
Why Are CC Numbers Still So Easy To Find?

kdawson posted more than 7 years ago | from the years'-old-hole dept.

Security 317

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennett's article.
Some "script kiddie" tricks still work after all: Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of credit card numbers in my random test turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app. If the numbers were displayed along with people's names and phone numbers, sometimes I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised.

Now, before this gets a lot of people mad, let me say that at first I was planning on holding off writing about this for months if necessary, to give the credit card companies time to do something about it. In other words, I actually had the presumptuousness to think that I had been the first one to discover it, but only because the credit card numbers that I found were still active. (If the trick had been widely known, I reasoned, surely the credit card companies would have found any credit card numbers listed in Google before I did, and gotten them cancelled.) Then I found that the trick had been publicized about three years earlier in a C-Net article by Robert Lemos and was probably widely known even before that. (The article stops just short of describing the actual technique, but one reader posted the full details in a follow-up comment.) Another article from that year in CRM Daily describes an even more efficient trick: Googling for number ranges like 4060000000000000..4060999999999999 to find Visa card numbers beginning with "4060". Google has now blocked that trick, so that trying that as a Google search leads to an error page. But the basic technique of Googling for working credit card numbers apparently still works. In other words, credit card companies have apparently known about this technique for at least three years, probably longer, and presumably have hoped it would continue being swept under the rug.

At this point, I think the right thing to do is to shine a light on the problem and insist that they fix it as soon as possible. It may result in a short-term spike in people using this technique, but if it results in the problem being fixed, then the total number of fraud incidents will probably be less in the long run.

It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format "3xxx xxxxxx xxxxx", and Googling for the first 10 digits as "3xxx xxxxxx" didn't yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up "treasure troves" of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren't listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL, and a slight variation on the same URL (such as varying an order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found. Simple, but time-consuming with so many different 8-digit prefixes -- but every minute of effort expended on tracking down and canceling leaked credit card numbers would save time and grief later by preventing the numbers from being used by criminals. If it would save them time in the long run and help prevent fraud, then why don't they do this?
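The issuer-side monitor described above, as an added example that is not code from the article. It assumes a separate, hypothetical fetch step has already run each monitored 8-digit prefix through the search engine and parsed the hits into URL/snippet pairs; the code covers the rest of the procedure: pull "nnnn nnnn nnnn nnnn" candidates out of each snippet, discard strings that cannot be card numbers (Luhn check plus the issuer's own prefix list, which cuts the false positives a human reviewer would otherwise wade through), and queue only the URLs that did not appear in the previous day's run, with the numbers masked so the report itself does not re-leak them. The prefixes and sample hits are constructed for the example.

```python
"""Daily monitor for card numbers that have been indexed on the web."""
import re

# A 16-digit number written as four groups separated by a space or hyphen,
# the form the article searches for.  Lookarounds stop a longer digit run
# (an order id, a tracking number) from matching on its inner 16 digits.
PAN_GROUPED = re.compile(r"(?<!\d)(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")

# Constructed prefixes for the example; an issuer would load its real
# 8-digit ranges here.  These match the well-known Luhn-valid test numbers
# 4111 1111 1111 1111 and 5500 0000 0000 0004.
MONITORED_PREFIXES = {"41111111", "55000000"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most typos and made-up numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the issuer prefix and last four so reports do not re-leak the PAN."""
    return pan[:6] + "*" * 6 + pan[-4:]


def extract_candidates(text: str, prefixes=MONITORED_PREFIXES) -> list:
    """Return distinct Luhn-valid 16-digit strings whose 8-digit prefix is monitored."""
    found = []
    for m in PAN_GROUPED.finditer(text):
        pan = "".join(m.groups())
        if pan[:8] in prefixes and luhn_ok(pan) and pan not in found:
            found.append(pan)
    return found


def review_queue(today: dict, yesterday: dict, prefixes=MONITORED_PREFIXES) -> list:
    """Build the list a reviewer looks at: one entry per URL that carries a
    plausible card number and was not among yesterday's hits.

    `today` and `yesterday` map url -> snippet text from the fetch step.
    """
    queue = []
    for url, snippet in today.items():
        if url in yesterday:
            continue  # already reviewed on an earlier day
        pans = extract_candidates(snippet, prefixes)
        if pans:
            queue.append({"url": url, "cards": [mask(p) for p in pans]})
    return queue


# Constructed sample hits standing in for parsed search results.
YESTERDAY = {
    "http://example.test/orders/1001": "Order 1001 paid with 4111 1111 1111 1111",
}
TODAY = {
    "http://example.test/orders/1001": "Order 1001 paid with 4111 1111 1111 1111",
    "http://example.test/orders/1002": "Order 1002 card 5500-0000-0000-0004 exp 06/10",
    # a made-up number posted in the comment thread: not a monitored prefix
    "http://example.test/blog": "Call 4245 8611 9994 1245 for details",
    # right prefix, wrong check digit: fails Luhn, so it is not queued
    "http://example.test/phone": "Fax 4111 1111 1111 1118",
}

if __name__ == "__main__":
    for entry in review_queue(TODAY, YESTERDAY):
        print(entry["url"], entry["cards"])
```

Only the orders/1002 hit reaches the reviewer; the repeat from yesterday, the unmonitored prefix and the Luhn failure are all filtered before anyone spends time on them.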

It's considered good etiquette among security researchers, when finding a new security hole, to give the affected companies a chance to fix the issue before publicizing it. When I first contacted the credit card companies and described exactly how the exploit worked and how to block it, after getting a polite "We can't comment" from each one, I figured I'd give them a few months to get a system in place that could find leaked cards on a daily basis and de-activate them before they could be used. But then I found the C-Net article from 2004, and figured that if the card companies hadn't taken action in three years, it was fair game to publicize the trick in order to increase the pressure on them to plug the gap. Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it.

I did try the "Good Samaritan" approach, calling the credit card companies when I found one of their customers' card numbers on the Web. For each of the four major card companies, I called their security departments and reported two of the cards that I had found compromised, and then a week later, called the cardholders themselves to see if the card companies had notified them. Surprisingly, of the four companies, American Express was the only one whose customers in this experiment, when I called them a week later, said that AmEx had contacted them and told them to change their numbers. But even if all four credit card companies were more proactive about acting on reports of leaked numbers, the problems with scaling this approach are that (a) I usually had to wait on hold for a few minutes with each company and then spell out each card number that I'd found, which doesn't scale for a large number of stolen card numbers, and (b) if lots of people started doing this, then the credit card companies would be inundated with duplicate reports about the "low-hanging fruit", card numbers with common prefixes that appear near the top of some Google search result. Both problems could be avoided if the card companies simply ran their own script that queried Google and brought up a list of any indexed card numbers, whereupon an employee could copy and paste the numbers into an interface that would flag the cards instantly.

Google does have a feature where you can request the removal of pages that contain credit card numbers and other personal data such as Social Security Numbers. Any pages that I found containing credit card data, I submitted for removal, and Google did handle each removal request within two days. But this doesn't guard against the possibility that someone might have found the credit card information before it was removed, and of course it doesn't mean that other search engines like Alta Vista (remember Alta Vista?) might not have indexed the same pages. Running a sample of 8-digit prefix searches on Alta Vista, I found about as many credit cards as I found through Google, including some pages that were not in the Google index (maybe Google never indexed them, or maybe they had removed them already). So removing a page from any engine's search results is more like covering up a symptom of a problem than fixing the problem itself, which is the fact that the card number was leaked to the Web in the first place.

If nothing else, this is another reminder of how terrible the security model is for credit card numbers as a token of payment -- one universal piece of information shared with every merchant, that can be used for unlimited unauthorized charges if it gets compromised, until someone notices. About the only desirable property of credit card numbers from a security point of view is that they can be changed, and most of your existing recurring billing relationships will carry over, but even that is a hassle. Several credit card companies do provide the ability to generate single-use credit card numbers, each one authorized only for a limited purchase amount. The problem with that is that as any security analyst will tell you, if it takes even one extra step, most people won't bother -- as long as all-purpose credit card numbers are the default, that's what most people will use. Perhaps incidents like this will push people towards more 21st-century-aware styles of payment (like PayPal, but without all the horror stories), where you can pay a bill through a system that debits your card or your bank account, without sharing all your information with the merchant.

But in the short term, as long as credit card numbers are still with us, the card companies should make more proactive efforts to find and deactivate the ones that have been leaked on the Internet. If the card numbers are found to be leaked by a clumsy Web interface on one company's site, then that company should be chastised by the card companies that issued them a merchant account. If the numbers are found together in a list posted on some third-party forum, then the companies can cross-reference the charge history against each card in the list, to narrow down which merchant may have been responsible for the leak. I'm sure the card companies do something like this already when they find a list of leaked cards; what they don't seem to be doing is acting aggressively enough to find the leaked numbers in the first place.

Maybe the real moral is not the insecurity of credit card numbers, but the value of transparency and online community relations. If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago. In fact many tech companies, if you report a security problem to them, will thank you and fix it immediately, and some of them will even offer you cash if you find any more, like Netscape used to do with their $1,000 Bugs Bounty program. We get so used to big companies having obvious holes in their security practices and answering every question about security with a flat "No comment", that we forget it doesn't have to be that way -- transparency is not just trendy, it works. After years of having bug hunters poke at the Netscape browser, the security may not have been perfect, but it didn't have any security holes that were as simple and obvious as to be analogous to finding credit card numbers on Google.


317 comments

Blame M$ (1, Funny)

Anonymous Coward | more than 7 years ago | (#19251581)

Clearly Micro$oft is to blame. Their broken OS is the cause of most all CC number leaks.

Re:Blame M$ (2, Insightful)

FooAtWFU (699187) | more than 7 years ago | (#19251675)

I hate Microsoft as much as the next guy, but please! I'd hazard a bet that the majority of the leaks, especially the ones the article talks about, are fifty-cent web applications running on a LAMP stack on an ultracheap web host somewhere.

Why would you think that? (2, Interesting)

twitter (104583) | more than 7 years ago | (#19253097)

I'd hazard a bet that the majority of the leaks, especially the ones the article talks about, are fifty-cent web applications running on a LAMP stack on an ultracheap web host somewhere.

The problem with that line of reasoning is that LAMP, though free and cheap, is obviously better than IIS. The same thing can be applied to retail software. In the free software world, you are never alone. Instead of slapping together a second rate web app yourself, you can install a good one that does not have this five year old problem. Nasty problems that never get corrected are mostly a non-free software problem.

How much is it a problem? (2, Insightful)

LiquidCoooled (634315) | more than 7 years ago | (#19251627)

What does it matter?

How can a normal fraudster use a credit card number to his personal gain?
Does he get goods delivered to his house?

Anything purchased with it has an audit trail.
It's not like you can turn up in a shop and swipe the printout or screenshot, and making up blank cards isn't yet in the hands of the common criminal.

I will go out on a limb and say most credit card fraud occurs in the real owners home town right about the time of alcohol consumption.

Regret buying that 'funky' leopard skin jacket? "OMG I haz been haxx0red!!"

Re:How much is it a problem? (2, Informative)

stackdump (553408) | more than 7 years ago | (#19251703)

I would think the best thing to do would be to learn how to make a bogus credit card. That way you could visit a store out of the way w/ no surveillance and could spend money while signing with some bogus scribble.

Re:How much is it a problem? (2, Informative)

Anonymous Coward | more than 7 years ago | (#19252173)

Gas stations are always a good way to skim money off stolen credit cards ... criminals will routinely recruit bored/underpaid gas bar attendants to run a few dozen cards for several hundred dollars each, make up the difference with cash out of the till, and split the proceeds by some agreed-upon percentage.

Several years ago when one of my credit cards was compromised, I saw a whole bunch of bogus charges made at gas stations all over southern California.

Re:How much is it a problem? (3, Informative)

Anonymous Coward | more than 7 years ago | (#19251709)

Something like this would work... http://news.bbc.co.uk/1/hi/uk/6642465.stm [bbc.co.uk]

Re:How much is it a problem? (1)

minx (81273) | more than 7 years ago | (#19251777)

Simple really,

Get the credit card info, make purchases online, have them shipped to a P.O. Box with a false ID. Or trick someone into receiving and forwarding the package to you on your behalf.

takes a while before the CC company can catch on and stop you.

Re:How much is it a problem? (3, Interesting)

pytheron (443963) | more than 7 years ago | (#19251859)

How can a normal fraudster use a credit card number to his personal gain?
Rent a flat/bedsit somewhere. Get someone to rent it for you for some cash. There's your address. Getting goods is trivial. The hard part is getting people to accept a card without the corroborating data, like chip-and-pin, signature, D.O.B etc etc.

"The hard part is getting people to accept..." (0)

Anonymous Coward | more than 7 years ago | (#19252225)

Really? [zug.com]

Re:How much is it a problem? (2, Informative)

Average_Joe_Sixpack (534373) | more than 7 years ago | (#19251871)

Dateline NBC exposed the workings of these frauds a few months back Part 1 [youtube.com] .

Re:How much is it a problem? (5, Interesting)

Gulik (179693) | more than 7 years ago | (#19251875)

How can a normal fraudster use a credit card number to his personal gain?
Does he get goods delivered to his house?


I recall reading that one guy had a bunch of credit card details, and of course came up against that very problem. His solution was to put up a pile of auctions on eBay for various big-ticket items. When those auctions ended and he got the funds, he used the credit cards to order the items and have them shipped to the winners' homes. By the time the people whose cards were used found out, the only information available was for the folks who won the auctions, and the seller was nowhere to be found.

Re:How much is it a problem? (1)

sammy baby (14909) | more than 7 years ago | (#19252057)

That's a pretty interesting story.

The irony here is that, in theory, if the fraudster had offered to cut his victims in on the deal, it would have been just a regular old business partnership. (But of course, his take would have been much less.)

Re:How much is it a problem? (1)

AndersOSU (873247) | more than 7 years ago | (#19252671)

If the fraudster had cut the original victims in on the deal he wouldn't have been able to sell things for a loss and turned a profit. The scam works because if you sell a brand new $1200 TV for $800 and aren't liable for the original purchase you make $800 instead of losing $400.

Not so clever? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19252785)

Ok, Ok, that makes it one step more difficult for the police/FBI to track you down. But not much. Ok, so now the credit card orders point to the people who bought the stuff on Ebay. So, the person who received the goods then explains to the police that they bought it in an Ebay auction. The police go to Ebay and ask Ebay who the funds for those auctions were sent to, and *then* they go to the guy's house and arrest him. This adds one additional layer of obfuscation, but it doesn't seem like a very good scheme to me. You will still probably be caught.

If it ended up in an article where you could read it, that probably indicates they *did* catch the guy. (Or at least have a good idea who it is - he might be on the run somewhere, so not yet in custody).

Re:Not so clever? (1)

indiechild (541156) | more than 7 years ago | (#19252819)

I agree. The scheme makes no sense at all. It's just one more hoop for law enforcement to jump through. Maybe the scammer felt that was enough to make them not bother hunting him down.

Re:How much is it a problem? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19251887)

How can a normal fraudster use a credit card number to his personal gain?
Does he get goods delivered to his house?


Are you kidding??? Not everything you can buy is physical and gets delivered. If it was as simple as that, there wouldn't be any card fraud at all.

Re:How much is it a problem? (4, Interesting)

WalterSobchak (193686) | more than 7 years ago | (#19252051)

Yes you can use these numbers to shop in a store. Real easy.

My bank called me to ask if I was in Istanbul, Turkey, over the weekend. When I said "No", they said: "But your Visa Card was", and they did not seem at all surprised that the physical card was still in my possession.

They gave me a nice list of events: First the thugs bought something small, then tried something big. As the card was declined, they tried something small again, and then a couple of medium purchases (like $100 a piece).
All in all, they had racked up about $1000 when the call came, but I did not have to cover any of that, luckily.
Again, all of these were in-store purchases.

Alex

Re:How much is it a problem? (2, Insightful)

cpt.hugenstein (1025183) | more than 7 years ago | (#19252259)

I do a lot of online shopping and as a result I have remembered my cc number and associated information. I have had stores take my cc as a number alone without ID. I then asked if that is their standard policy and told them that I could have easily been using a stolen number. They are always surprised at my question but I give them my driver's licence and another piece of ID where they seem satisfied. It may be because I am in Canada and we have the presumption of honesty and innocence but it is not hard to find a store to take your number.

Re:How much is it a problem? (0)

Anonymous Coward | more than 7 years ago | (#19252335)

When it happened to me they had someone in the store they were splitting it with and that person actually typed the number into the pad for them. They then bought a few small gift cards and then used those in another store.

It's not that hard to get a piece of plastic with a number. What shocked me was the fact when it was caught I was buying something at the exact same moment on both coasts of the US. They wanted to deny my charge and let the fraudulent one go. Even though I TOLD them to deny both. They refused to deny the other charge...

Plus they have little incentive to do anything. As they just charge back to the store that the item was bought from. If they had to bear say 50% of the charge you would see something done about it very quickly.

Re:How much is it a problem? (5, Insightful)

Anonymous Coward | more than 7 years ago | (#19252079)

The "audit trails" you are describing do nothing to deter serious criminals. I dated a girl that was charged with CC fraud. She simply ordered by online and had the package delivered to a nice house in a nice neighborhood that was for sale, one where the owner had already moved out. You can find dozens or hundreds of such houses in any city by checking the real estate listings. UPS drops the package off on the porch, and the fraudster drops by in the late afternoon to pick up the loot. The neighbors see people coming and going all day (real estate agents and prospective buyers), so one more visitor with a package tucked under the arm is not noteworthy. It doesn't work 100% of the time, but it works pretty damn frequently.

So as you can see, the fact that you think an "audit trail" prevents such crimes comes down to a lack of imagination on your part, and a very false sense of security. It is exactly that false sense of security and lack of imagination which explains why identity theft is rampant.

Re:How much is it a problem? (1)

b.thompson (542104) | more than 7 years ago | (#19252265)

It can be a big problem. It doesn't have to be something physically delivered home.

We saw a charge on our debit MC for (thankfully only) $7, but neither one of us recognized the charge. After doing a bit of digging, I found out it was a web site for buying bulk email lists. I reported the charge to my CU and they found it was charged to my wife's card. They reversed the charged for us and immediately canceled her card. She went over a week with out a debit/credit card. Thankfully it wasn't a large amount of money, but someone got 20,000 email addresses to spam at our expense and hassle.

Re:How much is it a problem? (1)

Catil (1063380) | more than 7 years ago | (#19252307)

Does he get goods delivered to his house?
No, but maybe to his IP address through a large proxy chain or TOR. I guess you can purchase downloadable stuff like movies, games, ebooks and music via CC.

Re:How much is it a problem? (4, Informative)

plover (150551) | more than 7 years ago | (#19252339)

I'm not sure if you're trolling or not, but it's not too difficult at all for a thief to turn a credit card number into products or cash. There are various laundering procedures that some people go through (Dateline's "To Catch An I.D. Thief" exposed an elaborate one) but the sad reality is that most one-off fraudulent purchases aren't even followed up on by the banks, not until the dollars pile up. (They will be tabulated, of course, and people who try using a dozen stolen cards and have the merchandise shipped to the same address do get picked up.)

Card data can also be turned into products in most stores. The stolen info can be burned on to an expired card, and the thief anonymously walks out of a store with an HDTV. More clever thieves will go to a store that's out of their norm, one that doesn't see as much fraud -- perhaps a craft store or a furniture store -- and buy a bunch of merchandise, and resell it on the streets or at flea markets. There are sophisticated organized theft rings that will purchase certain kinds of stolen merchandise and pose as legitimate wholesalers that resell it to small merchants.

The underground economy revolving around stolen merchandise and credit cards is rapidly approaching a hundred billion dollars annually in America alone (last figure I saw a year or two ago put the estimate over 60 billion, not counting the MAFIAA.) It's obviously pretty easy to do, if you think like a criminal.

Re:How much is it a problem? (1)

xav12 (602450) | more than 7 years ago | (#19252345)

I found out a couple of days ago that my credit card number was being fraudulently used. It appears that it was used to set up a couple of accounts on web-based auction and advertising sites, so nothing needed to be delivered and the amount put on the card was only small (so might not be noticed by some people).

What was interesting is that these sites deal with used car sales. I suspect that the perpetrators are trying to sell stolen cars via these sites. My cc number was just a means to an end, not the final target of the con itself.

Re:How much is it a problem? (2, Informative)

Grax (529699) | more than 7 years ago | (#19252429)

Ways to personal gain from a CC number

1. Long distance calling cards
2. Online delivery of movies, software products, porn, or anything else with instant gratification.
3. Print Fake Credit Cards with the numbers on them and go shopping (Yes. This is in the hands of the common criminal)

My wife's card number was stolen and used to purchase hundreds of dollars of items at a mall over 1000 miles from our home. We did get the charges reversed but it took a number of phone calls (even though their fraud department proactively discovered the fraud on the day it happened and called us right away)

Re:How much is it a problem? (2, Interesting)

profplump (309017) | more than 7 years ago | (#19252549)

More commonly I've seen that they obtain access to a merchant account and process ~$10 transactions themselves. The hope is that they can use the merchant account for a couple of months before people notice -- a $10 transaction doesn't call much attention unless you really do accounting -- and then when they lose access to their merchant account they move on to another.

This can be done either by obtaining merchant accounts directly (not as difficult or traceable as you might think) or just convincing the clerk at any store with a valid account to process a bunch of bogus transactions and pay them out from the till.

Re:How much is it a problem? (1)

0100010001010011 (652467) | more than 7 years ago | (#19252769)

Amazon Gift Cards / Paypal.

I had this happen to me. Someone bought some Amazon gift cards I had on eBay for $50 or so. I sent the codes (which is my own fault for being trusting on the internet) about 2 weeks later I got the paypal "This was bought using a stolen credit card, etc etc".

I guess this has happened in the past and Amazon has refused to give out the account information it was used on. $50 isn't worth their time, after all they didn't 'lose' anything.

Take this one step further. Re-sell the Amazon gift cards, sure you're only going to be making 90%, but it's free money as far as you're concerned. You now have 2 levels of removal from the credit card.

Heck, if I was planning this (and I'm not). Set up some PayPal accounts using tor / proxy servers. Wait until the beginning of the billing cycle so that the bill won't show up too soon. Buy a ton of gift cards, eCurrency, anything "digital". Then re-sell all of this using another PayPal / eBay Account made with a different IP address. Ebay/Paypal never see the Amazon codes, so they're never going to know if "you" bought and sold the same thing. Since time is limited, I'd find a few auctions I wanted to stalk and set up my selling auctions to end 12 hours after the other ones. Their auction ends, I get the code, 12 hours later my auction ends, I send the code.

Then to get to use the funds: Buy something digital. Hosting, anything that accepts PayPal. Or, Buy "something" from yourself. With PayPal account #2. The one with all the funds. Go ahead and Buy a Dell Laptop or an iPod. Something that gets traded 100x daily on eBay. Pay yourself to PayPal account #3, the one linked with your bank account. Go to the USPS and get a tracking number, put it on an envelope and send it to Joe Smith, NY, NY. The tracking number will eventually get used. Some guy is going to get an empty envelope and go WTF. You have a shipping confirmation number to give to PayPal to show that it was a 'verified' transaction.

Given everything I've seen that PayPal has done to protect my money (This wasn't the first, nor the last incident with them...) I highly doubt even 1/2 of this is necessary.

Re:How much is it a problem? (4, Insightful)

LighterShadeOfBlack (1011407) | more than 7 years ago | (#19253013)

Discarding the ways to make a profit from credit card numbers, how about using police ignorance to screw people over. Only a month or so ago details were revealed about the massive flaws in police operations such as Operation Ore in which thousands of people in the UK were arrested in connection with paedophilic-related charges due to their credit card numbers being used to buy access to porn affiliate networks.

Now, using the above methods may not allow you to target anyone specifically, but let's not kid ourselves into thinking that there aren't plenty of people who would happily take a whole load of these credit card numbers and use them to implicate complete strangers in this way. Just for the hell of it.

Money lost on stolen credit cards can be reclaimed. Lives destroyed by false charges cannot.

Seriously, mailto? (3)

Anonymous Coward | more than 7 years ago | (#19251633)

+1 for no mailto: links in TFS...

Important Missing Step (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#19251635)

Okay, I agree that CC companies could easily deactivate these card numbers. But how do you know that they haven't already done this? It's not as though the numbers will be removed from the web once they are no longer valid!

Re:Important Missing Step (4, Informative)

Himring (646324) | more than 7 years ago | (#19251673)

But how do you know that they haven't already done this?

At the top of TFA:

"I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised."

Re:Important Missing Step (0, Redundant)

Goaway (82658) | more than 7 years ago | (#19251841)

I dunno, maybe you could call the people up? And ask them if the cards are still active? Like the guy did? And wrote about it in the article?

Maybe?

Finding credit cards numbers is easy (1)

UbuntuDupe (970646) | more than 7 years ago | (#19251685)

Here, I'm going to post some:

4245 8611 9994 1245
8847 1210 5566 0625

Now ... good luck finding the rest of the information you need to use them.

Re:Finding credit cards numbers is easy (2, Interesting)

Sobrique (543255) | more than 7 years ago | (#19251855)

Thing is though, why would those numbers be listed on a web page at all, unless it were for billing? I've seen quite a few examples of poorly protected .htaccess files, which go something like:

#4455 6677 9933 2233 Mr. A Bravo, 231 Some Road, Some Where, XX4 6YY, CVN 123
username:3DESPASS

Clearly it's a result of a disgusting signup form, but ... well, the OP mentions he rang 'em up, so I'd assume the details were a little more complete than just the CCN.

Re:Finding credit cards numbers is easy (0)

Anonymous Coward | more than 7 years ago | (#19251861)

CC: 4245 8611 9994 1245
exp: 06/10
CVV: 825 Name on Card: Ubuntu Dope
Billing Zip Code: 48169

Happy shopping!

Re:Finding credit cards numbers is easy (1)

Civil_Disobedient (261825) | more than 7 years ago | (#19251975)

No credit card starts with 88, so that's half as much work right there.

Re:Finding credit cards numbers is easy (5, Funny)

Anne_Nonymous (313852) | more than 7 years ago | (#19252209)

>> 4245 8611 9994 1245

That's amazing. I've got the same combination on my luggage.

Re:Finding credit cards numbers is easy (2, Informative)

antifoidulus (807088) | more than 7 years ago | (#19252219)

Did you read TFA? The author states that often he found other pieces of info besides the card, such as names and telephone numbers(he called some of the owners of cards he found)

Sheesh, if you are going to be pompous at least be correct

Re:Finding credit cards numbers is easy (1)

cheese_lord (834106) | more than 7 years ago | (#19252223)

Hey. I can play that game too. Although I won't say who, I found a website with several credit cards and lots of personal information (including a list of prescription drugs being taken). But the thing is this is a person's website and not some cave dwelling business person's website.

Re:Finding credit cards numbers is easy (1)

WebCrapper (667046) | more than 7 years ago | (#19252609)

The main point is, they're complaining about web wannabes and such writing custom shopping carts with a Frontpage form that saves info to the web.

I found a nasty case of this a few years ago on an incorporation website that stored SSNs, CCs, Company and Owner Names (along with partner names and SSNs), etc. After I called the guy - he wanted me to fix it for free for him and told me it was my civic duty to fix the problem...

Banks save nothing (-1)

edfardos (863920) | more than 7 years ago | (#19251705)

If someone uses your CC info to purchase stuff, you have to prove it to the bank, including a fraud police report and all your evidence to prove you are innocent. If the bank feels like you've proven yourself worthy, they'll simply dump the charges on the store that took the card. If not, they'll ruin your credit, you won't get any kind of loan for 7 years (no home, car, school, etc), and you get a phone call every day.

So the bank is protected. Why bother changing anything? It's their game, they'll win every time.

Don't play.

--edfardos

My bank... (0)

Anonymous Coward | more than 7 years ago | (#19251849)

When I found a fraudulent charge on my checking account debit card, before it had even completely posted, I called them immediately. They issued me a new card, sent me a form to fill out, returned the money and that was it. It was only about $15, and it was a pretty wide scam according to some online forums which had other people hit, but it wasn't much of a hassle for me.

Re:Banks save nothing (5, Informative)

SrJsignal (753163) | more than 7 years ago | (#19251909)

Actually, you must not have ever had this happen. There's no "fraud police report" or whatever the heck you're talking about there. Here's what happens: 1. Call CC company, tell them there are unauthorized charges 2. Person on the line marks said charges and gets you a new CC # in the pipeline 3. Bank mails you an affidavit that you must highlight fraudulent charges on, and sign stating that you're not lying about it. 4. CC company issues you credit with the note that *credit is not final until investigation is complete. 5. 1-2 months later you get a note saying "Credit is final". That's it, there's very little burden of proof on the consumer.

Re:Banks save nothing (5, Informative)

ronadams (987516) | more than 7 years ago | (#19252015)

Sorry, doesn't work that way. I'm not sure where you're getting the "7 years" from (perhaps bankruptcy laws in your state), but I can tell you from personal experience on both sides of the fence (that is, being frauded and working for a company that handled a fraud case) that the process is not as you describe it. Here's what actually happens:
  1. You get hax00rred.
  2. 1337 H4X00R spends money at a few dozen online stores.
  3. Profit!!! ...sorry, couldn't resist.
  4. You find a gigantor balance on your card, and call the financial institution who issued the card.
  5. They transfer you to the fraud department, where you sit on hold for 15 minutes and get to listen to choice cuts from Phil Collins: The Early Years
  6. Someone picks up, you tell them there's been some purchases on your card that aren't yours. They record the information, and fax you a form to fill out.
  7. You fill out the form and fax it back, after plugging in the fax machine you only keep around to fill out credit card fraud reports.
  8. 5-10 business days (called this because businesses use these terms when 13-15 days sounds too long) later, the balance is restored on your account, the institution eats the costs and files it with the IRS as lost profits to get a little of that alleviated.
  9. Your account number is changed and a new card is rushed to you (because every minute you're without a card, they are without your ever-increasing interest money).
  10. A notation is put on the account, just in case you claim another dozen or two of these cases in the future, sometime after your bar tabs run a little high...

Companies that issue credits and/or debits see a lot of these cases, so the process is pretty well oiled.

Re:Banks save nothing (1)

ronadams (987516) | more than 7 years ago | (#19252117)

Because it's going to rain hellfire back on me, I'll clarify #8: it depends on the situation, and the service agreement with the merchant. Yes, in some cases the merchant can foot the bill for bad transactions, but if they've got a lawyer and some time, they never will. Nor, IMHO, should they. The burden of security should be on the issuer, not the receiver of the payment. Obviously, if a merchant is knowingly accepting fraudulent payments, that's a whole other matter...

Re:Banks save nothing (1, Interesting)

Anonymous Coward | more than 7 years ago | (#19252515)

I've had it easier than that once. Called bank when I saw something on my card statement that was questionable. CSR pulled up that record and stated with that specific transaction, the card was not actually swiped, it was manually entered. I confirmed it was not my purchase. I was immediately credited the money and about a month later I got a letter stating that the results of the investigation were final and the case was closed.

Now I've also had it harder. A bill collector that I made a one time payment to via my credit card (stupid me, stupid me, stupid me) decided to use that same card number to charge an additional amount for two more months as a "collection fee". When I disputed it, the same process was started but this time, the perp actually stated that I authorized the additional charge and we had a contract. It took a while and an affidavit but I eventually got the case finalized. It was basically his word against mine. Obviously this guy does this for a living and knows how to game the system. I'm sure he probably has a decent rate of return fighting those with the CC companies and has done it enough to know what to say to them during a dispute. I know for a fact I authorized a one time payment of $120 that I owed, not an additional two payments of $50 for a collection fee. This was for the balance of a dentist bill that my insurance company did not pay and I thought had been resolved. I moved from the area and the dentist could not track me down. I wanted to pay the dentist directly but since the debt was sold to this crook, it was too late.

Re:Banks save nothing (3, Informative)

jizziknight (976750) | more than 7 years ago | (#19252525)

As others have said, this is not the case. I had fraudulent charges on my Chase card about a year ago; a few <$50 charges, and a couple >$1000 charges, enough to go over the limit. So I called them up, the lady on the line (who was very nice) looked at the transaction history, and immediately noticed that there were charges to places far outside of my normal buying area, some even in India. She marked and canceled the charges, ran through the rest of the charges that were on my current statement, canceled the card, and issued me a new one. I got the new card in three days, a statement that I had to sign and return a few days later, and heard nothing more of it. As far as I can tell, my credit has not taken any sort of hit (I was later able to get another card with another bank at a similar limit and APR).

The way I understand it, the CC companies take no liability for fraudulent charges. They make the merchant that processed them pay for it. I see this as a good thing. If the merchant bears all financial liability for fraudulent charges, it gives them a reason to make sure that the person buying the product/service is who they say they are.

As a side note... can we get a -1 Idiot or -1 Wrong moderation? It would have been really useful here.

Re:Banks save nothing (0)

Anonymous Coward | more than 7 years ago | (#19252961)

Yeah, this is how it works all right... in the US!

It's six digits, not eight. (2, Informative)

Anonymous Coward | more than 7 years ago | (#19251717)

Your presumption that credit card numbers share the first eight digits is flawed. The first six digits of the card reference the referring bank. The next eight digits are the account number. The final two digits are the identifier of the card. If you and your wife both have cards for the same account, yours may end in an 03 while hers ends in a 19.

Re:It's six digits, not eight. (1)

tepples (727027) | more than 7 years ago | (#19251993)

Your presumption that credit card numbers share the first eight digits is flawed. The first six digits of the card reference the referring bank. The next eight digits are the account number.
But you're still going to have a heck of a lot of numbers that share the same first two digits of the account number.

Re:It's six digits, not eight. (1, Informative)

Anonymous Coward | more than 7 years ago | (#19251999)

The first six digits of the card reference the referring bank.

Credit card numbers are often written in groups of four digits separated by spaces. Most search engines use spaces as separators between "words" and usually allow you to search for whole words only. Therefore you search for two blocks of four digits = eight digits.
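What this sub-thread is describing, a six-digit issuer prefix followed by the account digits and, as a fact worth adding, a final Luhn check digit, is exactly why two cards from the same issuer so often share their first eight digits and why searching for two four-digit blocks turns up strangers' cards. As an added example that is not part of the original thread or article, here is a small Python scanner of the kind a site owner could run over their own pages, logs and form dumps to find out whether they are one of the "treasure troves" before a stranger does. It pulls out runs of 13 to 19 digits, strips spaces and dashes, checks the Luhn checksum, guesses the brand from the prefix, and reports a masked form together with the eight-digit prefix that a search would key on. The sample text is constructed: it contains the two numbers posted earlier in this thread (both of which, as it turns out, fail the checksum) alongside the public Visa and American Express test numbers, which pass. The brand table is deliberately minimal and is an assumption of the example, not a complete issuer list.

```python
import re

# Constructed sample standing in for a leaked order log of the kind the thread
# describes. The first two numbers are the ones posted in this thread; the third
# and fourth are the public Visa and American Express test numbers. None of
# them is a real account.
SAMPLE_PAGE = """\
order 1045: 4245 8611 9994 1245 exp 06/10 Ubuntu Dope, zip 48169
order 1046: 8847 1210 5566 0625 exp 11/09
order 1047: 4111-1111-1111-1111 exp 01/08 Mr. A Bravo, 231 Some Road
order 1048: 3782 822463 10005 exp 12/09
support line: 555 0100, ref 20070523
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to further digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(digits: str):
    """Minimal brand guess from the issuer prefix and length. This table is an
    assumption of the example, not a full IIN list."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if digits[:2] in ("34", "37") and len(digits) == 15:
        return "American Express"
    if "51" <= digits[:2] <= "55" and len(digits) == 16:
        return "Mastercard"
    return None


def find_card_numbers(text: str) -> list:
    """Return one report per candidate number found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        hits.append({
            "raw": m.group(0),
            "iin": digits[:6],                               # issuer prefix
            "shared_prefix": f"{digits[:4]} {digits[4:8]}",  # the two blocks a search keys on
            "brand": brand(digits),
            "luhn_ok": luhn_ok(digits),
            "masked": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
        })
    return hits


def likely_real(hits: list) -> list:
    """Keep only candidates that pass the checksum and look like a known brand."""
    return [h for h in hits if h["luhn_ok"] and h["brand"] is not None]


if __name__ == "__main__":
    for h in find_card_numbers(SAMPLE_PAGE):
        status = "luhn ok" if h["luhn_ok"] else "checksum FAILS"
        print(h["masked"], h["brand"], status, "prefix", h["shared_prefix"])
```

The checksum only tells you a string could be a card number, not that it is one, so treat `likely_real` as a triage filter: anything it returns on a public page deserves the phone call the article's author made, and a failed checksum is a reason not to panic rather than proof of safety.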

Oy (2, Interesting)

Billosaur (927319) | more than 7 years ago | (#19251763)

This whole thing should come as no shock. The Internet was not built with security in mind. I don't think anyone imagined the degree to which it would become a method of commerce. Certainly when the first websites were given the ability to accept and process credit cards, the card companies had been dealing with fraud for years, in terms of lost/stolen/duplicated cards. I remember working in a convenience store in the 80's and getting small booklets in the mail from the credit card companies with lists of fraudulent numbers. Like I was going to look them up!

Credit cards could be made much more secure. It would be expensive, no doubt, as it would require fundamental changes to the system, but compare that to the price of all the fraud currently committed and I'm pretty sure the ROI is pretty good.

Re:Oy (1)

japhering (564929) | more than 7 years ago | (#19252043)

Credit cards could be made much more secure. It would be expensive, no doubt, as it would require fundamental changes to the system, but compare that to the price of all the fraud currently committed and I'm pretty sure the ROI is pretty good.


I doubt that the ROI is there. Given that most CCCs are charging 10-25% interest per month and most (not all) endusers carry a balance. Combine that with all those wonderful fees.. overlimit, late, etc.. and I bet the CCCs are still making way more money than they are losing

Re:Oy (0)

Anonymous Coward | more than 7 years ago | (#19252619)

Fundamental changes to the system are being made, you know...

Also, why do you hate me? :(

Because... (5, Insightful)

NightWulf (672561) | more than 7 years ago | (#19251769)

It's easier for the credit card companies to just write it off as some fraud and not actually go out and do anything. Realistically most of their early warning systems probably limit their losses to under $1,000 to each card (i.e. the amount of money that someone can charge and get away with before the company discovers the card has been compromised). So figure if even ten people a day get their cards stolen by this method, that's 300 a month, or $300,000 in costs. They probably feel keeping the staff and the equipment to do this costs more than what they'll lose. That and they can always write off their fraud charges on their taxes as bad debts.

According to a 2002 report Visa's commissions alone were over $455 million. If that entire $300,000/month fee was all on Visa, the 3.6 million a year is a drop in the bucket to them, less than 1% of their commission. Trust me, if it cost them less to setup the system than the money that's lost, it would be done.

Re:Because... (0)

Anonymous Coward | more than 7 years ago | (#19251867)

Take a look at the Payment Card Industry Data Security Standards.

Re:Because... (4, Insightful)

cyphercell (843398) | more than 7 years ago | (#19252125)

Maybe the card companies are still turning a profit, but estimated losses are around 49 billion, that's twice M$'s annual revenue. It's worth going after.

Re:Because... (1)

HerringFlavoredFowl (170182) | more than 7 years ago | (#19252365)

Really?

We had someone rack up $24K on my wife's card before SHE CAUGHT IT because the card was denied for suddenly being over limit. Our only saving grace with the card company was the fraudster used it to buy lotsa furniture which had not been delivered yet, just billed.

Otherwise we would have been on the hook. Funny how they don't call you when buying $24K in furniture half way across the country, but will call you if you use it to book a hotel room two states over.

Re:Because... (1)

AvitarX (172628) | more than 7 years ago | (#19253001)

In the USA you would not be liable.

Re:Because... (0)

Anonymous Coward | more than 7 years ago | (#19253057)

Especially since the credit card companies push most of the loss to the merchant. What is the incentive to fix anything?

Already Fixed? (1)

killjoy966 (655602) | more than 7 years ago | (#19251805)

Has anyone else tried this and not found a goddamn thing? After reading the summary I thought I was never going to have to work again!

AmEx (0)

Anonymous Coward | more than 7 years ago | (#19251817)

Well if AmEx format is "xxxx xxxxxx xxxxx" and googling for the first 2 groups (10 digits) limits your "luck", you can try searching for the smaller 2 groups (first and last) and that should increase the chance a little. Just search for "xxxx * xxxxx" and it should increase your chances of success.

In case you have any doubt just post here your CC number and we will all help you on how to do that on Google. heheh :P

because the credit card companies don't care (5, Interesting)

jjeffers (127519) | more than 7 years ago | (#19251845)

I am a merchant that deals with internet and in person sales of my products. I'm also a computer engineer and have cursory knowledge of security.

The credit card companies have no security. They don't care either. It's not them that will foot the bill. As a consumer it is great that you can only get stuck for $50 of fraudulent charges. But as a merchant you lose your merchandise and the fraudulent payment. You can receive authorization from the credit card company saying the transaction is good, but they can and do still take the money away from you.

I've had about a dozen cases of obviously fraudulent orders. The first few I would call the credit card company, report the suspicious card, etc. They did nothing. On one I found out the real owner of the card, called them, and they hadn't even been contacted by the credit card company. I had all of the details that the police would have needed to get the scammer and the credit card company wouldn't even take that information.

Now I just delete any order that looks unusual.

Re:because the credit card companies don't care (5, Insightful)

The Lurker King (171562) | more than 7 years ago | (#19251995)

The credit card companies don't care because they get their money either way.

If someone places a fraudulent order and the merchant ships the product(s) even if they receive authorization from the credit card company, the credit card company will debit the merchant for the entire order, including the transaction fees.

Not only did the credit card company not lose any money on the bad transaction, they will also charge the merchant a fee for the fraudulent order. So the merchant is out the cost of the goods that were shipped, plus shipping, plus a fee.

The credit card company makes money on the fraudulent transaction.

Re:because the credit card companies don't care (1)

cyphercell (843398) | more than 7 years ago | (#19252595)

Same thing happens with counterfeit money. At the end of the day the merchant is held liable for processing funds that are invalid. If it was any other way, then a crooked merchant could literally sit there defrauding the government/credit card co. If you think about it though, it makes a bit of sense, if anything else is stolen from the merchant, do they get it back, just because it's not fair? This kind of thing is what the insurance industry exists for.

Re:because the credit card companies don't care (0)

Anonymous Coward | more than 7 years ago | (#19252007)

you loose your merchandise
Loose [bluewavedigital.net], do you?

Volume of sensitive info accessible online (1)

mrhammi (1098441) | more than 7 years ago | (#19251889)

After wondering whether Googling for my credit card number to see if any sites had it (didn't think it would be a great idea in the long run) I remembered a few times that I have stumbled across sensitive info. Every time it was normally down to some bug in the web developer's code, or in one case, trying to run an ASP site on a bog standard HTML host; this led to all the code, and of course the database behind the site, being viewable and downloadable. I could understand this from amateurish software houses, or kids trying to make their first website, but from a department of the Australian Government? That was just scary. It's very unlikely that the credit card companies don't know about this, but if you consider the time and effort they would have to go through to fix this, the author mentioned removing pages from Google's index, changing the card numbers of the people affected (I can't imagine that really annoying me, my card being changed because of a useless web developer). Unfortunately I can see no easy solution to this, people will always write bad web apps. Luckily in this day and age it is quite difficult to use quite a lot of cards if you don't own them, my bank won't authorize payments on my card on a lot of sites without my banking password, this is never submitted to a shopping site, so I can be fairly sure that it's safe.
Chris

Retailers (3, Informative)

cyphercell (843398) | more than 7 years ago | (#19251891)

This has very little to do with the credit card companies and a lot to do with the merchants that process credit cards. The current standard is PCI-DSS (Payment Card Industry - Data Security Standards) discussed here http://it.slashdot.org/article.pl?sid=07/03/31/0645227&from=rss [slashdot.org]. My job is working to upgrade software that is not compliant with these standards, so I know the credit card companies are doing something. The problem rests with merchants that are largely clueless about the necessary security precautions that need to be taken when working with computers. They want to be in business, process credit cards, have a website, a network, and they want to pay their nephew $5/hr to set everything up. The bottom line is, that having data compromised from your business, when you haven't met these standards, will leave you liable for the loss, possibly incurring fees of up to $500,000 and potentially losing your privilege of processing credit cards permanently. Bottom line is the vast majority of business owners are not adequately computer literate and they are too cheap to pay an expert to deal with their network properly.

Re:Retailers (1, Interesting)

Anonymous Coward | more than 7 years ago | (#19251977)

I've been working on PCI-DSS related initiatives for over a year now. Tier 1 providers are spending significant amounts of money to comply. Non-compliance fines are being handed out regularly.

Reading the thread, I'm surprised the majority of IT dopes here knew nothing about these standards. You guys could have made a mint doing PCI-related consulting work over the past year. It's been more lucrative than Sarb-Ox over the past year.

Not too late to jump onto that bandwagon.

Re:Retailers (1)

cyphercell (843398) | more than 7 years ago | (#19252347)

Exactly, your value increases phenomenally, when your client has hundreds of thousands of dollars in frozen funds. The article itself is accurate, but still severely out of touch with what is going on.

Not the brightest bunch (1)

Non-CleverNickName (1027234) | more than 7 years ago | (#19251911)

A few weeks ago, I found a charge on my credit card for Sprint/Nextel in the amount of $65.46... The problem? My wireless carrier is Verizon (yeah, it's a "problem" but that's for another topic.)

I immediately called my credit card issuer to contest the charge, and in less than 15 minutes (with hold-time included), I'd spoken with a customer service rep as well as a fraud protection executive, had my card cancelled, funds reimbursed, and a new card issued.

Apparently, someone got a hold of my credit card number, and used my card to pay someone's cell phone bill. It just surprised me as how dumb this was (but didn't screw me over very much). It's one thing to use a stolen credit card and max it out purchasing various items to be shipped wherever, but who in their right mind would use it to pay off someone's cell phone? The charge was reversed, and I'm really curious as to what Sprint/Nextel did to the customer who tried to pay their cell bill with a stolen card.

I wouldn't be surprised if nothing serious happened, but it's just the thought. You can get away with buying physical stuff with a stolen card a lot easier than you can get away with paying a cell phone bill with it.

Re:Not the brightest bunch (0)

Anonymous Coward | more than 7 years ago | (#19252495)

Yeah, well, just like a lot of people will download and install crap that turns out to be virus/trojan/spyware because they don't think about what they're doing, they also don't bother to check the charges on their card statements every month. They just pay the bill, and that's what the users of hot card numbers are counting on.

Re:Not the brightest bunch (1)

vidarh (309115) | more than 7 years ago | (#19252843)

It sounds weird, and it might be some numbskull who just didn't think. However, a lot of the time people using stolen card numbers make smallish test transactions to check if they go through and go unnoticed before they start doing serious damage. It might not have been their own phone bill they paid. Or it might have been some idiot trying to frame someone.

Re:Not the brightest bunch (1)

damn_registrars (1103043) | more than 7 years ago | (#19252897)

Similar situation happened to me recently.
I looked at my bank statement, and there were charges made to my card from several different online dating websites - including match.com, yahoo personals, and jdate.com (jewish dating). A problem, though, is that I am neither single nor Jewish.
The three listed were all willing to reverse the charges after a short phone call explaining that they charged me incorrectly. One other particularly unscrupulous dating site, however, insisted that they had the charges right. They claimed that the person had my CC, expiration, and CVV all correct for my card, as well as my address. But yet said dating site would not release the information that was posted to their site using my card. Nor would they reverse the charges.
Thankfully, my bank was willing to reverse them for me, and issue me a new card. The total for all of them was less than $150. I had the first three back in less than a week, and my bank refunded the last less than a week later.
Unfortunately, my bank was not willing to help in the investigation. Had I known this, I would have contacted the police earlier about it. Too much time has lapsed since, and nothing can be done legally about it anymore. The real travesty to that is that I will never know how this person got all my information, or what else they know about me.

Edited for the time impaired (5, Informative)

rueger (210566) | more than 7 years ago | (#19251959)

I'll save you 11,000 characters:

1) Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form.

2) You'll find lots of credit card numbers

3) Profit

4) Credit Card companies should have employees who Google for credit card numbers and de-activate any card whose number is found in the ' net. Thank you.

Re:Edited for the time impaired (1)

cyphercell (843398) | more than 7 years ago | (#19252783)

Credit Card companies should have employees who Google for credit card numbers and de-activate any card whose number is found in the ' net. Thank you.

Deactivating the cards doesn't eliminate the problem. Those same merchants will be losing credit card numbers again next week, that's why the current deterrent is "if" card numbers are stolen "and" you don't meet these security standards, you may be fined and lose your ability to process credit cards. ie. ruin the dimwit that's posting cc#s on the Internet.

Re:Edited for the time impaired (1)

wombatmobile (623057) | more than 7 years ago | (#19253101)

Thank you. I'm not time impaired but the article was too long. Your abridged version is all that was required.

Why? because it does not cost the CC companies.... (3, Informative)

wowbagger (69688) | more than 7 years ago | (#19251985)

Why are credit card numbers so easy to find? Or put another way, why is credit card fraud so easy?

Because it does not cost the credit card companies.

When fraud is reported, the credit card company charges back to the merchants. As such, the credit card company is out relatively little money (it is the merchants who get screwed).

Adding meaningful security to credit cards would cost the credit card companies money. It would also make people less likely to use their cards, costing the credit card companies more money.

Also, the credit card companies can use fraud to justify higher interest rates, annual fees, and as a marketing gimmick to sell their card over others.

So, to recap: fraud costs the card companies little, preventing fraud would cost them much.

Has this helped identify why credit card fraud is so easy?

Datum: A friend of mine was involved with a large e-commerce site. He detected an on-going fraud ring trying to buy large amounts of goods from the site with stolen cards. He reported it to the card companies - "Here are the cards. Here's where they are trying to send the goods. Do you want to nail these guys?"

The response: "Thanks, but no, it's not worth our time. Just don't send them anything."

Re:Why? because it does not cost the CC companies. (0)

Anonymous Coward | more than 7 years ago | (#19253131)

Why are you bothering to call the CCard companies? Credit card fraud is *illegal*. Call the police instead. "Hi Officer Friendly, A criminal just tried to defraud me. Here's his address, here's the details. Sic 'em!"

CC Companies Don't Care -- Merchants Get Screwed (3, Informative)

Slashdot Parent (995749) | more than 7 years ago | (#19252023)

Credit card companies aren't doing anything because credit card companies don't care about fraud. They don't care, because it doesn't cost them any money.

When someone uses someone else's credit card fraudulently, it's not like the credit card company eats the loss. They just do a chargeback against the merchant who accepted the fraudulent transaction and they have to eat the cost. In fact, the CC company charges the merchant a hefty fee for the privilege of eating the cost.

Of course, that cost just gets passed on to you, the customer, in the form of higher prices.

Ain't credit cards grand?

This article should be forwarded immediately... (3, Interesting)

grandpa-geek (981017) | more than 7 years ago | (#19252027)

... to the authorities responsible for combating credit card fraud and identity theft. This includes the Secret Service, the Federal Reserve, the relevant committees of both House and Senate, the Federal Trade Commission, the Justice Department, the Attorneys General of the states and DC, and possibly others.

The Money Call (1)

Doc Ruby (173196) | more than 7 years ago | (#19252067)

Why do I reuse the same guessable number, in plaintext, that I carry on a plastic card, and share with any number of fly-by-night vendors? Many of whom aren't even in the US, faceless on the Internet? And also with failed actors barely pretending to be waiters while I'm too drunk to remember anything?

Why doesn't my card give onetime passwords to them, attached to the transaction amount, and also reported directly to my bank for a single, auditable transaction in that amount?

And why do I use an easily guessable short numeric-only PIN at every ATM over and over? Including the ones at convenience stores run by recent immigrants who will soon flee back to faraway countries, often with little cybercops of their own, and not infrequently wracked by civil wars and even allied against the US in sponsoring terrorism, with all its attendant need for funds and lack of rule by law?

I know the insurance companies insure credit card transactions over $50. But those smaller ones add up, and the insurance costs a lot of money. To say nothing of the costs of ID theft/fraud.

Most people who have credit cards have mobile phones. Those phones should be wallets, securing these transactions with onetime passwords reported to the bank/credit corp to secure the exact transaction amount. And sync to my personal DB of transactions that I can replay. With cryptosigned receipts (and encrypted over-the-air comms).

It would save everyone a lot of money, except the thieves. And make new money for the telcos. While making my life safer and easier. Why is this taking so long?
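The scheme this comment is asking for, a one-time code bound to the exact transaction amount and checked by the bank rather than a reusable number handed to every merchant, is easy to sketch. Here is an added example, written for this page and not the commenter's or any bank's code, of the core of such a design in Python: the customer's "wallet" holds a per-card secret and a counter, computes an HMAC over (card, merchant, amount, counter) for each purchase, and the issuer recomputes it before approving. The names (`Wallet`, `Issuer`, `card-0001`, the merchant strings and amounts) are invented for illustration, and key provisioning, transport and the phone-side UI are out of scope. The demo runs through the failure modes that come up elsewhere in this thread: a merchant who inflates the amount after the fact, a replay of a genuine authorization, and someone who has only the card number and no key. In outline this is what chip-card transaction cryptograms do with a key held in the chip.

```python
import hmac
import hashlib
import secrets


def canonical(*fields) -> bytes:
    """Length-prefix each field so that a merchant name containing a delimiter
    cannot be confused with a different (merchant, amount) pair."""
    out = b""
    for f in fields:
        b = str(f).encode()
        out += len(b).to_bytes(2, "big") + b
    return out


def transaction_code(key: bytes, card_id: str, merchant: str,
                     amount_cents: int, counter: int) -> str:
    """One-time code: HMAC-SHA256 over the exact transaction, truncated to
    12 hex characters. The key itself never leaves the wallet or issuer."""
    mac = hmac.new(key, canonical(card_id, merchant, amount_cents, counter), hashlib.sha256)
    return mac.hexdigest()[:12]


class Wallet:
    """The customer's device (e.g. a phone): per-card secret plus a monotonic counter."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id, self.key, self.counter = card_id, key, 0

    def authorize(self, merchant: str, amount_cents: int) -> dict:
        self.counter += 1
        return {
            "card_id": self.card_id, "merchant": merchant,
            "amount_cents": amount_cents, "counter": self.counter,
            "code": transaction_code(self.key, self.card_id, merchant,
                                     amount_cents, self.counter),
        }


class Issuer:
    """The bank: knows each card's key and the last counter it has accepted."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def enroll(self, card_id: str) -> bytes:
        key = secrets.token_bytes(32)          # hypothetical provisioning step
        self.keys[card_id] = key
        self.last_counter[card_id] = 0
        return key

    def verify(self, req: dict) -> tuple:
        key = self.keys.get(req["card_id"])
        if key is None:
            return False, "unknown card"
        if req["counter"] <= self.last_counter[req["card_id"]]:
            return False, "replay"             # cheap check first
        expected = transaction_code(key, req["card_id"], req["merchant"],
                                    req["amount_cents"], req["counter"])
        if not hmac.compare_digest(expected, req["code"]):
            return False, "code does not match transaction"
        self.last_counter[req["card_id"]] = req["counter"]
        return True, "approved"


def demo() -> tuple:
    """Walk through the attacks the thread describes; returns the four verdicts."""
    issuer = Issuer()
    wallet = Wallet("card-0001", issuer.enroll("card-0001"))
    req = wallet.authorize("dentist-collections", 12000)      # customer approves $120.00
    inflated = issuer.verify(dict(req, amount_cents=17000))   # merchant adds a "fee"
    genuine = issuer.verify(req)                              # the real authorization
    replayed = issuer.verify(req)                             # same code next month
    forged = issuer.verify(dict(req, counter=req["counter"] + 1, code="0" * 12))
    return inflated, genuine, replayed, forged


if __name__ == "__main__":
    for label, (ok, why) in zip(("inflated", "genuine", "replay", "forged"), demo()):
        print(f"{label:9s} {'OK ' if ok else 'REJ'} {why}")
```

The property that matters is that the code is useless outside the one transaction it was computed for: a leaked log of these requests, the exact situation the article is about, gives a thief nothing to charge.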

Why should cc companies care? (1)

ookabooka (731013) | more than 7 years ago | (#19252075)

No seriously, it has been established a long time ago that the security of cc #'s rests with the merchant. Ever issue a charge back on your credit card? Guess who gets screwed, no it's not the cc company. Merchants can get hurt a lot more by leaks of credit card information. Personally I think it makes sense, what better way to get merchants to act responsibly than to have it cost them when they aren't. What you should do is notify the cc company of the merchant where you found numbers. That merchant will be drawn and quartered and posted around Visa headquarters. I can understand thinking the responsibility of the cc company to watch over its merchants that it "allows" to use their cards, but currently that's not how things work.

Re:Why should cc companies care? (1)

vidarh (309115) | more than 7 years ago | (#19252721)

The problem with that is that it ISN'T just the irresponsible merchants that get hurt. It's all merchants, AND their customers. Speaking as someone who handled card payments of $15 million a year at one point in a previous job, I can tell you that once we'd blocked the obvious problems (card transactions from Vietnam using US numbers for a service in Europe - yeah right), the vast majority of chargebacks were caused by seemingly authentic transactions (they had the card number, customer's address, expiry date, security code, came from an IP in the right country and the card had not been blocked) that later turned out to have been carried out with stolen card details.

The chargeback fees added about 20% or so to our processing costs because of the high chargeback fees levied (chargebacks are mostly manually handled) from the less than 1% chargebacks we got.

One of my pet peeves, though, is that many card processing companies are setting their customers up for identity theft. When we received chargebacks, the documentation often included full copies of statements, sent daily in envelopes clearly labeled with the logo of one of the largest payment providers in the world. While the card numbers on those statements wouldn't be worth much, they did include full contact details, and often a cover letter from the customer with a signature and phone number as well as other details of their accounts, and the statements would often include things like account numbers for various services they'd paid for... More than enough to social engineer your way past some customer service people. And 99% of it was information we had no need for at all.

We restricted access to the chargeback documents to only staff who really needed it (i.e. the accountants), and destroyed them as soon as we could, but with a daily stream of envelopes it would only take a single bad apple somewhere (mailroom, postman, post office employee, random employee who happened to find out...) before a large number of people suddenly had a lot of personal information fall into the wrong hands.

For the company I worked at, at the time, that payment processor was a "legacy" one, and most of our business was via a provider that restricted access to the chargeback data to what pertained to us only, and only provided it electronically. It was still bad...

Tilting at Windmills (1)

SkiifGeek (702936) | more than 7 years ago | (#19252077)

Sorry to burst the bubble, but you're tilting at windmills with this approach.

The prime security weakness lies with the web service providers, who are failing to adequately secure their backend systems, not the credit card companies. It is the same problem as eating at a restaurant where they are skimming cards in the back room - you just can't be sure that your card has remained safe after every transaction. The logistics of ensuring a brand new card number for each and every transaction for each and every card holder (and ensuring card systems understand it) are immense, costly, and practically impossible (even if they are theoretically achievable).

Because your financial providers and credit card companies have ensured that they do not shoulder liability in the event of a credit card breach, and that account holders are generally protected against all but a nominal amount, it is the merchants who lose out every time there is a breach or a fraudulent transaction. There is no financial incentive for VISA, AMEX, MasterCard, etc to do anything about fixing the underlying problem. The resources that they will need to apply to fixing the issue will not generate any appreciable ROI, so there is not much that can be done to force them to do anything. VISA will point to their PCI initiative, which is designed to ensure that VISA approved merchants have sufficient security mechanisms in place to limit the risk of fraudulent transactions / card data theft.

Search engines aren't the only way to find compromised lists of credit card numbers. Some hacking groups are also notorious for failing to ensure their systems are adequately protected against leaking information to anyone who comes looking.

Even if merchants are applying 'industry best practices', it doesn't take much to lead to a loss of data, and once it has happened nothing can unleak it. The same risks apply to your bank account numbers and online banking authentication data, which the average user is more likely to have compromised.

becauseee (1)

Ep0xi (1093943) | more than 7 years ago | (#19252151)

There is no security involved in having a CC. They can mess with your pay bills, then they shut down your CC, and if they don't they publish it on the internet, because there are GIS on the CC leadership.

CC companies don't care (1)

sholden (12227) | more than 7 years ago | (#19252169)

Fraudulent activity is very inconvenient for the customer - who has to get a new card and update the 47 places they have set up automatic billing to their card with. Costly if they don't notice it soon enough as well.

Fraudulent activity is costly for the business taking the transaction - the CC company does a chargeback and they are not only out the money but also out a fee.

Fraudulent activity is irrelevant to the CC company - it does generate some revenue via chargeback fees I guess, so there is some incentive to not do anything about it. I can't think of any incentive for the CC company to care - it doesn't cost them anything.

Not their problem (1)

jackhererUK (992339) | more than 7 years ago | (#19252233)

The reason credit card companies don't make any effort to stop this sort of thing is because at a financial level it is just not their problem. If you want to commit fraud using someone's credit card details but not their actual card, it means that you have to do what's called a cardholder-not-present transaction, i.e. mail order, over the phone or internet. Credit card companies offer businesses who accept credit cards no protection whatever from fraudulent cardholder-not-present transactions. If someone buys something from you using a credit card over the internet or the phone and it turns out to be fraud, the credit card companies issue what's called a chargeback and take the money back. There is very little you can do to fight a chargeback; if the cardholder reports a transaction as fraud then the credit card companies just issue a chargeback and take the money back. Until some government outlaws this practice and makes credit card companies liable for fraud committed using their cards, they will never take any serious steps to prevent cardholder-not-present fraud because they simply have no financial incentive to do so. Meanwhile the bill is footed by businesses who do business over the internet and phone and is then subsequently passed on to consumers as higher prices.

Credit Card companies do not care about security (4, Insightful)

zerofoo (262795) | more than 7 years ago | (#19252247)

I've said it before; I've worked in the banking industry, and it is widely known that requiring a PIN number for every transaction would reduce credit card fraud to almost zero. The infrastructure to require a PIN number is already in place, but credit card companies don't want to deal with the hassle, since they do not feel the pinch of the fraudulent charges.

Why do banks require PIN numbers on ATM and Debit transactions? I'll tell you why - they are directly liable for any funds that leave the bank fraudulently. This is not the case for credit card companies since they can charge-back the vendor and recover their funds.

-ted

A couple problems (1)

Red Flayer (890720) | more than 7 years ago | (#19252279)

If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago.

First off, this seems very idealistic.

Second, automatic deactivation of card numbers is not necessarily a good thing. What if someone creates a list of thousands of potential credit card numbers on a website -- does Mastercard then terminate all cards on the list? This would be pretty easy to abuse for kicks.

And how does Mastercard (and Visa, etc) deal with the additional problems of people trying to use their cards that have been automatically canceled, before they get the replacement and notification of the cancellation? What about the costs of replacing those cards, the cost of the CSRs necessary to deal with people calling in to complain?

In the long run, it may be more cost-effective all around (for the consumer, for the merchants, for the credit card companies) to just deal with fraud cases as they arise from this method.

100% security would be nice -- but not when it costs more for everyone than the alternative.
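As an added example (not from the thread or from any card network), here is the kind of scanner a merchant could run over their own page output or logs to catch the leak the article describes: it extracts 16-digit candidates in the "nnnn nnnn" form the article searches for, applies the public Luhn checksum, and counts hits per 8-digit prefix. Because the checksum is public, a pass only says the digits are well formed, not that a card is live, which is exactly why cancelling cards off a scraped list, as discussed above, is open to abuse; the sample page and the public test numbers in it are constructed.

```python
import re
from collections import defaultdict

# Candidate: 16 digits, optionally grouped "nnnn nnnn nnnn nnnn" or with hyphens;
# the digit run must not continue on either side (rules out order/reference ids).
CANDIDATE = re.compile(r"(?<!\d)(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum. A pass means the digits are well formed; the algorithm is
    public, so it is NOT evidence that the card exists or is active."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_candidates(text: str):
    """Return (8-digit prefix, full 16 digits, luhn_ok) for each candidate found."""
    out = []
    for m in CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        out.append((digits[:8], digits, luhn_ok(digits)))
    return out

def group_by_prefix(text: str):
    """Count Luhn-valid candidates per 8-digit prefix: the signal to review by hand
    before concluding that a page leaks card data."""
    counts = defaultdict(int)
    for prefix, _, ok in find_card_candidates(text):
        if ok:
            counts[prefix] += 1
    return dict(counts)

# Constructed sample of what a sloppily built order page might expose.
# The card numbers are the well-known public test PANs, not real cards.
SAMPLE_PAGE = """
Order 12345678 shipped to J. Doe, tel 555 0100
card: 4111 1111 1111 1111 exp 01/09
card: 4111-1111-1111-1112 exp 01/09   (checksum fails: typo or fake)
card: 5500 0000 0000 0004 exp 03/09
reference 1234567890123456789
"""

if __name__ == "__main__":
    for prefix, digits, ok in find_card_candidates(SAMPLE_PAGE):
        print(prefix, digits, "luhn-ok" if ok else "luhn-fail")
    print(group_by_prefix(SAMPLE_PAGE))
```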

Inherently insecure code (1)

athloi (1075845) | more than 7 years ago | (#19252415)

Knowing the quality of most software, especially on the cheap side of web development, I have always favored a token exchange system where the actual CC processing resides on the issuing company's internet presence -- like the way paypal works, although it can be implemented in a better manner. Most people do not do the research, testing, or debugging and auditing necessary to implement a secure credit-card processing web app. The cost is too high.

The average small business wants to spend a couple thousand on their web site every seven years, and when you pay that kind of money, you get hacked up custom code by inexperienced programmers, and old versions of osCommerce hacked poorly to fit into discount web presence providers.

I am grateful for the disposable AmEx cards that I can use online and then pitch out (or rather, recycle) because they limit my liability and time, which is a greater commodity most days than money.

Who cares? (1)

jojoba_oil (1071932) | more than 7 years ago | (#19252519)

Seriously. Why does every rant of Bennett Haselton's get posted here? "Crusade Against Spam", "How To Steal Websites", "How To Steal Credit Cards", and probably many more I'm forgetting to mention. Stop it already!

It seems to me that he equates any of these to:
1) Do something "clever".
2) ????
3) Profit!

Obviously the system isn't going to change for him, so attempting to exploit them as a way for making money is the only alternative motive I can imagine. That and he's a 28-yr old computer programmer who is realizing he will amount to nothing in the big scheme of things. Guess what, buddy: That's life.

Re:Who cares? (1)

stonecypher (118140) | more than 7 years ago | (#19253113)

Uh, Slashdot has a history of finding authors that one editor enjoys and posting most of their stories.

Obviously the system isn't going to change for you, so attempting to complain about them as a way for making karma is the only alternative motive I can imagine. That and you're a million plus uid user who is realizing his opinion amounts to nothing in the greater scheme of things.

Guess what, buddy? That's life.

Why should the CC companies care? (1)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19252579)

Fraud is a money-maker for CC companies. They refuse to pay, then charge the store for accepting a fraudulent charge. I don't know if they also charge the user. But it's the retail outlets, the same class (and possibly the same ones) that leaked the numbers in the first place, that end up getting hit.

Not just credit card numbers (1)

Verteiron (224042) | more than 7 years ago | (#19252639)

I didn't find jack by searching for common numbers on Google. But, by searching Altavista for the first 8 digits of my expired Sears Mastercard, I found links to PDFs of filed bankruptcy claims with loads of personal information.

Trying a few of the other CC numbers listed in such a PDF found me an absolute treasure trove of numbers, complete with all the info I'd need to make purchases with those cards, including the little "security codes" (which I thought were not even supposed to be recorded).

Oops.

Summary is Misleading (1)

mpapet (761907) | more than 7 years ago | (#19252901)

For those of you (like the submitter) that aren't aware:

1. The banks do not "pay" for fraud. Merchants who have the fraudulent transactions pay for fraud. Therefore, the cost of fraud is assumed by all consumers in the form of higher prices. In fact, the banks profit from fraudulent transactions by charging the merchant penalties.

2. There is a well implemented and secure banking standard that is in many places in the world. Except no bank in the U.S. wants to implement it because of the costs the bank has to assume in order to implement it. It's called EMV.

It's been this way for at least twenty years. If you have read this far, the situation has gotten more perilous because the Supreme Court just eliminated state oversight of corporations running banks in multiple states. Who's minding the store, eh?

similar to the terminal services exploit long ago (2)

alen (225700) | more than 7 years ago | (#19252927)

Back around 7 years ago someone started googling for .htm to find any internet-exposed terminal server websites and to see which ones weren't protected. Easy way to root a box.

This is basically the same thing.

mailto (0)

Anonymous Coward | more than 7 years ago | (#19252939)

And thanks to kdawson, who gives the full-disclosure treatment to the widely known and surprisingly simple technique for using a web spider to harvest un-obfuscated email addresses :)

No wonder no response, he reported it incorrectly (1)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19253143)

American Express was the only one whose customers in this experiment, when I called them a week later, said that AmEx had contacted them and told them to change their number

The problem is the company that deals with fraudulent use for Visa, Mastercard, etc. (but not AmEx), is the issuing bank. Capital One or Bank of America is who you would report fraud to, not Visa or Mastercard. They are also the ones who would phone you about suspicious charges.

Although, while we are complaining, I called Ford and explained that their locally-owned dealerships commonly let me take a test drive without even leaving my license. I waited several months before taking this public, to give Ford the opportunity to fix the problem. It should be a simple matter for Ford to have an employee call every dealership once a month and remind them not to do this. I found out later that they don't even plan on checking the security of the dealerships, so I'm not going to publish this outrage. I was still able to do this at several dealerships when I checked yesterday! I bumped into the manager on my way out, distracted by thinking about the firm letter I would send to Ford.
