Slashdot Mirror
Cracker Gains Access to 2.2 Million Credit Cards
Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
2.2 million...it will be interesting to see what happends when who ever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?
Should prove interesting as these numbers start getting used. 2.2 is a little large of a block to just re-issue.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Let's say this cracker e-mails off these credit card numbers to everyone in the world (those lists of e-mail addresses are only $20, ya' know), can you imagine the offices of Visa and Mastercard?
Actually, things probably wouldn't be that bad.
Who in there right mind would use credit card numbers fraudulently on such a high-profile case? Surely jail time or fines would ensue, and that alone would keep most Americans from jumping to use the numbers.
Then again, there is the chance that many Americans would use those numbers. How about a program that automatically used those numbers to make fraudulent purchases? It would take weeks or months just to sort out bills. Would Visa and Mastercard even be able to handle that amount of traffic? No, something like this could destroy these two companies; it would be almost impossible for them to handle.
Remember, Credit Cards companies use neural networks to analyse transactions and decide whether or not they may be faulty, and the success-rate of these babies is higher than you may suspect (okay, I don't have a web-link, I read it in a pop-sci book on maths, biology and AI). So you may be short a few dollars, which isn't good (don't get me wrong), but unless you normally spend $hitload$ of money, they won't be able to buy a Ferrari or anything (mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...)
This sig intentionally left bla... dammit!
Who's got the whiteout?
Nice informative article. No mention of which credit card processor this was. It'd be nice to know if it's one that one of my clients uses. Anyone know the identity of the victim?
SONY. Because caucasians are just too damn tall.
I do notice that sometimes, very rarely though, that sites will ask for that extra three digit code on the back of the card, to verify that you do in fact have the card in your hand. This the same concept as a PIN and I don't see why more web sites aren't doing it. It's not like they have to completely revamp their way of accepting credit cards, it should be a very simple fix.
Makes me want to go back to barder. Do you think ThinkGeek would accept two dead chickens and a half wheel of gouda for one of those mini tanks with the camera?
this report says 5 million cards
1 7/ rtr881826.html
http://www.forbes.com/markets/newswire/2003/02/
Of course, they don't know. They won't know for a while. But the answer is Nothing Stolen, and the answer will always be Nothing Stolen.
Credit card companies are like insurance companies, it's all about playing the odds, and statistics, and consumer behavioural models. Personally I've stopped trusting them a long time ago. While the public meme is that credit card theft is on the rise due to Internet transactions, I really wonder sometimes. As seen with other examples, the Internet is actually becoming an invaluable tool for revealing nefarious activity (patterns of activity that is) that would have been otherwise obfuscated by natural physical barriers. The media are hardly reliably objective in this sense.
If Jesus wants me it knows where to find me.
Inquiring minds want to know...
Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!
I know I'm going to be modded as a troll for this, but...
So we know that some terrorists were devoted enough to the cause of causing chaos that they actually enrolled themselves in flight school to learn how to do what they did. Is it that much of a stretch to think that they aren't aware that it is possible to steal credit cards numbers off the Internet? And do you think that by devoting the same amount of time to googling and reading some paint-by-numbers script kiddie how-to-steal-credit-cards blog someone dedicated to doing "very bad things" couldn't find a way to pull something like this off?
I'm not sure why everyone chose to mod the parent post as Funny. I find the prospect of Very Angry People stealing millions of credit cards quite frightening, myself...
I would have to say that explosives are the most abused technology in all of history.
Wells Fargo Bank cancelled my debit/Visa card with no notice.. Why? Because I purchased groceries in Los Angeles, and then there was a $300 purchase in the mid west for a plane ticket a few hours later.
:)
Unfortunately, the $300 ticket was to get my 13 year old step-daughter on a plane to see her dad. We didn't know til we got to the airport and Delta told us my card was stolen..
I pulled out my card, and my ID, and showed it to them.. Didn't matter.. I called the bank. They had no record of who did it, only that it was reported as stolen.
Took me 8 hours on the phones with the bank, airline, and every vendor I had bought from in the surrounding days to find out what happened.
When the airline called to verify the card, the bank took the fact that I was buying a ticket for her to be fraud, and cancelled my card immediately.
I went to the bank to get it fixed. They said they tried to contact me. They had my correct number on file (my cell), but said it was disconnected. I had them call my cell from their desk. Amazingly enough, it rang, and I answered.
I've had banks call me before to verify transactions. I have no problem with that. But, lying about it pisses me off.
I wonder how badly they'd handle me on a road trip. I drive from Florida to California and back on a semi-regular basis.. It takes me three days, with very little sleep. That would probably get the card cancelled too.. I'd hate to be stuck in Kent Texas with no gas and a cancelled credit card, because they thought I had traveled too far.
I had a whole stack of returned items, and a whole lot of merchants to apologize to for the bank's error. I never received an apology from the bank.
A month later (a week before xmas), they accidently closed my bank account. I didn't find out til the ATM took my new card.. Their system said there was fraudulent activity. Another bank error. They put all my funds on hold til Jan 6. Good thing I have friends who would loan me money over Christmas. It really sucks to ask your friends to buy everything.. But, they all got paid back after I got my money back.
Every bill check I had sent out previous got bounced. Wells Fargo *ALSO* charged me $25 per check for NSF, even though the funds were in the account, but they erroniously put on fraud hold by them.
You wouldn't believe how pissed I was when I got to the bank. I was polite at first.. They continued to tell me how they were keeping my money.. So, I got louder.. They threatened to call the cops. I told them to. I *WANTED* a cop to hear them saying that they made a mistake and took my money, and wouldn't give it to me.
The bank security were the only nice people working there. One of the guards told me how they screwed him over too, so he was completely sympathetic. He was just standing around to make sure I didn't get physically violent. No problem there, I don't get physically violent, he doesn't have to do anything but stand there.
Warning! Never Use Wells Fargo Bank!
I finally got the second set of NSF fees dropped after a few hours of screaming.. Hopefully the customers who overheard the incident had second thoughts of keeping their account at Wells Fargo.
[Rant Mode Off]
I'm now using a nice small bank, that doesn't have the same problems. I told them all about it when I opened my new account. They had heard similiar stories before about them. I'm on a first name basis with the new bank, and they love me.
Serious? Seriousness is well above my pay grade.
"Credit cards weren't invented last year. Back when they were invented, this was some major technology. Can you imagine? A piece of plastic with a magnetic stripe on the back?"
No offense, but you have to look back a little farther than that for the roots of credit card technology.
Back when credit cards were REALLY invented (1950), there was no mag stripe, just the embossed account numbers on the plastic. When you presented your card to a merchant, they were supposed to check a book of closed/fraudulent account numbers to make sure yours wasn't listed (I think they mailed these out monthly). The account numbers, like many state's driver's licenses or physician's DEA numbers, could also be checked for internal validity by using an algorithm. (Big flaw in that system was that your clerks had to have passed ninth grade math -- digital calculators were still decades in the future.)
I agree with your point that credit card companies pass costs through rather than absorb them. Fraud is simply a cost of doing business to them, and they make a hell of lot more money if they paper over fraud and ID theft. Why? Because the key to the credit card issuing game is, well, issuing. If publicity about stolen accounts give potential new card holders the willies, then the pyramid starts to fall apart.
Credit cards are the crack cocaine of the financial world, and the card issuers are the guys selling the rocks. They know it's a statistical certainty that x-percent of people who get cards will spend them to the max and then be unable to pay the cards off, and so, prevent being kicked to the highest APR bracket. Your first rock is usually free, too... ID theft and computer fraud are simply a tax the card issuers are willing to pay to keep the crack house open.
So we hear about this cracker who stole two million numbers or whatever. For every one of these guys, how many do we NOT hear about?
They dont actually say somebody hacked into their network from the internet.
Manipulate the moderator system! Mod someone as "overrated" today.
Pfff... I could even make them by hand, before they started cracking down on correlating expiration date to card number.
Up until about 4 years ago, you could use the CCtest# (4111-1111-1111-1111) to use the credit card phones in LAX and a few other major airports.
This is a very interesting story. I would recomend sticking it on a website, so that search engines will index it, and people looking up info on Wells Fargo will find it.
Personally, when I was looking around for a bank, I checked out Wells Fargo. There were three warning signs that prevented me form using them:
1) To enter or exit you have to go through double-doors. Presumably, this should trigger an alarm if someone has a gun, and possibly lock them in. The doors didn't work well normally, and customers had a difficult time going in and out. I asked if the glass on the doors and windows was bullet-proof... When the answer was "no", I realized their double-doors were no security at all, and merely to lull customers into a false sense of security, and possibly deter moronic bank robbers.
2) I overheard a discussion, that one of the employees had refinaced a customer's home loan, but had simply not used the computer properly and signed the contract with the wrong percentage. The contract was signed, but the customer was going to get an unplesant surprise quite soon.
3) When I walked in, I glanced at a computer screen and saw the Windows NT sign-on screen... Nuff said.
I must say, for one single ~10 minute visit, that was more than enough to have me out of there as quickly as possible.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Uh... no. People who pay their bill in full monthly (hi, I'm one) are known in the industry as "deadbeats". That small percentage they take generally just offsets their costs for providing the money and services. There's some profit involved, but not much. Most of the money goes toward covering advertising costs and bad debt (see below).
On the otherhand, they really love people who never pay in full, but still make regular payments. A bit more than the minimum payment is best, since while they bleed you for more with minimum payment, it also increases risk. But 10-20% interest is better than 2% any day of the week, especially since it's compounding interest. Gotta love paying interest on unpaid interest. At least if you're the lender that is.
I used to work for a company that contracted with a sub-prime credit card company - they really wanted the accounts that garnered interest (the average interest on the cards was 28% - and yes, there were entire states they didn't market to because that interest rate is illegal in those states). The entire business model was trying to identify more consumers that had poor enough credit to need a card like this (did I mention the average $50 annual fee? Or the card with a $300 credit limit that had $250 in fees put on it when you signed up?) but wouldn't go delinquint -- which was a problem. The average prime lender has to right off 15%... which is why about a year ago they slashed their IT budget and my company laid off 60% of their staff. Last I heard they were going into debt collector status - buying up bad debt from other credit card companies to turn around and sell it to debt collection agencies. They're still in business last I checked, but barely.
Oh well... better job now anyway.