Slashdot Mirror
ID Thieves Target Smaller Businesses
wiredog writes, "The Washington Post writes about real-time credit-card theft from small merchants (registration required). An accompanying Security Fix blog commentary from Brian Krebs describes '...10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.' Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?" The article and blog commentary also cast doubt on the efficacy of online "hacker testing" services.
Okay, that's a bit of a cheap stab, but it's important to remember that white-hats and black-hats are only separated by the particular direction their careers took them (consider that "security consultant" guy in NZ who narrowly escaped a conviction).
There's no such thing as a completely secure system. A security cracking service for testing your systems is paid to identify weaknesses, but there's no way they could make sure you were completely secure - their motivation is to do a decent job and get paid, which means identifying obvious flaws and telling you how to fix them. They're not going to spend their waking lives figuring out how to breach it.
If a black-hat of a similar caliber really wants to, they'll find a way into your system. It just might take time. Mostly though, they want into the easiest systems they can penetrate, so getting a white-hat in to make their job harder is worthwhile - it's just not a guarantee.
Meta will eat itself
Here's what I wonder...
Say I happen to like this online retailer, and they happen to have good prices. Say they might cut corners on security so they can pass the savings on to me, the consumer. Then also say that in my account with them I offer no social security number and pay with a check card. Furthermore, let's assume that in using my check card I transfer only the money I need to use to the checking account from the savings account (this is done easily online with my bank), thus after using said money anybody who did happen to get my card details won't be finding any money in the account anyway.
So, how exactly am I at risk? I have a bank account that stays at basically zero balance except during the exact moments I intend to use the money. Call it a safety net... I mean this as a serious question. How am I at risk? Looks like I'm the one saving money here.
I do not respond to cowards. Especially anonymous ones.
I know this is a bit off topic; presenting a solution (sort of) instead of bitching about the problem, but here goes nothing:
Living in Sweden, I am using an "e-card" system offered (for free, as in beer) by my bank for all my online purchases requiring credit card information. I bet this system is available for you yanks as well as in most other industrial countries, but for those of you who are unfamiliar with the concept, here's a description:
* On any online shop, when you've finished stuffing your shopping basket and head for the counter, you chose "credit card" just like you normally would.
* Instead of using your ordinary credit card, you generate a time limited, amount limited virtual credit card. For all intents and purpose, this "electronic Visa" is no different from a regular Visa card.
The advantage is that - even if a man-in-the-middle-attack - intercepts your order, the amount limit would hinder the culprit from stealing any money. And you don't have to worry about the shop losing the database containing your CC number; it's only valid for a month - and doesn't contain any money anyway.
I've used this solution for a few months now, ordering from companies in Sweden and USA, by online order form and phone order. It works like a charm each time - no fuzz.
SIG: TAKE OFF EVERY 'CAPTAIN'!!
The way I prefer to do online shopping is with a checking account that has a Visa/MC debit card linked to it. That way, I can use online banking to transfer the precise amount I want to spend into my designated "e-commerce-only" account before I do it. It adds an extra step to each transaction, but it's worth it to me since even if someone had the complete CC info for that card, chances are the charge would be denied. And, if you set it up at the right bank, it's all totally free.
Slashdot Burying Stories About Slashdot Media Owned
on a related note, credit card thieves in africa are using non-profits "donation" pages (those who accept CCs) to test their newly stolen cards. one of our customer has multiple occurences of one scammer doing 3 transactions within a few minutes, two times for small amounts (1-2$) and one larger amount (~50$)
This just flat out makes sense. If I am looking to aquire credit card information for identity theft or fraudulent purposes, I want to get it as easily and un-noticed as possible. Big companies like Amazon.com and the like invest large amounts of money into security and fraud prevention. They have trained staff whose only purpose is to stop the baddies. Small companies aspiring to be an Amazon.com don't have the capital to invest and therefore rely on 3rd party vendors liek Yahoo! Shopping to handle thier credit card management. If theey don't then they are an easy target. As my management likes to say, they are "low hanging fruit" and "easy pickings".
So if I want to steal information, I'm going to go where it is easy to get. It's amazing that it took a study and investigative reporting to "uncover" this whole "conspiracy". Then again, it can apply to brick and mortar stores too where small business can make a dirty habit of tossing credit card signature slips in the trash where an unscrupulous person can make use of them. that's not to say a big chain store wouldn't do that but they might be less likely to so. Maybe The Washington Post should investigate that one too?
and they have deep pockets
This is the most inaccurate idea thrown around about credit card companies. That they have plenty of money and that's how they just forgive various charges on your card when you complain or are defrauded. This is only half true, and that part is that they have plenty of money. Sure, they forgive charges to your cards all the time. But who pays for it? Does anyone really know? Well, any merchant knows that it is the merchant that pays for fraudulent and otherwise disputed charges. That, plus a $30-35 charge just like a returned check fee.
Sure the credit card companies have a clause if you only ship the goods to the billing address, have AVS verification, make sure the CSC matches, AND have a signature required for the delivery, they claim that they will eat the cost and not pass it on to the merchant. Aside from the fact that shipping only to the billing address will cause one to lose business, in actual experience, I have observed multiple instances of credit card companies claiming the signature was forged for one reason or another. The merchant has no recourse. There is no appeal process. The only recourse is to discontinue accepting transactions from a card vendor, or to accept fraud expenses as part of the cost of doing business, and adjust consumer prices accordingly.
And to think the article attempts to paint some shade of altruism on these crooks by saying they make a "donation" to charitable causes to verify the card is useable. These crooks are costing these organizations money for the returned charge fees.
cat
You operate under a huge misconception. The credit card companies risk very little. The online merchant who accepts a fraudulent transaction is the one who takes the risk. It is part of your merchant agreement that they can charge back any contested or fraudulent charge. You should worry about security - those fraudulent purchases add to the merchant's bottom line, raising prices to all of us.
I had a computer store for 8 years, I learned a lot about credit card companies the hard way. People who just don't want to pay for services can just call and complain to the CC company and voila! - No more charge and I'm out a hundred bucks. I even had a group of scammers calling one fall with stolen CC #'s and purchasing laptops to ship out of state (we are near a military base and the stories they used made sense at the time). I got hit with over $20,000 worth of fraudulent purchases over a couple of months before we got the first inquiry from the CC companies about them and figured out what was going on.
At that point, I quit taking phone orders. Required ID for every purchase from someone I didn't know. Imprinted every card, every time, even though we were doing electronic approvals.
The credit card companies get you coming & going. As a merchant, I had to pay 4% off the top when I did paper filing only. When I went electronic, the rate went to 2.1%. Add that to the interest & fees the consumer pays on any balances they carry. Add the merchant taking the risk for fraudulent purchases.
Where exactly do the CC companies take losses?