Slashdot Mirror
Cracker Gains Access to 2.2 Million Credit Cards
Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....
Damn white boys need to stay away from them computers!!
This is a great security threat for our nation! Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!
---
Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
2.2 million...it will be interesting to see what happends when who ever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?
Should prove interesting as these numbers start getting used. 2.2 is a little large of a block to just re-issue.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
I guess tomorrow all the online pr0n stores will be sold out of everything!
You mean 'none of them seem to have been used fradulently YET'
Fortunately, none of them seem to have been used fraudulently
Uh, yeah, because it's so easy to verify that two MILLION credit card numbers haven't been used fraudulently.
I mean, come on, just through coincidence I'm sure some of the physical cards themselves have been stolen recently and used fraudulently.
Comment removed based on user account deletion
I heard on TV that they have contacted the issuing banks. I am going to call tomorrow and find out if mine was hijacked, then if I can get these charges to CompUSA removed
With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?
Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.
At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.
But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Remember, Credit Cards companies use neural networks to analyse transactions and decide whether or not they may be faulty, and the success-rate of these babies is higher than you may suspect (okay, I don't have a web-link, I read it in a pop-sci book on maths, biology and AI). So you may be short a few dollars, which isn't good (don't get me wrong), but unless you normally spend $hitload$ of money, they won't be able to buy a Ferrari or anything (mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...)
This sig intentionally left bla... dammit!
Who's got the whiteout?
New leaf my ass. Welcome back, Kevin ;-)
I like those odds - not a single fradulent use in 2.2 million cards.
Hell i've had 3 fradulent transactions and only own 3 credit cards and two debit cards.
One thing i've noticed is that my card company seem good at stopping me from spending when they think i'm fradulent. Just put 7 currencies on your card in as many days and alarm bells seem to ring somewhere.... but catching real theives is a little too tricky
Nice informative article. No mention of which credit card processor this was. It'd be nice to know if it's one that one of my clients uses. Anyone know the identity of the victim?
SONY. Because caucasians are just too damn tall.
I do notice that sometimes, very rarely though, that sites will ask for that extra three digit code on the back of the card, to verify that you do in fact have the card in your hand. This the same concept as a PIN and I don't see why more web sites aren't doing it. It's not like they have to completely revamp their way of accepting credit cards, it should be a very simple fix.
Makes me want to go back to barder. Do you think ThinkGeek would accept two dead chickens and a half wheel of gouda for one of those mini tanks with the camera?
this report says 5 million cards
1 7/ rtr881826.html
http://www.forbes.com/markets/newswire/2003/02/
Citizens Bank, a financial institution serving the Northeast, shut down the accounts of 8,800 customers whose card numbers had been accessed after being notified by MasterCard on Friday, bank spokeswoman Pamela Crawley said. All of those accounts were safe, she said.
I'll bet those people are just *thrilled* to have their accounts locked out. How many people are going to find their card mysteriously declined when doing their weekly grocery shop then ? I'm betting the bank hasn't made 8,800 phone calls to explain their position.
Hell of a way for VISA/MC to limit their liability - just cancel their cards ??Never, ever lose a file again. Ever.
You get the idea.
You'll have that sometimes...
How on earth do they know that none of 2.2 million credit cards has been used fradulently in the last 24 hours? Seems pretty impossible to me. I'll bet some of them have for reasons completely unrelated to this hacker anyway. How can you verify something like that on such a huge scale?
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
obviously the humor in the use of the word "cracker" in the article title was lost.
From the article, it appears that Visa is saying that none of the flagged numbers have actually been used after the specified date and time.
Here are a few things I'd like to see in the credit card infrastructure.
Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.
Inquiring minds want to know...
Well, I can imagine that if EVERYONE in the world got a list of a few million credit card numbers, you would suddenly see an awful lot of fraudulent purchases! I for one would be tempted, not to do something to get me in trouble (well they can try), but more likely a visit to my local net cafe to send some presents. Let's see:
- A full compendium of all O'Reilly Free software books, Debian DVD sets and an X-Box with the LinuxBios Mod installed for Bill Gates, Steve Ballmer, Scott McNeilly, Michael Dell and anyone else on those lines who took my fancy and whose address I could find. I might even send one to every elected official in my country while I'm at it!
- Amazon's entire porn collection (they have one I presume) for every censor on the planet.
- A cross sending of every spammers products I could come up with to all the other spammers.
God only knows what else could take my fancy, and god only knows how many orders would actually be filled. Heaven forbid anyone found a well known persons card in there, say Jack Valenti, I think he would find himself making some massive (or massive numbers of) donations to Mplayer, Freenet and any projects people could find which he campagins against.Do you REALLY think that people would hear on the radio about the 2.2 million credit card numbers 100 million people just recieved and think, "oooooooh they're gonna catch me if I touch them!"
The far more probable outcome is that an email of about 4 Mb (2,200,000 CC# * 20 bytes @ 90% compression) sent to 100 million people (or whatever the latest net use figures are) would be stopped at most ISPs very, very, very quickly as it would be lauching a large spam based DDOS against them (unless I underestimate the backbone out there). Sure it would get through to a lot of people, but unless it gets through to 10+% of hotmail or something similar, most users will have the fear you describe put into them.
A far more interesting prospect would be if instead of plain e-mailing the list around, a virus was used to propagate the data covertly by infecting web and/or email servers. If you get a web-server, you get it to gather the list and take part in attacking more hosts and passing it onto them, you also get it to add a link to every page at the trigger time so all visitors to that site gain access to the list. If you get an e-mail server, you just need to get the data there once and explode it out to all local mailboxes at the same trigger time (aswell as using the host to propagate). Then it comes down to a question of trying to balance the timings to maximise the number of boxes unchecked by the time of revelation.
Of course is there anything to stop the crackers from just dumping the data into all the P2P networks and letting it spread from there?
Finally I have to point out that I have no interest in obtaining these numbers (or any others, except my own :-) and I am certainly not advocating credit card fraud. Just saying that if an opportunity like you described (every email box got the list) came my way, I would be very tempted to try and enjoy myself with some humourous (to me) exploits from a safe place and that there would probably be tens or hundreds of thousands of other following suit. Damages would rack up pretty quickly.
Never underestimate the dark side of the Source
But what usually is ignored is that while the consumer might not have to pay, the merchant who sold the goodies does have to pay. The credit card issuer doesn't pay for fraudulent charges -- they get "charged back" to the merchant who made the charge, and the merchant pays, plus a "chargeback fee" of $15 - $50 per transaction. It's one thing for a software download to go unpaid, it's quite another for a merchant to ship actual physical goods and not get paid for them.
Eventually the consumer does end up paying for fraudulent credit card charges, but just like insurance premiums, where any individual charges or payments might be small relative to the total public cost of the incident, you can be sure that in the aggregate the fees, interest, and other charges imposed by the credit card issuing banks will cover their losses and still make a profit, and the prices merchants have to charge for goods will, in the long run, certainly have to cover their losses and still make a profit.
In other words, the cost of credit card fraud is shifted away from the consumer (who is innocent of any single fraudulent charge on their particular card, so of course should not be forced to pay it), and becomes instead just part of the cost of doing business for everyone on the other side of the transaction.
In theory, practice and theory are the same. In practice, they rarely are.
They dont actually say somebody hacked into their network from the internet.
Manipulate the moderator system! Mod someone as "overrated" today.
Hacking cash is called "counterfeiting". Its way old school. ;-)
Online Viagra purchase: $150
Trisexual Midget porn : $55
Buying it on someone elses credit card so that your wife never finds out: Priceless
There's somet things that money can buy but you'd rather it not be your own. For everything else, there's Mastercard.
That's exactly what I'm talking about - EFTPOS. There is a myth that they clear every txn - they simply don't (I've worked in shops using them, and more recently in the financial sector). As I said, most shops (particularly large department stores and supermarkets) cannot clear the required number of txns quickly enough, so they set a limit - anything below that is just approved automatically provided the card is not on a watch list. The actual value of the limit varies by shop and by day and is secret (as knowledge of it would be useful to a fraudster).
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
Mine was stolen, but the thief's using it less than the wife did.
ba-dum ching!