Data Exposed In Stratfor Compromise Analyzed

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 Email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well." As of posting, Stratfor's website is still down.

"Donations" to Charities

[InterestingFella]

The credit card numbers they stole and exposed were used to make over one million dollars worth of "donations" to different charities like Red Cross, Save the Children and CARE. Good job Anonymous!

Except that they were all reversed with chargebacks, which not only took back all the money given, it actually cost the charities around $250 000 in chargeback fees which are now off from what other, legit people donated. Awesome job there! Idiots...

Re:"Donations" to Charities

[InterestingFella]

Do you really think that it will be banks covering the costs? That never happens. It's always the merchant. Charity or not. The 250,000 comes from my knowledge of chargeback fees being $25-40 for merchants. With around 10,000 current credit cards exploited, I actually took the lowest possibility of $25 per chargeback and didn't even account for multiple donations per card. The fees can be much higher too, but it is at least $250,000.

Re:"Donations" to Charities

Stratfor Global has us worried. Pls don't donate to AIDG with stolen credit cards, we get hit $35 per fraudulent transaction! #anonymous RT

Indeed. Good job, Anonymous!

Re:"Donations" to Charities

[JWSmythe]

It doesn't matter if they're a charity or not. They may have managed to talk the bank out of some of the fines, but that'd be about it.

One place I worked, which did high volume CC transactions, the typical sale was $25. A chargeback resulted in the bank taking back the full amount ($25) plus fine ($35).

We worked hard to avoid chargebacks. As I recall, you can lose your merchant account if you exceed 1% chargebacks. Before the chargeback is done, the merchant is given a "chargeback notification". At that point, we can dispute, refund, or ignore it. Since we were an online company, we didn't have a physically signed receipt to prove that the person was actually the purchaser.

With a signed receipt and someone to confirm that they visually verified the identification, you can dispute.

We opted to refund, and cancel their account. That way, we simply didn't make the value of the sale, but there were no fines applied. So +$25 on the transaction. -$25 on the refund. $0 total.

Finally, is the option of ignoring it. +25 transaction, -$25 refund, -$35 fine. -$35 total.

Typically, the consumer would call first, before the chargeback. We'd assist them in finding out the details of the transaction. We'd give them the time, date, information about the IP, and email address used with it. Most of the time, we could positively say that the transaction occurred in their location (by the IP and ISP). They'd recognize the email address as belonging to someone else in their household. If they wanted, we would cancel the account and refund the full amount. I'd say refunds occurred about 50% of the time. They'd talk to their family members, and find out that they had done the transaction, the card holder just didn't know, but they allowed it anyways.

For us, it didn't matter that much. We handled millions of dollars a year. Who cared about a few dozen refunds in the same period. It was cheaper to refund and make the consumer happy, than dispute and risk incurring the fines, and risking our merchant account status.

I know people will stolen card information will test it by donating a small amount to charity. People won't generally notice a $1 or $5 charge on their card, if it's frequently used. They'll catch on when the card is used the second time for a high dollar transaction. The idea of the test transaction is only to verify the card. It's easy, and they don't have to provide a valid delivery address for merchandise. They aren't doing it out of good will, they're exploiting the system a bit more.

Re:"Donations" to Charities

[cdrguru]

Banks? There are no "banks" involved with chargeback fees.

When you sign up for a merchant account , you are contracting with a "merchant services provider". They are the ones that are handling the credit card transaction processing. When you get paid, they put money into the transfer account as per your agreement - then a bank is involved. Until the, you are dealing with a reseller (probably) and some place like First Data which is not in any respect "a bank".

You might be able to get your merchant services provider to back off on some massive fraud and not charge you the full $25 for each and every single chargeback. However, a lot of this is dictated not by your merchant services provider and not even by First Data but relates to the fact that people get involved at both the bank (where your money got put) and also with the customer card accounts themselves. When First Data processes a charge in error and it shows up on some poor customer's statement, they likely have to pay a service fee to the customer's credit card processing company to get the charge taken off. Now that might be a bank.

So the likelyhood of getting the charges waived is pretty low. It costs real money to screw with credit cards and if you aren't properly valididating the transactions - before submitting them - you are going to run up some big bills. Did these charities do proper validation and find out they were being scammed? Hope so, because then it would not have cost them anything. If they ran the charges through, they are likely going to have to pay.

Re:A new way to mitigate credit card fraud

[tibit]

You must not have any credit cards, then. I haven't had any credit cards (and I have a dozen) that are not renewed with the account number intact. The expiration date is bumped ahead by some predictable number of months (12, 24, 48, etc), and that's it. Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date. You should get it right on 3rd or 4th try at worst. You can then cache the initial expiration date delta with the first 4 digits of the account number as the cache lookup key.

Re:Another Linux using server compromised? LMAO!

[fnj]

Bzzzt. Thank you for playing. The 2.2.15 doesn't tell you the patch level. Here's from a completely up to date RHEL6 system:

[fnj@baldur ~]$ rpm -qa | grep httpd
httpd-tools-2.2.15-15.el6.x86_64
httpd-2.2.15-15.el6.x86_64

The -15 tells you the patch level. 2.2.15-15.el6.x86_64 was issued this month. As long as Redhat supports RHEL6, and that will be for a goodly number of years more, they will issue security and other patches. For example, their kernel is presently 2.6.32-220.2.1.el6.x86_64, but they track and backport not only the latest security patches but also a lot of hardware support and new feature improvements.