RE: Hackers View Visa/MasterCard Accounts

["Bernie, CTA" <cta () hcsin net>]

<color><param>0100,0100,0100</param><FontFamily><param>Times New Roman</param>AVS (Address Verification Service) is 
intended for use on all "card 
not present" or "cardholder not present" transactions, such as e-
commerce and mail-order purchases.  It was designed to be more of 
an alarm to potential fraudulent use, and not an actual safeguard. 


First, consider that AVS authenticates only the card-holder’s street 
address and zip code, maintained in the processor’s database, with 
that presented by the purchaser / merchant. The AVS code is 
comprised of three numbers. The first corresponds to the numbers 
in the street address. The second corresponds to the zip code. And 
the third is an overall verification of both. 


There are ten different letters used for AVS response codes:


A = Address matches, zip code does not match

E = Error Response For Merchant Service Category Code

N = No match on street address or zip code

R = Retry, System Unavailable Or Timed Out

S = Service not supported by the issuer

U = Address Information Not Available (call cardholder's issuing 
bank)

W or Z Zip code matches, address does not match or was not 
requested (W indicates a nine digit zip code; Z indicates a five digit 
zip code

X or Y Exact match on address and postal code (X indicates a nine 
digit zip code; Y indicates a five digit zip code)


When the address information sent to the processor fails to match 
the data on file, an "AVS mis-match" occurs. An authorization 
request will not be automatically declined based on AVS response. 
Therefore you can get an approval with an AVS mis-match. In 
addition, since only the address and zip codes are checked, the AVS 
mechanism can be easily breached. Furthermore, AVS has not been 
implemented in most internationally based processing centers.


Notwithstanding, if the entire database of card-holder accounts 
(including AVS information) was stolen, then the thief has all the 
information needed to invoke fraudulent transactions. Given that the 
issuing banks, VISA and Master Card moved quickly to block 
transactions, I would not be surprised if a few unauthorized 
transactions slipped through. Nevertheless, I would be more 
worried about the use of the stolen credit card numbers and account 
information for other less obvious fraudulent purposes. 


With that being said, one wonders why no one has yet to put any real 
thought into vulnerability assessment and the development and 
implementation of “strong” security methods to protect credit card 
information as it is stored and electronically transferred.



<FontFamily><param>Arial</param>On 18 Feb 2003, at 10:29, Richard M. Smith wrote:


<color><param>7F00,0000,0000</param>> Wouldn't the AVS system used by the credit card companies catch

> this kind of hack?  The AVS system does a rudimentary check to

> make sure that the billing address given on a order is correct

> one for the credit card.

>

> Richard

>

> -----Original Message-----

> From: full-disclosure-admin () lists netsys com

> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of

> Jason Coombs Sent: Tuesday, February 18, 2003 4:29 AM To:

> full-disclosure () lists netsys com Subject: [Full-disclosure]

> Hackers View Visa/MasterCard Accounts

>

>

> So, anyone know whether this was a simple "real-time credit card

> processing oracle" attack where a tool throws fake orders at

> sites that provide real-time credit card authorizations until a

> valid card number and expiration date are found?

>

> Any third-grader with a copy of Microsoft .NET or Java 2 class

> libraries could whip up the code needed to bang away at the

> typical e-commerce site logging rejected orders due to invalid

> credit card payment and revealing card numbers and expiration

> dates that can be used for fraud in a variety of ways.

>

> There must be such credit card "hacking" tools circulating for

> the benefit of script kiddies -- anyone looked into this before?

> If so, will you share some references?

>

> Jason Coombs

> jasonc () science org

>

> --

>

> Hackers View Visa/MasterCard Accounts

>

> Mon February 17, 2003 11:17 PM ET

>

> NEW YORK (Reuters) - More than five million Visa and MasterCard

> accounts throughout the nation were accessed after the computer

> system at a third party processor was hacked into, according to

> representatives for the card associations.

>

> _______________________________________________

> Full-Disclosure - We believe in it.

> Charter: http://lists.netsys.com/full-disclosure-charter.html

>

> _______________________________________________

> Full-Disclosure - We believe in it.

> Charter: http://lists.netsys.com/full-disclosure-charter.html

>



<nofill>
-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html