Full Disclosure mailing list archives

RE: Hackers View Visa/MasterCard Accounts


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 18 Feb 2003 16:31:11 -0500

CNN just upped the number again to 8 million stolen credit card numbers.
American Express has also joined the parade.

http://money.cnn.com/2003/02/18/technology/creditcards/index.htm

Richard

-----Original Message-----
From: Kevin Spett [mailto:kspett () spidynamics com] 
Sent: Tuesday, February 18, 2003 4:02 PM
To: jasonc () science org; Richard M. Smith; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Hackers View Visa/MasterCard Accounts


Even with the checksum digits, the keyspace for all possible credit card
numbers is huge and largely unused.  Also, if you get declined, you don't
know whether it's a problem with the card number or the expiration date.
There's no way to brute force issued card numbers independent of
expiration dates, which would speed up the process greatly.  So let's say
that you're assuming that the expiration date is within three years.  If
you've got an unissued card number, you have to make all 36 attempts
with it.

Also, CNN has revised their story.  The new number is 5.6 million credit
card numbers.


Kevin.

----- Original Message -----
From: "Jason Coombs" <jasonc () science org>
To: "Richard M. Smith" <rms () computerbytesman com>; <full-disclosure () lists netsys com>
Sent: Tuesday, February 18, 2003 1:00 PM
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts


AVS gives the merchant a clue as to whether or not there is high risk
posed by a particular alleged-customer.

Merchants are free to ignore AVS, and many don't even bother to use it.

Anyway, it doesn't impact the "declined" or "authorized" result given to
a shopper at an e-commerce site that implements real-time processing.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Richard M. Smith
Sent: Tuesday, February 18, 2003 5:30 AM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts


Wouldn't the AVS system used by the credit card companies catch this
kind of hack?  The AVS system does a rudimentary check to make sure that
the billing address given on an order is the correct one for the credit
card.

Richard


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


