Full Disclosure mailing list archives
RE: Hackers View Visa/MasterCard Accounts
From: "Jason Coombs" <jasonc () science org>
Date: Wed, 19 Feb 2003 08:49:58 -1000
Calling it a DoS might be a misnomer. It would look a lot more like a replay attack. The damage one could do with the millions of card numbers and expiration dates one could deduce from the seed list of 8 to 10 million would be the greatest when e-commerce shopping is replayed -- at any and every POS that accepts "card not present" transactions and ignores AVS. Use people.yahoo.com to assemble a list of shoppers and wham-o, thousands of merchants are busy shipping product, tens of thousands start to have difficulty picking legitimate orders out of the noise.

DoS would only occur in the case of merchants who are incompetent at risk management to begin with and just stop filling orders or choose to ignore orders where AVS doesn't report a full match.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of David Barnett
Sent: Wednesday, February 19, 2003 5:43 AM
To: full-disclosure () lists netsys com
Cc: cta () hcsin net
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts

While the threat of a Credit Card DoS seems to be quite a novel threat and I am, at this point in time, in no place to credit or discredit the idea, I can't help but to believe there is a less nefarious motivation behind this attack. One can't help but refer back to one of the last thefts of such a large amount of credit card numbers. The case involving Russian hacker(s) holding a company (can't remember the name?) ransom for a large sum of money not to release the credit card numbers onto the Internet.
If one takes the number of accounts affected, at last count some 8 million, assume at least 10 million affected and the costs to replace these accounts (the published figure I have seen was $25 per card), one must wonder at what cost would these institutions not pay up? $5 million?

Consumer confidence of purchasing on-line has been growing over the past year. Yes, this is not a case of an e-commerce site being broken into, but the public perception is there. Why has the victim clearing house not been exposed publicly?

If one now takes the possibility of a credit card DoS seriously, I would say this would be even more reason for the attacker(s) to try and call for some sort of ransom money. Yes, the last time, we know of at least, no money was paid out, and so were the credit cards all over the net. I can only wonder what is taking place in the back channels, and if we will ever know what threats were made and what money may have been paid out. Perhaps these are the reasons for the victim's anonymity??

David Barnett
Sr. Security Architect
Paranet Solutions

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html