Why Are CC Numbers Still So Easy To Find?
Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennett's article.
Some "script kiddie" tricks still work after all: Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of the credit card numbers in my random test turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app. If the numbers were displayed along with people's names and phone numbers, sometimes I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised.
Now, before this gets a lot of people mad, let me say that at first I was planning on holding off writing about this for months if necessary, to give the credit card companies time to do something about it. In other words, I actually had the presumptuousness to think that I had been the first one to discover it, but only because the credit card numbers that I found were still active. (If the trick had been widely known, I reasoned, surely the credit card companies would have found any credit card numbers listed in Google before I did, and gotten them cancelled.) Then I found that the trick had been publicized about three years earlier in a C-Net article by Robert Lemos and was probably widely known even before that. (The article stops just short of describing the actual technique, but one reader posted the full details in a follow-up comment.) Another article from that year in CRM Daily describes an even more efficient trick: Googling for number ranges like 4060000000000000..4060999999999999 to find Visa card numbers beginning with "4060". Google has now blocked that trick, so that trying it as a Google search leads to an error page. But the basic technique of Googling for working credit card numbers apparently still works. In other words, credit card companies have apparently known about this technique for at least three years, probably longer, and presumably have hoped it would continue being swept under the rug.
At this point, I think the right thing to do is to shine a light on the problem and insist that they fix it as soon as possible. It may result in a short-term spike in people using this technique, but if it results in the problem being fixed, then the total number of fraud incidents will probably be less in the long run.
It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format "3xxx xxxxxx xxxxx", and Googling for the first 10 digits as "3xxx xxxxxx" didn't yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up "treasure troves" of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren't listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL, and a slight variation on the same URL (such as varying an order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found. Simple, but time-consuming with so many different 8-digit prefixes; still, every minute of effort expended on tracking down and canceling leaked credit card numbers would save time and grief later by preventing the numbers from being used by criminals. If it would save them time in the long run and help prevent fraud, then why don't they do this?
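The parse-and-diff step of the daily script proposed above, as an added example that is not part of the original article. It operates only on page text that has already been fetched (the search itself is out of scope), keeps only 16-digit candidates that pass the Luhn check so order IDs and phone numbers are dropped, masks the numbers before reporting, and diffs the exposing URLs against the previous run. The sample pages, URLs and card numbers are constructed; the card numbers are the public Visa, Mastercard and Discover test numbers, not real accounts.

```python
import re

# Candidate PAN: 16 digits as four groups of four, separated by a space,
# a hyphen, or nothing. The look-arounds stop us matching inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for a well-formed card number, false for
    order IDs, phone numbers and other digit strings that merely look alike."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the issuer prefix and the last four; never write full PANs to logs."""
    return pan[:6] + "*" * 6 + pan[-4:]


def extract_pans(text: str) -> list[str]:
    """All distinct Luhn-valid 16-digit candidates in a page, in order seen."""
    seen: list[str] = []
    for m in PAN_RE.finditer(text):
        pan = "".join(m.groups())
        if luhn_ok(pan) and pan not in seen:
            seen.append(pan)
    return seen


def scan_results(pages: dict[str, str]) -> dict[str, list[str]]:
    """pages maps URL -> fetched text. Returns URL -> masked PANs, only for
    URLs that actually exposed at least one valid card number."""
    hits: dict[str, list[str]] = {}
    for url, text in pages.items():
        pans = extract_pans(text)
        if pans:
            hits[url] = [mask(p) for p in pans]
    return hits


def new_exposures(today_hits: dict[str, list[str]], previous_urls) -> list[str]:
    """URLs exposing cards today that were not flagged in the previous run;
    these are the ones a human reviewer needs to look at."""
    return sorted(set(today_hits) - set(previous_urls))


# Constructed sample "search results": text as it might be fetched for one
# prefix query. Hypothetical hosts; public test card numbers only.
SAMPLE_PAGES = {
    "http://shop.example/orders/view.cgi?id=18832": (
        "Order ID 2007 0412 0001 8832\n"
        "Customer: J. Doe  Phone: 555 0100\n"
        "Card: 4111 1111 1111 1111  Exp 03/09\n"
    ),
    "http://shop.example/debug/export.txt": (
        "5555-5555-5555-4444,J. Roe\n"
        "6011111111111117,R. Poe\n"
        "4111 1111 1111 1111,J. Doe\n"
        "1234 5678 9012 3456,not a card\n"
    ),
    "http://news.example/article/2007/04": "Nothing to see here: 1234 5678.",
}
# URLs already reported by yesterday's run (constructed).
PREVIOUS_URLS = {"http://shop.example/orders/view.cgi?id=18832"}


if __name__ == "__main__":
    hits = scan_results(SAMPLE_PAGES)
    for url in new_exposures(hits, PREVIOUS_URLS):
        print(f"NEW {url}: {', '.join(hits[url])}")
```

Only the export file is reported as new; the order page was already on yesterday's list, and the 16-digit order ID and the news page produce no hits because they fail the Luhn check.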
It's considered good etiquette among security researchers, when finding a new security hole, to give the affected companies a chance to fix the issue before publicizing it. When I first contacted the credit card companies and described exactly how the exploit worked and how to block it, after getting a polite "We can't comment" from each one, I figured I'd give them a few months to get a system in place that could find leaked cards on a daily basis and de-activate them before they could be used. But then I found the C-Net article from 2004, and figured that if the card companies hadn't taken action in three years, it was fair game to publicize the trick in order to increase the pressure on them to plug the gap. Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it.
I did try the "Good Samaritan" approach, calling the credit card companies when I found one of their customers' card numbers on the Web. For each of the four major card companies, I called their security departments and reported two of the cards that I had found compromised, and then a week later, called the cardholders themselves to see if the card companies had notified them. Surprisingly, of the four companies, American Express was the only one whose customers in this experiment, when I called them a week later, said that AmEx had contacted them and told them to change their numbers. But even if all four credit card companies were more proactive about acting on reports of leaked numbers, the problems with scaling this approach are that (a) I usually had to wait on hold for a few minutes with each company and then spell out each card number that I'd found, which doesn't scale for a large number of stolen card numbers, and (b) if lots of people started doing this, then the credit card companies would be inundated with duplicate reports about the "low-hanging fruit", card numbers with common prefixes that appear near the top of some Google search result. Both problems could be avoided if the card companies simply ran their own script that queried Google and brought up a list of any indexed card numbers, whereupon an employee could copy and paste the numbers into an interface that would flag the cards instantly.
Google does have a feature where you can request the removal of pages that contain credit card numbers and other personal data such as Social Security Numbers. Any pages that I found containing credit card data, I submitted for removal, and Google did handle each removal request within two days. But this doesn't guard against the possibility that someone might have found the credit card information before it was removed, and of course it doesn't mean that other search engines like Alta Vista (remember Alta Vista?) might not have indexed the same pages. Running a sample of 8-digit prefix searches on Alta Vista, I found about as many credit cards as I found through Google, including some pages that were not in the Google index (maybe Google never indexed them, or maybe they had removed them already). So removing a page from any engine's search results is more like covering up a symptom of a problem than fixing the problem itself, which is the fact that the card number was leaked to the Web in the first place.
If nothing else, this is another reminder of how terrible the security model is for credit card numbers as a token of payment -- one universal piece of information shared with every merchant, that can be used for unlimited unauthorized charges if it gets compromised, until someone notices. About the only desirable property of credit card numbers from a security point of view is that they can be changed, and most of your existing recurring billing relationships will carry over, but even that is a hassle. Several credit card companies do provide the ability to generate single-use credit card numbers, each one authorized only for a limited purchase amount. The problem with that is that, as any security analyst will tell you, if it takes even one extra step, most people won't bother -- as long as all-purpose credit card numbers are the default, that's what most people will use. Perhaps incidents like this will push people towards more 21st-century-aware styles of payment (like PayPal, but without all the horror stories), where you can pay a bill through a system that debits your card or your bank account, without sharing all your information with the merchant.
But in the short term, as long as credit card numbers are still with us, the card companies should make more proactive efforts to find and deactivate the ones that have been leaked on the Internet. If the card numbers are found to be leaked by a clumsy Web interface on one company's site, then that company should be chastised by the card companies that issued them a merchant account. If the numbers are found together in a list posted on some third-party forum, then the companies can cross-reference the charge history against each card in the list, to narrow down which merchant may have been responsible for the leak. I'm sure the card companies do something like this already when they find a list of leaked cards; what they don't seem to be doing is acting aggressively enough to find the leaked numbers in the first place.
Maybe the real moral is not the insecurity of credit card numbers, but the value of transparency and online community relations. If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago. In fact many tech companies, if you report a security problem to them, will thank you and fix it immediately, and some of them will even offer you cash if you find any more, like Netscape used to do with their $1,000 Bugs Bounty program. We get so used to big companies having obvious holes in their security practices and answering every question about security with a flat "No comment", that we forget it doesn't have to be that way -- transparency is not just trendy, it works. After years of having bug hunters poke at the Netscape browser, the security may not have been perfect, but it didn't have any security holes so simple and obvious as to be analogous to finding credit card numbers on Google.
Clearly Micro$oft is to blame. Their broken OS is the cause of most all CC number leaks.
What does it matter?
How can a normal fraudster use a credit card number to his personal gain?
Does he get goods delivered to his house?
Anything purchased with it has an audit trail.
It's not like you can turn up in a shop and swipe the printout or screenshot, and making up blank cards isn't yet in the hands of the common criminal.
I will go out on a limb and say most credit card fraud occurs in the real owner's home town right about the time of alcohol consumption.
Regret buying that 'funky' leopard skin jacket? "OMG I haz been haxx0red!!"
liqbase
+1 for no mailto: links in TFS...
But how do you know that they haven't already done this?
At the top of TFA:
"I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised."
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Here, I'm going to post some:
... good luck finding the rest of the information you need to use them.
4245 8611 9994 1245
8847 1210 5566 0625
Now
Apology to Ubuntu forum.
Your presumption that credit card numbers share the first eight digits is flawed. The first six digits of the card reference the referring bank. The next eight digits are the account number. The final two digits are the identifier of the card. If you and your wife both have cards for the same account, yours may end in an 03 while hers ends in a 19.
This whole thing should come as no shock. The Internet was not built with security in mind. I don't think anyone imagined the degree to which it would become a method of commerce. Certainly when the first websites were given the ability to accept and process credit cards, the card companies had been dealing with fraud for years, in terms of lost/stolen/duplicated cards. I remember working in a convenience store in the 80's and getting small booklets in the mail from the credit card companies with lists of fraudulent numbers. Like I was going to look them up!
Credit cards could be made much more secure. It would be expensive, no doubt, as it would require fundamental changes to the system, but compare that to the price of all the fraud currently committed and I'm pretty sure the ROI is pretty good.
GetOuttaMySpace - The Anti-Social Network
It's easier for the credit card companies to just write it off as some fraud and not actually go out and do anything. Realistically most of their early warning systems probably limit their losses to under $1,000 to each card (i.e. the amount of money that someone can charge and get away with before the company discovers the card has been compromised). So figure if even ten people a day get their cards stolen by this method, that's 300 a month, or $300,000 in costs. They probably feel keeping the staff and the equipment to do this costs more than what they'll lose. That and they can always write off their fraud charges on their taxes as bad debts.
According to a 2002 report Visa's commissions alone were over $455 million. If that entire $300,000/month fee was all on Visa, the 3.6 million a year is a drop in the bucket to them, less than 1% of their commission. Trust me, if it cost them less to setup the system than the money that's lost, it would be done.
Has anyone else tried this and not found a goddamn thing? After reading the summary I thought I was never going to have to work again!
Sigs are for suckers.
Well if AmEx format is "xxxx xxxxxx xxxxx" and googling for the first 2 groups (10 digits) limits your "luck", you can try searching for the smaller 2 groups (first and last) and that should increase the chance a little. Just search for "xxxx * xxxxx" and it should increase your chances of success.
:P
In case you have any doubt just post here your CC number and we will all help you on how to do that on Google. heheh
I dunno, maybe you could call the people up? And ask them if the cards are still active? Like the guy did? And wrote about it in the article?
Maybe?
I am a merchant that deals with internet and in person sales of my products. I'm also a computer engineer and have cursory knowledge of security.
The credit card companies have no security. They don't care either. It's not them that will foot the bill. As a consumer it is great that you can only get stuck for $50 of fraudulent charges. But as a merchant you lose your merchandise and the fraudulent payment. You can receive authorization from the credit card company saying the transaction is good, but they can and do still take the money away from you.
I've had about a dozen cases of obviously fraudulent orders. The first few I would call the credit card company, report the suspicious card, etc. They did nothing. On one I found out the real owner of the card, called them, and they hadn't even been contacted by the credit card company. I had all of the details that the police would have needed to get the scammer and the credit card company wouldn't even take that information.
Now I just delete any order that looks unusual.
When I found a fraudulent charge on my check account debit card, before it had even completely posted, I called them immediately. They issued me a new card, sent me a form to fill out, returned the money and that was it. It was only about $15, and it was a pretty wide scam according to some online forums which had other people hit, but it wasn't much of a hassle for me.
After wondering whether Googling for my credit card number to see if any sites had it (didn't think it would be a great idea in the long run) I remembered a few times that I have stumbled across sensitive info. Every time it was normally down to some bug in the web developer's code, or in one case, trying to run an ASP site on a bog standard HTML host, this led to all the code, and of course the database behind the site to be viewed and downloaded, I could understand this from amateurish software houses, or kids trying to make their first website, but from a department of the Australian Government? that was just scary. It's very unlikely that the credit card companies don't know about this, but if you consider the time and effort they would have to go through to fix this, the author mentioned removing pages from Google's index, changing the card numbers of the people affected (I can't imagine that really annoying me, my card being changed because of a useless web developer). Unfortunately I can see no easy solution to this, people will always write bad web apps. Luckily in this day and age it is quite difficult to use quite a lot of cards if you don't own them, my bank won't authorize payments on my card on a lot of sites without my banking password, this is never submitted to a shopping site, so I can be fairly sure that it's safe. Chris
This has very little to do with the credit card companies and a lot to do with the merchants that process credit cards. The current standard is PCI-DSS (Payment Card Industry - Data Security Standards) discussed here http://it.slashdot.org/article.pl?sid=07/03/31/0645227&from=rss. My job is working to upgrade software that is not compliant with these standards, so I know the credit card companies are doing something. The problem rests with merchants that are largely clueless about the necessary security precautions that need to be taken when working with computers. They want to be in business, process credit cards, have a website, a network, and they want to pay their nephew $5/hr to set everything up. The bottom line is, that having data compromised from your business, when you haven't met these standards, will leave you liable for the loss, possibly incurring fees of up to $500,000 and potentially losing your privilege of processing credit cards permanently. Bottom line is the vast majority of business owners are not adequately computer literate and they are too cheap to pay an expert to deal with their network properly.
Under the influence of Post-Cyberpunk Gonzo Journalism
Actually, you must not have ever had this happen. There's no "fraud police report" or whatever the heck you're talking about there. Here's what happens:
1. Call CC company, tell them there are unauthorized charges.
2. Person on the line marks said charges and gets you a new CC # in the pipeline.
3. Bank mails you an affidavit that you must highlight fraudulent charges on, and sign stating that you're not lying about it.
4. CC company issues you credit with the note that *credit is not final until investigation is complete.
5. 1-2 months later you get a note saying "Credit is final".
That's it, there's very little burden of proof on the consumer.
A few weeks ago, I found a charge on my credit card for Sprint/Nextel in the amount of $65.46... The problem? My wireless carrier is Verizon (yeah, it's a "problem" but that's for another topic.)
I immediately called my credit card issuer to contest the charge, and in less than 15 minutes (with hold-time included), I'd spoken with a customer service rep as well as a fraud protection executive, had my card cancelled, funds reimbursed, and a new card issued.
Apparently, someone got a hold of my credit card number, and used my card to pay someone's cell phone bill. It just surprised me as how dumb this was (but didn't screw me over very much). It's one thing to use a stolen credit card and max it out purchasing various items to be shipped wherever, but who in their right mind would use it to pay off someone's cell phone? The charge was reversed, and I'm really curious as to what Sprint/Nextel did to the customer who tried to pay their cell bill with a stolen card.
I wouldn't be surprised if nothing serious happened, but it's just the thought. You can get away with buying physical stuff with a stolen card a lot easier than you can get away with paying a cell phone bill with it.
This is my signature. There are many like it but this one is mine.
I'll save you 11,000 characters:
1) Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form.
2) You'll find lots of credit card numbers
3) Profit
4) Credit card companies should have employees who Google for credit card numbers and de-activate any card whose number is found on the 'net. Thank you.
Why are credit card numbers so easy to find? Or put another way, why is credit card fraud so easy?
Because it does not cost the credit card companies.
When fraud is reported, the credit card company charges back to the merchants. As such, the credit card company is out relatively little money (it is the merchants who get screwed).
Adding meaningful security to credit cards would cost the credit card companies money. It would also make people less likely to use their cards, costing the credit card companies more money.
Also, the credit card companies can use fraud to justify higher interest rates, annual fees, and as a marketing gimmick to sell their card over others.
So, to recap: fraud costs the card companies little, preventing fraud would cost them much.
Has this helped identify why credit card fraud is so easy?
Datum: A friend of mine was involved with a large e-commerce site. He detected an on-going fraud ring trying to buy large amounts of goods from the site with stolen cards. He reported it to the card companies - "Here are the cards. Here's where they are trying to send the goods. Do you want to nail these guys?"
The response: "Thanks, but no, it's not worth our time. Just don't send them anything."
Companies that issue credits and/or debits see a lot of these cases, so the process is pretty well oiled.
Credit card companies aren't doing anything because credit card companies don't care about fraud. They don't care, because it doesn't cost them any money.
When someone uses someone else's credit card fraudulently, it's not like the credit card company eats the loss. They just do a chargeback against the merchant who accepted the fraudulent transaction and they have to eat the cost. In fact, the CC company charges the merchant a hefty fee for the privilege of eating the cost.
Of course, that cost just gets passed on to you, the customer, in the form of higher prices.
Ain't credit cards grand?
... to the authorities responsible for combating credit card fraud and identity theft. This includes the Secret Service, the Federal Reserve, the relevant committees of both House and Senate, the Federal Trade Commission, the Justice Department, the Attorneys General of the states and DC, and possibly others.
Why do I reuse the same guessable number, in plaintext, that I carry on a plastic card, and share with any number of fly-by-night vendors? Many of whom aren't even in the US, faceless on the Internet? And also with failed actors barely pretending to be waiters while I'm too drunk to remember anything?
Why doesn't my card give onetime passwords to them, attached to the transaction amount, and also reported directly to my bank for a single, auditable transaction in that amount?
And why do I use an easily guessable short numeric-only PIN at every ATM over and over? Including the ones at convenience stores run by recent immigrants who will soon flee back to faraway countries, often with little cybercops of their own, and not infrequently wracked by civil wars and even allied against the US in sponsoring terrorism, with all its attendant need for funds and lack of rule by law?
I know the insurance companies insure credit card transactions over $50. But those smaller ones add up, and the insurance costs a lot of money. To say nothing of the costs of ID theft/fraud.
Most people who have credit cards have mobile phones. Those phones should be wallets, securing these transactions with onetime passwords reported to the bank/credit corp to secure the exact transaction amount. And sync to my personal DB of transactions that I can replay. With cryptosigned receipts (and encrypted over-the-air comms).
It would save everyone a lot of money, except the thieves. And make new money for the telcos. While making my life safer and easier. Why is this taking so long?
No seriously, it has been established a long time ago that the security of CC #'s rests with the merchant. Ever issue a chargeback on your credit card? Guess who gets screwed: no, it's not the CC company. Merchants can get hurt a lot more by leaks of credit card information. Personally I think it makes sense; what better way to get merchants to act responsibly than to have it cost them when they aren't? What you should do is notify the CC company of the merchant where you found numbers. That merchant will be drawn and quartered and posted around Visa headquarters. I can understand thinking it's the responsibility of the CC company to watch over the merchants that it "allows" to use their cards, but currently that's not how things work.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
Sorry to burst the bubble, but you're tilting at windmills with this approach.
The prime security weakness lies with the web service providers, who are failing to adequately secure their backend systems, not the credit card companies. It is the same problem as eating at a restaurant where they are skimming cards in the back room: you just can't be sure that your card has remained safe after every transaction. The logistics of ensuring a brand new card number for each and every transaction for each and every card holder (and ensuring card systems understand it) are immense, costly, and practically impossible (even if they are theoretically achievable).
Because your financial providers and credit card companies have ensured that they do not shoulder liability in the event of a credit card breach, and that account holders are generally protected against all but a nominal amount, it is the merchants who lose out every time there is a breach or a fraudulent transaction. There is no financial incentive for VISA, AMEX, MasterCard, etc to do anything about fixing the underlying problem. The resources that they will need to apply to fixing the issue will not generate any appreciable ROI, so there is not much that can be done to force them to do anything. VISA will point to their PCI initiative, which is designed to ensure that VISA approved merchants have sufficient security mechanisms in place to limit the risk of fraudulent transactions / card data theft.
Search engines aren't the only way to find compromised lists of credit card numbers. Some hacking groups are also notorious for failing to ensure their systems are adequately protected against leaking information to anyone who comes looking.
Even if merchants are applying 'industry best practices', it doesn't take much to lead to a loss of data, and once it has happened nothing can unleak it. The same risks apply to your bank account numbers and online banking authentication data, which the average user is more likely to have compromised.
Because it's going to rain hellfire back on me, I'll clarify #8: it depends on the situation, and the service agreement with the merchant. Yes, in some cases the merchant can foot the bill for bad transactions, but if they've got a lawyer and some time, they never will. Nor, IMHO, should they. The burden of security should be on the issuer, not the receiver of the payment. Obviously, if a merchant is knowingly accepting fraudulent payments, that's a whole other matter...
there is no security involved in having a CC. they can mess with your paybills then they shut down your CC, and if they don't they publish it on the internet, because there are GIS on the CC leadership
Fraudulent activity is very inconvenient for the customer, who has to get a new card and update the 47 places they have set up automatic billing to their card with. Costly if they don't notice it soon enough as well.
Fraudulent activity is costly for the business taking the transaction: the CC company does a chargeback and they are not only out the money but also out a fee.
Fraudulent activity is irrelevant to the CC company. It does generate some revenue via chargeback fees, I guess, so there is some incentive to not do anything about it. I can't think of any incentive for the CC company to care; it doesn't cost them anything.
Really?
The reason credit card companies don't make any effort to stop this sort of thing is because at a financial level it is just not their problem. If you want to commit fraud using someone's credit card details but not their actual card, it means that you have to do what's called a cardholder-not-present transaction, i.e. mail order, over the phone or internet. Credit card companies offer businesses who accept credit cards no protection whatever from fraudulent cardholder-not-present transactions. If someone buys something from you using a credit card over the internet or the phone and it turns out to be fraud, the credit card companies issue what's called a chargeback and take the money back. There is very little you can do to fight a chargeback; if the cardholder reports a transaction as fraud then the credit card companies just issue a chargeback and take the money back. Until some government outlaws this practice and makes credit card companies liable for fraud committed using their cards, they will never take any serious steps to prevent cardholder-not-present fraud because they simply have no financial incentive to do so. Meanwhile the bill is footed by businesses who do business over the internet and phone and is then subsequently passed on to consumers as higher prices.
I've said it before; I've worked in the banking industry, and it is widely known that requiring a PIN number for every transaction would reduce credit card fraud to almost zero. The infrastructure to require a PIN number is already in place, but credit card companies don't want to deal with the hassle, since they do not feel the pinch of the fraudulent charges.
Why do banks require PIN numbers on ATM and Debit transactions? I'll tell you why - they are directly liable for any funds that leave the bank fraudulently. This is not the case for credit card companies since they can charge-back the vendor and recover their funds.
-ted
Second, automatic deactivation of card numbers is not necessarily a good thing. What if someone creates a list of thousands of potential credit card numbers on a website -- does Mastercard then terminate all cards on the list? This would be pretty easy to abuse for kicks.
And how does Mastercard (and Visa, etc.) deal with the additional problems of people trying to use their cards that have been automatically canceled, before they get the replacement and notification of the cancelation? What about the costs of replacing those cards, the cost of the CSRs necessary to deal with people calling in to complain?
In the long run, it may be more cost-effective all around (for the consumer, for the merchants, for the credit card companies) to just deal with fraud cases as they arise from this method.
100% security would be nice -- but not when it costs more for everyone than the alternative.
Knowing the quality of most software, especially on the cheap side of web development, I have always favored a token exchange system where the actual CC processing resides on the issuing company's internet presence -- like the way paypal works, although it can be implemented in a better manner. Most people do not do the research, testing, or debugging and auditing necessary to implement a secure credit-card processing web app. The cost is too high.
The average small business wants to spend a couple thousand on their web site every seven years, and when you pay that kind of money, you get hacked up custom code by inexperienced programmers, and old versions of osCommerce hacked poorly to fit into discount web presence providers.
I am grateful for the disposable AmEx cards that I can use online and then pitch out (or rather, recycle) because they limit my liability and time, which is a greater commodity most days than money.
I've had it easier than that once. Called the bank when I saw something on my card statement that was questionable. The CSR pulled up that record and stated that with that specific transaction, the card was not actually swiped; it was manually entered. I confirmed it was not my purchase. I was immediately credited the money and about a month later I got a letter stating that the results of the investigation were final and the case was closed.
Now I've also had it harder. A bill collector that I made a one-time payment to via my credit card (stupid me, stupid me, stupid me) decided to use that same card number to charge an additional amount for two more months as a "collection fee". When I disputed it, the same process was started, but this time the perp actually stated that I authorized the additional charge and we had a contract. It took a while and an affidavit, but I eventually got the case finalized. It was basically his word against mine. Obviously this guy does this for a living and knows how to game the system. I'm sure he probably has a decent rate of return fighting those with the CC companies and has done it enough to know what to say to them during a dispute. I know for a fact I authorized a one-time payment of $120 that I owed, not an additional two payments of $50 for a collection fee. This was for the balance of a dentist bill that my insurance company did not pay and I thought had been resolved. I moved from the area and the dentist could not track me down. I wanted to pay the dentist directly, but since the debt was sold to this crook, it was too late.
Seriously. Why does every rant of Bennett Haselton's get posted here? "Crusade Against Spam", "How To Steal Websites", "How To Steal Credit Cards", and probably many more I'm forgetting to mention. Stop it already!
It seems to me that he equates any of these to:
1) Do something "clever".
2) ????
3) Profit!
Obviously the system isn't going to change for him, so attempting to exploit them as a way for making money is the only alternative motive I can imagine. That and he's a 28-yr old computer programmer who is realizing he will amount to nothing in the big scheme of things. Guess what, buddy: That's life.
As others have said, this is not the case. I had fraudulent charges on my Chase card about a year ago; a few <$50 charges, and a couple >$1000 charges, enough to go over the limit. So I called them up, the lady on the line (who was very nice) looked at the transaction history, and immediately noticed that there were charges to places far outside of my normal buying area, some even in India. She marked and canceled the charges, ran through the rest of the charges that were on my current statement, canceled the card, and issued me a new one. I got the new card in three days, a statement that I had to sign and return a few days later, and heard nothing more of it. As far as I can tell, my credit has not taken any sort of hit (I was later able to get another card with another bank at a similar limit and APR).
The way I understand it, the CC companies take no liability for fraudulent charges. They make the merchant that processed them pay for it. I see this as a good thing. If the merchant bears all financial liability for fraudulent charges, it gives them a reason to make sure that the person buying the product/service is who they say they are.
As a side note... can we get a -1 Idiot or -1 Wrong moderation? It would have been really useful here.
Fraud is a money-maker for CC companies. They refuse to pay, then charge the store for accepting a fraudulent charge. I don't know if they also charge the user. But it's the retail outlets, the same class (and possibly the same ones) that leaked the numbers in the first place, that end up getting hit.
I didn't find jack by searching for common numbers on Google. But, by searching Altavista for the first 8 digits of my expired Sears Mastercard, I found links to PDFs of filed bankruptcy claims with loads of personal information.
Trying a few of the other CC numbers listed in such a PDF found me an absolute treasure trove of numbers, complete with all the info I'd need to make purchases with those cards, including the little "security codes" (which I thought were not even supposed to be recorded).
Oops.
End of lesson. You may press the button.
Ok, Ok, that makes it one step more difficult for the police/FBI to track you down. But not much. Ok, so now the credit card orders point to the people who bought the stuff on Ebay. So, the person who received the goods then explains to the police that they bought it in an Ebay auction. The police go to Ebay and ask Ebay who the funds for those auctions were sent to, and *then* they go to the guy's house and arrest him. This adds one additional layer of obfuscation, but it doesn't seem like a very good scheme to me. You will still probably be caught.
If it ended up in an article where you could read it, that probably indicates they *did* catch the guy. (Or at least have a good idea who it is - he might be on the run somewhere, so not yet in custody).
For those of you (like the submitter) that aren't aware:
1. The banks do not "pay" for fraud. Merchants who have the fraudulent transactions pay for fraud. Therefore, the cost of fraud is assumed by all consumers in the form of higher prices. In fact, the banks profit from fraudulent transactions by charging the merchant penalties.
2. There is a well implemented and secure banking standard that is in many places in the world. Except no bank in the U.S. wants to implement it because of the costs the bank has to assume in order to implement it. It's called EMV.
It's been this way for at least twenty years. If you have read this far, the situation has gotten more perilous because the Supreme Court just eliminated state oversight of corporations running banks in multiple states. Who's minding the store, eh?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Back around 7 years ago someone started Googling for .htm to find any internet-exposed terminal server websites and to see which ones weren't protected. Easy way to root a box.
This is basically the same thing.
And thanks to kdawson, who gives the full-disclosure treatment to the widely known and surprisingly simple technique for using a web spider to harvest un-obfuscated email addresses :)
Yeah, this is how it works all right... in the US!
I'd hazard a bet that the majority of the leaks, especially the ones the article talks about, are fifty-cent web applications running on a LAMP stack on an ultracheap web host somewhere.
The problem with that line of reasoning is that LAMP, though free and cheap, is obviously better than IIS. The same thing can be applied to retail software. In the free software world, you are never alone. Instead of slapping together a second-rate web app yourself, you can install a good one that does not have this five-year-old problem. Nasty problems that never get corrected are mostly a non-free software problem.
Why are you bothering to call the CCard companies? Credit card fraud is *illegal*. Call the police instead. "Hi Officer Friendly, A criminal just tried to defraud me. Here's his address, here's the details. Sic 'em!"
The problem is the company that deals with fraudulent use for Visa, Mastercard, etc. (but not AmEx), is the issuing bank. Capital One or Bank of America is who you would report fraud to, not Visa or Mastercard. They are also the ones who would phone you about suspicious charges.
Although, while we are complaining, I called Ford and explained that their locally-owned dealerships commonly let me take a test drive without even leaving my license. I waited several months before taking this public, to give Ford the opportunity to fix the problem. It should be a simple matter for Ford to have an employee call every dealership once a month and remind them not to do this. I found out later that they don't even plan on checking the security of the dealerships, so I'm not going to publish this outrage. I was still able to do this at several dealerships when I checked yesterday! I bumped into the manager on my way out, distracted by thinking about the firm letter I would send to Ford.
The author is right, the merchants with poor security for their customers are to blame, but it's unfair to say that the credit card companies are the only ones in an easy position to fix the problem. I would think the likes of Google, Yahoo, and the other search engines could easily modify their crawlers to locate this kind of security issue. HECK, if Google refused to list *any* content from sites where their crawler picks up a customer's "private" information, these merchants would get in line real quick.
I think that going after the credit card companies alone will not solve this problem, and is short-sighted. I think Google should also bear some responsibility (socially and morally, not legally of course) to help clean this mess up.
My family never uses them.
They are prone to theft (like described in the article) and cost more than plain cash purchases. Most people who insist on using such a card have money to waste and need a convenient way to waste it.
Yes, but a lot of the numbers look as though they are the result of key loggers, not slipups by the merchants.
This is no shocker. Anyone can produce a 16-digit number and eventually hit an active card, and there are test sites provided by major card issuers to validate CAVVs. But to solve this problem Visa and MasterCard rolled out the 3-D Secure programs (Verified by Visa and MasterCard SecureCode) to provide merchants with guaranteed payments, which also eliminates the "I didn't make that purchase" types of charges from card holders. Once a merchant is using 3-D Secure they only have to attempt to authenticate transactions during the checkout process, and the liability is shifted from the merchant account to the card issuer.
I have a friend that works for a major bank. He recently told me he hated people like me (I pay my balance in full whenever I have one to avoid interest charges), and when I asked him who he loved, what was his response? Small-time eBay scammers. They actually make money off of fraud. How else are they going to sell their "Protection Plans"? If the system was secure, as it could and should be, there would be no reason for anyone to "Sign up for the Credit Protection Plan for the low fee of..."
I've just got done on my credit card. The transaction in question was named as wwwcard. When you look this up, it's a virtual credit card. What happens is you use your real credit card to charge up a virtual one. You can then generate single-use credit card numbers on your wwwcard. I guess the main use is to buy porn without your wife knowing, since the actual purchase is not shown on your real credit card bill, just the wwwcard.
What I guess happened to me is that someone used my details to charge up their wwwcard and then made a payment with it. The problem here is that nothing is being delivered to my house, so to all the posters that say, "What's the problem? You can't collect the goods because they are delivered to the cardholder's billing address", it ain't so.
Such a service as wwwcard almost seems designed to facilitate credit card fraud.
Ah, the delivery part is simple to get around. Always set it up for pick-up.
If you want food, call in a pickup order at the restaurant and pay by credit card over the phone. Wear a hat and keep your head down so the security cameras don't catch your face. Pick up the food; if they want to see your card, "oops, left my wallet at home"; 80% of the time they only want a signature, and will leave it at that. This works for most pizza places, and now you can do this with McD's and BK (make it larger purchases, call in an order for 10 value meals, etc., they will not question it).
If you want goods, call in to the larger box stores and just say you are working with a contractor/subcontracting, etc. Call in the order of what you want (shop online to make sure you have the correct items and their numbers). Have them put the purchase aside for pickup later that day or week. Provide the credit card over the phone. Get your car/truck muddy before pickup, real muddy. The cameras that catch license plates aren't very good (especially if a plate is muddy) and as long as you have a common car, it's not going to be easy to pick out. Wear a hat and keep your head low again. Just check their invoice, sign your name, and voila, goods. If they ask for the physical card, make an excuse and leave. About 60% of the time, they just want a signature from contractors. Depends on what/how much you purchased.
If/when they ask for an address over the phone, give the one the card goes to. You're picking the goods up; the line ends there.
I would recommend buying lots of copper wiring, then strip it down and sell it to a scrap yard, then you have legitimate money that's untraceable. Just don't sell the same amount of copper you just bought. Make two or three trips.
Credit cards and ATM cards have one enormous difference: companies keep credit cards for repeat payments. If companies could keep ATM cards to make repeat payments, you'd see this problem spread to ATMs at the same level it has spread to credit cards. That's the real difference here: these small web firms can't lose control of your ATM data because they never had it in the first place.
A pin wouldn't help for the same reason that the security code doesn't help - these records are being exposed by accident, so any data that needs to be kept will be exposed at the same time. Required to write down a security passphrase? Someone's maiden name? Address, backwards, in Greek? No problem: it's all automated for the store, and since that automation is what's being broken, it's just one more field to read.
The fundamental problem is that no amount of security will halt the loss of data from a poorly written customer processing system. Any system that can automate payments has enough information to be used as a seed site for fraud.
The problem is nowhere near as simple as you suggest. Banks do, in fact, spend a tremendous amount of money on this problem, even if it's not through directly funding the merchants' errors. This money comes out of them in customer education, system deployment, insurance, and a variety of other places. Furthermore, customer confidence determines how often these cards are used, and banks make money when these cards are used; the less confidence the consumer has in the system, the smaller that revenue stream gets.
Banks understand that these thefts diminish that revenue stream. They are taking significant action. It's not easy to upgrade a network with tens of millions of ubiquitous, frequently completely unmanned terminals across the globe.
Am I saying the system is good enough? Hell, no. But, I do think you're dramatically undervaluing the difficulty of fixing it, as well as the amount of work being put towards improvement.
I found this article very interesting, so I used the methods listed to find a treasure trove of credit card numbers in the form of an Excel order sheet complete with names, phone numbers and addresses. I emailed the website, a local private school, to tell them of the problem. Within minutes I received this reply:
I just received your e-mail and very much appreciate you bringing this to my attention. I had no idea that this file had been posted to the internet. This was the one and only time we ever did anything where we had credit cards and it was for a third party. That is why I was so insistent that we do not use credit card numbers. I will take appropriate action, immediately.
Gratefully,
Roberta *********
Executive Director
While it's good that this person is responsive, it is also amazing to me that people can be so careless with sensitive information. There were 17 credit card numbers in an Excel file. Two of the numbers were expired, so I would guess that the file had been posted for over a year. I am sure people have been defrauded for this. There should be a license required to build web pages. . .
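A pre-publish check for exactly the kind of leak described above: an added example (not the poster's or the school's code) that scans an exported file for 16-digit sequences in "nnnn nnnn nnnn nnnn" form, keeps only Luhn-valid ones so junk number lists do not trigger it, and reports them masked. The sample order sheet and names in it are constructed for the example; the card number used is the well-known Visa test number.

```python
import re

# 16 digits, each optionally followed by a space or dash, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (rejects most random/typo'd 16-digit strings)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep issuer prefix and last four so a finding is reportable without re-exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid card-shaped number in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((lineno, mask(digits)))
    return findings


# Constructed sample of an exported order sheet; line 3 is Luhn-invalid and line 4 is
# a date/batch reference that happens to contain 16 digits, so neither should be reported.
SAMPLE_ORDER_SHEET = """\
name,phone,card,amount
Jane Doe,555-0100,4111 1111 1111 1111,45.00
John Roe,555-0199,1234-5678-9012-3456,12.50
Order ref 2007-03-14 batch 0001 2345 6789 0123
"""

if __name__ == "__main__":
    for lineno, masked in find_card_numbers(SAMPLE_ORDER_SHEET):
        print(f"line {lineno}: possible card number {masked}; do not publish this file")
```

Run it over anything destined for the web root (exported spreadsheets, order logs, PDFs converted to text); a single hit is reason to pull the file before a crawler indexes it.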
I have an ecommerce web site that sells intangible goods. Every month I detect around 100 fraudulent transactions. I have the credit card numbers, and other data (exp date, CVV, name, address). I tried to report them to the credit card companies, but no one seems to care.
There should be some place for this, and Visa could pay a few cents per reported card, I don't understand why they don't.
A compromised card which is revoked but not used by an attacker COSTS money! Big money.
It's only if a compromised card is USED by an attacker that there is a problem. But since cards get stolen as well, they have heavy misuse detection to catch this, and if they let a few slip through, they aren't the ones holding the bill anyway, as it usually ends up being charged back to the merchant who accepted the bogus card.
That's not how it worked for me regarding my AmEx card. There was a small-value charge on my AmEx one month that was not mine, and I called in, and asked if I needed a new card number, too. I was assured that I didn't need a new one, I'd be credited, and they'd hit the vendor. Next month, I got the same charge, so I went back and looked, and AmEx had never removed the original charge, either. I called and said look, you lied to me, either remove these charges and issue me a new number now, or close my account and remove the charges. They had the old # turned off immediately and I had a new card in a week. This was a few years ago, before identity theft was so well known as a threat, but it still rankles that AmEx didn't treat this seriously the first time around. I was never asked to mail in anything or sign any affidavit, either, so I'm guessing they just ate the charges (under $20 each time) and went on.
1. Make merchants liable for credit card number theft if it can be shown that the merchant had a hand in it (for example, a merchant who was skimming card numbers on the side would be liable for the theft in both $ terms and loss of merchant account. Same with merchants who don't keep credit card numbers safe and allow them to appear on a public website).
2. Make the BANKS, not the merchants, liable for credit card fraud (in the same way as they are liable if someone steals your ATM card and PIN and uses it to withdraw cash from an ATM).
3. Implement more secure payment systems so that even if a website has a breach or hack attack or something, the information that is revealed isn't enough for a hacker to go and buy random stuff with people's credit cards, and make such secure payment systems mandatory.
4. Do more to actually track down scammers who are using stolen credit cards to buy stuff. The more people who actually get charged with the appropriate offense (especially if you can do a deal with the grunts to get at the Mr Bigs), the less likely it is that people will try to carry out the practice (since they will be more fearful of getting caught and going to "federal pound me in the ass prison" or having to pay a pile of money that they don't have).
And 5. Make it easier to get your credit rating restored if it is tarnished because some scammer stole your card.
Exactly... And I don't think it's still the case, but for quite a long time, MasterCard was actually listed as a *non profit corporation*! As a non-profit, they practically HAD to find large write-offs, to attempt to prove they weren't generating profit. I'm sure fraud losses were a big component of that whole business model for them.
Every day, you hear stories in the news about how people's "lives were ruined" when someone got hold of their credit card information or SS numbers and bought stuff. Is it really that much of a problem? Why go to all the trouble to protect this information?
The reason I'm suspicious about this is because there's now a huge market for "identity theft protection" solutions. Aren't they just stirring up foam to get people panicked about losing money?
Anyone who doesn't pay attention to their credit card statements at the end of each month deserves what they get. If you see something you didn't pay for, just call the bank and it's taken care of almost automatically. I've had to do this 2 times in the last 10 years. As long as you keep your receipts and keep your eyes open for anything suspicious, this shouldn't hit you too badly.
It seems to me like the vast majority of ID theft happens to the inattentive.
As for the credit card companies not moving to stop this, why bother? They are making tons of money anyway. If 1% of a $2 trillion set of transactions is fraud, you're still making a huge cut if you take 3% up front in merchant fees, and who-knows-how-much in interest charges and fees to the customer.
I wouldn't hold my breath waiting for interest rates to drop if fraud suddenly dropped. Once they got the bankruptcy law they asked for, the credit card companies didn't move to lower rates for people. In fact, there's now more fees and higher interest rates if you pay late, simply because they know you can't discharge the debt in bankruptcy anymore. In short, don't worry about credit card companies. They can more than afford to absorb a little fraud.
Credit card companies don't want people changing credit cards, period.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
Reduce, reuse, cycle
Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of credit card numbers in my random test, turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app.
The first 6 digits ID the issuer. They are common because you were looking for cards that came from the same issuing company and branch. The next 9 are the number and the last digit is the checksum.
This is based on a mathematical calculation. The checksum is based on a "Luhn" or "Mod 10" check.
Once you have the formula, you can easily write a program to check the validity of a card or (with a starting card number) generate lots of card numbers that are mathematically valid.
Now, to get a good working number just call someone out of the phone book. Tell them you are with their bank and have seen $1000 charges coming through on their card. You know the charges are fraudulent and would like to remove them but you must validate that the card is still in their possession, then ask them to read you the card number and CVV number from the back of the card.
80% of the people out there do it without a question.
You can try to fix the internet but let's face the truth, YOU CAN'T FIX STUPID!
And I don't think it's still the case, but for quite a long time, MasterCard was actually listed as a *non profit corporation*
Definitely not the case any longer.
I live in France, and work in Luxembourg (yeah, in Europe you can commute crossing borders :), how cool is that) and here it is pretty common for you to have to type your PIN when you pay in a restaurant, or at the supermarket. It feels safer.
BTW, sorry to be so dailywtf-ish, but CAPTCHA : profited. This one DID make sense.
The problem with this, speaking from personal experience, is that if the CC companies cancel all of the fraudulent transactions, then the police won't do anything, because you're not out any money (despite the criminal INTENT of the perpetrator).
You somehow have to find out the details of the perpetrator before you get the charges reversed, then call the police while you still have missing / stolen currency.
All your sig are belong to us.
If I change the Google query to be one number off (i.e. not a valid credit card prefix) I don't get this security warning. Has anyone else ever seen this? I have a very bad feeling that I've got some kind of credit card sniffing trojan on my PC, so I'll probably be spending my evening reformatting my hard drive. Oh joy.
And if you object or point out where they screwed up and refuse to pay, you end up on the Terminated Merchant List and might as well close shoppe. CC Companies are evil bastards run by twisted little men who go home and get beaten by their wives/husbands at night.
Is a card that you purchase money on, like Wal-Mart sells. You go down to your local Wal-Mart and buy the amount you are about to go online and shop for. If the card number gets stolen, then they can only get the petty change that remained from your online purchase. You could even keep the card for future purchases and only fill it a few minutes or hours before you use it again. This way the thieves can't make use of it most of the time. And if three unsuccessful attempts to remove money from it occur, you'd get a notice that you must get a new card when you try to fill it again. Take the pending card into Wal-Mart to transfer what little change you left on it to the new card, but it must be done in person with the physical card.
They just do a chargeback against the merchant who accepted the fraudulent transaction and they have to eat the cost. In fact, the CC company charges the merchant a hefty fee for the privilege of eating the cost.
The merchant is the person closest to the person using the card fraudulently, so the burden to discover the fraud and prevent it should rightly fall on their shoulders. Instead, the merchant chooses to be lazy and doesn't even look to see if the card actually belongs to the person handing it to them. They could ask for ID, other verifying information, compare signatures, etc. But it's easier to just swipe the card and hand it back, isn't it?
If they're online, it's even easier. Require a ship-to address to match the bill-to address of the credit card. You want to ship it somewhere else? We'll call you on the number your credit card company gives us.
Merchants foot the bill for fraud, because they are on the front lines and should be responsible for preventing it. Credit card companies could implement all kinds of security devices, but in the end, it's the merchants who are dropping the ball, and who will find some way to make security devices meaningless through their own apathy.
What?
The merchant has options.
1. Actually check to make sure the person handing you the card is who they claim to be.
2. Require customers to pay cash.
Why should the merchant get a free ride to be negligent in accepting payments? Merchants should treat credit cards like checks, because they're just as responsible for taking a bad credit card as they are for taking a bad check. But instead, so that you can get through the line 5 seconds quicker, they make it easier and easier for you to use a stolen card. So part of the blame is on consumers, and part of the blame is on the merchants.
What?
Step 1: Get the credit card companies to do a constant search for 'compromised' credit card numbers and disable them.
Step 2: Put up websites that randomly generate possibly valid credit card numbers so that the credit card companies can automatically invalidate them and piss off their customers!
Step 3: Profit?
Credit card fraud is probably one of the most analyzed types of fraud for a very simple reason. The party with the ability to make changes to enhance the security are the ones who will take the loss if they do not make these changes. There have been comments here about how credit card companies just charge the fraud back to the merchants, but that is not the case. If the merchant has upheld their end of the bargain, then there is no reasonable way to charge it back to them. What happens is that they have to pay higher fees, or eventually lose their merchant account if they are the source of too much fraud. Visa quotes fraud losses on their annual report, so merchants don't get it all charged back.
Lastly, I have to point you all over to Bruce Schneier's blog http://www.schneier.com/blog/ where he has made that point about security again and again, and uses the credit card companies as a good example. The best way to improve security is to make the guy who can fix the problem the one that is responsible for the possible loss. This gives the right incentive to address the problem. And they already know that the way to secure the credit cards is to focus on the security of the transaction, not the security of the card number.
If the merchant bears all financial liability for fraudulent charges, it gives them a reason to make sure that the person buying the product/service is who they say they are.
OK, so I'm buying something online. On ebay or whatever. How do you verify my ID?
OK, so I've got a fake copy of a Visa. The fake card has whatever signature I cared to put on it. If I can make a fake CC, I can also make fake ID. How do you verify my ID?
Online, we now have "verified by Visa" etc, which is helping the situation. However, the amount of controls CC companies offer to combat theft are minimal at best, since - as mentioned - they're not liable, so there's no reason for them to offer better safety methods to merchants when it just costs them money to do so (and takes away those nice tasty fines they can lay on the merchants for processing a bad CC #)
This little program (originally part of something I was writing to fill in bogus details on phishing sites) allows you to get all the credit card numbers you could possibly want!
#!/usr/bin/perl -w
use strict;
my $ccnum = "";
my ($luhn_sum, $digit, $mung);
# Luhn "doubled digit" table: 2*d, minus 9 when the result exceeds 9
my @munged = (0,2,4,6,8,1,3,5,7,9);
if (rand() > .5) {
    $ccnum = "5"; # mastercard always starts with 5
}
else {
    $ccnum = "4"; # visa always starts with 4
};
# 14 more random digits
foreach (1..14) {
    $digit = int(rand() * 10);
    $ccnum .= $digit;
};
# Now we have 15 digits; only need the check digit
$luhn_sum = 0;
# with 15 digits the first digit sits in a "doubled" position
$mung = (length $ccnum) % 2;
foreach (split //, $ccnum) {
    $digit = $mung ? $munged[$_] : $_;
    $luhn_sum += $digit;
    $mung = 1 - $mung;
};
# check digit makes the total a multiple of 10
$digit = (10 - $luhn_sum % 10) % 10;
$ccnum .= $digit;
print "$ccnum\n";
exit 0;
Of course, the "bare" credit card numbers by themselves will be bollocks without CVV numbers (3 random digits), expiry dates (a random month and year up to 18 months in the future) and cardholders' names and addresses (google "curriculum vitae.doc" for plenty of names and addresses).
I smoke. You smoke. We were! (French pun, originally "Je fume. Tu fumes. Nous fûmes!")
Sorry, but the credit card business doesn't work that way. When a transaction is fraudulent, it is the merchant that takes the loss, not the credit card company. This gives the credit card companies little incentive to improve security.
It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way.
You're suggesting that they cancel cards that show no sign of having been misused, shutting off the customer's ability to purchase immediately.
Between the lost revenue on the cardholder's purchases during the several days it would take for a re-issued card to arrive in the mail, plus the disrupted regularly-scheduled payments (notice MasterCard in particular pushing its customers to use cards for monthly utility payments!), plus the number of calls they have to deal with from ticked-off customers whose cards suddenly don't work, plus the cost of doing this every time a customer or online site is foolish enough to leave a new card number vulnerable -- it probably *is* more cost-effective to just deal with the cases of actual fraud.
Did I say overlords? I meant protectors.
There are many informative and interesting posts in this thread, but I have failed to see where we hold the people directly responsible.
There is a sense of responsibility on the Consumer, that no one here seems to be addressing. Your information is YOUR information. If you are careless with YOUR information then you, the consumer, are responsible.
Don't be so willing to provide your name and address to anyone. Don't read or give anyone your SSN like it's candy. Protect all credit card receipts and credit cards. Don't leave wallets and purses out so thieves can steal your info.
Don't sign up for every freaking credit card offer available.
Read your statements. Make sure you are aware of every purchase and at the first sign of a compromised account, you simply call your credit card company and get a new card issued.
Shred old paperwork with personal info, I don't mean strip shredding, I mean really shred that stuff good.
If you dispose of an old credit card, don't just shred it, throw away pieces in different places so that the info on the old card can't be used later.
If all this is too much, then go back to writing checks and hand delivering them to a location where you can pay your bills. Deal with cash only. People are much more careful when they have that physical green in hand. They should treat their info with the same care.
Yes this is a lot of responsibility, but this would stop a majority of fraud right away. Then it would be easier to stop the other fraudulent activities because they would be so exposed.
Life takes interesting turns, but the most interest is when you're off the beaten path.
The whole problem here is that the credit card and debit system have it backwards. You have to tell a third party/merchant how to get money from your account. What if we turned it around? I.e., the third party/merchant has to tell you how to put money in their account. Then you go to the bank and have them send the money. Everybody would have deposit-only numbers which represent no security risk. It wouldn't matter if the bad guys have your number, because the only thing they can do with it is give you money.
Not trolling, that's just the unfortunate reality. Merchants and business owners are obviously getting the raw end of the deal in this scenario, while CC companies are not hit in the pocketbook very hard. I know it's an added cost to bear, but if a merchant googles the CC number of every purchase made and rejects the transaction for any number found online, at least they wouldn't get screwed. Yes, the "legit" customer is going to take his business elsewhere, but wouldn't it be worth it to not lose thousands of dollars in merch? Companies who accept forged CC info are going to become even greater targets for fraud, shrinking their margins in the long run.
Alternatively, business owners could "unionize" against this and create uniform practices for testing CC#'s against obvious fraud (#'s exposed via the web). Reject any card they easily find, and say "Your CC information is exposed, complain to your bank." CC companies would almost have to respond to that...
Well, duh. It's usually considered proper that the individual or organization that screws up pays the price - and the bulk of credit card fraud happens only because the merchant fails to live up to the terms of his contract and ensure the transaction is valid before submitting it. Why should the credit card company or processor pay for someone else's mistake?
When you are a financial institution, it's your responsibility to make sure the money is handled properly. That's not always fair, but life isn't always fair.
There's Verified by Visa, which is a password system for credit card purchases. Also the CVN (security number on the back) is supposed to be like a PIN. Merchants are not supposed to ever store this number but they do anyway.
Have you ever been to a turkish prison?
There's also an "Easier" to do this too ;)
I should have caught that. I guess I spent too much time checking the there and their context.
lol
No
Oh come on now.
How do you know they're bogus? I had an ecommerce site refuse my credit card once. They actually charged my card then a few days later reversed the charge saying they couldn't verify my info. So I guess my card number is now in their database as a bogus card even though it was legit. So how do you know those 100 transactions were really bogus? I'm assuming you didn't get chargebacks because then you wouldn't have to report it to the credit card companies as they would already know.
Credit card companies are in the business of clearing credit card transactions, and if they clear the transaction, it should be their problem if the transaction was fraud.
Ultimately, the ones who pay the cost of fraud is you and me, in the form of higher prices.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
I don't usually plug credit card companies, but Citibank actually offers a service that makes this whole discussion moot, if you're with Citibank, that is. I happen to be with them because they offered a card with 20,000 bonus miles and 1 mile per dollar. There is a $50 annual fee after the first year... but I think it's worth it.
Anyway, the way it works is you download this app to your computer and login to it using the same login and password you would use to login to your account via their website. The tool lets you generate a virtual card number (including the CVC code and exp date) for every online purchase you make. Each number is set to expire the following month, and each number can only be used at a single merchant. If this isn't enough for you, you can set exact spending limits for each number, as well as extend the expiration date.
You can also check the tool to see when numbers were charged and if any numbers are still active. It's been pretty handy for me. I think I've used it about 20 times since February.
The credit card companies are big enough, why can't they instead work out a special program with each of the search engine vendors? That is, whenever the search engine crawler detects a page that appears to have credit card numbers, why not have it push this information to the credit card companies? It could even sort by number range, so that AMEX only get AMEX numbers, Master Card only gets MC numbers, Visa only gets Visa, and so on. Each CC company would get the list of potential card #s along with the URLs where they were spotted. The URL information could be used for prosecution purposes, as well as identifying what merchants etc. are leaking card data.
Obviously, the CC vendors would have to pay a fee, but isn't that cheaper than the rampant credit card fraud they have to deal with? Its price could be comparable to the cost of the proposed scanning hack, but the results would be higher quality and would put less of a load on the search engines.
Granted, this is a mitigation strategy, not a solution. But to me it's like eating well and exercising in addition to having doctors and hospitals. You need both proactive and reactive strategies.
--JoeProgram Intellivision!
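The mod-10 check described a few comments up (first 6 digits identify the issuer, last digit is the Luhn checksum) and the crawler-side detection proposed just above both come down to the same routine: find 16-digit runs in text and keep only those that pass mod 10. The following Python is an added example, not code from the article or from any commenter, written from the defender's side: it scans a page dump for card-like numbers, reports the 6-digit issuer prefix of each hit, and masks them so a merchant's log scanner or a crawler could record the leak without re-exposing the number. The sample text, its names and order ids are constructed; the 4111... and 5500... values are widely published test numbers, not real cards, and the third 16-digit run is deliberately one that fails the check, so a plain "16 digits" match would produce a false positive that the Luhn filter removes.

```python
import re

# Constructed sample (not from the page): the kind of debug dump a sloppy
# web app might leave in a world-readable page. The first two card values
# are public test numbers; the third is a tracking id that fails Luhn.
SAMPLE_PAGE = """
order=10231 name=J. Doe card=4111 1111 1111 1111 exp=09/08
order=10232 name=A. Smith card=5500-0000-0000-0004 exp=11/08
order=10233 tracking=4111111111111112
"""

# 16 digits, optionally separated by single spaces or hyphens ("nnnn nnnn" form),
# not preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def _double(d: int) -> int:
    """Luhn doubling: 2*d, minus 9 when that exceeds 9 (same as the 0,2,4,6,8,1,3,5,7,9 table)."""
    return d * 2 - 9 if d > 4 else d * 2


def luhn_valid(number: str) -> bool:
    """Mod-10 check: double every second digit from the right; the sum must be divisible by 10."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += _double(d) if i % 2 == 1 else d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes partial + digit pass luhn_valid (what the Perl script above computes)."""
    digits = re.sub(r"\D", "", partial)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        # once the check digit is appended, these positions shift into the doubled slots
        total += _double(d) if i % 2 == 0 else d
    return str((10 - total % 10) % 10)


def find_card_numbers(text: str):
    """Return (as_written, digits, issuer_prefix) for each 16-digit run that passes Luhn."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if luhn_valid(digits):
            hits.append((raw, digits, digits[:6]))  # first 6 digits identify the issuer
    return hits


def redact_card_numbers(text: str) -> str:
    """Mask Luhn-valid 16-digit runs, keeping only the last four digits; other numbers are untouched."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not card-like, leave as is
        return "*" * 12 + digits[-4:]
    return CANDIDATE_RE.sub(mask, text)


if __name__ == "__main__":
    for raw, digits, prefix in find_card_numbers(SAMPLE_PAGE):
        print(f"card-like number found, issuer prefix {prefix}, written as {raw!r}")
    print(redact_card_numbers(SAMPLE_PAGE))
```

The regex alone is not enough: any 16-digit order or tracking id would match, so the Luhn filter is what keeps a scanner like this from flagging every long number. Masking everything but the last four digits means the scanner's own output can be stored and forwarded without becoming a second copy of the leak.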
What's up with Americans and their idiot credit card payment system. Here's how we do it where I live. The user has an online banking account which is protected by a password and SSL encryption. Once the user clicks to pay, the site redirects to the bank. The user puts in the password and gives an OK for the payment. To confirm the payment the bank sends a code to the mobile phone of the user. The user enters the number and gives a final OK and gets redirected back to the original site. The agreed amount is instantly written off the user's banking account. And remember it's a debit account not credit, so no risk in spending money you don't have. Sure it isn't foolproof, but it is way better than some number anyone who gets his hands on it can abuse.
http://www.zug.com/pranks/credit-cards/
No they may not. It's in every merchant agreement with Visa/MC/etc. that the merchant absolutely may not require ID as a condition of paying by credit card. Merchants will be fined for that, too.
Really? I'm looking at MC's Merchant Manual right now and it says as a requirement that merchants: "For unique transactions processed in a face-to-face environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used), request personal identification of the cardholder in the form of an unexpired, official government document. Compare the signature on the personal identification with the signature on the card."
What?
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
The big difference is that PIN numbers can be easily and frequently changed. A good PIN policy forces PIN numbers to be changed regularly.
Most banks do not maintain their own PIN systems. Their transactions go through a clearinghouse service (like STAR). Companies like STAR handle the logistics of PIN numbers.
The difference is this: PINs can be changed easily and often.
FFIEC guidelines recently required banks to implement something other than single factor authentication for electronic bank transactions. I don't see how credit card transactions are any different.
The simple reason that credit card companies do not do this is that it is not worth the effort; the losses from fraud cost less (than a network upgrade to require PINs) due to the many ways credit card companies can recover/write-off bad debt.
And yes, I've talked to managers at Visa, STAR, Open Solutions....etc. They all confirm this to be true.
-ted
The credit companies rarely take the hit for credit card fraud. The merchants take the hit via chargebacks.
There isn't anything evil about credit card fraud. Quite frankly, it's not a real problem. What I mean to say is that it's not worth the cost of solving it.
First off, customers aren't accountable for fraudulent charges. And they are as easily detected as reading your statement once a month.
Second, the work to find, negotiate, detect, or otherwise locate fraudulent actions is not only intensive, it's worthless. Let's solve piracy of $20 movies before we solve theft of thousands of dollars at a time. Talk about an organized underground.
Third, it's a convenience thing. After all of the commissions and transaction fees, we're all covered.
Stop causing mayhem for the legitimate consumer because of criminals' criminal actions. Start arresting criminals and charging them appropriately -- that being exhaustively.
Getting your own mailbox requires just showing your ID (or have a copy notarized if a MB is in another city). I've just got one in Nevada for my company. I doubt that anyone checks them afterwards, unless some fraud triggers investigation.
But mailboxes are not actually required to cash your credit card number. Here are my 2 real-life examples, that my card was used by fraudsters.
1. Retail store. We made a purchase, forgot to take a slip (newbies). The card was charged an hour later a second time to buy a box of wine bottles. Most probably it was a cashier - who else? We noticed immediately - those $200 were our last money - were scared like hell and offered full cooperation to the bank and the store. No one was interested. A shift manager gave us money back and that was it (yes, we were stupid enough to make a trip to the store to settle things - their attitude was: why are you bothering us?).
2. $9.95 charge. There was a charge in this amount on my monthly bill. And there was a website URL conveniently next to the amount. I went to the website to remind myself what I had bought there. 3 products, all of them electronic ones (like e-books), all of them of no interest to me. And next to the products was the link - press here if charged by mistake... The owner was easily located - he answered the cell phone listed in the domain registration info (yes, I've talked to him - this time I was just curious). His pitch - if we charged you wrongly we will reverse the charge in a second.
So. The first fraudster needs no PO Box - he got his wine and doesn't care if he gets caught or not. No one cares to catch him either. The second fraudster is probably an end-point of some massive cashing operation. But no one will go after him, since 80% of people charged $9.95 would not ever notice, and 80% of those who notice will just reverse the charge and that would be it. The website was alive half a year after I notified my bank...
Lots of posts here take the stance that the CC companies don't care because they just screw the merchant. bullshit.
First of all, it is the merchant's responsibility to verify the card. Unfortunately, careful merchants still can get screwed b/c of other (shitty) merchant's bad actions (lack of security, etc.). But all the major issuers do have an indemnification program, where they charge you a little extra for each transaction but you won't get charged back for fraudulent transactions. This is really just the cost of doing business for the merchant.
Merchants always have that "We reserve the right to refuse service to anyone" thing going for them. They can request your ID and if you don't want to show them that, then that can just invoke their right to not serve you. Remember, they are providing a public service. They don't OWE you the right to buy something from their store.
- 5-10 business days (called this because businesses use these terms when 13-15 days sounds too long) later, the balance is restored on your account, the institution eats the costs and files it with the IRS as lost profits to get a little of that alleviated.
Incorrect. The institution issues a chargeback against any merchants the fraudulent card was used at, essentially ripping the cost of the fraudulent charges out of the merchant's account. Also, they issue a ~$75 chargeback fee per instance to the merchant.
Ah, yet another Bennett, eh? Another one for "the list".
I work for a bank and deal with this stuff every day. Your list is basically how it works. We rarely have a day go by that we don't get two or three dispute forms. As far as the merchants, nine out of ten times the merchants are uncooperative and refuse to do anything to help our customers. One merchant went so far as to deny they had charged the card. One really odd thing I have noticed is at least half of our fraud reports are being used to make purchases at hottopic.com. I think that speaks for itself.
Only if they ID everyone, cash or credit.
If they only ID credit card users, they can be fined and they can lose their privileges to accept credit cards.
Remember, they are providing a public service. They don't OWE you the right to accept credit cards at your store.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Because if you go read the Visa merchant agreement you see that Visa does not allow merchants to make showing ID a condition of sale, i.e. merchants are SOL when it comes to stopping fraud. I guess that's the golden rule for you, along the "he who has the gold makes the rules" line.
Relax I just want some peanuts.
Perhaps that's how it works at your bank, but not all of them. As a few others have already noted, their experiences were different. When I had this happen my bank required me to file a fraudulent charge(s) report, which had to be accompanied by a police report before they'd remove the charges and extra fees (over the limit fees caused by some of the charges). I ended up not having to pay a cent of the bogus charges or the fees they caused, but I had to wait over a month for them to be removed. Even though they did cancel that card number and issue me a new card, I wasn't able to use it for weeks while I waited for them to process the fraud report. Getting the police report was a bit of a pain since the fraud took place in another town about 200 miles away and I had to get it filed by phone and fax, but it took less time to get than the bank took to process the fraud report and the police were much more helpful. (It took me 2 days to get the police report, it took a bit over 4 weeks for the bank to process the fraud report and remove the charges from my account. Then I had to call them to remind them to remove the over-the-limit fees, they had "forgotten" to remove them.)
Don't assume your experience is how it works everywhere and be glad your bank's not an ass about these things.
Your step 8 is incorrect. The bank does not eat the charges - instead it's the MERCHANT(S). I'm in business for myself helping others be in business for themselves and I see this all too often. The burden for the fraudulent transaction lies with the merchant, who, in addition to losing the amount of the original transaction, is also out whatever merchandise was sold, will still have to pay the fees on the original transaction, will almost always be hit with a chargeback fee (of $30-35) and may have his rates increased by his processor if this happens too often.
Back when my card number was stolen the crooks had a card with my number on it but their name. It didn't scan (nowadays it'd probably scan even) but the stores that the crooks hit did check their IDs. Of course the name on their photo IDs matched. One store went so far as to keep an etched copy of the card (rubbing a pencil over paper with the card underneath) on file and were able to provide that to the police. In fact it's thanks to that store that I found out so many details about the fraud.
So tell me how any of those merchants were supposed to know that the guys were crooks? The card number went through, they checked ID, the ID matched the card info, the card number went through. Everything looked like a valid card whose stripe info had somehow gotten messed up. Perhaps if banks required stores to input the name + the number on manually entered cards then merchants could combat this type of fraud as well, but until then (and if they've started doing this since, I applaud them) the issuer seems far more liable here; their policies are allowing the crooks to defraud merchants in ways that merchants cannot detect.
If a merchant has too high a percentage of fraudulent transactions to overall transactions, they lose their ability to accept credit cards. This is per business type, so certain businesses have more leeway than others, i.e. restaurants will not be allowed as many fraudulent transactions as porn websites.
I am wondering about how easy it would be to abuse Best Buy or Circuit City's order online and pick up at a store program. If so, what is to stop someone from buying something large online while on a stolen Wi-Fi connection and picking it up with a stolen or fake ID at a store a hundred miles away. Honestly, bartenders and bouncers take fake IDs every day, and they scrutinize them twice as much as some store clerk.
Looks like he's pointing out what would happen if the same standards that applied to AACS license keys and warez applied to credit card numbers. It's clearly satire.
How this is overrated at 1 is beyond me, unless someone wants to hide arguments that they don't like the implications of but can't be bothered to address.
Think a little deeper into the social implications of things.
Microsoft was not the first company to push a feature list, but they have most consistently and for the longest time used the feature list as an anti-competitive tool.
Does that make it any clearer for the yea-sayers?
Or do I need to state the obvious, that as long as long as the Steve and Bill act continues to run, it's going to be really hard to get any software that does the right thing, security wise or otherwise, into the public venue.
It's not just your credit card, you know.