RE: [Full-Disclosure] Hackers View Visa/MasterCard Accounts

From: Bernie, CTA (cta@hcsin.net)
Date: 02/20/03

    From: "Bernie, CTA" <cta@hcsin.net>
    To: full-disclosure@lists.netsys.com
    Date: Wed, 19 Feb 2003 18:05:15 -0500
    

    While I would agree that the extortion path may be a potential means to
    a bizarre mutually beneficial end, I would still put more emphasis on
    the DoS theory. Keep in mind that a typical DoS attack has two primary
    threat effects:
    a. limiting access to something or somewhere
    b. creating noise or buffer overflow

    Think about what could happen if one were to set up a drone loaded with
    these credit card numbers, Exp Dates and AVS info, which was programmed
    to autonomously inject bogus orders at tens of thousands of e-commerce
    web sites. I would believe that these sites would choke on the declines.
    Even more alarming would be the small mom and pops that verify (Luhn
    check) the cards, but use off-line credit card terminals to process.

    Furthermore, most processors and e-commerce payment gateways charge a
    transaction fee even if the card was declined. VISA, Master Card, and
    American Express get paid their fees regardless of the success of a
    transaction. Moreover, a successful Transactional DoS or possibly DDoS
    attack could result in significant indirect financial impact which may
    not be absorbed by VISA, Master Card or the Processors.

    Quantifying the probable success of all plausible threat outcomes that
    may germinate from the theft juxtaposed to the potential economic and
    consumer trust impact, I would say that there is an immediate obligation
    and responsibility for the government regulators to mandate proactive
    action to develop and implement safeguards. Such action should start at
    the offices of VISA, Master Card, and American Express and transcend
    through the processors and merchants. But will they do something
    preventive now, or wait until they feel the financial pinch?

    On 19 Feb 2003, at 9:43, David Barnett wrote:
    >
    > While the threat of a Credit Card DoS seems to be quite a novel
    > threat and I am, at this point in time, in no place to credit or
    > discredit the idea, I can't help but to believe there is a less
    > nefarious motivation behind this attack. One can't help but refer
    > back to one of the last thefts of such a large amount of credit
    > card numbers. The case involving Russian hacker(s) holding a
    > company (can't remember the name?) ransom for a large sum of
    > money not to release the credit card numbers onto the Internet.
    >
    > If one takes the number of accounts affected, at last count some
    > 8 million, assume at least 10 million affected and the costs to
    > replace these accounts (the published figure I have seen was $25
    > per card), one must wonder at what cost would these institutions
    > not pay up? $5 million?
    >
    > Consumer confidence of purchasing on-line has been growing over
    > the past year. Yes, this is not a case of an e-commerce site being
    > broken into, but the public perception is there. Why has the
    > victim clearing house not been exposed publicly?
    >
    > If one now takes the possibility of a credit card DoS seriously,
    > I would say this would be even more reason for the attacker(s) to
    > try and call for some sort of ransom money. Yes, the last time,
    > we know of at least, no money was paid out, and so were the credit
    > cards all over the net.
    >
    > I can only wonder what is taking place in the back channels, and
    > if we will ever know what threats were made and what money may
    > have been paid out. Perhaps these are the reasons for the victims'
    > anonymity??
    >
    > David Barnett
    > Sr. Security Architect
    > Paranet Solutions
    >
    ****************************************************
    Bernie
    Chief Technology Architect
    Chief Security Officer
    cta@hcsin.net
    Euclidean Systems, Inc.
    *******************************************************
    // "There is no expedient to which a man will not go
    // to avoid the pure labor of honest thinking."
    // Honest thought, the real business capital.
    // Observe> Think> Plan> Think> Do> Think>
    *******************************************************

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
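    Added example (not part of the original thread): the two defender-side checks implied by Bernie's scenario. The first is the Luhn (mod-10) checksum a merchant can run offline, which only proves a number is well-formed and says nothing about whether the card is open or authorised. The second flags sources that produce a burst of declined authorisations, the signature a flood of bogus orders would leave in a gateway log. The log format, the source-IP field, the 60-second window and the decline threshold are all assumptions made for this example; the log lines are constructed, not from any real gateway.

```python
"""Defensive checks for a 'transactional DoS' against a payment gateway.

luhn_valid()              structural (Luhn) check on a card number
decline_storm_sources()   sliding-window count of declines per source
Log format, field names and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_valid(number: str) -> bool:
    """True if the digits pass the Luhn mod-10 checksum.

    Spaces and dashes are ignored; any other non-digit fails the check.
    Passing Luhn proves only that the digits are well-formed, not that the
    account exists, is open, or will authorise.
    """
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit() or len(cleaned) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, and fold
    # two-digit products back to a single digit (subtract 9).
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed sample log (assumed format): one authorisation result per line,
# '|'-separated fields: timestamp, source IP, masked PAN, result.
SAMPLE_LOG = """\
2003-02-19T18:00:01|10.0.0.5|411111******1111|APPROVED
2003-02-19T18:00:02|10.0.0.9|453914******6467|DECLINED
2003-02-19T18:00:02|10.0.0.9|453914******0001|DECLINED
2003-02-19T18:00:03|10.0.0.9|453914******0002|DECLINED
2003-02-19T18:00:03|10.0.0.9|453914******0003|DECLINED
2003-02-19T18:00:04|10.0.0.9|453914******0004|DECLINED
2003-02-19T18:00:05|10.0.0.7|411111******2222|APPROVED
2003-02-19T18:00:06|10.0.0.7|411111******3333|DECLINED
2003-02-19T18:05:09|10.0.0.9|453914******0005|DECLINED
"""


def parse_log(text: str):
    """Yield (timestamp, source, result) from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _pan, result = line.split("|")
        yield datetime.fromisoformat(ts), src, result


def decline_storm_sources(text: str,
                          window: timedelta = timedelta(seconds=60),
                          max_declines: int = 3) -> dict:
    """Return {source: peak declines inside any `window`} for each source
    whose declines exceed `max_declines` within the window.

    Only DECLINED results are counted; an approval in between does not
    reset the window, so a drone mixing a few live cards into a flood of
    bogus orders is still caught.
    """
    declines = defaultdict(list)
    for ts, src, result in parse_log(text):
        if result == "DECLINED":
            declines[src].append(ts)
    flagged = {}
    for src, times in declines.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):
            # Slide the left edge until the window fits.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_declines:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(luhn_valid("4539 1488 0343 6467"), luhn_valid("4539 1488 0343 6468"))
    print(decline_storm_sources(SAMPLE_LOG))
```

    Run stand-alone it reports the first number as Luhn-valid and the second (last digit changed) as invalid, and flags 10.0.0.9 with five declines in one window while 10.0.0.7, with a single decline, is left alone. The window and threshold are the knobs a gateway operator would tune; the point is that the decline rate per source, not the Luhn pass rate, is what distinguishes a bogus-order flood from normal traffic.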
