ID Thieves Target Smaller Businesses

wiredog writes, "The Washington Post writes about real-time credit-card theft from small merchants (registration required). An accompanying Security Fix blog commentary from Brian Krebs describes '...10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.' Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?" The article and blog commentary also cast doubt on the efficacy of online "hacker testing" services.

Hmmm.

[The+Living+Fractal]

Here's what I wonder...

Say I happen to like this online retailer, and they happen to have good prices. Say they might cut corners on security so they can pass the savings on to me, the consumer. Then also say that in my account with them I offer no social security number and pay with a check card. Furthermore, let's assume that in using my check card I transfer only the money I need to use to the checking account from the savings account (this is done easily online with my bank), thus after using said money anybody who did happen to get my card details won't be finding any money in the account anyway.

So, how exactly am I at risk? I have a bank account that stays at basically zero balance except during the exact moments I intend to use the money. Call it a safety net... I mean this as a serious question. How am I at risk? Looks like I'm the one saving money here.

Re:Hmmm.

[rascanban]

Well, for one, you are assuming that this series of activities is going to be available to you every time you want to purchase something online. This involves at least one additional step on your part. Remember Murphy's Law? One extra piece in the puzzle means one more thing can go wrong. The "bad guys" can monitor your account, set up bots to do it, or even guess that in the holiday season you may be using your card more than in March or August. The human factor can help them write code to get your money, even with such steps in place. And, I don't know about you, but my time and brain capacity can be better used that remembering to do the steps you outlined above. And, finally, time is money. Money is power. You spending time on this decreases power, transitively.

e-card

[Big+Nothing]

I know this is a bit off topic; presenting a solution (sort of) instead of bitching about the problem, but here goes nothing:

Living in Sweden, I am using an "e-card" system offered (for free, as in beer) by my bank for all my online purchases requiring credit card information. I bet this system is available for you yanks as well as in most other industrial countries, but for those of you who are unfamiliar with the concept, here's a description:

* On any online shop, when you've finished stuffing your shopping basket and head for the counter, you chose "credit card" just like you normally would.
* Instead of using your ordinary credit card, you generate a time limited, amount limited virtual credit card. For all intents and purpose, this "electronic Visa" is no different from a regular Visa card.

The advantage is that - even if a man-in-the-middle-attack - intercepts your order, the amount limit would hinder the culprit from stealing any money. And you don't have to worry about the shop losing the database containing your CC number; it's only valid for a month - and doesn't contain any money anyway.

I've used this solution for a few months now, ordering from companies in Sweden and USA, by online order form and phone order. It works like a charm each time - no fuzz.

Re:(registration or bugmenot required)?

[Rob+T+Firefly]

The way I prefer to do online shopping is with a checking account that has a Visa/MC debit card linked to it. That way, I can use online banking to transfer the precise amount I want to spend into my designated "e-commerce-only" account before I do it. It adds an extra step to each transaction, but it's worth it to me since even if someone had the complete CC info for that card, chances are the charge would be denied. And, if you set it up at the right bank, it's all totally free.

cc fraud

[Feyr]

on a related note, credit card thieves in africa are using non-profits "donation" pages (those who accept CCs) to test their newly stolen cards. one of our customer has multiple occurences of one scammer doing 3 transactions within a few minutes, two times for small amounts (1-2$) and one larger amount (~50$)

That is why you use virtual credit card numbers

[RootWind]

The virtual credit number feature is a god send for online shopping. I use the one from Citibank. The virtual card number has a one month expiration date, and is tied to a single merchant (and can have a set spending limit). You can even close the number early if you have to. This is also especially helpful for doing "free trials" since you can close the virtual account after using it so they will never be able to "mistakenly" charge you later. Discover and MBNA also have similar features. I believe Discover actually lets you have a virtual account that lasts longer than a month.

The services suck... I was recruited by scanalert.

[sethawoolley]

as I wrote about in my blog about being recruited by one:

http://swoolley.org/blog.cgi/scanalert

They can't even keep their own site secure.

Re:Moo

[peragrin]

nope still get that kind of problem ia brick and motar store. Routinely i get emails asking for me to send 500+ smoke detectors to some place overseas.

Recently I got an IRC(internet relay call for deaf people)about a couple of random items plus 800 smokes. I gave the guy my email address, and thinking it was legit but suspiscous we passed one email back and forth and he forked over three credit card numbers just like that. Asked me to spilt the down paymet up between the three. I told him I couldn't do it over the net, and he needed to come into the store. Haven't heard from him since.

Scammers are branching out. IR calls aren't cheap. Also credit card companies are getting mroe and more stringent in how different companies accept cards.

I think the difference is deeper than that

[blueZ3]

It's not just that brick-and-mortar stores have had longer to learn about security (though that's true)--it's that there's a whole different level of audacity (for want of a better word) involved in standing in line, paying for an item, and then brazening it out when the cashier asks to see ID.

Sitting in your parent's basement hacking databases there are layers of obscurity between you and the "scene" of the crime. For a careful hacker, there can be enough layers of indirection that getting caught borders on the impossible. In order to be apprehended, a long chain of events must occur: the retailer has to figure out they've been hacked, you have to make a mistake that leaves tracks for the authorities to trace, and someone in law enforcement has to have the skills, time, and drive to track you down. On top of that, once arrested, the jury must be able to be convinced that those obscure technical details do indeed mean that you were the one who did the deed.

The perceived danger of remotely hacking a system (and the cost-to-benefit ratio) is lower than standing at the cash register, with the possibility that a security guard, or even a plainclothes police officer, might be nearby. I think this is much like that lack of civility that we seen in online forums; people will write things on Slashdot that they would never dream of saying in the presence of coworkers (I'm thinking here primarily of sexist and racist comments, but some of the more extreme personal insults might fall into this category too).

It's not so much experience that makes the difference. It's the criminal's ability to assess risk.