Slashdot Mirror


ID Thieves Target Smaller Businesses

wiredog writes, "The Washington Post writes about real-time credit-card theft from small merchants (registration required). An accompanying Security Fix blog commentary from Brian Krebs describes '...10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.' Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?" The article and blog commentary also cast doubt on the efficacy of online "hacker testing" services.

4 of 97 comments

  1. Nothing wrong with their efficacy... by tygerstripes · · Score: 3, Informative
    Maybe it's the "services" themselves you should be worrying about...

    Okay, that's a bit of a cheap stab, but it's important to remember that white-hats and black-hats are only separated by the particular direction their careers took them (consider that "security consultant" guy in NZ who narrowly escaped a conviction).

    There's no such thing as a completely secure system. A security cracking service for testing your systems is paid to identify weaknesses, but there's no way they could make sure you were completely secure - their motivation is to do a decent job and get paid, which means identifying obvious flaws and telling you how to fix them. They're not going to spend their waking lives figuring out how to breach it.

    If a black-hat of a similar caliber really wants to, they'll find a way into your system. It just might take time. Mostly though, they want into the easiest systems they can penetrate, so getting a white-hat in to make their job harder is worthwhile - it's just not a guarantee.

    --
    Meta will eat itself
  2. Virtual credit card... by fahrbot-bot · · Score: 2, Informative
    The best advice that I think that I could give anyone for buying anything online ... would be to use a credit card...

    Better yet, some credit cards offer the ability to create virtual cards for specific amounts and defined time periods. The "cards" validate just like the real thing and are linked to your real card, but are only valid for a defined period, amount, or number of transactions.

    --
    It must have been something you assimilated. . . .
  3. Re:Liability by RicoX9 · · Score: 3, Informative

    You operate under a huge misconception. The credit card companies risk very little. The online merchant who accepts a fraudulent transaction is the one who takes the risk. It is part of your merchant agreement that they can charge back any contested or fraudulent charge. You should worry about security - those fraudulent purchases add to the merchant's bottom line, raising prices to all of us.

    I had a computer store for 8 years, I learned a lot about credit card companies the hard way. People who just don't want to pay for services can just call and complain to the CC company and voila! - No more charge and I'm out a hundred bucks. I even had a group of scammers calling one fall with stolen CC #'s and purchasing laptops to ship out of state (we are near a military base and the stories they used made sense at the time). I got hit with over $20,000 worth of fraudulent purchases over a couple of months before we got the first inquiry from the CC companies about them and figured out what was going on.

    At that point, I quit taking phone orders. Required ID for every purchase from someone I didn't know. Imprinted every card, every time, even though we were doing electronic approvals.

    The credit card companies get you coming & going. As a merchant, I had to pay 4% off the top when I did paper filing only. When I went electronic, the rate went to 2.1%. Add that to the interest & fees the consumer pays on any balances they carry. Add the merchant taking the risk for fraudulent purchases.

    Where exactly do the CC companies take losses?

  4. Merchants who store CC data are playing with fire. by FacePlant · · Score: 1, Informative

    There is no reason I can think of for a merchant to store CC data in their e-commerce application's database. All they need is to go to their CC gateway's console, and they can deal with all of their transactions.

    Need to reprocess the card due to a glitch? Pick up the phone, your customers will appreciate the personal touch.

    Storing card numbers is like stockpiling nukes. A bad accident waiting to happen.

    No thanks.
    I have enough worries having to maintain a password file for customers who want to have "accounts".

    --
    My Heart Is A Flower