Slashdot Mirror


ID Thieves Target Smaller Businesses

wiredog writes, "The Washington Post writes about real-time credit-card theft from small merchants (registration required). An accompanying Security Fix blog commentary from Brian Krebs describes '...10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.' Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?" The article and blog commentary also cast doubt on the efficacy of online "hacker testing" services.

19 of 97 comments

  1. First Proust by Anonymous Coward · · Score: 2, Funny

    Only through art can we emerge from ourselves and know what another person sees.

  2. And up go the prices! by Seiruu · · Score: 2, Insightful

    If the prices of your favorite retailer just went up by 10%, it's not because they've invested more in security, but just in /. articles.

  3. (registration or bugmenot required)? by joe 155 · · Score: 2, Insightful

    It didn't seem to be for me; I guess there's no excuse for not RTFA.

    What I would say on this issue though, and what we should have learnt from AOL is that it's not just the small companies who either get compromised or make huge mistakes, it seems rather harsh to focus just on the small companies as if they are always bad. The best advice that I think that I could give anyone for buying anything online (regardless of who from) would be to use a credit card - then your contract is with the credit card company so it's their issue if your data gets stolen or you don't get your goods... and they have deep pockets ; )

    --
    I can't believe it's not a hyperlink.

    1. Re:(registration or bugmenot required)? by Rob T Firefly · · Score: 3, Interesting

      The way I prefer to do online shopping is with a checking account that has a Visa/MC debit card linked to it. That way, I can use online banking to transfer the precise amount I want to spend into my designated "e-commerce-only" account before I do it. It adds an extra step to each transaction, but it's worth it to me since even if someone had the complete CC info for that card, chances are the charge would be denied. And, if you set it up at the right bank, it's all totally free.

    2. Re:(registration or bugmenot required)? by coolgeek · · Score: 4, Insightful

      and they have deep pockets

      This is the most inaccurate idea thrown around about credit card companies. That they have plenty of money and that's how they just forgive various charges on your card when you complain or are defrauded. This is only half true, and that part is that they have plenty of money. Sure, they forgive charges to your cards all the time. But who pays for it? Does anyone really know? Well, any merchant knows that it is the merchant that pays for fraudulent and otherwise disputed charges. That, plus a $30-35 charge just like a returned check fee.

      Sure the credit card companies have a clause if you only ship the goods to the billing address, have AVS verification, make sure the CSC matches, AND have a signature required for the delivery, they claim that they will eat the cost and not pass it on to the merchant. Aside from the fact that shipping only to the billing address will cause one to lose business, in actual experience, I have observed multiple instances of credit card companies claiming the signature was forged for one reason or another. The merchant has no recourse. There is no appeal process. The only recourse is to discontinue accepting transactions from a card vendor, or to accept fraud expenses as part of the cost of doing business, and adjust consumer prices accordingly.

      And to think the article attempts to paint some shade of altruism on these crooks by saying they make a "donation" to charitable causes to verify the card is useable. These crooks are costing these organizations money for the returned charge fees.

      --
      cat /dev/null >sig

  4. Nothing wrong with their efficacy... by tygerstripes · · Score: 3, Informative

    Maybe it's the "services" themselves you should be worrying about...

    Okay, that's a bit of a cheap stab, but it's important to remember that white-hats and black-hats are only separated by the particular direction their careers took them (consider that "security consultant" guy in NZ who narrowly escaped a conviction).

    There's no such thing as a completely secure system. A security cracking service for testing your systems is paid to identify weaknesses, but there's no way they could make sure you were completely secure - their motivation is to do a decent job and get paid, which means identifying obvious flaws and telling you how to fix them. They're not going to spend their waking lives figuring out how to breach it.

    If a black-hat of a similar caliber really wants to, they'll find a way into your system. It just might take time. Mostly though, they want into the easiest systems they can penetrate, so getting a white-hat in to make their job harder is worthwhile - it's just not a guarantee.

    --
    Meta will eat itself

  5. Hmmm. by The Living Fractal · · Score: 4, Interesting

    Here's what I wonder...

    Say I happen to like this online retailer, and they happen to have good prices. Say they might cut corners on security so they can pass the savings on to me, the consumer. Then also say that in my account with them I offer no social security number and pay with a check card. Furthermore, let's assume that in using my check card I transfer only the money I need to use to the checking account from the savings account (this is done easily online with my bank), thus after using said money anybody who did happen to get my card details won't be finding any money in the account anyway.

    So, how exactly am I at risk? I have a bank account that stays at basically zero balance except during the exact moments I intend to use the money. Call it a safety net... I mean this as a serious question. How am I at risk? Looks like I'm the one saving money here.

    --
    I do not respond to cowards. Especially anonymous ones.

    1. Re:Hmmm. by rascanban · · Score: 3, Interesting

      Well, for one, you are assuming that this series of activities is going to be available to you every time you want to purchase something online. This involves at least one additional step on your part. Remember Murphy's Law? One extra piece in the puzzle means one more thing can go wrong. The "bad guys" can monitor your account, set up bots to do it, or even guess that in the holiday season you may be using your card more than in March or August. The human factor can help them write code to get your money, even with such steps in place. And, I don't know about you, but my time and brain capacity can be better used than remembering to do the steps you outlined above. And, finally, time is money. Money is power. You spending time on this decreases power, transitively.

      --
      "Beauty is the ultimate defense against complexity." - David Gelernter

    2. Re:Hmmm. by gEvil (beta) · · Score: 4, Insightful

      If you're doing this you should make sure that you don't have any overdraft protection on your checking account.

      --
      This guy's the limit!

  6. e-card by Big Nothing · · Score: 5, Interesting

    I know this is a bit off topic; presenting a solution (sort of) instead of bitching about the problem, but here goes nothing:

    Living in Sweden, I am using an "e-card" system offered (for free, as in beer) by my bank for all my online purchases requiring credit card information. I bet this system is available for you yanks as well as in most other industrial countries, but for those of you who are unfamiliar with the concept, here's a description:

    * On any online shop, when you've finished stuffing your shopping basket and head for the counter, you choose "credit card" just like you normally would.
    * Instead of using your ordinary credit card, you generate a time-limited, amount-limited virtual credit card. For all intents and purposes, this "electronic Visa" is no different from a regular Visa card.

    The advantage is that even if a man-in-the-middle attack intercepts your order, the amount limit would hinder the culprit from stealing any money. And you don't have to worry about the shop losing the database containing your CC number; it's only valid for a month - and doesn't contain any money anyway.

    I've used this solution for a few months now, ordering from companies in Sweden and USA, by online order form and phone order. It works like a charm each time - no fuss.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!

    1. Re:e-card by silas_moeckel · · Score: 2, Insightful

      I think you're missing the point in the US. Visa makes money on CC fraud: it's a $35 fee on every chargeback, and the chargeback is for the full amount, not the 2%ish removed. Visa likes to make everybody think they are being the nice guy and eating the costs, but really they are just fleecing the vendors that are stuck paying the bill or not accepting CC and losing that business.

      Now I would love to be able to have e-cards; they would be perfect if they accepted anything as the billing address (something it took forever to get my bank to do).

      --
      No sir I don't like it.

  7. cc fraud by Feyr · · Score: 4, Interesting

    On a related note, credit card thieves in Africa are using non-profits' "donation" pages (those that accept CCs) to test their newly stolen cards. One of our customers has multiple occurrences of one scammer doing 3 transactions within a few minutes, two times for small amounts ($1-2) and one larger amount (~$50).
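
The probe-then-spend pattern Feyr describes (a couple of tiny charges followed by a larger one, all within minutes on the same card) is easy to pick out of a donation page's transaction log once the records are grouped per card and scanned with a time window. The following detector is an added example and not code from this thread or from any of the sites discussed; the log format, the token names, the amounts and the thresholds (5-minute window, probes of $5 or less, at least two probes plus one larger charge) are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of a donation page's transaction log (not real data, not
# taken from the thread). Each line: ISO timestamp, a card token, amount in USD.
SAMPLE_LOG = """\
2006-11-14T09:02:11 card=tok4111 amount=1.00
2006-11-14T09:03:40 card=tok4111 amount=2.00
2006-11-14T09:05:02 card=tok4111 amount=50.00
2006-11-14T09:10:15 card=tok5500 amount=25.00
2006-11-14T11:30:00 card=tok6011 amount=1.50
2006-11-14T14:45:09 card=tok6011 amount=1.75
2006-11-14T18:12:33 card=tok6011 amount=40.00
"""


@dataclass(frozen=True)
class Txn:
    ts: datetime
    card: str
    amount: float


def parse_log(text: str) -> List[Txn]:
    """Parse the constructed log format above into Txn records, oldest first."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, card_kv, amount_kv = line.split()
        txns.append(Txn(ts=datetime.fromisoformat(ts_str),
                        card=card_kv.split("=", 1)[1],
                        amount=float(amount_kv.split("=", 1)[1])))
    return sorted(txns, key=lambda t: t.ts)


def find_card_testing(txns: List[Txn],
                      window_minutes: int = 5,
                      small: float = 5.0,
                      min_small: int = 2,
                      min_total: int = 3) -> Dict[str, List[float]]:
    """Return {card: amounts} for every card showing the probe-then-spend
    pattern: at least `min_total` transactions inside the window, of which at
    least `min_small` are tiny probes (<= `small`) and at least one is larger.
    The thresholds are assumptions chosen to match the pattern in the comment."""
    window = timedelta(minutes=window_minutes)
    by_card: Dict[str, List[Txn]] = {}
    for t in txns:
        by_card.setdefault(t.card, []).append(t)

    flagged: Dict[str, List[float]] = {}
    for card, items in by_card.items():
        # Slide a window starting at each transaction; items are already sorted.
        for i, start in enumerate(items):
            run = [t for t in items[i:] if t.ts - start.ts <= window]
            if len(run) < min_total:
                continue
            n_small = sum(1 for t in run if t.amount <= small)
            if n_small >= min_small and len(run) - n_small >= 1:
                flagged[card] = [t.amount for t in run]
                break
    return flagged


if __name__ == "__main__":
    for card, amounts in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"possible card testing on {card}: {amounts}")
```

With the default 5-minute window only the first card is flagged; the third card shows the same two-probes-then-spend shape spread over a working day, which a wider window catches, so the window is the knob that trades false positives against slower testers.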

  8. Virtual credit card... by fahrbot-bot · · Score: 2, Informative

    The best advice that I think that I could give anyone for buying anything online ... would be to use a credit card...

    Better yet, some credit cards offer the ability to create virtual cards for specific amounts and defined time periods. The "cards" validate just like the real thing and are linked to your real card, but are only valid for a defined period, amount, or number of transactions.

    --
    It must have been something you assimilated. . . .

  9. Why is The Washington Post surprised at this? by Ynsats · · Score: 3, Insightful

    This just flat out makes sense. If I am looking to acquire credit card information for identity theft or fraudulent purposes, I want to get it as easily and unnoticed as possible. Big companies like Amazon.com and the like invest large amounts of money into security and fraud prevention. They have trained staff whose only purpose is to stop the baddies. Small companies aspiring to be an Amazon.com don't have the capital to invest and therefore rely on 3rd party vendors like Yahoo! Shopping to handle their credit card management. If they don't, then they are an easy target. As my management likes to say, they are "low hanging fruit" and "easy pickings".

    So if I want to steal information, I'm going to go where it is easy to get. It's amazing that it took a study and investigative reporting to "uncover" this whole "conspiracy". Then again, it can apply to brick and mortar stores too, where small businesses can make a dirty habit of tossing credit card signature slips in the trash where an unscrupulous person can make use of them. That's not to say a big chain store wouldn't do that, but they might be less likely to do so. Maybe The Washington Post should investigate that one too?

  10. That is why you use virtual credit card numbers by RootWind · · Score: 2, Interesting

    The virtual credit number feature is a godsend for online shopping. I use the one from Citibank. The virtual card number has a one month expiration date, and is tied to a single merchant (and can have a set spending limit). You can even close the number early if you have to. This is also especially helpful for doing "free trials" since you can close the virtual account after using it so they will never be able to "mistakenly" charge you later. Discover and MBNA also have similar features. I believe Discover actually lets you have a virtual account that lasts longer than a month.
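
Comments 6, 8 and 10 all describe the same mechanism from the cardholder's side: a disposable number that carries its own constraints (expiry, spending cap, single-merchant binding, transaction count, early close) so that a copy leaked from a merchant's database is worth little. The model below is an added example of how an issuer's authorization check for such a number could apply those constraints; it is not code from the thread, from Citibank, Discover, MBNA or any Swedish bank, and the field names, the 30-day default, the decline reasons, the card numbers and the merchant names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class VirtualCard:
    """Issuer-side constraints on a disposable card number. Field names,
    defaults and the 30-day validity are assumptions for this example,
    not any bank's real API."""
    number: str
    issued: date
    limit: Optional[float] = None      # total spend cap; None means no cap
    max_txns: Optional[int] = None     # None means unlimited count
    valid_days: int = 30
    merchant: Optional[str] = None     # locked to the first merchant that charges it
    closed: bool = False
    spent: float = 0.0
    txn_count: int = 0

    def authorize(self, merchant: str, amount: float, on: date) -> Tuple[bool, str]:
        """Decide one authorization request; state is updated only on approval."""
        if self.closed:
            return False, "card closed by holder"
        if on > self.issued + timedelta(days=self.valid_days):
            return False, "expired"
        if self.merchant is None:
            self.merchant = merchant       # first use binds the number to this merchant
        elif merchant != self.merchant:
            return False, "merchant mismatch"
        if self.limit is not None and self.spent + amount > self.limit:
            return False, "over spending limit"
        if self.max_txns is not None and self.txn_count >= self.max_txns:
            return False, "transaction count exhausted"
        self.spent += amount
        self.txn_count += 1
        return True, "approved"

    def close(self) -> None:
        """Holder closes the number early, e.g. after a 'free trial' sign-up."""
        self.closed = True


def walkthrough() -> List[Tuple[bool, str]]:
    """Exercise the failure modes the thread cares about. The card number and
    merchant names are constructed placeholders."""
    card = VirtualCard(number="0000-0000-0000-0001", issued=date(2006, 11, 1), limit=60.0)
    out = []
    out.append(card.authorize("shop.example", 45.00, date(2006, 11, 3)))   # legitimate purchase
    out.append(card.authorize("other.example", 10.00, date(2006, 11, 4)))  # copied number used elsewhere
    out.append(card.authorize("shop.example", 20.00, date(2006, 11, 5)))   # would exceed the cap
    out.append(card.authorize("shop.example", 10.00, date(2006, 12, 15)))  # past the 30-day window
    card.close()
    out.append(card.authorize("shop.example", 5.00, date(2006, 11, 6)))    # post-trial "mistaken" charge
    return out


def single_use_card() -> List[Tuple[bool, str]]:
    """A one-transaction number: a second charge from the same merchant is refused."""
    card = VirtualCard(number="0000-0000-0000-0002", issued=date(2006, 11, 1), max_txns=1)
    return [card.authorize("shop.example", 12.00, date(2006, 11, 2)),
            card.authorize("shop.example", 12.00, date(2006, 11, 2))]


if __name__ == "__main__":
    for ok, reason in walkthrough() + single_use_card():
        print("APPROVED" if ok else "DECLINED", reason)
```

The order of the checks matters: closure and expiry are tested before the merchant binding so that a closed or stale number never silently binds itself to whoever tries it first, and the spend counters are only advanced after every constraint has passed.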

  11. The services suck... I was recruited by scanalert. by sethawoolley · · Score: 2, Interesting

    as I wrote about in my blog about being recruited by one:

    http://swoolley.org/blog.cgi/scanalert

    They can't even keep their own site secure.

  12. Re:Moo by peragrin · · Score: 2, Interesting

    Nope, still get that kind of problem in a brick and mortar store. Routinely I get emails asking me to send 500+ smoke detectors to some place overseas.

    Recently I got an IRC (internet relay call for deaf people) about a couple of random items plus 800 smokes. I gave the guy my email address, and thinking it was legit but suspicious we passed one email back and forth and he forked over three credit card numbers just like that. Asked me to split the down payment up between the three. I told him I couldn't do it over the net, and he needed to come into the store. Haven't heard from him since.

    Scammers are branching out. IR calls aren't cheap. Also credit card companies are getting more and more stringent in how different companies accept cards.

    --
    i thought once I was found, but it was only a dream.

  13. Re:Liability by RicoX9 · · Score: 3, Informative

    You operate under a huge misconception. The credit card companies risk very little. The online merchant who accepts a fraudulent transaction is the one who takes the risk. It is part of your merchant agreement that they can charge back any contested or fraudulent charge. You should worry about security - those fraudulent purchases add to the merchant's bottom line, raising prices to all of us.

    I had a computer store for 8 years, I learned a lot about credit card companies the hard way. People who just don't want to pay for services can just call and complain to the CC company and voila! - No more charge and I'm out a hundred bucks. I even had a group of scammers calling one fall with stolen CC #'s and purchasing laptops to ship out of state (we are near a military base and the stories they used made sense at the time). I got hit with over $20,000 worth of fraudulent purchases over a couple of months before we got the first inquiry from the CC companies about them and figured out what was going on.

    At that point, I quit taking phone orders. Required ID for every purchase from someone I didn't know. Imprinted every card, every time, even though we were doing electronic approvals.

    The credit card companies get you coming & going. As a merchant, I had to pay 4% off the top when I did paper filing only. When I went electronic, the rate went to 2.1%. Add that to the interest & fees the consumer pays on any balances they carry. Add the merchant taking the risk for fraudulent purchases.

    Where exactly do the CC companies take losses?

  14. I think the difference is deeper than that by blueZ3 · · Score: 2, Interesting

    It's not just that brick-and-mortar stores have had longer to learn about security (though that's true)--it's that there's a whole different level of audacity (for want of a better word) involved in standing in line, paying for an item, and then brazening it out when the cashier asks to see ID.

    Sitting in your parents' basement hacking databases there are layers of obscurity between you and the "scene" of the crime. For a careful hacker, there can be enough layers of indirection that getting caught borders on the impossible. In order to be apprehended, a long chain of events must occur: the retailer has to figure out they've been hacked, you have to make a mistake that leaves tracks for the authorities to trace, and someone in law enforcement has to have the skills, time, and drive to track you down. On top of that, once arrested, the jury must be able to be convinced that those obscure technical details do indeed mean that you were the one who did the deed.

    The perceived danger of remotely hacking a system (and the cost-to-benefit ratio) is lower than standing at the cash register, with the possibility that a security guard, or even a plainclothes police officer, might be nearby. I think this is much like that lack of civility that we see in online forums; people will write things on Slashdot that they would never dream of saying in the presence of coworkers (I'm thinking here primarily of sexist and racist comments, but some of the more extreme personal insults might fall into this category too).

    It's not so much experience that makes the difference. It's the criminal's ability to assess risk.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com