Slashdot Mirror


Data Exposed In Stratfor Compromise Analyzed

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 Email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well." As of posting, Stratfor's website is still down.

26 of 141 comments

  1. "Donations" to Charities by InterestingFella · · Score: 4, Informative

    The credit card numbers they stole and exposed were used to make over one million dollars worth of "donations" to different charities like Red Cross, Save the Children and CARE. Good job Anonymous!

    Except that they were all reversed with chargebacks, which not only took back all the money given, it actually cost the charities around $250 000 in chargeback fees which are now off from what other, legit people donated. Awesome job there! Idiots...

    1. Re:"Donations" to Charities by Herkum01 · · Score: 3, Insightful

      I highly doubt that charities are getting charged chargeback fees for something that they did not do themselves, and you made up the amount of 250,000 because there is no way the banks would be able to justify the fees for a quarter of the total amount.

    2. Re:"Donations" to Charities by vlm · · Score: 4, Funny

      yeah yeah about that, do you have the URL for donation pages for RIAA and MPAA?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:"Donations" to Charities by InterestingFella · · Score: 3, Informative

      Do you really think that it will be banks covering the costs? That never happens. It's always the merchant. Charity or not. The 250,000 comes from my knowledge of chargeback fees being $25-40 for merchants. With around 10,000 current credit cards exploited, I actually took the lowest possibility of $25 per chargeback and didn't even account for multiple donations per card. The fees can be much higher too, but it is at least $250,000.

    4. Re:"Donations" to Charities by Anonymous Coward · · Score: 3, Informative

      Stratfor Global has us worried. Pls don't donate to AIDG with stolen credit cards, we get hit $35 per fraudulent transaction! #anonymous RT

      Indeed. Good job, Anonymous!

    5. Re:"Donations" to Charities by JWSmythe · · Score: 5, Informative

      It doesn't matter if they're a charity or not. They may have managed to talk the bank out of some of the fines, but that'd be about it.

      At one place I worked, which did high-volume CC transactions, the typical sale was $25. A chargeback resulted in the bank taking back the full amount ($25) plus a fine ($35).

      We worked hard to avoid chargebacks. As I recall, you can lose your merchant account if you exceed 1% chargebacks. Before the chargeback is done, the merchant is given a "chargeback notification". At that point, we can dispute, refund, or ignore it. Since we were an online company, we didn't have a physically signed receipt to prove that the person was actually the purchaser.

      With a signed receipt and someone to confirm that they visually verified the identification, you can dispute.

      We opted to refund, and cancel their account. That way, we simply didn't make the value of the sale, but there were no fines applied. So +$25 on the transaction. -$25 on the refund. $0 total.

      Finally, there is the option of ignoring it. +$25 transaction, -$25 refund, -$35 fine. -$35 total.

      Typically, the consumer would call first, before the chargeback. We'd assist them in finding out the details of the transaction. We'd give them the time, date, information about the IP, and email address used with it. Most of the time, we could positively say that the transaction occurred in their location (by the IP and ISP). They'd recognize the email address as belonging to someone else in their household. If they wanted, we would cancel the account and refund the full amount. I'd say refunds occurred about 50% of the time. They'd talk to their family members, and find out that they had done the transaction, the card holder just didn't know, but they allowed it anyways.

      For us, it didn't matter that much. We handled millions of dollars a year. Who cared about a few dozen refunds in the same period. It was cheaper to refund and make the consumer happy, than dispute and risk incurring the fines, and risking our merchant account status.

      I know people with stolen card information will test it by donating a small amount to charity. People won't generally notice a $1 or $5 charge on their card, if it's frequently used. They'll catch on when the card is used the second time for a high dollar transaction. The idea of the test transaction is only to verify the card. It's easy, and they don't have to provide a valid delivery address for merchandise. They aren't doing it out of good will, they're exploiting the system a bit more.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:"Donations" to Charities by gmack · · Score: 2

      After 10 years working in the credit card industry I can tell you that banks rarely pass up an opportunity to hit merchants with fees, and charities are nothing more than merchants to them. The theory they go by is that merchants should be able to tell what transactions are fraudulent, but really it's just an excuse to charge for the trouble of having to deal with chargebacks (and make a little extra money on the side).

    7. Re:"Donations" to Charities by rmstar · · Score: 3, Insightful

      In this case, it would be good PR for a bank to cover it for the charities. Heck, the banks could probably even write it off as a donation.

      Good PR? Give me a break. Banks don't give a rat's ass about PR because they mostly 0wn this planet, and there is literally nothing that will stop them from 0wning it more. I mean, they seriously damaged the world economy, put lots of people into excruciating hardship in the US, and there they are. PR didn't really play a role in this.

      So no, they will take the money for the backcharge, and if a charity goes broke, then that will be it.

    8. Re:"Donations" to Charities by SmurfButcher+Bob · · Score: 5, Funny

      In related news, I know a PR guy who's looking for a job...

      --

      help me i've cloned myself and can't remember which one I am

    9. Re:"Donations" to Charities by gl4ss · · Score: 2

      what you're saying is that you could have bankrupted any company with the cards.

      this is high profile enough to just end up as a special case, with the transactions reversed in one large batch by the affected cc processors.

      anyhow, it's up to the card owners to dispute.

      the real wtf is what the hell were they storing the card data for? this means stratfor should lose any possibility to do cc payments in future, having vastly fucked up following guidelines.

      --
      world was created 5 seconds before this post as it is.
    10. Re:"Donations" to Charities by frisket · · Score: 2

      They don't even have to justify anything. Banks in the UK used to charge customers a fee for replying to a letter :-)

    11. Re:"Donations" to Charities by cdrguru · · Score: 4, Informative

      Banks? There are no "banks" involved with chargeback fees.

      When you sign up for a merchant account, you are contracting with a "merchant services provider". They are the ones that are handling the credit card transaction processing. When you get paid, they put money into the transfer account as per your agreement - then a bank is involved. Until then, you are dealing with a reseller (probably) and some place like First Data which is not in any respect "a bank".

      You might be able to get your merchant services provider to back off on some massive fraud and not charge you the full $25 for each and every single chargeback. However, a lot of this is dictated not by your merchant services provider and not even by First Data but relates to the fact that people get involved at both the bank (where your money got put) and also with the customer card accounts themselves. When First Data processes a charge in error and it shows up on some poor customer's statement, they likely have to pay a service fee to the customer's credit card processing company to get the charge taken off. Now that might be a bank.

      So the likelihood of getting the charges waived is pretty low. It costs real money to screw with credit cards and if you aren't properly validating the transactions - before submitting them - you are going to run up some big bills. Did these charities do proper validation and find out they were being scammed? Hope so, because then it would not have cost them anything. If they ran the charges through, they are likely going to have to pay.

    12. Re:"Donations" to Charities by cdrguru · · Score: 2

      The only way someone gets bankrupted is if they didn't validate the cards properly.

      Now validation costs money to do properly, but failing to validate can cost a lot more. It is like $0.30 plus staff time to do proper validation vs. $25 or $35 to deal with a chargeback.

      See, validation makes sense, especially if you are subject to lots of fraud. Anytime a credit card number is taken on the Internet you can assume at least 20% of the entries are fraudulent and you better handle that - because if you submit more than 1-2% fraudulent transactions you aren't going to be submitting any more.

    13. Re:"Donations" to Charities by eulernet · · Score: 2

      From the ArsTechnica article:

      According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

      Why the hell did Stratfor store credit card numbers in plain text?
      They totally deserve what happens to them, I hope they'll have to pay all charges for the credit card changes.
      This is not the first time a company has this kind of problem, but we are now (almost) in 2012, so this problem should have disappeared a long time ago.
      Did they audit their security? It's pretty sure, but they probably didn't show their custom modules, so it's totally their fault here.

      Would you prefer that their server was hacked by some group other than Anonymous, so that nobody would ever know that there was a problem?
      Security by obscurity is never good.

      They can try to blame Anonymous, but it's Stratfor's entire fault!

      Who will take the blame?

    14. Re:"Donations" to Charities by flyingsquid · · Score: 4, Insightful

      Anonymous is nothing more than a bunch of irresponsible children. What the fuck is up with targeting Stratfor? It's not some shadowy clandestine service, it's just a think tank formed by a former politics professor that does analysis. Now, I suppose if your entire worldview is informed by children's cartoons and Hollywood blockbuster movies, that's enough to make them the "baddies" and you the "goodies", but the world doesn't really work that way. Let me explain this to you Anonymous children in terms you can understand: if Batman is walking down the street and sees a guy with a strange costume, he doesn't just beat the shit out of the guy. He goes back to the Batcave, and does his homework, and does some sleuthing, and only after he has figured out that the guy is, in fact, engaged in criminal behavior, *then* Batman beats the shit out of him. See, if you break the law to stop a criminal act, then you're a vigilante. Like Batman. But if you break the law and attack people when you don't have any evidence that they are engaged in criminal activity... then you're not Batman. You're just a fucking criminal.

    15. Re:"Donations" to Charities by Forty+Two+Tenfold · · Score: 2

      And this (the merchant getting hit for fraud and banks raking up the pizzo) coupled with deregulation is why the banks will never invest in development of less fraud-prone electronic transaction mechanisms. For fuck's sake, they're running rackets and we're bailing them out on a daily basis.

      --
      Upward mobility is a slippery slope - the higher you climb the more you show your ass.
  2. Attacking the American Intelligence Community by Anonymous Coward · · Score: 2, Insightful

    A special Category in the Darwin Awards.

  3. A new way to mitigate credit card fraud by Kardos · · Score: 2

    "Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired"

    Sounds like 80% of the problem evaporated based on card expiry. How do we go about making CCs expire more frequently?

    1. Re:A new way to mitigate credit card fraud by tibit · · Score: 4, Informative

      You must not have any credit cards, then. I haven't had any credit cards (and I have a dozen) that are not renewed with the account number intact. The expiration date is bumped ahead by some predictable number of months (12, 24, 48, etc), and that's it. Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date. You should get it right on 3rd or 4th try at worst. You can then cache the initial expiration date delta with the first 4 digits of the account number as the cache lookup key.

      --
      A successful API design takes a mixture of software design and pedagogy.
    2. Re:A new way to mitigate credit card fraud by Bucky24 · · Score: 2

      So if it's expired just add 4 years or so to the date and the card goes through.

      Whenever a new card is issued, the CVV changes (or is it CCV). Most online credit card forms require this number in addition to the other info on the card, so just changing the year doesn't work.

      --
      All the world's a CPU, and all the men and women merely AI agents
  4. Expired cards by nstlgc · · Score: 4, Interesting

    Where I live, when your card expires, you just get a new one with the same card number but a few years added to the expiration date. Wouldn't this allow the attackers to reuse some of the expired cards?

    --
    I'm Rocco. I'm the +5 Funny man.
  5. Re:If even strong passwords can get leaked... by tibit · · Score: 2

    Cover yourself from both ends: have one password per account (a must!) and have them complex. If you do the former, then you'll need a password manager anyway, so the latter becomes trivial.

    --
    A successful API design takes a mixture of software design and pedagogy.
  6. Re:Another Linux using server compromised? LMAO! by HBI · · Score: 2

    Apache 2.2.15 was released 3/6/10.
    Apache 2.2.21 was released 9/13/11.

    So yeah, they were almost 2 years out of date.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  7. Re:If even strong passwords can get leaked... by jschottm · · Score: 3, Interesting

    Use unique passwords for everything important and use a secure but salted password for various sites. Let's say my generic secure password is $sJ55Pm#

    I salt the secure password between the fives with the initials of the website alternating caps. So my /. password could be $sJ5Sd5Pm# and my World of Warcraft password could be $sJ5WoW5Pm#.

    I only have to remember one good password and a formula. Someone clever enough could hand analyze the passwords and might spot the salting but realistically, very few people are worth that effort.

    which makes me think there's no point in super complex "try and guess THIS one!" passwords.

    One practices good password habits because they help when a site does things properly. Nothing is going to save you if a site is terribly set up but that doesn't mean you should abandon best practices.

  8. Think it through a little more thoroughly: by Hartree · · Score: 2

    "it would be good PR for a bank to cover it for the charities"

    You don't understand. The smart PR move is to let the charges stand without comment. That way the charities talk about it to their donors when asking for more funds to make up the difference.

    The banks are already not well thought of currently. This makes no difference to them.

    Net result: A lot of people who had never heard of Anonymous before their favorite charity mentioned them now hate their guts.

  9. Re:Another Linux using server compromised? LMAO! by fnj · · Score: 3, Informative

    Bzzzt. Thank you for playing. The 2.2.15 doesn't tell you the patch level. Here's from a completely up to date RHEL6 system:

    [fnj@baldur ~]$ rpm -qa | grep httpd
    httpd-tools-2.2.15-15.el6.x86_64
    httpd-2.2.15-15.el6.x86_64

    The -15 tells you the patch level. 2.2.15-15.el6.x86_64 was issued this month. As long as Red Hat supports RHEL6, and that will be for a goodly number of years more, they will issue security and other patches. For example, their kernel is presently 2.6.32-220.2.1.el6.x86_64, but they track and backport not only the latest security patches but also a lot of hardware support and new feature improvements.
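fnj's point above, that the upstream version number (2.2.15) says nothing about the vendor's patch level while the release tag (-15.el6) does, is exactly where banner-grabbing vulnerability scanners produce false positives against distributions that backport fixes. The following Python script is an added example, not code from the thread or from any poster: it parses the `rpm -qa` output quoted above into name, version, release and architecture, implements a simplified version of rpm's comparison rules (epoch, `~` and `^` handling are left out), and contrasts what a version-only check against upstream 2.2.21 concludes with what a full version-release comparison concludes. The "fixed in" release `httpd-2.2.15-9.el6.x86_64` is a constructed placeholder standing in for the release a real vendor advisory would name; the page gives no such value.

```python
import re
from typing import Dict, NamedTuple, Tuple


class RpmPackage(NamedTuple):
    name: str
    version: str
    release: str
    arch: str


# Constructed sample input: the `rpm -qa | grep httpd` output quoted in the comment.
SAMPLE_RPM_QA = """\
httpd-tools-2.2.15-15.el6.x86_64
httpd-2.2.15-15.el6.x86_64
"""

# Hypothetical "fixed in" release used only for this illustration. A real check
# takes the release named in the vendor's security advisory for the CVE in question.
HYPOTHETICAL_FIXED = "httpd-2.2.15-9.el6.x86_64"

# The name may itself contain dashes (httpd-tools); version and release may not,
# and the architecture is whatever follows the last dot of the release.
_NVRA = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nvra(label: str) -> RpmPackage:
    """Split an N-V-R.A package label into its four fields."""
    m = _NVRA.match(label.strip())
    if not m:
        raise ValueError(f"not an RPM N-V-R.A label: {label!r}")
    return RpmPackage(**m.groupdict())


def parse_rpm_qa(output: str) -> Dict[str, RpmPackage]:
    """Index `rpm -qa` output by package name."""
    pkgs: Dict[str, RpmPackage] = {}
    for line in output.splitlines():
        if line.strip():
            p = parse_nvra(line)
            pkgs[p.name] = p
    return pkgs


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison returning -1, 0 or 1.

    Segments are runs of digits or letters; digit runs compare numerically,
    a digit run beats a letter run, and a string with segments left over wins.
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def evr_cmp(a: RpmPackage, b: RpmPackage) -> int:
    """Compare the version first, then the release (the vendor's patch level)."""
    c = rpmvercmp(a.version, b.version)
    return c if c else rpmvercmp(a.release, b.release)


def assess(pkg: RpmPackage, latest_upstream: str, fixed: RpmPackage) -> Tuple[bool, bool]:
    """Return (banner_says_outdated, release_says_patched).

    The first is what a scanner keying on the upstream version alone concludes;
    the second compares the full version-release against the fixed release.
    """
    banner_outdated = rpmvercmp(pkg.version, latest_upstream) < 0
    release_patched = pkg.name == fixed.name and evr_cmp(pkg, fixed) >= 0
    return banner_outdated, release_patched


if __name__ == "__main__":
    installed = parse_rpm_qa(SAMPLE_RPM_QA)
    httpd = installed["httpd"]
    outdated, patched = assess(httpd, "2.2.21", parse_nvra(HYPOTHETICAL_FIXED))
    print(f"{httpd.name} {httpd.version}-{httpd.release}: "
          f"banner check says outdated={outdated}, release check says patched={patched}")
```

Run against the quoted output, the banner check reports httpd as outdated (2.2.15 < 2.2.21) while the release comparison reports it as patched (15.el6 >= 9.el6); which answer is right depends on whether the release you compare against actually comes from the vendor's advisory, which is why the "fixed" value is left as a labelled placeholder here.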