Full Disclosure mailing list archives

RE: Hackers View Visa/MasterCard Accounts


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 18 Feb 2003 10:29:55 -0500

Wouldn't the AVS system used by the credit card companies catch this
kind of hack?  The AVS system does a rudimentary check to make sure that
the billing address given on an order is the correct one for the credit card.

Richard

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Jason Coombs
Sent: Tuesday, February 18, 2003 4:29 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Hackers View Visa/MasterCard Accounts


So, anyone know whether this was a simple "real-time credit card processing
oracle" attack where a tool throws fake orders at sites that provide
real-time credit card authorizations until a valid card number and
expiration date are found?

Any third-grader with a copy of Microsoft .NET or Java 2 class libraries
could whip up the code needed to bang away at the typical e-commerce site
logging rejected orders due to invalid credit card payment and revealing
card numbers and expiration dates that can be used for fraud in a variety of
ways.

There must be such credit card "hacking" tools circulating for the benefit
of script kiddies -- anyone looked into this before? If so, will you share
some references?

Jason Coombs
jasonc () science org

--

Hackers View Visa/MasterCard Accounts

Mon February 17, 2003 11:17 PM ET

NEW YORK (Reuters) - More than five million Visa and MasterCard accounts
throughout the nation were accessed after the computer system at a third
party processor was hacked into, according to representatives for the card
associations.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
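
Added example, not part of the original posts: a merchant-side check for the pattern the quoted message describes, where one source produces declined authorizations across many distinct cards in a short time. The log layout, card tokens, addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log: time, source, card token, result.
# Field layout, tokens and addresses are assumptions made for this example.
SAMPLE_LOG = """\
2003-02-18T04:00:00 192.0.2.9 tok_c1 DECLINED
2003-02-18T04:00:01 198.51.100.7 tok_a1 DECLINED
2003-02-18T04:00:03 198.51.100.7 tok_a2 DECLINED
2003-02-18T04:00:05 198.51.100.7 tok_a3 DECLINED
2003-02-18T04:00:08 198.51.100.7 tok_a4 DECLINED
2003-02-18T04:00:10 198.51.100.7 tok_a5 DECLINED
2003-02-18T04:00:12 198.51.100.7 tok_a6 DECLINED
2003-02-18T04:00:15 198.51.100.7 tok_a7 APPROVED
2003-02-18T04:01:00 203.0.113.20 tok_b1 DECLINED
2003-02-18T04:01:40 203.0.113.20 tok_b1 DECLINED
2003-02-18T04:02:10 203.0.113.20 tok_b1 APPROVED
2003-02-18T04:10:00 192.0.2.9 tok_c2 DECLINED
2003-02-18T04:20:00 192.0.2.9 tok_c3 DECLINED
2003-02-18T04:30:00 192.0.2.9 tok_c4 DECLINED
2003-02-18T04:40:00 192.0.2.9 tok_c5 DECLINED
""".splitlines()

def parse(line):
    """Split one log line into (timestamp, source, card token, result)."""
    ts, src, token, result = line.split()
    return datetime.fromisoformat(ts), src, token, result

def find_card_testing(lines, window=timedelta(minutes=5), max_cards=4):
    """Return {source: peak count of distinct declined cards in one window}
    for sources that exceed max_cards distinct declined cards."""
    recent = defaultdict(deque)  # source -> (time, token) of recent declines
    flagged = {}
    for ts, src, token, result in sorted(parse(l) for l in lines if l.strip()):
        if result != "DECLINED":
            continue
        q = recent[src]
        q.append((ts, token))
        while q and ts - q[0][0] > window:  # drop declines outside the window
            q.popleft()
        distinct = len({t for _, t in q})   # retries of one card count once
        if distinct > max_cards:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_card_testing(SAMPLE_LOG))
```

The customer who retries one card twice is not flagged, and the source that spaces its attempts ten minutes apart is only caught when the window is widened, so the window and threshold need tuning against real traffic.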
