Member Summary
Most Recent Posts
Ah so this makes the distributed brute force idea more plausible.

The idea would be that a 16-digit credit card number ha... (more)

Al3xK (Dec. 07, 2016 @ 3:23p) |

That again is incorrect. The article is also incorrect. Visa does not shut down anyone. The issuing bank can shutdown th... (more)

EvilCapitalist (Dec. 07, 2016 @ 3:58p) |

Reading up on this I don't see how they know it was how Tesco was hacked.
Tesco isn't saying anything, Visa isn't saying ... (more)

forbin4040 (Dec. 07, 2016 @ 4:29p) |


rated:
I suspect that it's not guessing so much, but connecting the dots from data in emails.

For example, one online receipt shows the last 4 digits, another set of emails shows you have a checking account with X bank, and other emails show that a new card is being issued.

From that data, you know the first 6 and the last 4 digits; also, the last digit is a checksum, so that limits the middle 6 digits to certain combinations that would be required to validate the checksum. If you had some valid card numbers, you might even be able to limit some of those middle 6 since you know they haven't gotten that high yet.

From there, you can probably get to within a few months for the expiration date from emails about new cards being issued, and get the exact expiration year knowing the bank's practices for issuing new cards.

From there, now you're on to the CVV -- which in a perfect world is a random 1:1000 shot, but I have the feeling that it's not so random.

Also, you can probably beat AVS verification by simply having your billing address in one email.
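The key-space reduction the post above describes, worked through as an added example (this is not code from the thread or from any of its posters). It shows why "first 6 and last 4 known" plus the checksum leaves 10**5 candidate card numbers rather than 10**6: the last digit is a Luhn check digit, and the Luhn digit mapping is a bijection, so once all but one digit are fixed exactly one value of the remaining digit is valid. The BIN 411111 and tail 1111 are constructed placeholders, not a real issuer range, and the function names are this example's own.

```python
"""Added example (not from the thread): how much of a 16-digit PAN is still
unknown once the first six (the BIN) and the last four have leaked, given
that the final digit is a Luhn check digit computed over the other fifteen.

BIN 411111 and tail 1111 below are constructed placeholders, not a real
issuer range; function names are this example's own.
"""

# Luhn contribution of a digit in a "doubled" position (double it, subtract
# 9 if the result exceeds 9). The mapping is a bijection on 0..9, which is
# why fixing all but one digit always leaves exactly one valid choice.
_DOUBLE = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]
_UNDOUBLE = {v: d for d, v in enumerate(_DOUBLE)}


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string; 0 means the string passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        # Counting from the right, the check digit is position 0 and every
        # odd position is doubled.
        total += _DOUBLE[d] if i % 2 == 1 else d
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_checksum(pan) == 0


def solve_missing_digit(pan_with_hole: str) -> str:
    """Fill the single '?' in pan_with_hole with the one digit that makes
    the whole string pass Luhn, without trying all ten."""
    if pan_with_hole.count("?") != 1:
        raise ValueError("exactly one '?' expected")
    p = pan_with_hole.index("?")
    # A 0 contributes nothing in either position, so this is the sum of the
    # known digits; the hole must supply whatever brings it to 0 mod 10.
    partial = luhn_checksum(pan_with_hole.replace("?", "0"))
    need = (-partial) % 10
    doubled = (len(pan_with_hole) - 1 - p) % 2 == 1
    d = _UNDOUBLE[need] if doubled else need
    return pan_with_hole[:p] + str(d) + pan_with_hole[p + 1:]


def enumerate_candidates(bin6: str, last4: str):
    """Yield every Luhn-valid 16-digit PAN with the given BIN and tail.
    Six middle digits are unknown, but the check digit pins one of them,
    so there are 10**5 candidates rather than 10**6."""
    if len(bin6) != 6 or len(last4) != 4:
        raise ValueError("expected a 6-digit BIN and a 4-digit tail")
    for free in range(10 ** 5):
        yield solve_missing_digit(f"{bin6}{free:05d}?{last4}")


def candidate_count(bin6: str, last4: str) -> int:
    return sum(1 for _ in enumerate_candidates(bin6, last4))


if __name__ == "__main__":
    print(candidate_count("411111", "1111"))  # 100000
```

The number that matters to a defender is the product: 10**5 card numbers, times however many expiry months the attacker has to try, times 1000 CVVs. An issuer that counts failed authorizations per card number, rather than per card number plus expiry, is what keeps that product from being walked one merchant at a time.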

rated:
This is what I don't understand.

Hacker generates a credit card number but doesn't know the real cardholder's name and address.

How do the online shopping websites allow a transaction when the name, address, card number and expiration date do not match?

rated:
fleetwoodmac said:   This is what I don't understand.

Hacker generates a credit card number but doesn't know the real cardholder's name and address.

How do the online shopping websites allow a transaction when the name, address, card number and expiration date do not match?

  Depending on the merchant, an incorrect CVV does not necessarily result in a failed transaction. It is flagged as incorrect in the backend, but if the merchant has allowed incorrect CVVs the transaction will still process. I believe the same could also happen with AVS matching.

Source: Purchased item from Best Buy a while back, entered incorrect CVV, transaction went through anyway.

rated:
Incorrect CCV results in a higher interest rate as well as an easier path for Chargeback.
It puts an extra burden on the merchant when you accept an invalid CCV.

rated:
stanolshefski said:   From there, now you're on to the CVV -- which in a perfect world is a random 1:1000 shot, but I have the feeling that it's not so random.

  This is true; I bought two prepaid Visas in the same batch and they had the same CVV.

rated:
AVS sometimes costs extra, so some merchants don't use it.

rated:
What seems odd to me is the rather flippant position from VISA about it. Aren't they on the hook for fraudulent charges, or is it actually the merchants taking the loss in case of fraudulent transactions that went through via this method? I can imagine that if this type of fraud were more common, they'd be interested in plugging that vulnerability to match the performance of the Mastercard network in detecting the guessing attempts quickly. After all, customers and merchants may turn to Mastercard network cards if they know they're less at risk, in which case VISA is likely to lose market share.

rated:
The merchant has a choice, accept it, or not. Some force it. Others need to do 'recurring charges' and those are not allowed to store CCV, hence a CCV less charge.

rated:
Merchant typically gets the short end of the stick and the chargeback and to top it off there are typically fees to the merchant for the chargeback as well.
 

rated:
forbin4040 said:   The merchant has a choice, accept it, or not. Some force it. Others need to do 'recurring charges' and those are not allowed to store CCV, hence a CCV-less charge.

  Since you seem to be mistyping it on purpose, the possible correct values are: CVV, CVC, CVD, CID, and CSC.

rated:
rufflesinc said:   
stanolshefski said:   From there, now you're on to the CVV -- which in a perfect world is a random 1:1000 shot, but I have the feeling that it's not so random.

  this is true, I bought two prepaid visas in the same batch and they had same CVV

  If they are truly random, that will happen on occasion.

rated:
scripta said:   
forbin4040 said:   The merchant has a choice, accept it, or not. Some force it. Others need to do 'recurring charges' and those are not allowed to store CCV, hence a CCV less charge.
Since you seem to be mistyping it on purpose, the possible correct values are: CVV, CVC, CVD, CID, and CSC.

  CCV is also an acceptable form.  
https://accounts.comodo.com/help/cvv_code

I learned the term a long time ago.

rated:
I wonder if this could possibly explain a situation I was in a few weeks ago. Checked emails early on a Friday morning and had several BofA alerts for CC use. None were mine but they added up to $700ish. Called BofA; they cancelled the card and issued a new one. Saturday morning I checked emails and, you can guess it, had several declined charge attempts on the NEW number (also a few hundred $$ worth). A number I did not yet know because it was being sent overnight via UPS. I did know the last 4 digits as my online account info showed this. I called back, cancelled, issued new card, etc. That seemed to stop the charges. Now I use the temp numbers I generate from my account online for each online purchase. I was all happy thinking I had figured out a way around the issue... foolish me, I guess.

PS - I did have one random $1 test charge for Lyft.com but it was declined fortunately.

rated:
taxmantoo said:   
rufflesinc said:    this is true, I bought two prepaid visas in the same batch and they had same CVV

  If they are truly random, that will happen on occasion.

A certain well-known prepaid company uses CVVs which are not random by any stretch of the imagination.  Or at least that's how it was with them ~8 years ago.  Just for kicks, "a friend of mine" did some poking around logging into the prepaid's www site with random (usually depleted) card numbers to test the hypothesis.  It worked, and we were absolutely shocked.  Interestingly, the #1 type of charge that showed up in the account history was poker rooms and other gaming sites.

rated:
From reading the article, it sounds like they're basically brute forcing the numbers but distributing the brute force across multiple websites that use Visa.

So if I try to buy something with your name and a generated card # on Amazon.com, I get to try it say 10 times, then I use HomeDepot.com and try it 10 times, then WalMart.com 10 times, etc.

I would guess that Visa's clearing house or something has an API that lets you pass the transaction source and that's how they did it? Not sure.

rated:
All 4 major card fraud departments actually fire off when you try something like this especially online.

rated:
Never mind, I'm blind.

rated:
Scripta, I don't want to be an ass, but did you even VISIT the page?

rated:
I'm sorry. I did visit, but I must've had a mini-stroke, because I saw what I wanted to see, not what's actually there.

rated:
Let me correct the biggest misconception that exists:

* Only AMEX clearing network has ability to pass, does pass, and verifies the name on the account.

This means that "Joseph Stalin" and "Adolph Hitler" periodically go shopping, sometimes using the same credit card.

rated:
EvilCapitalist said:   Let me correct the biggest misconception that exists:
* Only AMEX clearing network has ability to pass, does pass, and verifies the name on the account.
This means that "Joseph Stalin" and "Adolph Hitler" periodically go shopping, sometimes using the same credit card.

  You said the 'biggest misconception'.
Credit cards have 4 ways of validation. (Online)
Credit Card Number
Expiration Date
CCV / CVV
AVS (Address Verification)
Under no circumstances is there something called 'Name Verification'.

And you quoted that American Express Verifies name, this can't be correct as I've used many 'names' with the same Amex card and it goes through. (Maybe AMEX does have a name verification, but it doesn't seem to stop my transactions)

The biggest Misconception about Credit Cards is that the money is free.
The second biggest is 'I get the same protection from my Visa Debit card as my Visa Credit Card'... (ouch)
 

rated:
forbin4040 said:   
EvilCapitalist said:   Let me correct the biggest misconception that exists:
* Only AMEX clearing network has ability to pass, does pass, and verifies the name on the account.
This means that "Joseph Stalin" and "Adolph Hitler" periodically go shopping, sometimes using the same credit card.

  You said the 'biggest misconception'.
Credit cards have 4 ways of validation. (Online)
Credit Card Number
Expiration Date
CCV / CVV
AVS (Address Verification)
Under no circumstances is there something called 'Name Verification'.

This is just plainly incorrect. The rest is validated via payment gateways or companies that started to function like a payment gateway, for example Stripe, Square or Braintree. Both provide a much higher level of security than the vast majority of old gateway companies because they have a real-time dataset that allows them to score the risk of any given transaction across a mass number of merchants. It is a lot more likely that Stripe has seen a reasonably aged card used across its network of merchants than, say, KeyBank's processor that installed a terminal in an ice cream store in Maine.

Credit card networks only validate number and expiration date. That's it. Nothing else.
CCV/CVV *can* be validated but are not required.
AVS *can* be validated but a failure of this validation from the network perspective only results in a warning.

Moreover,  for AVS validation "350 Spruce St" is exactly equal to "Unit 350". 

Credit card authorization can result in 3 states:

1. Authorized
2. Authorized with warnings ( CCV/CVV failure, AVS failure )
3. Not authorized

Authorized only means that the CCN and expiration date matched. That's it.

Gateways may or may not implement handling of authorized with warnings, but if the gateway even passed the transaction to the network and the network replied with Authorized with Warnings, then any real-time system would display a pending transaction against the card in the form of a pending transaction/hold.

Most of old gateway software simply relays status back to the customer.  That is different from say Stripe, which would capture and store the card information. So while the gateway software would not be able to flag the AVS change across two different transactions, Stripe would detect it, score it and most likely fail it *before* it would be submitted to the clearing network (I do not work for stripe).  https://stripe.com/docs/radar/risk-evaluation

And you quoted that American Express Verifies name, this can't be correct as I've used many 'names' with the same Amex card and it goes through. (Maybe AMEX does have a name verification, but it doesn't seem to stop my transactions)

That means that the card was not run against the AMEX network but was run against another settlement network.
The second biggest is 'I get the same protection from my Visa Debit card as my Visa Credit Card'... (ouch)
If your agreement with a bank says you do, then you do.  I have not seen a single Visa Debit card issued by a bank against a DDA account that has worse protections than the credit card.
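A merchant-side policy for the three authorization states described above, as an added example (not from the thread and not any gateway's SDK). The point it makes is the one the thread keeps circling: "approved" from the network means only that the card number and expiry matched, and a merchant that ignores the CVV/AVS warning has not merely accepted a risky sale, it has left an authorization hold on the cardholder unless it voids explicitly. The field names and the AVS/CVV result letters are assumptions modelled on common processor conventions (AVS: Y full match, A street only, Z zip only, N no match, U unavailable; CVV: M match, N no match, P not processed); map them onto your own gateway's codes before use.

```python
"""Added example, not from the thread and not any gateway's SDK: a
merchant-side policy for the three authorization outcomes (authorized,
authorized with warnings, not authorized).

Field names and the AVS/CVV result letters are assumptions modelled on
common processor conventions; map them onto your gateway's real codes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    approved: bool   # the network's yes/no: card number and expiry matched
    avs: str         # AVS result letter: Y, A, Z, N, U (assumed convention)
    cvv: str         # CVV result letter: M, N, P; "" when none was sent (stored-card rebill)
    auth_id: str     # gateway authorization reference, needed to void


def classify(r: AuthResult) -> str:
    """Map a response onto the three states. Note that 'approved' alone
    says nothing about whether CVV or AVS matched."""
    if not r.approved:
        return "not_authorized"
    if r.cvv == "N" or r.avs == "N":
        return "authorized_with_warnings"
    return "authorized"


def decide(r: AuthResult, first_use: bool, require_full_avs: bool = False):
    """Return (action, reason) with action in {'capture', 'void', 'declined'}.

    'void' is the important one: the network already approved and placed a
    hold, so a merchant that merely fails to capture still leaves that hold
    on the cardholder; the authorization has to be voided explicitly."""
    if classify(r) == "not_authorized":
        return "declined", "issuer declined"
    if first_use:
        # CVV may not be stored, so only the first use of a card can be
        # checked. Later rebills legitimately arrive without one.
        if r.cvv == "N":
            return "void", "cvv mismatch"
        if r.cvv in ("", "P"):
            return "void", "cvv not verified on first use"
    if r.avs == "N":
        return "void", "avs no match"
    if require_full_avs and r.avs != "Y":
        return "void", "avs not a full match (%s)" % r.avs
    return "capture", "ok"


def auths_to_void(batch):
    """Run the policy over (AuthResult, first_use) pairs and return the
    auth_ids that must be voided, with the reason for each."""
    out = []
    for r, first in batch:
        action, reason = decide(r, first)
        if action == "void":
            out.append((r.auth_id, reason))
    return out


# Constructed responses for illustration, not real gateway traffic.
SAMPLE_BATCH = [
    (AuthResult(True, "Y", "M", "A1"), True),    # clean first use -> capture
    (AuthResult(True, "Y", "N", "A2"), True),    # approved, but CVV wrong -> void
    (AuthResult(True, "Y", "", "A3"), False),    # rebill, no CVV by design -> capture
    (AuthResult(True, "N", "M", "A4"), True),    # approved, AVS no match -> void
    (AuthResult(False, "", "", "A5"), True),     # issuer declined outright
]

if __name__ == "__main__":
    for auth_id, reason in auths_to_void(SAMPLE_BATCH):
        print("void", auth_id, reason)
```

Whether a partial AVS match (zip only, street only) is acceptable is a business decision, hence the `require_full_avs` switch; a CVV mismatch on a first-time card-not-present sale is not, and the policy voids it rather than quietly shipping.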
  

rated:
I did say online, EvilCapitalist. Online as in you enter your card in. Most of these you present are considered 'swipe' and card-present authorizations; those have a whole raft of other ways to confirm the card is legit.
This is in the context of the OP post.
If a hacker finds out your first 4 (from the location shopped) and last 4 (such as from your receipts), the act of brute forcing the Expiration Date and CCV triggers most fraud warning systems.

This article claims that Visa does not shut down authorizations after 10 (and says Mastercard does). I might call BS on this part. Most gateways shut down after 3 (as another FW post here about using his prepaid card more than 3 times) but for Visa to not shut down after seeing up to as many as 10 rejects? I doubt it.

rated:
EvilCapitalist said:   Let me correct the biggest misconception that exists:

* Only AMEX clearing network has ability to pass, does pass, and verifies the name on the account.

This means that "Joseph Stalin" and "Adolph Hitler" periodically go shopping, sometimes using the same credit card.

Ah so this makes the distributed brute force idea more plausible.

The idea would be that a 16-digit credit card number has X different possibilities, but in reality you can reduce the entropy because Visa always starts with 4 (and follows a pattern).

Same as Zip-code verification. Zip codes are 5 digits, but you can reduce the entropy because you know which zip codes have the highest population.

Samy Kamkar (famous for Samy Worm on MySpace) talks about this at DefCon: https://www.youtube.com/watch?v=fWk_rMQiDGc

I have no clue if this is what they really did, but it sounds like it.

rated:
forbin4040 said:   I did say online, EvilCapitalist. Online as in you enter your card in. Most of these you present are considered 'swipe' and card-present authorizations; those have a whole raft of other ways to confirm the card is legit.
This is in the context of the OP post.
If a hacker finds out your first 4 (from the location shopped) and last 4 (such as from your receipts), the act of brute forcing the Expiration Date and CCV triggers most fraud warning systems.

This article claims that Visa does not shut down authorizations after 10 (and says Mastercard does). I might call BS on this part. Most gateways shut down after 3 (as another FW post here about using his prepaid card more than 3 times) but for Visa to not shut down after seeing up to as many as 10 rejects? I doubt it.

That again is incorrect. The article is also incorrect. Visa does not shut down anyone. The issuing bank can shut down the card. That's about it.
Gateways do not shut down on bad cards. If they did, most fraud would not exist. Pounding a card with different expiration dates won't trigger anything because every gateway gets hit just once.

The reality is that for Visa and MC carders only need to walk a key space of 7 digits for card number and since the expiration date of the card cannot be random a very limited key space exists for the expiration date. CCV number is irrelevant for most of the gateways. Failure to provide CCV number does not fail the transaction. CCV number cannot be stored by the system and gateways will service a rebill ( in which the same information is provided less the CCV number ). 

The reason for this freak out is an attack that was mounted against cards issued by Tesco. This means that the carders knew the class of card and a BIN number. They also knew the approximate number of cards issued. This significantly reduced the key space. Tesco did not use those who live and breathe this kind of problem to design their systems and did it themselves. They did a fairly good job - the system caught the failure attempts against the same cards by the same gateway (attack vector: carder registers a merchant account and runs through it). What they did not track was that multiple merchants were failing the same card. The reason for that is that unsuccessful authorization attempts are rarely tracked - a card is unique based on card number *and* expiration date, not just based on the card number.

It must also be noted that by running a card through one does not get the money until the transaction settles. So if this attack was run against non-pre-paid cards, it is extremely unlikely that the money could have been drained from them. The issuing bank would have been pounded by the screaming masses that got authorization holds put against the accounts, did not settle them and reversed the transactions (not to mention identified the merchants used to drain the cards).

Don't freak out - unless you are using a ghetto bank or a ghetto credit card servicing company, this issue is unlikely to cause more than a slight inconvenience.

Pre-paid debit cards are entirely different story.
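An issuer-side check for the blind spot the post above describes (attempts against one card fail at many different merchants, each merchant seeing only one), as an added example that is not from the thread and is not a description of Tesco's or anyone's actual systems. The point is the keying: counting declines per card number catches the pattern, counting per card number plus expiry does not, because the attacker varies the expiry on every attempt. The log format, column names and card numbers are constructed (the PANs are standard Luhn-valid test numbers), and the ten-minute window and three-merchant threshold are assumed tuning values.

```python
"""Added example (not from the thread): detect one card being declined at
many merchants in a short window, keyed on the PAN alone.

SAMPLE_LOG is constructed; the PANs are test numbers, the merchant ids,
window and threshold are assumptions for the illustration.
"""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed issuer-side authorization log. Card ...1111 is hit at four
# merchants in 30 seconds with a different expiry each time (the guessing
# pattern) and then approved at a fifth; card ...4444 is a single-merchant
# repeat; card ...1111 (Visa test number) is a normal customer retry.
SAMPLE_LOG = """\
ts,merchant_id,pan,expiry,result
2016-11-05T10:00:01,M001,4111110000091111,01/18,DECLINED
2016-11-05T10:00:09,M002,4111110000091111,02/18,DECLINED
2016-11-05T10:00:15,M003,4111110000091111,03/18,DECLINED
2016-11-05T10:00:22,M004,4111110000091111,04/18,DECLINED
2016-11-05T10:00:30,M005,4111110000091111,05/18,APPROVED
2016-11-05T10:01:00,M006,4111111111111111,09/19,DECLINED
2016-11-05T10:01:40,M006,4111111111111111,09/19,APPROVED
2016-11-05T10:02:00,M007,5555555555554444,11/18,DECLINED
2016-11-05T10:02:05,M007,5555555555554444,12/18,DECLINED
2016-11-05T10:02:10,M007,5555555555554444,01/19,DECLINED
2016-11-05T13:00:00,M008,4111110000091111,05/18,DECLINED
"""


def pan_key(pan: str) -> str:
    """Key the counter on a one-way hash of the PAN so raw card numbers
    never sit in the detection store."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


def parse_log(text: str):
    """Parse the CSV above into dicts with a real datetime."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "merchant_id": r["merchant_id"],
            "pan": r["pan"],
            "expiry": r["expiry"],
            "result": r["result"],
        })
    return rows


def distributed_guessing_alerts(events, window=timedelta(minutes=10),
                                min_merchants=3, key_by_expiry=False):
    """Return {key: most distinct merchants that declined that key within
    any single `window`} for keys reaching min_merchants.

    key_by_expiry=True reproduces the blind spot: treating each
    (PAN, expiry) pair as a separate card, so a guesser who changes the
    expiry on every attempt never accumulates a count."""
    declines = defaultdict(list)
    for e in events:
        if e["result"] != "DECLINED":
            continue
        key = pan_key(e["pan"])
        if key_by_expiry:
            key += ":" + e["expiry"]
        declines[key].append((e["ts"], e["merchant_id"]))

    alerts = {}
    for key, evs in declines.items():
        evs.sort()
        best = 0
        # Sliding window anchored at each decline; evs is sorted so every
        # later entry is at or after t0.
        for i, (t0, _) in enumerate(evs):
            merchants = {m for t, m in evs[i:] if t - t0 <= window}
            best = max(best, len(merchants))
        if best >= min_merchants:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per PAN:", distributed_guessing_alerts(evs))
    print("per PAN+expiry:", distributed_guessing_alerts(evs, key_by_expiry=True))
```

The same single-merchant repeat that a per-gateway counter catches (card ...4444 at M007) is deliberately not what this rule is for; it only fires on the cross-merchant spread, which is why it has to run where all merchants' traffic converges, at the issuer or the network, not in any one gateway.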

rated:
Reading up on this I don't see how they know it was how Tesco was hacked.
Tesco isn't saying anything, Visa isn't saying anything, no one is saying anything except for a school who 'theorized' how it happened. (They tried some visa cards to see how long before they were shut down, I had to dig a few pages down on Google to find that)

I would stick with the easy answer, inside job.

© 1999-2017