollout of smart cards at SOME point, and the longer that takes, the lower the extra cost of using biometrics. We'll see.
Personally, I can't even remember the last time I bought something on CC using anything other than an EFTPOS terminal - which automatically verifies every transaction with the bank operating it, as well as keeping an internal 'hotlist' of stolen cards, updated nightly. (Done properly, the call costs somewhere around 1p - at which point, even on a 50p transaction, the 2.5% cut will cover it. The modem racks and servers will cost more, of course, but you need most of that infrastructure in place anyway...)
Are you thinking of the "manual" verification procedures used on suspicious or very large transactions, where the store telephones the bank, who then ask you questions to confirm your identity??
If I were the issuing bank, I'd put a 'verify' flag on the cards immediately (vendor must confirm identity directly, i.e. have you call the bank to check it's really you), and rush a replacement card out to each cardholder. That way, the cardholders are only inconvenienced for the day or two it takes to FedEx (or whatever) the new card out - yes, it's expensive to repeat this for 2.2m people, but compared to the cost of having to honor a string of dishonest transactions you can't bill the cardholder for?
That's exactly what I'm talking about - EFTPOS. There is a myth that they clear every txn - they simply don't (I've worked in shops using them, and more recently in the financial sector). As I said, most shops (particularly large department stores and supermarkets) cannot clear the required number of txns quickly enough, so they set a limit - anything below that is just approved automatically provided the card is not on a watch list. The actual value of the limit varies by shop and by day and is secret (as knowledge of it would be useful to a fraudster).
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
I think my wife's card was part of this. She got a call from the bank last week telling her that her card was dead.
My father runs a men's wear store. Last month sometime, he was told that any transaction that he didn't call in would result in a $50 fee.
Joe
Joe Batt Solid Design
Actually, it isnt. The ole USPS has addressed this, and there _IS_ a standardized format. You can purchase software to "sanitize" your lists and make them match any other sanitized list. It's actually mandatory for bulk mailing rates.
If you are a true sadist, you can read about it here
For us carnivores, "Sucking the marrow out of life" isn't a transcendentalist philosophy but a practical instruction.