Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Your Rights Online

60,000 Credit Cards Numbers Stolen Online 232

robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."
This discussion has been archived. No new comments can be posted.

60,000 Credit Cards Numbers Stolen Online

Comments Filter:
  • now i can finally afford some /. credits!
  • Credit Card (Score:2, Insightful)

    by phorm ( 591458 )
    This is why I have fraud protection on my card. I can backcharge anything, and VISA goes after those who frauded me. No fault, no charge. Anyone who messes with VISA goes against some of the most expensive lawyers there are... and a whole lotta pain can ensue....
    • Re:Credit Card (Score:5, Interesting)

      by GigsVT ( 208848 ) on Saturday September 14, 2002 @02:28PM (#4257608) Journal
      That fraud protection is ironically a scam.

      You are already guaranteed limited liability to $50 and chargeback rights by law. The credit card companies sell that fraud protection because they know it doesn't really cost them anything, since it's mostly what they have to provide anyway.
      • And, if your credit card company likes you, they might not even ding you for the $50. I once had a spree of charges on a card and AT&T removed all the odd charges, issued me a new number. No fuss, no muss, no $50.

        This was about 12 years ago, and was a card that never left my posession - I suspect an oil-change reciept stolen from the car was used to "burn" a new card.

        The most hilarious thing charged was about $1400 to a legal firm!
        • on many cards, the $50 limitation is only if your CARD is used fraudulently... as in, someone steals it and uses it without your permission.

          If you read most contracts, you will find you have zero liability if someone scams your number somehow and uses it.
          • on many cards, the $50 limitation is only if your CARD is used fraudulently... as in, someone steals it and uses it without your permission.

            No, it is only if there is a signature that the $50 deductable applies. If it is a MOTO transaction the deductable is ZERO, you are covered in full.

            I don't see the point in the scam. While the scam artist now knows that the 60K cards were valid he has tipped off the card companies to the fact the numbers have been stolen.

      • I have heard that if you sign up for one of those plans it lowers your credit rating. I guess they figure you are either stupid or are planning fraud.
      • Re:Credit Card (Score:3, Informative)

        by gmack ( 197796 )
        It's worse than that. They will take the money back from the reseller plus a pealty. The credit card companies actually make money on the deal.

        Scam is putting it mildly.

    • A few years back, some girl in Sacremento somehow made a card with name and number (who said criminals are intelligent) and went to Kmart charging a few thousand dollars in purchases. In one day. Visa took care of everything, cancelling the charges, and only asked me to sign a statement that I had not authorized that person to use my card. The card companies seem to be good at spotting unusual behavior.
      • A not uncommon trick is to take an otherwise valid card and re-do the magstrip with information from another card.

        The clerks NEVER check the CC# which is scanned and, in the unlikely event they actually check the name and signature of the person in front of them it matches the card because the card was indeed issued to the person holding it. Only the CC# wasn't. Doesn't work if they are making a purchase where the card is imprinted, but that is so rare now...

        • Re:Credit Card (Score:5, Interesting)

          by IIRCAFAIKIANAL ( 572786 ) on Saturday September 14, 2002 @03:13PM (#4257744) Journal
          I've posted this story before, but half the time clerks don't check signatures because customers are jerks if you do check.

          My girlfriend is working as a cashier at a drug store. Somebody came in and bought around $50 worth of stuff. He wanted to put it on his visa - she takes the card, runs it through, and puts the card down beside her register while the transaction goes through. The guy asks for his card back and she says she'll give it back after she verifies the signature - and the guy freaks out!

          (Keep in mind, she's very polite and friendly, not speaking with a "fuck off, I'll give it back when I'm ready" type attitude)

          He reaches across the counter, grabs the card, rants about how much money he makes and how stupid she must be (incidently, she has a university degree and will be starting her first technical writing contract soon).

          I used to get annoyed that cashiers don't check signatures - now I see why. Credit card fraud happens all the time but my girlfriend never had it happen on her register (unlike others at her store).

          • I sympathize with her -- I used to work at Sears, and I may have been the only clerk who always checked signatures and/or ID.

            And just so people know -- no, "My mom told me to go shopping" doesn't cut it, not even if I were dumb enough to call the number you give me for "verification".

            And for Christ's sake, sign the card. Don't worry about giving the thief a signature sample, because he doesn't need a sample if you leave the strip blank -- he'll just sign it himself. Some cards, in fact, must be signed to be valid, and in some cases the signature must match the name on the front (so Daddy's card with Junior's signature isn't valid.)

            Just tell her that she's protecting the customer because sh's a decent and responsible human, even if the customer is too fuckwitted to understand. I used to phrase it as, "protecting the cardholder", which was deliberately vague as to whether or not it was the cardholder standing in front of me.

            • Re:Credit Card (Score:2, Informative)

              by pinny20 ( 415459 )
              One of the major banks in the UK has a great and simple fraud prevention scheme.

              When the customer applies for a credit or debit card they bring in a passport photo of themselves and provide a specimen signature. These are then printed onto the back of the card.

              The customer doesn't forget to sign the card, it doesn't rub off like normal cards, and it's easy for the cashier to tell if the person standing in front of them looks like the picture on the back of the card.

              Fraudsters might be able to print cards with these details too, but perhaps by adding a hologram then this wouldn't be a problem either?
    • Re:Credit Card (Score:5, Informative)

      by NineNine ( 235196 ) on Saturday September 14, 2002 @02:30PM (#4257625)
      EVERYONE with a Visa or Mastercard has fraud protection. It's a federal law. You probably didn't know that, and were suckered into paying extra for it.
      • Re:Credit Card (Score:3, Informative)

        by rudedog ( 7339 )
        I was under the same impression, but listen to my sad story.

        On August 17, while on vacation, I discovered some bogus transactions on my card on August 9 - 5 transactions, $800, to some card processor in Israel. I called my bank the same day and told them the transactions were bogus and they issued me a new card.

        Yesterday my bank called back and said that the merchant had verified the transactions and that I would be responsible for them. The merchant's "proof" was a single page fax that basically said that the charges had been done for an online casino account that had been opened in my name. Since the account was in my name, and the account "had a unique username and password", that is all the proof that the bank needed that I had authorized the charges.

        The fact that the casino account was opened on the same day that the charges were made didn't seem to make a difference. The fact that I had never heard of the casino, nor had I authorized them to open an account in my name didn't make a difference. The fact that on the day in question, I was on vacation and driving from Seattle to Montana (a 10 hour drive, with credit card receipts to prove it) didn't seem to make a difference.

        According to my bank (this is US Bank), I am responsible for the charges, and my only recourse is to take it up with the casino and their credit card processor.

        So much for anti-fraud protection.

        I am still planning to fight this, BTW, so if anyone has any suggestions about a course of action, I'm all ears.
        • If you happen to live near the bank, go there in person and demand to see managers of managers until you get as high as you can go, and be adamant. It's a lot harder for an institution to press an issue which is clearly unreasonable when an irate person is there in their face.

          Sufficient persistence applied this way could save you the legal fees it would take to correct the situation the hard way.

          Good luck.
        • Re:Credit Card (Score:3, Insightful)

          by Zeinfeld ( 263942 )
          Yesterday my bank called back and said that the merchant had verified the transactions and that I would be responsible for them.

          Send a letter in as follows:

          Re fraudulent charges to account XYZ charges [list]

          Under penalty of perjury I deny authorizing the charges specified above.

          I hereby require you to produce the signed transaction receipts as required by Regulation E of the Federal Reserve regulations governing the use of credit cards.

          As your legal department will confirm the laws of the United States govern all transactions concerning credit cards issues in the United States. These laws make the card issuer responsible for all fraudulent charges and not the consumer, the merchant or any other party.

          These charges are in dispute. Any allegation made to a third party such as a credit agency alleging refusal to pay a legitimate debt shall be considered defamatory and action may be taken accordingly.

        • Was the card a Visa or Mastercard? If so, call them, not you bank. Banks have had their credit card privelges revoked (and all cards cancelled) because of shit like this. I know Ford and Dodge dealers that have had the service centers shutdown and dealership stuff put under a microscope because of the same type of things but with cars. Also, go to the bank in person WITH ANYONE PERSON and speak to the big cheese himself. Be prepared with the reciepts. Know exactly how long you and your family has been a customer and how many accounts your family has conbined. Be nice but very firm. If they don't act, file a BBB complaint and contact you AG. They can't weasel out of it for ever.
        • Was this a Credit Card or a Debit Card?

          The law-based/automatic fraud protection and $50 liability that applies to Credit Cards DOES NOT apply to Debit Cards. If you are using a Debit Card, you are fully responsible for charges until you report your debit card is stolen.
    • They don't go after the thief first. The first thing they do is a chargeback to the merchant that accepted the bad card. Merchants have none of the legal protections of cardholders and end up eating the vast majority of fraudulant charges.
    • I have fraud protection on my CC too. It's called a Visa Check Card. It has only a limited amount of money in there (beer > anything) and if they really want to steal that # (the only # I use to make purchases online) they are more than welcome to.

      It's great protection for me. I am not really worried about CC # theft, but if it does happen I have not only Visa to back me, I also have the limited amount they can charge.

      If you don't have the ability to get a 1x only CC # (like AMEX) then I suggest using this method of personal protection.

      Just my worthless .02
      • Re:Credit Card (Score:2, Informative)

        by blincoln ( 592401 )

        Are you sure that your debit card has fraud protection? most debit cards do not [essortment.com], as they are regulated differently than credit cards [cardweb.com].

        My Visa debit card, for example, does not, so I put all my online transactions on my actual credit card.

        • Mine is protected. Still going through this. I hate, no, despise credit cards. So I only have a debit card against an account for cash and non-cash investments. Pretty risky behavior.

          Came home last week (ironically from laying down a down payment on a new car) to a message on the answering machine stating that my Visa card # has been compromised and that the card's been cancelled. I panicked, and checked the account, but no strange charges were appearing. When I asked them what evidence they were going by, and they said they get a daily list of compromised cards from Visa. She said that when a card # shows up, "that usually means they were able to buy your card # off a hacker website." I was glad that no unauthorized charges came through, but I asked about their policy and they said I wouldn't be responsible for one dime. All I have to do is point out the unauthorized charges and it'll be taken care of.

          Which reminds me, I should check the account and see if anything has trickled in since then.. :) Sometimes it takes a few days to post transacations.
      • But then if someone takes your check card, the money they charge is temporarily taken out of your account. That's your money, not loaned money. You could end up at an ATM staring at a $0 balance instead of $500.

        Your checks will probably also start bouncing if you don't check your balance that often.
        • Of course if you use a secondary checking account only for debit purchases, you'd be OK. I have a couple of friends who do this. One account gets the direct deposit, and only has ATM rights. All of the normal bills are paid out of that account. When they absolutely have to use a Visa card (say to buy an airline ticket), they transfer the necessary funds into account 2 and then use the debit card.

          OK, so I have weird friends. A low-limit credit card would be just as effective. Tell me something I didn't know already!

    • This is why I fucked up my credit beyond repair. I'd LIKE to see one of those foreign credit card thieves get something approved on MY credit. Muuaaaahahahahahaaaaaaa

      Financial irresponsibility is your only real protection.

  • by great throwdini ( 118430 ) on Saturday September 14, 2002 @02:22PM (#4257593)

    Duh. From the article:

    This is not the first time credit card thieves have used hacked online merchant accounts to test cards.

    They then go on to talk about an earlier MSNBC expose reported in April. I suspect the testing of credit gateways happens far more often that MSNBC suggests. Actually, I was a "victim" of this sort of authorization fraud last month -- someone in Czechoslovakia breached a transaction system in North Carolina, posting $0.01 charges, then following up with larger charges for goods delivered to El Paso. Lovely. I only got hit up for the initial cent before cancelling the card, but the person with whom I spoke mentioned that many more people were tapped through their system.

    People: check those statements. So many friends of mine don't, holding on to bank-issued VISA debit cards and not bothering to account for their money apart from "do I have anything in my account now that I'm standing in from of an ATM?"

    • What else would Online Data be running [netcraft.com]? Duh, the validation sofware saw nothing unusual in 140,000 $5.07 transactions? OK. Here, Mr. Vendor, just use this super secret closed software that we promisse will be safe and secrure because no one has ever auditied or validated it. Weeee! Another fine "product" to run on the world's most secure platform.
      • Oh yes! This is so typical! Reading further into the MSNBC article we see the usual M$ respone, blame the user:

        While Verisign actually performed the authorizations, Dunne blamed the reseller, Online Data, for the incident. She said the company issued poor passwords to its customers.

        "We encourage resellers to assign strong passwords. The issue here appears to be the nature of passwords assigned to merchants," she said.

        But Rante said the merchant was to blame for not changing its password often enough.

        "All of us need to change our passwords," Rante said. "We issue a starter password just like most companies do. We strongly urge the merchant to go in and change their password. This merchant failed to change their password and they were hacked.

        So remember that kiddies, you are RESPONSIBLE for your password and any foul deed commited when someone breaks the crummy buggy crap software that accepts it! So clueless. The software was inadequate and those inadequacies obviously aided criminals. The criminal is at fault, but the maker of the software deserves blame for protecting against an obvious event.

        Business at the speed of stupid.

  • by NanoProf ( 245372 ) on Saturday September 14, 2002 @02:22PM (#4257595)
    The initial password assigned to the hacked account was OnlneAp16501. I wonder if the merchant before them had password OnlneAp16500? Sigh.
  • by weave ( 48069 ) on Saturday September 14, 2002 @02:23PM (#4257598) Journal
    When shopping online, I only use American Express's Private Payments. [americanexpress.com]

    Go online, log on, generate a one-time use number, plug that into the web site, only good for one transaction.

    • That is great if you don't mind paying the yearly fees and have a decent credit record. When I started out... I wanted the same security but didn't have any credit at all so American Express turned me down for a card... For others that have that problem, PayPal offers the same exact service. Say what you will about paypal, but I have been using them for years for making and spending money online and have yet to have a single problem. They have actually impressed me, compared to any other credit company I have dealt with since. I went hog wild with my paypal card one weekend. And while I was out on my spending spree, I got a call on my cellphone from PayPal, just checking to make sure it was me swiping the card :)
    • by aaarrrgggh ( 9205 ) on Saturday September 14, 2002 @03:31PM (#4257821)
      This still doesn't help you with the fact that your primary number is easy enough to guess... a 16-digit credit card number only has a maximum of 11 digits for a given bank (4-digit bank code, and at least one checksum digit).

      When a merchant is hacked like this, even brute-force number generation can be done with a little bit of information to yield a good number of valid credit card numbers.

      The problem is that the credit card companies are allowed to make their money back (from fraud) on interest, so they have no real incentive to reduce the fraud imposed by the lack of numberspace. The "one-time numbers" are just something to make people feel more comfortable about spending money online.
      • Many of the more reputable online credit card-accepting merchants don't merely check the number: They also pass the address and CVV2 number (that number above and to the left of the account number on an AMEX card or in the signature area on the back of a MasterCard or VISA) along to the authorization gateway.

        Better gateways can verify both the CVV2 and address before accepting a transaction. This goes a long way towards preventing brute-force attacks, but is only really useful if all authorization gateways start requiring them in order to validate requests.
      • The problem is that the credit card companies are allowed to make their money back (from fraud) on interest, so they have no real incentive to reduce the fraud imposed by the lack of numberspace.

        Actually, the merchant is the one that eats the cost of fraud in most cases. If you dispute the charge, the merchant has to supply either:
        A signed receipt (with the card either imprinted or read via magstripe)
        Proof of delivery.

        Without that, the merchant eats the charge. Either way the merchant pays a chargeback fee ($25ish). Get too many, and they pull the mrrchants acount.

        Some card providers do check the expiration date, and most processors support using address verification (compares the first 4 digits in the street address and the 5 or 9 digit zip). Using the extra digits on the back of the card (CVV2) also helps. Some of the processors have services like Authorize.net's FraudScreen service, that watch for patterns, and flag suspicious orders.
    • In 1998 I was one of thousands of victims in an international hundred million dollar credit card fraud. Some of the suspected principals of that case are said to be back in operation [doublebillers.com].

      I had a few minutes of limited fame back then, including an appearance on Japanese tv. The story of that fraud, and a dicussion of cc fraud in general, is here [faughnan.com]. (Alas, the site is hosted by myhosting.com, and as on many Sunday mornings it is now down!)

      Only the banks can fix the problem, but with the very notable exception of American Express they've done very little. I now use AMEX for all recurring internet transactions, and if they ever got their Quicken support working reliably (they've failed for 3 years) I'd use them for all online transactions. AMEX has the best attention to security, and the best response to fraud, and the most sustained interest in combating fraud.

      Barring litigation, the VISA/MC franchise will only fix this problem if customers stop using their cards. So use AMEX instead.

      john faughnan
      jfaughnan@spamcop.net
      www.faughnan.com
    • They're not actually one time use, they can be used for up to one month from the time they are issued as many times as you want.
  • Since it was so obviously testing stolen credit card numbers one would hope that all the cards would be immediately cancelled.

    If so, the thieves must be kicking themselves for being so greedy.

    Although knowing the way that institutions work, I somehow doubt that that has happened yet! :-(
  • Anyone remember him he had hacked the a cd reseller website ( cduniverse.com afaik ) and stole
    about 25,000 credit card numbers and publish them on the net!
    Check here for his page [pc-radio.com]

    Though he never get caught....

    Related Links :
    http://www.internetnews.com/ec-news/article.php/4_ 278091 [internetnews.com]
    http://www.wired.com/news/technology/0,1282,33539, 00.html [wired.com]

    • I remember him: my number was one of the ones stolen from cduniverse. My card was cancelled, but they didn't tell me until I was at the front of a many-deep line at Best Buy. In fact, the clerk "called it in" and contacted Discover security, who then wanted to talk to me. When you're seventh in line, it's not moving, and the clerk and the customer are on the phone, now you know why. Sorry, I didn't enjoy it either.

      Ironically, my number was stolen and the card pre-emptivly cancelled for a second time just two weeks ago. Fortunately, through both incidents, I haven't had to pay a dime.

  • Online transaction systems should always be set up to require a zip code and decline the transaction if it's bad. This problem is just negligence on the part of the merchant.
  • by TheSHAD0W ( 258774 ) on Saturday September 14, 2002 @02:28PM (#4257617) Homepage
    If you'd read the article through, you would've seen that the merchant account was never credited with the $300K-plus authorized. The main worry is that now the criminals have a large number of valid card numbers; but all those numbers are on record and can be canceled, and new numbers issued. Transactions using those numbers can be traced.

    Admittedly the incident caused a lot of annoyance and no small expense for card issuers, and there are ways security could be improved, but in the end, the hack didn't cause a disaster.
    • by CyberKnet ( 184349 ) <slashdot@@@cyberknet...net> on Saturday September 14, 2002 @02:41PM (#4257653) Homepage Journal
      the hack didn't cause a disaster... yet.
      Assuming they re-issie card numbers to the people affected.

      People who have to wait for a new card.

      People who might not be at liberty to pick it up (ie what if they were overseas, with a now defunct credit card, or worse, have to keep using a compromised credit card?.

      People who still have to look for erroneous charges to their old card.

      People who would then still have to re-instate any auto-debits they have charging to that card number.

      There was annoyance to more than just the card issuers... and it wasn't even the card issuers fault, they shouldn't have had the annoyance any more than the card owner!

      It's high time that credit card transaction processors were forced to pay up for the inconveniences as well as the charges they cause when their systems are breached.
      • Sorry if I wasn't clear, I meant annoyance in general, not just to the card issuers. They did bear the burden of expense, though.

        And you're right; Mastivisa might decide not to cancel the old card numbers. Still, considering the banks would have to bear most of the burden of any false charges, they will probably do so.
    • The company, Card Cops, has tried numerous times to turn these credit cards over to the respective credit card companies. The problem is that the credit card companies don't want them! Due to the cost of reissuing 60k+ credit cards, they would rather assume the fraud debt, passing the cost along to the merchants who take credit card transactions, as well as the average consumer. After all, not all of these cards will be used for an illegal purpose.

      This type of behavior won't change until the credit card companies change their systems, reengineering them for increased security and better verification procedures. They need to quit jerking their customers around and find effective solutions. The only people who suffer from this are the consumers and businesses; credit card companies will always make sure they are getting their share. It's up to the public to put pressure on these credit card companies to make effective changes.
      • Nice rant, but FYI, Visa sends out a daily "compromised cards" list to all issuers. Its up to the issuers to do something about it. Wachovia immediately cancels all of their cards that turn up on the list. I know. It happened to me a week ago. So if you're not getting good protection, maybe you should switch issuers.
  • Insurance (Score:3, Informative)

    by T-Kir ( 597145 ) on Saturday September 14, 2002 @02:29PM (#4257621) Homepage

    I was pissed off recently because I can't use my Switch (Debit Card) on Dabs [dabs.com], but looking at it realisticly, it makes sense because with most banking online in the UK, most (if not all)Credit Cards have insurance against online theft (wheras I don't think the Debit Cards have the same protection).

    But I know that isn't the point (relying on the insurance), because the systems (and banks) need to catch up with the standards that the internet/online world requires. Not only the banks have problems, but remember Amazon.com keeping quiet about major breaches of security and customers bank details being overly exposed... I never saw the image, but didn't someone modify their logo so that it said 'Shhhh!'?,

    Just my 2 fruadulently obtained cents (processed through 'Online Data Corp's credit card transaction processor).

    • Actually I've got a Barclays Connect card, and when some little (*(* head went on a 2k spending spree with the card number Barclays phoned me, found out it was fraud refunded me the dosh and reissued my cards.

      So most bnanks debit cards are protected...
    • Credit cards are an entirely different matter than debit cards like switch.

      Credit cards don't *NEED* insurance against online theft usually... fraudulent charges are NOT your responsbility, PERIOD.

      It is the responsbility of the merchants to ensure that transactions are legit, or they lose out, not you.

      A single call from a cardholder declaring a transaction as unauthorized is all it takes to get you off the hook for the cash. They will investigate, of course, but the onus is heavily on the merchant to prove he had authorization to make the charge.

  • OK, so the hackers now have a list of 60K credit cards that worked on this test. But the credit card company also has a list of credit cards tested by the hackers, right?

    It shouldn't take too long for the credit card company to block all those cards. Of course, they've got 60K pissed off customers whose cards will have to be replaced, and that's not going to be that cheap!
  • Yet another problem for Verisign. I wonder how this will affect their image...
  • by tcc ( 140386 ) on Saturday September 14, 2002 @02:36PM (#4257644) Homepage Journal
    Face it, most of us will never buy a 30,000$ piece of equipment on a e-commerce site. And even companies, that's why you have Purchase orders and/or accounts/checks. If you're crazy enough to buy that 30$ item or that 200$ basket with a GOLD Visa that has no protection, you're asking for trouble.

    The most basic way to protect yourself is to 1. You get a visa or mastercard with insurance/protection for that kind of fraud. If it's not available then go for a LOW limit on it, I did that with one, got about 700$ credit limit on it, I've taken the worst case scenario buying, more than that, if, let's say I would buy something for 2000$ off ebay, I'd simply send a cheque or if I don't trust the seller, I'll use an escrow service. For most e-commerce sites, 700$ for my personnal needs is okay, if I get frauded, it'll be ~500$ (balance) in the average, much less than if I'd use a 5K$ visa.

    Banks are to blame on this though, we are users, we pay good money and good interests for this service and even in recessions they are still the ones making the most money, so why can't they come up with a better system? I don't have to THINK about that system, someone there is paid to do exactly that. I saw a report on TV the other night about how easy it is to empty bank accounts if you only have an account number and the complete address of the account number's owner... I mean... come on... basic service here. I'd gladly take an extra step that could make it less convinient to get better protection, this kind of situation shouldn't happen.

    If you say "banks have nothing to do with E-merchants that don't protect their data" I'll say this: Banks indorectly or directly giving e-merchant status to people/companies, it's their responsibilities to make sure that their systems are safe and that their name won't be associated with being frauded to the bones. While I agree nothing is safe at 100%, there are some BASICS that should be covered, and the one in this article with over 100,000 queries is kinda OBVIOUS.

    I fear we'll see more and more of this since now everything is continuing to be programmed at a higher and higher level without really knowing the insides and completely trusting the source tools (.NET for example, makes everything so much easier, but you don't even have to be a good programmer to use this). if the command becomes "securecheckout(items,price) return total; Charge(inputcreditcard)" well, if you are a good programmer, you'll check that "charge" function and how it works, if you are like most programmers out there, on a rush with a crazy deadline, you won't bother or take the time, hense, this will happen more and more. (I won't get into the rushed/incomplete software developping as well we all know the effects of that).

    my .02

    • If you're crazy enough to buy that 30$ item or that 200$ basket with a GOLD Visa that has no protection, you're asking for trouble. The most basic way to protect yourself is to [...] get a visa or mastercard with insurance/protection for that kind of fraud.

      No, the most basic form of protection is to not have a card at all. Seriously, though, as others have pointed out elsewhere, there are federal liability statues that limit fradulent purchase charges to, at most, $50. Enrolling in fraud protection programs offered by credit card companies it just not worth it -- over the lifetime of the card, balanced against the risk of a fraudulent charge appearing on your statement in excess of $50, you're paying for more than you're getting.

      Banks are to blame on this though[...]

      I suspect a fair amount of exaggeration here. I will agree that "bank cards" that act as credit accounts area danger. They are not subject to the same fraud protection that "true" credit accounts are. I wouldn't fault the banks for that headache, though, I'd blame consumers who flash them around without considering the consequences. Sometimes, I wonder whether VISA check cards and their ilk were such a good idea at all.

      Your points about the significance of proper software development are important. However, the issues aren't confined to "e-merchants", as brick and mortar merchants are quite open to credit fraud, too.

      • I myself use a bank card as a form of protection for making online purchases. I transfer money into that checking account before immediately before making purchases, so if my number were ever to be stolen, it would just be rejected anyhow, as no funds are available unless I make them so.

        -Tommy
        • I wouldn't be too sure of that. A fried of mine once bought some stuff from an online retailer using a debit card. He had enough money in the account to cover the purchase, but the retailer screwed up and charged too much. The bank hit him with large overdraft fees, compounded by the fact that he didn't check his account status for a while after he had made the purchase. He had no idea anything was wrong until he got his banks statement showing the overdraft and all the fees. Fortunately, since it was the retailer's mistake, they paid the fees, but don't think that just because you don't have money in the account the bank won't take money out of it. Especially when they stand to make lots of money in fees.
        • So your trading 0 risk (or maybe $50) in exchange for all the risk of someone entering a wrong amount and this is a good idea?

          If someone hits your account (because of fraud, entering a wrong amount,...) then you get hit with bank fees for going over the amount. Every try to get thouse undone? With most large banks, you can't with debit cards or it will take far more time than its worth. Credit cards already put the risk on the bank (who pushes it on to the merchant).

          I've been hit by credit card fraud a few times over the past 15 years and my total time to deal with it was less than 5 minutes. A single mistake involing a debit card will take at least a few hours to clear up.
      • See the previous post. You already have fraud proection.
    • You already have fraud insurance. As has been pointed out at least two dozen times, it's require by law in almost every country.

      The rest of it is pretty silly. Credit cards are useful because you can use them lots of places. Banks simply can _not_ audit everybody's software. That's impossible. If they tried it, you'd pay way much higher interest than you do already on your credit card - as if it wasn't bad enough.

      It works fine as it stands. Somebody steals your credit card number, you don't pay a dime, the credit card company nails the company that was the root of the problem (the one with the security hole), and that's the end of it.
    • but you don't HAVE to "buy" protection from this kind of fraud; at least in Canada & the US, it is federally guaranteed.

      You are not responsible for fraudulent use of your card. Period. At all. In any way.
      The only way you ARE responsible is usually for up to $50 IF THE CARD ITSELF IS STOLEN., and that's only if the charges happen before you report the card as stolen.

      Merchants are hte ones who get stung when cards are used fraudulently, not visa, and not the cardholder.

  • Stolen Credit Cards (Score:3, Informative)

    by smoondog ( 85133 ) on Saturday September 14, 2002 @02:37PM (#4257645)
    Why does /. always consider stolen credit card numbers a consumer/yro problem? Stolen numbers that are used are nearly always reimbursed by the company (debit cards are different, unless you know the rules, you shouldn't use them online).

    Big, enormous, credit card companies could make usage of credit cards more secure (and difficult) but they haven't because they probably don't want to do anything that will lower or hinder usage.

    Because these guys make an enormous amount of money from credit card interest, I don't think they will make any major changes anytime soon.

    -Sean
    • by shoppa ( 464619 )
      Why does /. always consider stolen credit card numbers a consumer/yro problem? Stolen numbers that are used are nearly always reimbursed by the company

      Yeah, but it can be a bit of a pain. It takes at least a phone call, and in some cases it'll require cooperating with police, insurance companies, random companies you've never dealt with before but who lost money, and swearing affidavits, something that can require considerable time.

      It's also indicative of the poor security that many (most?) corporations give to personal data, which is a true "consumer/yro" issue.

    • by Anonymous Coward
      False chargest that are later cancelled still show up on your credit record, with notes explaining the situations. As anyone who has worked with databases will understood, these records are then queried in credit checks with queries that do not have a human's ability to understand that the credit charge was bogus.

      Therefore until the record has to be removed by law, your credit record can be hosed. And since nothing was actually stolen from you, if the credit card company chooses not to pursue (which from their point of view is a risk/reward issue involving the amount that a lawsuit would cost), you have no standing to sue about it.

      The same thing happens with identity fraud, but tends to be larger because they can rack up quite the bill before anyone figures out that you don't live at the black hole that the bills are going to.

      For more see Database Nation [oreilly.com].
  • Quote (Score:2, Interesting)

    "You've generated 140,000 charges, thats more than your normal volume."

    Hmm... Would you expect a store to want to deliberately shut down its systems because it is getting too much business? I mean what if slashdot had given them a posting about some great new product they had, or cnn.com, or any large media outlet. Can you really expect a merchant to build in a shutdown to its system on the extremely small chance that some hacker is going to use their site as a testbed, and potentially lose millions of dollars in sales? I do not think you can really blame the system here, for either its lack of foresight, or lets say they did forsee this scenario, or its unwillingness to refuse lots of orders. The article was kind of sparse on details but I am guessing this was an all at once kind of transaction, and even if there was some kind of alert sounded, that by the time anyone realized what was going on, the transactions would have taken place already. The passwords, while a little on the weak side, did contain a mixture of letters and numbers, and I am going to go under the assumption that the number was randomly generated. I dont think you can really place much blame on the merchant here- Could their security have been made stronger? Yes. Would stronger security have even prevented the event? Maybe.
    • The shut-down system doesn't need to be so drastic that it prevents any purchase to be made/money to be credited to the seller, it could just trigger a warning, keep recording transactions the CC-users have made, but warn the appropriate folks that an unusually high volume is happening, and to have a look if it's something evil or just hundreds of yuppy kids excited about Segway being finally released.
      • The shut-down system doesn't need to be so drastic that it prevents any purchase to be made/money to be credited to the seller, it could just trigger a warning, keep recording transactions the CC-users have made, but warn the appropriate folks that an unusually high volume is happening, and to have a look if it's something evil or just hundreds of yuppy kids excited about Segway being finally released.

        That is exactly what happened.

        Velocity checks are the primary responsibility of the merchant acquirer. The gateway merely secures the connection to the merchant acquirer system.

        If you have a sudden vast number of bogus transactions go through then warning lights are going to go on. However that does not mean that the system is going to shut off the service.

        If the bad guys have hit you with 1000 charges of which 60% were blocked cards you are going to want the connection to continue as long as possible so you can mark the other 40% of the cards as probably compromised. If you have the capability you would probably like to do a network trace and call in the cops. However that type of thing is difficult to set up on the fly. Most card scammers do not do anything so conveniently obvious.

        The main protection built in against this type of fraud is that the merchant does not get paid straight away. There is no real point in verifying so many card numbers in a way that is so obvious that it causes the cards that verify to be cancelled.

    • by Tet ( 2721 )
      "You've generated 140,000 charges, thats more than your normal volume."

      Hmm... Would you expect a store to want to deliberately shut down its systems because it is getting too much business?

      Yes, I would, because that's almost guaranteed to be fraudulent use, and it's a pain in the ass for the store to have to clear up the resulting mess. But apart from that, I wouldn't expect the *store* to do it anyway. I'd expect the card processor (First Data or similar) to do it. I work for a UK based credit card [accucard.com], and we *do* have systems in place to check for abnormal usage (although I don't know if they'd have helped in this case -- they certainly pick up unusual patterns per card, but this was only one transaction per card). I'd hope that FDE [firstdatacorp.co.uk] have similar checking, but I don't know for sure. I'd assumed it was routine, but found out it wasn't when my girlfriend's card was cloned. Sure, her bank eventually refunded the fraudulent transactions, but made no attempt to stop them in the first place. From speaking to our fraud people, it seems it's up to the individual issuer whether or not they do it.

  • Funny... (Score:2, Insightful)

    by mtrupe ( 156137 )
    I've never had a fear of credit card theft.
    1. I can dispute charges (I suppose you can't do this with all credit card companies).
    2. They ALWAYS call me if there is any "suspicious activity" on my card.

    There have been times when I used my card 5 times in a single day, and of course the call me to make sure its all legitimate. I guess I don't know if all credit card companies extend such benefits to the customers, but my cards always have (Platinum, gold, and even those crappy ones you get in college when all you really wanted was a candy bar.)

    Granted, this does not excuse sloppy software and ISP's leaving our credit card numbers exposed to the world, but it does increase my confidence in my credit card.
    • "They ALWAYS call me if there is any "suspicious activity" on my card.

      There have been times when I used my card 5 times in a single day, and of course the call me to make sure its all legitimate. I guess I don't know if all credit card companies extend such benefits to the customers, but my cards always have (Platinum, gold, and even those crappy ones you get in college when all you really wanted was a candy bar.)"


      I don't know either, but my Canadian student visa card from my bank with a relatively low spending limit gets this protection. Just about 3 weeks ago I got a call from the bank telling me they had cancelled my card due to suspicious activity (passed through an unauthorised scanner) and were sending me a new one. They went through the last few charges on the phone with me and everything seemed in order.

      Strangely enough, a few weeks earlier the same thing happenned to my dad with his card provided from the same bank.

      But still, it was good for piece of mind, and for knowing that the number for the card I had use in many (SSL secured) online transactions was now useless to any potential fraudsters.

      I don't want to give out who my credit card issuer in a public forum but e-mail me if you are interested in getting such a thing for yourself and I will tell you which bank it is.

  • it says that I am responsible for unauthorized charges and I'll start caring.
  • Not always true... (Score:5, Interesting)

    by singularity ( 2031 ) <nowalmart@NOSPam.gmail.com> on Saturday September 14, 2002 @02:51PM (#4257688) Homepage Journal
    I used to work at a small video rental chain (nine stores) in the corporate office/warehouse.

    Each year, we would have a huge warehouse sale. We would gather about 10,000 previewed VHS tapes and sell them for anywhere from $1 up to $10. There were some really great deals.

    Anyway, since the warehouse was actually behind and attached to one of the stores, we would just run one of the telephone lines and charge machines to the warehouse.

    During that weekend, we would see tens of thousands of dollars in transactions, up from the normal activity on our account, usually measured in the hundreds of dollars a day in charges.

    Each year we were called by the authorizing agent during the sale to make sure the sales were not fraudulent. In addition, one year we had to show a random sampling of the signed receipt copies from the sales.

    I find it strange that the credit card company did not look into the matter any quicker than it did.
    • by Nf1nk ( 443791 )
      A 400 mhz machine used as a server can handle 50-60 simultanious connections (thats what I have, thats what I can handle I pray I don't get slashdotted and I don't post links to my site), A commercial ebusiness should have dozens of time the capicity of me. so lets go with math time

      lets just say they can handle 100 transactions a second (not unreasonable) then all 140000 transaction could happen in 23 minutes,

      so lets say a computer flagged unusual activity and after 40000 transactions it would still take a t least fifteen minutes for the guy who saw the flag to ask his manager what he should do about it and make the call, by that timeit could be over.

      This could happen much faster than the video stores big business day.
  • Spitfire, a small e-commerce company that generates five to 30 transactions a day, suddenly was deluged with (62,000!) credit card authorizations.

    Damn. And nobody noticed until irate customers started calling? Who dropped the ball here? Presumably Spitfire is ultimately responsible for not paying attention to the transactions through their own website, but I imagine Online Data comes in for some of the blame, since they were actually processing the payments. Interesting to see where the most fingers end up pointing (probably depends on who has the best legal department).

    Also: In a situation like this, is Verisgn obligated to contact 62,000 credit card holders to warn them about a possible fraudulent transaction using their card?

  • by witten ( 5796 ) on Saturday September 14, 2002 @03:08PM (#4257731) Homepage
    I work for TrustCommerce [trustcommerce.com], a credit card processing gateway that just happens to compete with Verisign, the gateway mentioned in this article. What I want to know is why the Verisign rep said nothing about the velocity controls that should have been in place on the account in question. Velocity controls work like this: If a merchant goes over a certain number of transactions per day or per card, no more transactions are let through. The whole point of these controls are to prevent exactly this sort of basic fraud from occurring in the first place.
  • by sterno ( 16320 ) on Saturday September 14, 2002 @03:11PM (#4257741) Homepage
    Go on-line to your favorite search engine and do a search for information about how to encrypt credit card transmissions using SSL. You will find a ton of useful information and hordes of people wanting to sell you certificates for your servers.

    Now, go on-line and try to find information about STORING credit cards. There's very little in the way of useful information on how to do this securely. Most of the good security people simply advise not doing at all. In spite of that many on-line businesses are doing credit card storage and you quickly get the sense that few of them have any idea how to store this information in a secure way.
    • Nuts, you beat me to it :)

      That's right, online merchants should never store a CC number and I won't shop anyplace that does (not that I shop online - or over the phone either).

      Incidently (so I don't get modded redundant) do online merchants use the 3 digit security number on the back of cards? I'm Canadian and in order to check my balance, etc, online with my CC I have to use it when I login (well, I did until they moved to a more secure password protected security model).
      Is that 3 digit code a Canadian thing or is it global?
  • why I don't own a credit card.
    The numbers get stolen all the time and abused and they charge you for things you haven't bought like expensive cars, tall buildings and anti-tank missiles. And then you get into trouble.
    The other reason why I don't own such a silly credit card is only known to the credit card companies, which won't tell me.
  • Heh... want to talk about credit card fraud?

    The place I work at (which I'm not going to disclose right now) asked us for:

    - Rent receipts
    - My financial breakdown
    - Cost of schooling
    - Credit Card receipts

    on our job application, so that I can "prove" I need the job badly enough (it's a student job, partly paid for by gov't wages).

    How's that for fraudulent? I'd sue, but I don't think I'd win (the place I'm working for is pretty damn big). Ho hum.

    Needless to say, they're not getting the receipts until the talk to me personally. Hasn't been a problem yet.
  • by tlambert ( 566799 ) on Saturday September 14, 2002 @03:28PM (#4257805)
    Does anyone else find it incredibly ironic that Verisign is blaming Online Data for assinging weak passwords instead of strong passwords, and Online Data is blaming merchants for not changing their passwords?

    Online Data, the payment processor, is a reseller of Verisign credit card gateway services.

    And Verisign sells digital certificates, which provide authentication, identification, and non-repudiation of data signed with those certificates.

    And yet they are relying on passwords, rather than requiring the use of an X.509 certificate for an established security association, so that no client machines other than the ones owned by the merchants themselves can be used to make credit card authorization requests.

    And each of these people *has* a certificate in hand, since they have to have one to run an HTTPS (SSL based) server in the first place!

    That's a bit like the U.S. Marines deciding to hire school crossing guards to provide the security for Fort Knox, isn't it?

    And now they are blaming people for not hiring the right school crossing guards, or not firing olld school crossing guards, and hiring different ones "often enough"...

    -- Terry
  • We issue a starter password just like most companies do. We strongly urge the merchant to go in and change their password. This merchant failed to change their password and they were hacked.

    Hynek told MSNBC.com the merchant password issued to him by Online Data was âoeOnlneAp16501.â

    In related news, the Pentagon said that all of its intelligence computers also use a certain top-secret, confidential password by default. MSNBC.com was told that this password is âoe0$@m@.â

  • Sure, it's not a bank, your money's not secure, some people have trouble with them and they're headquartered overseas. But to have this level of responsibility in my hands as a small (tiny, obscure, whisp of a) business would be daunting.

    Those poor folks. Saved some time and money building their web app by cutting requesty generation tracking out of the order system and the result was massive fraud. All their fault -- and yet, I can't see the proposal for these features being too popular at a staff meeting, either.

    Hell, I had to fight to get SSL up -- and we're too poor to afford a cert.
  • It's all 'cause they Freed Kevin. It's the only possibility.
  • Passport (Score:2, Funny)

    by javacowboy ( 222023 )
    Time to sign up with Microsoft Passport. At least then, I'll know my credit card information will be safe :)
  • And once again, this is a problem for Visa, not for me.

    The onus is on the merchant to PROVE that I authorized those charges, and not the other way around. It SHOULD be like this on every other visa card issuer out there. If it's not, change (i'd be surprised)

    IF you see a charge on your card that isn't yours, a single phone call is all that should be required to get rid of it.

    WE have to remember, the credit card is the property of the issuer, not the holder. The money was not stolen from you, it was stolen from VISA.

  • The credit card numbers weren't STOLEN. They were COPIED. Information wants to be free! Oh wait, this argument only applies to music, movies and software...
  • First of all, stop this whole credit card business on the net. It is WAY dumb to have a stupid little code and an expiery (sp?) as the only thing identifing you.

    Here is an example:

    Have an ID system a la passport (preferably a company with no other interests at hand other than providing this service and high security). Now I can identify myself.

    I login to shop.on.the.net and register myself (I let them know who I am), I can set what kind of news I want, and I can shop for stuff. Goodie. I choose to buy thing A, thing B, and thing Q, and I press "ORDER".

    Now I have to log into my bang account, here I see that shop.on.the.net wants $XXX from me, and I say "yes I would like that". Now you have had two different systems that had to be broken before you can hack it.

    Now what happens is that the order is sent to one of a few addresses that I have registered at my bank, no other addresses will be sent to. There is also a mentioning on my pages on the banks site of where it was sent.

    Now, this system would not be hard to use (probably would take less time to order than for me to write this down for you), and it could probably be improved upon further, in terms of ease of use and security. And it is surely much better than a system with a stupid number and almost no control over it.
    • Here is an example:

      OK, don't take this criticism personally. Here it is:
      Quit spouting off solving the problems of the world without first taking a small look at the problems and the consequences of the solution.

      Merchants won't like this system. You keep forgetting that if your great aunt Tilly would be confused, no merchant will touch it.

      Second, the merchants will see this as "taking control away" from them. Never mind that it isn't, that's how they will see it.

      Third, Visa/Master Card won't like this system. It will cut down fraud, which is one of the items they roll out when accused of usury. "All that fraud going on, we have to make more money!". Also, Visa, and Master Card won't like it because it will take some control away from them. You are talking a second level of control here, and controlling the card is what the issuer does.

      Fourth, Visa/Master Card will really hate it because it puts the authorizing company in line for some of the commission, and none of the charge backs.

      Over all, it's not a bad idea, just one that will never be put in place. I've been involved (indirectly, getting asked "can we do..." kind of things) with a few round table discussions on this. Bottom line, they don't want to change anything because there is no or negitive incentive to do so.

      Amex used to generate a kind of sub-credit-card number for their customers, but I haven't seen it lately. They used to generate a one-time number with a specific credit limit you selected. The first time the number is used is the last time it's good. That worked well because people didn't have too much to do to make it work. On the other hand, you had to dial a number or visit a web site to set up a sub-number before you could purchase anything.

  • I thought this story was gonna be about a website where you could test the "validity" of your credit card by typing in the number and waiting for the results...

    Obligatory Simpsons reference:

    Snake: "OOhhhh.. wallet inspector."
    Nerds: "I think everything's in order." (hand over wallets)
    Snake: "I can't believe that worked."
  • Geez, I wonder how the Online Data Corp web site got hacked so easily... Let's see on Netcraft...

    Yep, "The site www.onlinedatacorp.com is running Microsoft-IIS/5.0 on Windows 2000" [netcraft.com] (and with an uptime of less than a day at that).

    And what about the vendor with a guessed password? Netcraft it again... You, ahem, guessed it: The site TalkingTP.com is running Microsoft-IIS/5.0 on Windows 2000 [netcraft.com].

    I dunno about you, but whenever I see a web page with the magical .asp suffix, I carefully avoid to even turn on cookies. Much less give them my name and CC number. Because I know that it's only a question of time before they get hacked, owner and stripped from their customer files.

    -- SysKoll

GREAT MOMENTS IN HISTORY (#7): April 2, 1751 Issac Newton becomes discouraged when he falls up a flight of stairs.

Working...