nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: bloomberg on supermicro: sky is falling

From: David Hubbard <dhubbard () dino hostasaurus com>
Date: Wed, 10 Oct 2018 14:58:08 +0000
They actually profit from fraud; and my theory is that that's why issuers have mostly ceased allowing consumers to 
generate one time use card numbers via portal or app, even though they claim it's simply because "you're not 
responsible for fraud."  When a stolen credit card is used, the consumer disputes the resulting fraudulent charges.  
The dispute makes it to the merchant account issuer, who then takes back the money their merchant had collected, and 
generally adds insult to injury by charging the merchant a chargeback fee for having to deal with the issue (Amex is 
notable for not doing this).  The fee is often as high as $20, so the merchant loses whatever merchandise or service 
they sold, loses the money, and pays the merchant account bank a fee on top of that.

Regarding CVV; PCI permits it being stored 'temporarily', but with specific conditions on how that are far more 
restrictive than the card number.  Suffice it to say, it should not be possible for an intrusion to obtain it, and we 
know how that goes....

These days javascript being inserted on the payment page of a compromised site, to steal the card in real time, is 
becoming a more common occurrence than actually breaching an application or database.  Websites have so much third 
party garbage loaded into them now, analytics, social media, PPC ads, etc. that it's nearly impossible to know what 
should or shouldn't be present, or if a given block of JS is sending the submitted card in parallel to some other 
entity.  There's technologies like subresource integrity to ensure the correct code is served by a given page, but that 
doesn't stop someone from replacing the page, etc.



On 10/10/18, 10:41 AM, "NANOG on behalf of Naslund, Steve" <nanog-bounces () nanog org on behalf of SNaslund () 
medline com> wrote:

    Yet this data gets compromised again and again, and I know for a fact that the CVV was compromised in at least four 
cases I personally am aware of.  As long as the processors are getting the money, do you really think they are going to 
kick out someone like Macy's or Home Depot?  After all, it is really only an inconvenience to you and neither of them 
care much about that.
    
    Steve
    
    
    
    >It's been a while since I've had to professionally worry about this,
    >but as I recall, compliance with PCI [Payment Card Industry] Data
    >Security Standards prohibit EVER storing the CVV.  Companies which
    >do may find themselves banned from being able to process card
    >payments if they're found out (which is unlikely).
    >   - Brian
Previous By Date Next
Previous By Thread Next

Current thread: