Full Disclosure mailing list archives

RE: Hackers View Visa/MasterCard Accounts


From: "Jason Coombs" <jasonc () science org>
Date: Wed, 19 Feb 2003 08:49:58 -1000

Calling it a DoS might be a misnomer. It would look a lot more like a replay
attack. The damage one could do with the millions of card numbers and
expiration dates one could deduce from the seed list of 8 to 10 million
would be the greatest when e-commerce shopping is replayed -- at any and
every POS that accepts "card not present" transactions and ignores AVS.

Use people.yahoo.com to assemble a list of shoppers and wham-o, thousands of
merchants are busy shipping product, tens of thousands start to have
difficulty picking legitimate orders out of the noise. DoS would only occur
in the case of merchants who are incompetent at risk management to begin
with and just stop filling orders or choose to ignore orders where AVS
doesn't report a full match.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of David
Barnett
Sent: Wednesday, February 19, 2003 5:43 AM
To: full-disclosure () lists netsys com
Cc: cta () hcsin net
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts


While the threat of a Credit Card DoS seems to be quite a novel threat and I
am, at this point in time, in no place to credit or discredit the idea, I
can't help but believe there is a less nefarious motivation behind this
attack. One can't help but refer back to one of the last thefts of such a
large amount of credit card numbers: the case involving Russian hacker(s)
holding a company (can't remember the name?) ransom for a large sum of money
not to release the credit card numbers onto the Internet.

If one takes the number of accounts affected, at last count some 8 million,
assume at least 10 million affected and the costs to replace these accounts
(the published figure I have seen was $25 per card), one must wonder at what
cost would these institutions not pay up? $5 million?

Consumer confidence in purchasing on-line has been growing over the past
year. Yes, this is not a case of an e-commerce site being broken into, but
the public perception is there. Why has the victim clearing house not been
exposed publicly?

If one now takes the possibility of a credit card DoS seriously, I would say
this would be even more reason for the attacker(s) to try and call for some
sort of ransom money. Yes, the last time, that we know of at least, no money was
paid out, and so the credit cards were all over the net.

I can only wonder what is taking place in the back channels, and if we will
ever know what threats were made and what money may have been paid out.
Perhaps these are the reasons for the victims' anonymity?

David Barnett
Sr. Security Architect
Paranet Solutions

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

