Full Disclosure mailing list archives
RE: Hackers View Visa/MasterCard Accounts
From: "Bernie, CTA" <cta () hcsin net>
Date: Wed, 19 Feb 2003 18:05:15 -0500
While I would agree that the extortion path may be a potential means to a bizarre mutually beneficial end, I would still put more emphasis on the DoS theory.

Keep in mind that a typical DoS attack has two primary threat effects:

a. limiting access to something or somewhere
b. creating noise or buffer overflow

Think about what could happen if one were to set up a drone loaded with these credit card numbers, Exp Dates and AVS info, which was programmed to autonomously inject bogus orders at tens of thousands of e-commerce web sites. I would believe that these sites would choke on the declines. Even more alarming would be the small mom and pops that verify (Luhn check) the cards, but use off-line credit card terminals to process.

Furthermore, most processors and e-commerce payment gateways charge a transaction fee even if the card was declined. VISA, Master Card, and American Express get paid their fees regardless of the success of a transaction. Moreover, a successful Transactional DoS or possibly DDoS attack could result in significant indirect financial impact which may not be absorbed by VISA, Master Card or the Processors.

Quantifying the probable success of all plausible threat outcomes that may germinate from the theft juxtaposed to the potential economic and consumer trust impact, I would say that there is an immediate obligation and responsibility for the government regulators to mandate proactive action to develop and implement safeguards. Such action should start at the offices of VISA, Master Card, and American Express and transcend through the processors and merchants.

But will they do something preventive now, or wait until they feel the financial pinch?

On 19 Feb 2003, at 9:43, David Barnett wrote:
While the threat of a Credit Card DoS seems to be quite a novel threat and I am, at this point in time, in no place to credit or discredit the idea, I can't help but to believe there is a less nefarious motivation behind this attack.

One can't help but refer back to one of the last thefts of such a large amount of credit card numbers. The case involving Russian hacker(s) holding a company (can't remember the name?) ransom for a large sum of money not to release the credit card numbers onto the Internet.

If one takes the number of accounts affected, at last count some 8 million, assume at least 10 million affected and the costs to replace these accounts (the published figure I have seen was $25 per card), one must wonder at what cost would these institutions not pay up? $5 million?

Consumer confidence of purchasing on-line has been growing over the past year. Yes, this is not a case of an e-commerce site being broken into, but the public perception is there. Why has the victim clearing house not been exposed publicly?

If one now takes the possibility of a credit card DoS seriously, I would say this would be even more reason for the attacker(s) to try and call for some sort of ransom money. Yes, the last time, we know of at least, no money was paid out, and so were the credit cards all over the net.

I can only wonder what is taking place in the back channels, and if we will ever know what threats were made and what money may have been paid out. Perhaps these are the reasons for the victim's anonymity??

David Barnett
Sr. Security Architect
Paranet Solutions
--
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html