Cracker Gains Access to 2.2 Million Credit Cards
Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....
Damn white boys need to stay away from them computers!!
I don't like the use of racial slurs like that on /.
So THATs why $5 was paid to Slashdot without me remembering!
Fortunately, none of them seem to have been used fraudulently.
And how exactly do they know that all 2.2 million credit card #'s haven't been used fraudulently? I'm sure that there are at least a small percent of any given set of 2.2 million credit card #'s that are used fraudulently.
damn kevin mitnick!
This is a great security threat for our nation! Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!
---
Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
2.2 million...it will be interesting to see what happens when whoever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?
Should prove interesting as these numbers start getting used. 2.2 is a little large of a block to just re-issue.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
I guess tomorrow all the online pr0n stores will be sold out of everything!
You mean 'none of them seem to have been used fraudulently YET'
Fortunately, none of them seem to have been used fraudulently
Uh, yeah, because it's so easy to verify that two MILLION credit card numbers haven't been used fraudulently.
I mean, come on, just through coincidence I'm sure some of the physical cards themselves have been stolen recently and used fraudulently.
That article was not written with many details... What credit group... who's the hacker?
||| I still can't believe Parkay's not butter.
With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?
Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.
At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.
But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Let's say this cracker e-mails off these credit card numbers to everyone in the world (those lists of e-mail addresses are only $20, ya' know), can you imagine the offices of Visa and Mastercard?
Actually, things probably wouldn't be that bad.
Who in their right mind would use credit card numbers fraudulently on such a high-profile case? Surely jail time or fines would ensue, and that alone would keep most Americans from jumping to use the numbers.
Then again, there is the chance that many Americans would use those numbers. How about a program that automatically used those numbers to make fraudulent purchases? It would take weeks or months just to sort out bills. Would Visa and Mastercard even be able to handle that amount of traffic? No, something like this could destroy these two companies; it would be almost impossible for them to handle.
Remember, Credit Cards companies use neural networks to analyse transactions and decide whether or not they may be faulty, and the success-rate of these babies is higher than you may suspect (okay, I don't have a web-link, I read it in a pop-sci book on maths, biology and AI). So you may be short a few dollars, which isn't good (don't get me wrong), but unless you normally spend $hitload$ of money, they won't be able to buy a Ferrari or anything (mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...)
This sig intentionally left bla... dammit!
Who's got the whiteout?
New leaf my ass. Welcome back, Kevin ;-)
I like those odds - not a single fraudulent use in 2.2 million cards.
Hell, I've had 3 fraudulent transactions and only own 3 credit cards and two debit cards.
One thing I've noticed is that my card company seems good at stopping me from spending when they think I'm fraudulent. Just put 7 currencies on your card in as many days and alarm bells seem to ring somewhere.... but catching real thieves is a little too tricky
I used to work at an incredibly busy CompUSA back when I was putting myself through college, I worked behind the register and had to put up with any number of fucking (A)Assholes, (B)Jerks, (C)Fucklickers (D)Cunts and/or (E)Wastes of Meat every day of my miserable existence there. Every day, these pricks would come in, verbally abuse me and then give me their credit card number.
I cannot believe the amount of trust these dickheads put into me, a lowly redshirted laser-slinger. These were people who would verbally abuse me, harass me, scream, yell, pester and generally treat me as something beneath the lump of Fluffy's late night cat puke that they caked off of the designer argyle socks that cost more than they make in a day.
Every time one of those shits oh-so-respectfully tossed me their credit card (They'd never hand it to me, oh no... never just hand it to me) then get all indignant that I ask to check their ID, even though it says in big, block letters 'CHECK ID' on the little 'sign here' strip on the back... I'd just smile... You know the smile, the one that a pudgy Vincent D'Onofrio shot at the sergeant before putting one in his chest while I simply took their receipt and folded it in half and stuck it in a little slot on my register.
Had I been just a little dumber or a bit ballsier, I'd be rolling in all the pre-Pentium 3 generation hardware and pre-Kazaa generation illicit software that I could have purchased on their dimes.
Point being: Why why why do these people who are so abusive to those of us who (A)Handle Their Credit Cards and (B)Handle Their Food treat us in such a manner?
Why is it when I hit ^R that ZSH calls me a cocksucker?
Nice informative article. No mention of which credit card processor this was. It'd be nice to know if it's one that one of my clients uses. Anyone know the identity of the victim?
SONY. Because caucasians are just too damn tall.
I do notice that sometimes, very rarely though, sites will ask for that extra three digit code on the back of the card, to verify that you do in fact have the card in your hand. This is the same concept as a PIN and I don't see why more web sites aren't doing it. It's not like they have to completely revamp their way of accepting credit cards, it should be a very simple fix.
Makes me want to go back to barter. Do you think ThinkGeek would accept two dead chickens and a half wheel of gouda for one of those mini tanks with the camera?
Yeah he gained access to 2.2 million cards, but too bad they are all probably overdrawn! Just about everybody I know complains that their cards are maxed out. :D
I also agree, that out of 2.2 million cards, it's impossible for them to know that all of them are ok and haven't been used.
When all else fails, piss on it. At least you will feel better in some kind of way.
this report says 5 million cards
http://www.forbes.com/markets/newswire/2003/02/17/rtr881826.html
Citizens Bank, a financial institution serving the Northeast, shut down the accounts of 8,800 customers whose card numbers had been accessed after being notified by MasterCard on Friday, bank spokeswoman Pamela Crawley said. All of those accounts were safe, she said.
I'll bet those people are just *thrilled* to have their accounts locked out. How many people are going to find their card mysteriously declined when doing their weekly grocery shop then? I'm betting the bank hasn't made 8,800 phone calls to explain their position.
Hell of a way for VISA/MC to limit their liability - just cancel their cards ??
Never, ever lose a file again. Ever.
You get the idea.
You'll have that sometimes...
I think it's time the whole CC system is overhauled!
The lack of authentication is the biggest problem with it. And no, the PVV is not good enough for authentication either, it's also printed on the card and some online stores require that number but store it with the CC# anyway.
I'm sure the banks have a huge amount of fraud on cards and eventually these costs get passed on to the customers.
Debit cards with PINs / Smartcards are the way to go.
How on earth do they know that none of 2.2 million credit cards has been used fraudulently in the last 24 hours? Seems pretty impossible to me. I'll bet some of them have for reasons completely unrelated to this hacker anyway. How can you verify something like that on such a huge scale?
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
My guess is that they haven't had any reports of fraudulent use.
Or maybe he bought some cheese to go with his crackers.
I found the meaning of life the other day, but I had write-only access.
Why are so many companies so foolish?
You encrypt the number like crazy when it's traveling to your server. You protect it with all the firewalls and whatnot you can muster. You limit who has legitimate access to it. And you don't encrypt it when it's stored on the server?
I don't get it. Passwords are stored encrypted. Why not credit cards?
For all the time I've spent reassuring my parents that it's okay to pay for things on the Internet because the encryption is impossible to break, things like this make me really nervous. I think we need legislation requiring all company databases that store credit cards to store them encrypted.
That way, if someone does break the encryption and get our credit card numbers, at least we can prosecute them under the DMCA!
I found the meaning of life the other day, but I had write-only access.
obviously the humor in the use of the word "cracker" in the article title was lost.
From the article, it appears that Visa is saying that none of the flagged numbers have actually been used after the specified date and time.
You could just cut them all off. Are there any places left that don't call in credit card purchases? Of course, that would leave 2.2 million credit card users high and dry and they would have to issue 2.2 million new cards. It would cost hundreds of thousands of dollars and do incalculable PR damage. So what to do?
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Having read it :) I suspect this CNN article isn't much more than a paraphrase-the-press-release sort of thing. ("A hacker has gained access to as many as 2.2 million Visa and MasterCard accounts, the two companies announced Monday.") Someone else here cites an article saying FIVE million numbers were stolen! I think more probing work is needed.
Also, I love "Both card companies have zero-liability policies, which protect cardholders from being held responsible for unauthorized or fraudulent charges" -- as if they're so generous. For one thing, I think that "policy" is required by federal law, and if not it would be legally insane (and unenforceable) to hold subscribers liable for 3rd party mistakes. An interesting Q might be how long you could wait or fail to notice an ongoing fraudulent use of the card, assuming it didn't get maxed out within minutes.
Anyway, look for more probing articles. I'd like to know what *other* sensitive information might have been accessible? Wouldn't a list of social security numbers be nice? How'd you like to have to go get that number changed? I assume (hope, pray) SSN's weren't stored in the same sloppy way as these CC #'s, but it's perfectly possible at some other institution.
Credit cards weren't invented last year. Back when they were invented, this was some major technology. Can you imagine? A piece of plastic with a magnetic stripe on the back? Totally un-hackable! How could it possibly be hacked when most people didn't even have magnetic tapes at home? Most people were still using records to play music. This was state of the art technology. And to fake the card? No way, an "embosser" was probably something guarded as close as the Mona Lisa painting.
These days, you can buy blanks, printers, mag-stripe writers at most stores. Easily hackable. Too easy in fact.
Like the article mentioned, there are 500 million cards in the US alone. If you calculate the cost to replace each card at $1, you've got 1/2 a billion $ fee. Companies are slowly going to the "smart (yeah right) card" but that just doesn't cut it. The whole system sucks, but companies don't really care because we're actually paying for it..! Wonder why you have a 21% interest fee while you can borrow at around 5-6% at the bank? The credit card companies simply balance their #'s every year... "ok we lost $X dollar, let's charge X% to customers". It's no magic... So why bother changing the system? It's perfect to the credit companies...!
-- Leeeter than leet
Here are a few things I'd like to see in the credit card infrastructure.
Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.
After that story with the RIAA claims about number of seized CD burners, I'm seriously wondering whether this "dangerous cracker" is not in fact some script kiddie who stumbled upon a computer that stored 275,000 CC#s, and the data is mirrored in 7 other computers... ;-)
The ENIAC Demo Competition
It's CRACKER not HACKER if anyone would read the headline. God, even on slashdot...I wonder how hackers get the bad name...
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
Inquiring minds want to know...
If they don't know who did it, not even the tiniest little hint, then how can they know it even happened? There was a similar 'accident' some time ago where a disgruntled tech ran off with a hard drive full of bank account numbers from his workplace, but they knew who did it and they had the missing hard drive as 'proof'. The trouble was just finding the guy who had skipped the country or something. Much different.
-Billco, Fnarg.com
Because remember, it's not the credit card processor's fault that your credit card got stolen, it's the evil hacker who bypassed the security. If we told you which credit card processor it was you might take your business elsewhere, therefore ensuring that security of your credit card is taken seriously -- and we don't want that, do we? I mean, that would be like punishing the credit card processor for the evil hacker's crime!
How we know is more important than what we know.
Ok so which CC processor got hacked? I assume that when Visa/MC says 'processor' it means specifically a credit card processing network that receives and authorizes charges from merchants, not a consolidator like PayPal, and not an e-commerce gateway like CyberSource or VeriSign.
Was it Nova, Wells Fargo, Vital, BankAmerica, EFS, or ECHO? These are the only big non-regional credit-card processing networks in the US (AFAIK).
<Begin speculation>
Note that there was no mention of the Internet in the press release. This lends credence to the theory it was a private processor network (not TCP/IP or a web site) that got hacked somehow.
It must be a big processor, otherwise Visa/MC would finger them (and therefore shift the blame). It obviously wasn't Amex or Novus as they both offer competing plastic. And I doubt it was a bank-level processor like US Bancorp (again because they are smaller and would have been fingered.)
The people victimized are not just e-commerce shoppers but also customers at the grocery store, the shopping mall, etc. My worry is that it was a really big processor like Nova, which means that 2.2 million could be the tip of the iceberg.
<End speculation>
This story would be more interesting if every last one of the stolen credit card numbers had been used fraudulently. Now that would be an exploit!
-kgj
500 kg of explosives have been stolen from the police evidence warehouse, but none has exploded yet so there's no danger.
And crackers and other salty biscuits are making plans to take over the world.
"I used to have that really cool,funny sig
"Credit cards weren't invented last year. Back when they were invented, this was some major technology. Can you imagine? A piece of plastic with a magnetic stripe on the back?"
No offense, but you have to look back a little farther than that for the roots of credit card technology.
Back when credit cards were REALLY invented (1950), there was no mag stripe, just the embossed account numbers on the plastic. When you presented your card to a merchant, they were supposed to check a book of closed/fraudulent account numbers to make sure yours wasn't listed (I think they mailed these out monthly). The account numbers, like many states' driver's licenses or physician's DEA numbers, could also be checked for internal validity by using an algorithm. (Big flaw in that system was that your clerks had to have passed ninth grade math -- digital calculators were still decades in the future.)
I agree with your point that credit card companies pass costs through rather than absorb them. Fraud is simply a cost of doing business to them, and they make a hell of a lot more money if they paper over fraud and ID theft. Why? Because the key to the credit card issuing game is, well, issuing. If publicity about stolen accounts gives potential new card holders the willies, then the pyramid starts to fall apart.
Credit cards are the crack cocaine of the financial world, and the card issuers are the guys selling the rocks. They know it's a statistical certainty that x-percent of people who get cards will spend them to the max and then be unable to pay the cards off, and so, prevent being kicked to the highest APR bracket. Your first rock is usually free, too... ID theft and computer fraud are simply a tax the card issuers are willing to pay to keep the crack house open.
So we hear about this cracker who stole two million numbers or whatever. For every one of these guys, how many do we NOT hear about?
Heh. I haven't read all the posts on this article yet, but I'm sure I'm not the only one that's thinking about this "coincidence" ...
Starting at the beginning of the month, and every 4 days since then, someone has been using my friend's Visa card to buy Calcium Pills and have them shipped to his house. This is the first time this had ever happened to him.
The people made 3 orders using two different email addresses. When the first orders arrived at the door, he called the Bank and had them put a stop on his card. There were two more attempts made, and the email addresses where the orders originated (at least the order confirmations weren't bounced back) were then delivered to the police, and our district attorney's office. We have yet to hear from anyone on the matter.
Whether this has anything to do with what has happened is beyond me, but it's a little interesting that this happened at the same time.
400 Person LAN for Charity: Zion LAN 2005
But what usually is ignored is that while the consumer might not have to pay, the merchant who sold the goodies does have to pay. The credit card issuer doesn't pay for fraudulent charges -- they get "charged back" to the merchant who made the charge, and the merchant pays, plus a "chargeback fee" of $15 - $50 per transaction. It's one thing for a software download to go unpaid, it's quite another for a merchant to ship actual physical goods and not get paid for them.
Eventually the consumer does end up paying for fraudulent credit card charges, but just like insurance premiums, where any individual charges or payments might be small relative to the total public cost of the incident, you can be sure that in the aggregate the fees, interest, and other charges imposed by the credit card issuing banks will cover their losses and still make a profit, and the prices merchants have to charge for goods will, in the long run, certainly have to cover their losses and still make a profit.
In other words, the cost of credit card fraud is shifted away from the consumer (who is innocent of any single fraudulent charge on their particular card, so of course should not be forced to pay it), and becomes instead just part of the cost of doing business for everyone on the other side of the transaction.
In theory, practice and theory are the same. In practice, they rarely are.
2.2 million cards isn't that many so I don't think it was a major gateway. I bet some vendor kept credit cards on record and had lousy security. Also if there was a gateway problem we would see some missing AmEx and Discover. Lots of vendors just accept Visa and Master (it's the basic package man)
We use a randomly generated code specific to each transaction, user, time, and credit card that only our bank (in theory) can track back to an actual credit card. We don't know and therefore don't have any of our customers' credit cards.
-888 Geek Help (888-433-5435)
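The scheme described in the comment above (a random per-transaction code that only the bank can map back to a card), sketched as an added example that is not part of the original thread or any poster's code. The class and function names, the 300-second expiry and the test card number are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Binding:
    """What the bank remembers about one token (hypothetical record layout)."""
    pan: str            # the real card number; never leaves the bank
    cardholder: str
    merchant_id: str
    amount_cents: int
    expires_at: float
    used: bool = False


class BankTokenVault:
    """Bank side: the only place where a token maps back to a card."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._bindings = {}

    def issue(self, pan, cardholder, merchant_id, amount_cents):
        # The token is pure randomness, not a hash of the card number:
        # card numbers have so little entropy that a hash could be
        # brute-forced back to the number by whoever steals the merchant's data.
        token = secrets.token_urlsafe(24)
        self._bindings[token] = _Binding(
            pan, cardholder, merchant_id, amount_cents,
            expires_at=self._clock() + self._ttl,
        )
        return token

    def redeem(self, token, merchant_id, amount_cents):
        """Return 'approved' or a decline reason; a token settles at most once."""
        b = self._bindings.get(token)
        if b is None:
            return "declined: unknown token"
        if b.used:
            return "declined: token already used"
        if self._clock() > b.expires_at:
            return "declined: token expired"
        if b.merchant_id != merchant_id or b.amount_cents != amount_cents:
            return "declined: binding mismatch"
        b.used = True
        return "approved"


class MerchantOrders:
    """Merchant side: stores the token and order details, never the card number."""

    def __init__(self, merchant_id, vault):
        self.merchant_id = merchant_id
        self._vault = vault
        self.records = []   # what an intruder would get from the merchant's database

    def checkout(self, token, amount_cents):
        result = self._vault.redeem(token, self.merchant_id, amount_cents)
        self.records.append(
            {"token": token, "amount_cents": amount_cents, "result": result}
        )
        return result


def demo():
    """Run one purchase plus three abuse attempts against a fake clock."""
    now = [1_000.0]
    vault = BankTokenVault(ttl_seconds=300, clock=lambda: now[0])
    shop = MerchantOrders("shop-1", vault)
    other = MerchantOrders("shop-2", vault)
    test_pan = "4111111111111111"   # constructed test number, not a real account

    token = vault.issue(test_pan, "alice", "shop-1", 2599)
    out = {"first": shop.checkout(token, 2599)}
    out["replay"] = shop.checkout(token, 2599)          # stolen token reused

    token2 = vault.issue(test_pan, "alice", "shop-1", 500)
    out["wrong_merchant"] = other.checkout(token2, 500)  # used somewhere else

    now[0] += 301                                        # past the expiry window
    out["expired"] = shop.checkout(token2, 500)

    stolen = repr(shop.records) + repr(other.records)
    out["pan_in_merchant_data"] = test_pan in stolen
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A dump of the merchant's records yields only spent or expired tokens, so the breach the thread is discussing would expose nothing chargeable at the merchant; the card numbers are concentrated in the bank's vault, which becomes the one system that has to be defended.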
How is it that a credit card company can determine (within hours!) that not a single one out of their +2 MILLION accounts has been tampered with, but yet, it takes them like 3 months to resolve a single dispute over an unauthorized charge to *my* account?
I used to have a pretty good bullshit detector.... Until this Timmy-riffic article came along and broke the fucking needle off, that is.
Bowie J. Poag
The number of cards is too large for any gateway IMHO. I will bet money that a private processor network got hacked, or the central database for said network, i.e., ECHO, EFS or something on that scale.
These networks are used for dialup and leased line access for authorizations. This means your grandmother's card used at the grocery store could now be in the hand of a hax0r.
Reuters is reporting 5 million cards.
Somebody collected 2.2 million AOL disks (not hard to do), and needed CC's to activate them all.
Most of the AOL CDs (no apostrophe in a pluralized acronym) I have seen lately state pretty loudly on the packaging that a CC is no longer required for activation of the trial account.
I pledge allegiance to the flag...
of the Corporate States of America...
This whole thing is part of George W. Bush's new economic stimulus plan! Give everyone's credit card to some millionaire's son, and he spends it all on cars, porn, liquor, etc., and bit by bit the whole economy will recover!
Repeal the DMCA!
They don't actually say somebody hacked into their network from the internet.
Manipulate the moderator system! Mod someone as "overrated" today.
I know Visa is a secretive company but I find the lack of information to be seriously annoying.
Which company was hacked?
How do I determine if my CC# is part of the 2.2 million obtained?
Can the same routine the hacker used be used against other companies that process CCs?
Did the hacker access the CCs from the internet site directly or use the internet to access the company's internal Intranet to get the CCs?
Of course, this is Visa/MC. They don't have to be nice to customers and give out good info. What are their customers going to do, cancel their cards? (snicker)
... but the merchants that sell goods over the Internet. I used to run a mail order business. We got a lot of orders with people trying to use stolen credit cards. After a while we got really good at filtering these out. But the cost to learn the lessons was high. I can only sympathize with all the new businesses. If they think that matching the shipping/billing address and security code is enough, they are in for a rude awakening.
At the end of the day, the entire loss from these fraudulent transactions is passed down to the retailers, when clearly the morons who are handing out the credit cards to the thieves have some responsibility to share.
if each card costs 25-50 cents to replace ... that's 550k-1.1m dollars.... that should have gone to the following:
... I think you get the point...
.... maybe someone who works there just mailed the database home.
TRAINING STAFF: The first line of defense is someone who won't just give 5 million credit card numbers out over the phone.
TRAINING STAFF: The second line of defense is someone who won't leave their console logged on when they go to the bathroom.
TRAINING STAFF: The third line of defense is someone who doesn't give out his password to someone over the phone.
TRAINING STAFF:
Ok, so maybe it wasn't this easy,
Hacking cash is called "counterfeiting". It's way old school. ;-)
I would like to see it overhauled too. However, I'd prefer to see credit cards that use strong cryptography. These days, we have the proper algorithms pretty much worked out, and we have enough very cheap computing devices available to do it.
Basically, crypto allows you do two helpful things with a good degree of certainty:
Now, the fundamental problem with credit card transactions these days is that, although signatures and photo IDs are used peripherally, fundamentally they are based on the idea (just like social security numbers) that they will be kept secret, because knowing the number allows you to exercise the privileges that come with holding the account. But, there is no way to use the account other than to give away the secret. And worse, you either seriously restrict your buying or you end up giving the secret away to people who you can't really trust and who have no big incentive to protect the secret. And even those who you legitimately want to have the secret (your insurance company) can screw up and overcharge, because they have the power (if not the legal right) to charge your account any amount any number of times once they have the secret.
Cryptography can basically eliminate all those problems.
Here's how I envision a future credit card transaction working:
There would be some drawbacks (big effort to change over, etc.), but the following benefits would, I think, outweigh them:
OK, I could go on, but basically the situation right now is that the system is horribly insecure, and we're relying on legal penalties to try and prevent fraud. But, with strong cryptography, we have the capability to do a million times better, and it really wouldn't be all that inconvenient. And the scary part is, a working prototype of this system can be built in maybe 24 hours using Perl and GPG or similar.
Online Viagra purchase: $150
Trisexual Midget porn : $55
Buying it on someone else's credit card so that your wife never finds out: Priceless
There's some things that money can buy but you'd rather it not be your own. For everything else, there's Mastercard.
I wonder if anybody knows which company does the actual transactions, a.k.a. who was actually hacked? I know of one large credit card transaction processor, Firepay, but I'm not sure if they're the official one for VISA/MC.
---
"The chances of a demonic possession spreading are remote -- relax."
Since I work for one, I'll be AC for now.
CC companies foot the bill for fraud, as long as there was no gross negligence on the part of the merchant (and some other rules). That would translate into vastly dissimilar signatures, a white dude using a black dude's card (with a photo) and so forth.
There are several reasons why cc technology is slow to roll out. The current way liability is distributed between issuer and acquirer (you have your customer relationship to the issuer, while the merchant has their relationship to the acquirer), there is insufficient incentive to invest the billions of dollars a smart card rollout costs. There are even incentives in the system to underreport fraud. It is simply more cost effective to monitor the transactions, and use software+humans to identify fraud as early as possible. Remember, most fraud is "skimming" (copy the magstripe, put it onto a counterfeit card). Skimming will happen as long as we have a magstripe, and there is little incentive for developing nations to implement smart cards. That means that the magstripe will be around for a looong time. So, a smart card solution would only reduce the problems to an unknown degree (since the fraud would migrate across borders). The alternative is to make cards that only work in countries with interoperable smart cards.
Simply put, there are more cost effective ways of handling fraud without alienating your customers (PIN entry is really not an option, since people forget their PIN all the time on low-usage cards)
For online authorizations, I think the one-use cardnumber is a good solution, as well as the idea of a browser plug-in.
Of course, I have wet dreams of biometrics. We might actually see that sometime. There will be a rollout of smart cards at SOME point, and the longer that takes, the lower the extra cost of using biometrics. We'll see.
Thank goodness my Visa Checkcard has a negative balance right now! :)
Denied!
Steve Magruder, Metro Foodist
Mine was stolen, but the thief's using it less than the wife did.
ba-dum ching!
A third party processor could be, for example, Authorize.net, Verisign, Card Service Intl, or any of the other Payment Gateways, I believe.
I know it sucks that we can't find out which third party processor it is, so we can all stop using them, but I'll take the unpopular position that it's a good idea to not have that information disclosed to the public.
The bad publicity from a mess like this could put a struggling company out of business when everyone stops using them. Do they deserve to go out of business? Sure, but that's not the point.
If a company discovers someone has hacked into one of their servers with access to a database full of credit card numbers, and they know that notifying Visa, MasterCard, and the FBI is going to put them out of business with bad publicity, how many companies are going to report it?
They could rationalize that while there is evidence the server was cracked, there is no proof that someone actually downloaded credit card numbers from the server. Maybe it was a worm that just infected the server and tried to find more vulnerable servers, and did nothing more. Or maybe they were just setting up an ftp server for their mp3 collection.
Is it worth publicly releasing this information that right now only 3 people in the company know about, and all but guarantee they will go out of business? Or should they just rebuild the server, fix the problem, and hope that no credit card numbers were stolen, and if they were, that they don't get traced back to you if they are used fraudulently?
Personally, I was in that situation two years ago, and we opted to just rebuild the server and hope that the 10,000 credit card numbers sitting on the cracked server were never found. Was it the right thing to do? No. Was it illegal? Hard to say. But the negative impact to the company could have been devastating, so we decided to report nothing. We never heard about any of the credit cards being used fraudulently, which wasn't surprising, and we went out of business a year later anyway, which also wasn't surprising.
So my point is, if companies that get cracked can report it without having to go public, Visa and MasterCard would probably be able to stop a lot more fraud before it happens. I would guess the vast majority of known server compromises go unreported now because companies are afraid to come forward and tarnish their name.
They're not "profiling your consumption," because it's not your money you're spending - it's theirs. Until you pay your bill, you've spent THEIR money, and thus they have every right to track what you buy and protect their money from being spent fraudulently.
If someone steals your card and charges up $10K, who do you think gets stuck with the loss? Certainly not you! So if you want them to stop watching what you buy, I'd suggest you agree to be liable for any and all fraudulent charges, without limitation.
Take a Valium, you paranoid, X-File watching, crop-circle worshipping, black-helicopter-fearing freedom-junkie. If you're so scared of it, then cut up your credit card and pay for everything with cash.
On a side note, is anyone else a little worried about how it is presently impossible to live without a bank? In Canada, stores are not obligated to accept cash. That surprised me. It seems to me that cash should be the one thing stores should not be allowed to decline. If I choose to pay for my gas with cash, I should be allowed - but that right is not guaranteed in Canada. Think about all the bills you pay in a month. How many of them could be paid with cash? My car payment comes out of my bank account. So does my mortgage. None of my utilities accept cash; cheque or automatic withdrawal only (i.e., bank account required). Is it possible to carry on a normal life without a bank account in present day?
Like woodworking? Build your own picture frames.
Perhaps it's time credit cards went public key. That way you could sign the transaction rather than just handing out the magic number to your account.
pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....
I think the moral of the story is that CCs are *really* bad from an authentication point of view. For chrissake, the *number* is enough to let you bypass the thing.
A replacement (probably public key/smartcard) system would be a *much* better idea -- you'd have to physically steal a card to abuse it. No more grabbing a database or a receipt and having free rein.
There are only two drawbacks to this: first, there's a *huge* installed base of CC users and support, and second, anyone instituting it (VISA, whatever) is going to have to overcome temptation to try charging percentages of transactions (the reason we don't have e-cash now is because of overly greedy financial services companies who couldn't manage this).
May we never see th
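The idea raised in the comments above, signing each transaction with a key held on the card instead of presenting a reusable number, as an added example that is not part of the original thread. It uses Node's built-in Ed25519 support; the card identifier, merchant name and message layout are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Fixed field order so card and issuer sign/verify identical bytes.
function canonical(tx) {
  return Buffer.from(JSON.stringify([tx.cardId, tx.merchant, tx.amountCents, tx.nonce]));
}

// Simulated smartcard: the private key stays inside this closure.
function makeCard(cardId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { cardId, publicKey, sign: (tx) => crypto.sign(null, canonical(tx), privateKey) };
}

// Issuer: knows only public keys, and remembers nonces it has already accepted.
function makeIssuer() {
  const keys = new Map();
  const seen = new Set();
  return {
    register: (card) => keys.set(card.cardId, card.publicKey),
    newNonce: () => crypto.randomBytes(16).toString('hex'),
    authorize(tx, sig) {
      const pub = keys.get(tx.cardId);
      if (!pub) return 'unknown-card';
      if (!crypto.verify(null, canonical(tx), pub, sig)) return 'bad-signature';
      if (seen.has(tx.nonce)) return 'replay';
      seen.add(tx.nonce);
      return 'approved';
    },
  };
}

function demo() {
  const issuer = makeIssuer();
  const card = makeCard('CARD-0001'); // constructed identifier
  issuer.register(card);
  const tx = { cardId: card.cardId, merchant: 'example-shop', amountCents: 1999,
               nonce: issuer.newNonce() };
  const sig = card.sign(tx);
  const first = issuer.authorize(tx, sig);
  // A (tx, sig) pair copied from a merchant's records is not reusable:
  const replay = issuer.authorize(tx, sig);
  const altered = issuer.authorize({ ...tx, amountCents: 999900 }, sig);
  // Knowing the card identifier without the card's key does not help either.
  const tx2 = { ...tx, nonce: issuer.newNonce() };
  const forged = issuer.authorize(tx2, makeCard(card.cardId).sign(tx2));
  return { first, replay, altered, forged };
}

console.log(demo());
```

What a merchant database would hold under this scheme is a set of spent signatures, each bound to one merchant, amount and nonce, rather than a number that authorizes arbitrary future charges.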
Credit cards work both ways. Be intelligent, and they will be an asset. Be stupid, and they will be a liability.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
They have to do that when such things happen.
So people can effectively control their bank account.
Do they expect that all internet users check their bank account usage from now for 12 months or more?
A serious company would do that.
It is better to send 2 million people in panic than 40 million (or 560)
They're so poor they send a press note claiming nobody used the c.cards
mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...
There are ongoing frauds where small amounts in fraudulent "service fees" or subscriptions to porn sites are being charged on hundreds of thousands of cards every month. The charges are small enough that most card holders don't bother to track them down and get hit up month after month for years.
There is a web page about one of these frauds here. In this particular fraud the card numbers were taken from a shady bank that did CC transactions for porn sites. The con men would make charges under a variety of entities posing as subscription based porn sites so the card holder would not only be paying for his original porn purchase but other fraudulent ones besides - pretty smart because it wouldn't set off any alarms at the card company (the guy is already making legitimate purchases of that particular product) and the numbers are small enough that the guy wouldn't bother doing anything about it if he even notices. Since it's porn, and some of it he really *did* sign up for, he might be too embarrassed to do anything about it even if he realises some of the charges are fraudulent. This particular fraud ended up making between $40 and $50 million dollars off of about 900,000 card holders.