Full Disclosure mailing list archives

RE: Hackers View Visa/MasterCard Accounts


From: "Jason Coombs" <jasonc () science org>
Date: Tue, 18 Feb 2003 17:07:09 -1000

And if you were an economic terrorist wouldn't you be keen to compromise all
~580 million credit card accounts in the U.S. that have been issued
according to these silly, insecure methods?

The "payload" in this attack may be simply to damage the financial markets
by destroying the existing (extremely vulnerable) credit card
issuer/acquirer/processor infrastructure.

Jason Coombs
jasonc () science org

-----Original Message-----
From: Bernie, CTA [mailto:cta () hcsin net]
Sent: Tuesday, February 18, 2003 12:32 PM
To: full-disclosure () lists netsys com; Jason Coombs
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts



On 18 Feb 2003, at 11:08, Jason Coombs wrote:

>>>
lucky for cc fraudsters, issuers opt to create cards in batches
where all of the neighboring card numbers share the same
expiration date (month/year).
<<<
Taking into account that the batches are done sequentially,
LUHN checksums could be easily discovered through a bit of
simple Mod 10 arithmetic, and that there is better than a 50%
probability of predicting the expiration date, I would say that the
thief could be more successful at exploiting newly generated
credit card numbers, and just use those stolen as seeds.

Now assuming that a thief has successfully generated such
numbers, what would be the best method of attack? How about
a few coins ($0.50) here and there, times 5 million plus cards
per month?  How many credit card customers or issuing banks
will pay any attention to such inconsequential charges?
Especially if the statement notes such a charge something like
"account maintenance fee"?

I fear that the real payload has yet to be calculated.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
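
Added example, not part of the original thread: one way an issuer or processor could detect the pattern raised above, small charges spread across neighbouring account numbers, run here over constructed authorization records. The record layout, thresholds and function names are assumptions.

```python
from collections import defaultdict

# Constructed records (merchant id, account number, amount); not real accounts.
SAMPLE_AUTHS = [
    ("M-TEST-1", "9999990000001203", 0.50),
    ("M-TEST-1", "9999990000001211", 0.50),
    ("M-TEST-1", "9999990000001229", 0.50),
    ("M-TEST-1", "9999990000001237", 0.50),
    ("M-TEST-1", "9999990000001245", 0.50),
    ("M-TEST-2", "9999990000500008", 0.75),
    ("M-TEST-2", "9999990031000004", 0.50),
    ("M-TEST-2", "9999990870000001", 0.99),
    ("M-TEST-2", "9999990870000019", 42.00),
]

def account_body(pan):
    """Drop the trailing Mod 10 check digit so batch neighbours compare as adjacent integers."""
    return int(pan[:-1])

def longest_neighbour_run(pans, max_gap):
    """Longest chain of distinct accounts where each is within max_gap of the previous one."""
    ordered = sorted(set(pans), key=account_body)
    best, run = [], []
    for pan in ordered:
        if run and account_body(pan) - account_body(run[-1]) > max_gap:
            run = []  # gap too large: start a new chain
        run.append(pan)
        if len(run) > len(best):
            best = list(run)
    return best

def flag_enumeration(auths, max_amount=1.00, max_gap=50, min_run=4):
    """Return {merchant: run} for merchants whose low-value charges walk a block of accounts."""
    small = defaultdict(list)
    for merchant, pan, amount in auths:
        if amount <= max_amount:  # only the "few coins" charges are of interest
            small[merchant].append(pan)
    flagged = {}
    for merchant, pans in small.items():
        run = longest_neighbour_run(pans, max_gap)
        if len(run) >= min_run:
            flagged[merchant] = run
    return flagged

if __name__ == "__main__":
    for merchant, run in flag_enumeration(SAMPLE_AUTHS).items():
        print(merchant, len(run), "neighbouring accounts:", run[0], "...", run[-1])
```

The thresholds trade false positives against sensitivity and would need tuning against a processor's real traffic.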
