Full Disclosure mailing list archives
RE: Hackers View Visa/MasterCard Accounts
From: "Bernie, CTA" <cta () hcsin net>
Date: Tue, 18 Feb 2003 14:02:57 -0500
AVS (Address Verification Service) is intended for use on all "card not present" or "cardholder not present" transactions, such as e-commerce and mail-order purchases. It was designed to be more of an alarm to potential fraudulent use, and not an actual safeguard. First, consider that AVS authenticates only the card-holder's street address and zip code, maintained in the processor's database, with that presented by the purchaser / merchant.

The AVS code is comprised of three numbers. The first corresponds to the numbers in the street address. The second corresponds to the zip code. And the third is an overall verification of both. There are ten different letters used for AVS response codes:

A = Address matches, zip code does not match
E = Error Response For Merchant Service Category Code
N = No match on street address or zip code
R = Retry, System Unavailable Or Timed Out
S = Service not supported by the issuer
U = Address Information Not Available (call cardholder's issuing bank)
W or Z = Zip code matches, address does not match or was not requested (W indicates a nine digit zip code; Z indicates a five digit zip code)
X or Y = Exact match on address and postal code (X indicates a nine digit zip code; Y indicates a five digit zip code)

When the address information sent to the processor fails to match the data on file, an "AVS mis-match" occurs. An authorization request will not be automatically declined based on AVS response. Therefore you can get an approval with an AVS mis-match. In addition, since only the address and zip codes are checked, the AVS mechanism can be easily breached. Furthermore, AVS has not been implemented in most internationally based processing centers. Notwithstanding, if the entire database of card-holder accounts (including AVS information) was stolen, then the thief has all the information needed to invoke fraudulent transactions.
Given that the issuing banks, VISA and MasterCard, moved quickly to block transactions, I would not be surprised if a few unauthorized transactions slipped through. Nevertheless, I would be more worried about the use of the stolen credit card numbers and account information for other less obvious fraudulent purposes. With that being said, one wonders why no one has yet put any real thought into vulnerability assessment and the development and implementation of strong security methods to protect credit card information as it is stored and electronically transferred.

On 18 Feb 2003, at 10:29, Richard M. Smith wrote:

> Wouldn't the AVS system used by the credit card companies catch
> this kind of hack? The AVS system does a rudimentary check to
> make sure that the billing address given on an order is the correct
> one for the credit card.
> Richard
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Jason Coombs
> Sent: Tuesday, February 18, 2003 4:29 AM
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] Hackers View Visa/MasterCard Accounts
> So, anyone know whether this was a simple "real-time credit card
> processing oracle" attack where a tool throws fake orders at
> sites that provide real-time credit card authorizations until a
> valid card number and expiration date are found?
>
> Any third-grader with a copy of Microsoft .NET or Java 2 class
> libraries could whip up the code needed to bang away at the
> typical e-commerce site logging rejected orders due to invalid
> credit card payment and revealing card numbers and expiration
> dates that can be used for fraud in a variety of ways.
>
> There must be such credit card "hacking" tools circulating for
> the benefit of script kiddies -- anyone looked into this before?
> If so, will you share some references?
>
> Jason Coombs
> jasonc () science org
>
> --
> Hackers View Visa/MasterCard Accounts
> Mon February 17, 2003 11:17 PM ET
>
> NEW YORK (Reuters) - More than five million Visa and MasterCard
> accounts throughout the nation were accessed after the computer
> system at a third party processor was hacked into, according to
> representatives for the card associations.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
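Bernie's point that the issuer's approval and the AVS result are independent means a merchant can receive an approved authorization together with an AVS mismatch, so the merchant has to apply its own rule before capturing the funds. The following is an added example, not code from the thread, from Bernie, or from any card network. The code table follows the ten letters listed in the post above; the capture/review/void policy, the amount threshold and the function names are constructed assumptions about what such a merchant-side rule could look like.

```python
"""Merchant-side handling of AVS response codes (added example, constructed)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class AvsResult:
    code: str
    address_match: Optional[bool]   # None: the check could not be performed
    zip_match: Optional[bool]
    zip_digits: Optional[int]       # 5 or 9 when the response says which was compared
    description: str


# Table built from the response letters listed in the post.
AVS_CODES: Dict[str, AvsResult] = {
    "A": AvsResult("A", True, False, None, "Address matches, zip code does not match"),
    "E": AvsResult("E", None, None, None, "Error response for merchant service category code"),
    "N": AvsResult("N", False, False, None, "No match on street address or zip code"),
    "R": AvsResult("R", None, None, None, "Retry, system unavailable or timed out"),
    "S": AvsResult("S", None, None, None, "Service not supported by the issuer"),
    "U": AvsResult("U", None, None, None, "Address information not available"),
    "W": AvsResult("W", False, True, 9, "Nine-digit zip matches, address does not"),
    "Z": AvsResult("Z", False, True, 5, "Five-digit zip matches, address does not"),
    "X": AvsResult("X", True, True, 9, "Exact match on address and nine-digit zip"),
    "Y": AvsResult("Y", True, True, 5, "Exact match on address and five-digit zip"),
}


def parse_avs(code: str) -> AvsResult:
    """Look up a raw AVS response letter; unknown letters are an error, not a pass."""
    key = code.strip().upper()
    if key not in AVS_CODES:
        raise ValueError(f"unknown AVS response code: {code!r}")
    return AVS_CODES[key]


def merchant_decision(auth_approved: bool, avs_code: str, amount: float,
                      review_threshold: float = 100.0) -> str:
    """Decide what to do with an authorization (constructed policy).

    'decline' - the issuer declined; nothing to capture
    'retry'   - AVS did not run (R); re-submit before deciding
    'capture' - safe to capture under this policy
    'review'  - hold for manual review before capture
    'void'    - release the authorization and do not ship
    """
    if not auth_approved:
        return "decline"
    r = parse_avs(avs_code)
    if r.code == "R":
        return "retry"
    if r.address_match is None:          # E, S, U: no verification was possible
        return "review"
    if r.address_match and r.zip_match:  # X, Y
        return "capture"
    if not r.address_match and not r.zip_match:
        return "void"                    # N: issuer approved, but nothing matched
    # Partial match (A, W, Z): let small orders through, hold larger ones.
    return "capture" if amount < review_threshold else "review"


if __name__ == "__main__":
    for code in "Y A N R U".split():
        print(code, "->", merchant_decision(True, code, 250.0), "|", parse_avs(code).description)
```

The important branch is the one for N: the processor has already returned an approval, and without a merchant-side check the order would ship. The threshold for partial matches is the part a merchant would tune against its own chargeback history.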
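Jason Coombs's quoted message describes a script that throws fake orders at a merchant's real-time authorization endpoint until something is accepted. From the merchant's side that activity shows up as a burst of declined authorizations from one source across many distinct cards, and that is what the following added example looks for. It is not code from the thread or from any vendor; the log format, the field names and the sample lines are constructed for the example (the card numbers are a masked test number), and the window and thresholds are assumptions a merchant would tune.

```python
"""Card-testing velocity detection over authorization logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed log format (constructed): one authorization attempt per line,
# card number already masked to BIN + last four before it reaches the log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) order=(?P<order>\d+) "
    r"pan=(?P<pan>\S+) result=(?P<result>\w+)"
)

# Constructed sample: one source cycling through cards, one ordinary
# customer who mistypes once and then succeeds.
SAMPLE_LOG = """\
2003-02-18T04:29:00Z ip=198.51.100.7 order=1001 pan=411111******1111 result=declined
2003-02-18T04:29:04Z ip=198.51.100.7 order=1002 pan=411111******1112 result=declined
2003-02-18T04:29:09Z ip=203.0.113.5 order=1003 pan=555555******4444 result=declined
2003-02-18T04:29:11Z ip=198.51.100.7 order=1004 pan=411111******1113 result=declined
2003-02-18T04:29:15Z ip=198.51.100.7 order=1005 pan=411111******1114 result=declined
2003-02-18T04:29:20Z ip=203.0.113.5 order=1006 pan=555555******4444 result=approved
2003-02-18T04:29:22Z ip=198.51.100.7 order=1007 pan=411111******1115 result=declined
2003-02-18T04:29:27Z ip=198.51.100.7 order=1008 pan=411111******1116 result=declined
2003-02-18T04:29:31Z ip=198.51.100.7 order=1009 pan=411111******1117 result=approved
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, ip, masked pan, result)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed format into time-ordered events; unparseable lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["pan"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_card_testing(text: str, window_seconds: int = 60,
                        max_declines: int = 5,
                        min_distinct_pans: int = 3) -> Dict[str, Tuple[int, int]]:
    """Flag sources with >= max_declines declined authorizations inside a sliding
    window that also touch >= min_distinct_pans different (masked) cards.

    Returns {ip: (peak declines in window, peak distinct cards in window)}.
    The distinct-card condition separates a customer retyping one card from a
    script cycling through many; masked PANs make it an approximation.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> recent (ts, pan) declines
    flagged: Dict[str, Tuple[int, int]] = {}
    for ts, ip, pan, result in parse_log(text):
        if result != "declined":
            continue
        q = recent[ip]
        q.append((ts, pan))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                              # drop declines outside the window
        distinct = len({p for _, p in q})
        if len(q) >= max_declines and distinct >= min_distinct_pans:
            prev = flagged.get(ip, (0, 0))
            flagged[ip] = (max(prev[0], len(q)), max(prev[1], distinct))
    return flagged


if __name__ == "__main__":
    for ip, (declines, cards) in detect_card_testing(SAMPLE_LOG).items():
        print(f"{ip}: {declines} declines across {cards} cards within 60s")
```

The approved attempt at the end of the flagged source's run is the one a merchant most wants to catch: once the source is flagged, that authorization should be held rather than captured, and the source throttled, which also removes the oracle the script depends on.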