Why Are CC Numbers Still So Easy To Find? 317

Posted by kdawson
from the years'-old-hole dept.
Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennett's article.

Some "script kiddie" tricks still work after all: Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of credit card numbers in my random test turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app. If the numbers were displayed along with people's names and phone numbers, sometimes I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised.

Now, before this gets a lot of people mad, let me say that at first I was planning on holding off writing about this for months if necessary, to give the credit card companies time to do something about it. In other words, I actually had the presumptuousness to think that I had been the first one to discover it, but only because the credit card numbers that I found were still active. (If the trick had been widely known, I reasoned, surely the credit card companies would have found any credit card numbers listed in Google before I did, and gotten them cancelled.) Then I found that the trick had been publicized about three years earlier in a C-Net article by Robert Lemos and was probably widely known even before that. (The article stops just short of describing the actual technique, but one reader posted the full details in a follow-up comment.) Another article from that year in CRM Daily describes an even more efficient trick: Googling for number ranges like 4060000000000000..4060999999999999 to find Visa card numbers beginning with "4060". Google has now blocked that trick, so that trying it as a Google search leads to an error page. But the basic technique of Googling for working credit card numbers apparently still works. In other words, credit card companies have apparently known about this technique for at least three years, probably longer, and presumably have hoped it would continue being swept under the rug.

At this point, I think the right thing to do is to shine a light on the problem and insist that they fix it as soon as possible. It may result in a short-term spike in people using this technique, but if it results in the problem being fixed, then the total number of fraud incidents will probably be less in the long run.

It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format "3xxx xxxxxx xxxxx", and Googling for the first 10 digits as "3xxx xxxxxx" didn't yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up "treasure troves" of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren't listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL, and a slight variation on the same URL (such as varying an order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found. Simple, though time-consuming given how many different 8-digit prefixes there are; but every minute of effort expended on tracking down and canceling leaked credit card numbers would save time and grief later by preventing the numbers from being used by criminals. If it would save them time in the long run and help prevent fraud, then why don't they do this?

It's considered good etiquette among security researchers, when finding a new security hole, to give the affected companies a chance to fix the issue before publicizing it. When I first contacted the credit card companies and described exactly how the exploit worked and how to block it, after getting a polite "We can't comment" from each one, I figured I'd give them a few months to get a system in place that could find leaked cards on a daily basis and de-activate them before they could be used. But then I found the C-Net article from 2004, and figured that if the card companies hadn't taken action in three years, it was fair game to publicize the trick in order to increase the pressure on them to plug the gap. Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it.

I did try the "Good Samaritan" approach, calling the credit card companies when I found one of their customers' card numbers on the Web. For each of the four major card companies, I called their security departments and reported two of the cards that I had found compromised, and then a week later, called the cardholders themselves to see if the card companies had notified them. Surprisingly, of the four companies, American Express was the only one whose customers in this experiment, when I called them a week later, said that AmEx had contacted them and told them to change their numbers. But even if all four credit card companies were more proactive about acting on reports of leaked numbers, the problems with scaling this approach are that (a) I usually had to wait on hold for a few minutes with each company and then spell out each card number that I'd found, which doesn't scale for a large number of stolen card numbers, and (b) if lots of people started doing this, then the credit card companies would be inundated with duplicate reports about the "low-hanging fruit", card numbers with common prefixes that appear near the top of some Google search result. Both problems could be avoided if the card companies simply ran their own script that queried Google and brought up a list of any indexed card numbers, whereupon an employee could copy and paste the numbers into an interface that would flag the cards instantly.

Google does have a feature where you can request the removal of pages that contain credit card numbers and other personal data such as Social Security Numbers. Any pages that I found containing credit card data, I submitted for removal, and Google did handle each removal request within two days. But this doesn't guard against the possibility that someone might have found the credit card information before it was removed, and of course it doesn't mean that other search engines like Alta Vista (remember Alta Vista?) might not have indexed the same pages. Running a sample of 8-digit prefix searches on Alta Vista, I found about as many credit cards as I found through Google, including some pages that were not in the Google index (maybe Google never indexed them, or maybe they had removed them already). So removing a page from any engine's search results is more like covering up a symptom of a problem than fixing the problem itself, which is the fact that the card number was leaked to the Web in the first place.

If nothing else, this is another reminder of how terrible the security model is for credit card numbers as a token of payment -- one universal piece of information shared with every merchant, that can be used for unlimited unauthorized charges if it gets compromised, until someone notices. About the only desirable property of credit card numbers from a security point of view is that they can be changed, and most of your existing recurring billing relationships will carry over, but even that is a hassle. Several credit card companies do provide the ability to generate single-use credit card numbers, each one authorized only for a limited purchase amount. The problem with that is that as any security analyst will tell you, if it takes even one extra step, most people won't bother -- as long as all-purpose credit card numbers are the default, that's what most people will use. Perhaps incidents like this will push people towards more 21st-century-aware styles of payment (like PayPal, but without all the horror stories), where you can pay a bill through a system that debits your card or your bank account, without sharing all your information with the merchant.

But in the short term, as long as credit card numbers are still with us, the card companies should make more proactive efforts to find and deactivate the ones that have been leaked on the Internet. If the card numbers are found to be leaked by a clumsy Web interface on one company's site, then that company should be chastised by the card companies that issued them a merchant account. If the numbers are found together in a list posted on some third-party forum, then the companies can cross-reference the charge history against each card in the list, to narrow down which merchant may have been responsible for the leak. I'm sure the card companies do something like this already when they find a list of leaked cards; what they don't seem to be doing is acting aggressively enough to find the leaked numbers in the first place.

Maybe the real moral is not the insecurity of credit card numbers, but the value of transparency and online community relations. If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago. In fact many tech companies, if you report a security problem to them, will thank you and fix it immediately, and some of them will even offer you cash if you find any more, like Netscape used to do with their $1,000 Bugs Bounty program. We get so used to big companies having obvious holes in their security practices and answering every question about security with a flat "No comment", that we forget it doesn't have to be that way -- transparency is not just trendy, it works. After years of having bug hunters poke at the Netscape browser, its security may not have been perfect, but it didn't have any holes as simple and obvious as finding credit card numbers on Google.
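As an added example, not part of Haselton's article or any card company's tooling, here is the local half of the daily scan the article calls for: given page text that has already been fetched (from your own web properties, or from the search-result snippets your existing crawler or search API returns), it extracts spaced card-number candidates in the 16-digit "nnnn nnnn nnnn nnnn" and AmEx "3xxx xxxxxx xxxxx" forms discussed above, keeps only those that pass the Luhn check, masks them so a human can triage without handling full numbers, and reports which URLs were not flagged on the previous run. The URLs, page texts and "yesterday" list are constructed; the two numbers a commenter posts further down the page are included as inputs and are dropped because they fail the checksum.

```python
"""Detector for leaked payment card numbers in already-fetched page text.

Constructed example for this discussion; it is not the article's script
nor any issuer's code. Fetching is left to whatever crawler or search
API you already run; this only handles extraction, validation, masking
and the day-over-day diff that the article says a human should review.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Candidate card numbers: 16 digits in groups of four (space, hyphen or no
# separator) or the 15-digit AmEx layout "3xxx xxxxxx xxxxx". The lookarounds
# stop a longer digit run from yielding a partial match.
PAN_RE = re.compile(
    r"(?<![\d-])"
    r"(?:\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}"
    r"|3\d{3}[ -]?\d{6}[ -]?\d{5})"
    r"(?![\d-])"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Coarse issuer guess from the leading digits (classic ranges only)."""
    n = len(digits)
    if n == 16 and digits[0] == "4":
        return "visa"
    if n == 16 and "51" <= digits[:2] <= "55":
        return "mastercard"
    if n == 16 and digits.startswith("6011"):
        return "discover"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    return None


def mask(digits: str) -> str:
    """Keep the issuer prefix and last four; enough to triage, not to charge."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    url: str
    brand: str
    masked: str


def scan_page(url: str, text: str) -> List[Finding]:
    """Return one Finding per distinct Luhn-valid card number on the page."""
    out: List[Finding] = []
    seen: Set[str] = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = brand_of(digits)
        if brand is None or not luhn_ok(digits) or digits in seen:
            continue
        seen.add(digits)
        out.append(Finding(url, brand, mask(digits)))
    return out


def scan_pages(pages: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for url, text in pages.items():
        findings.extend(scan_page(url, text))
    return findings


def new_urls(findings: List[Finding], previous_urls: Set[str]) -> Set[str]:
    """URLs carrying card numbers now that were not flagged on the last run."""
    return {f.url for f in findings} - previous_urls


# Constructed sample pages, as a crawler or search snippet might return them.
# The card numbers are the standard published test numbers plus the two that
# a commenter posts in this discussion (both fail the Luhn check).
SAMPLE_PAGES = {
    "https://shop.example/orders/1042": (
        "Order 1042 paid with card 4111 1111 1111 1111 exp 09/09\n"
        "Alt: 3782 822463 10005\n"
    ),
    "https://forum.example/post/77": (
        "Here, I'm going to post some: 4245 8611 9994 1245 and 8847 1210 5566 0625\n"
    ),
    "https://shop.example/orders/1043": "Order 1043 ref 5500 0000 0000 0004 total $12.00\n",
    "https://blog.example/about": "Call us at 555 0100 or quote ticket 1234-5678-9012-3456.",
}
PREVIOUS_URLS = {"https://shop.example/orders/1042"}  # constructed: yesterday's hits

if __name__ == "__main__":
    found = scan_pages(SAMPLE_PAGES)
    for f in found:
        print(f"{f.url}\t{f.brand}\t{f.masked}")
    print("new URLs for human review:", sorted(new_urls(found, PREVIOUS_URLS)))
```

Running it reports three masked numbers on the two order pages and flags only orders/1043 as new; the forum post and the ticket number produce nothing because they fail the checksum or the issuer prefix.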

  • What does it matter?

    How can a normal fraudster use a credit card number to his personal gain?
    Does he get goods delivered to his house?

    Anything purchased with it has an audit trail.
    It's not like you can turn up in a shop and swipe the printout or screenshot, and making up blank cards isn't yet in the hands of the common criminal.

    I will go out on a limb and say most credit card fraud occurs in the real owner's home town right about the time of alcohol consumption.

    Regret buying that 'funky' leopard skin jacket?
    • Re: (Score:2, Informative)

      by stackdump (553408)
      I would think the best thing to do would be to learn how to make a bogus credit card. That way you could visit a store out of the way w/ no surveillance and could spend money while signing with some bogus scribble.
      • Re: (Score:2, Informative)

        by Anonymous Coward
        Gas stations are always a good way to skim money off stolen credit cards ... criminals will routinely recruit bored/underpaid gas bar attendants to run a few dozen cards for several hundred dollars each, make up the difference with cash out of the till, and split the proceeds by some agreed-upon percentage.

        Several years ago when one of my credit cards was compromised, I saw a whole bunch of bogus charges made at gas stations all over southern California.
    • Re: (Score:3, Informative)

      by Anonymous Coward
      Something like this would work... http://news.bbc.co.uk/1/hi/uk/6642465.stm [bbc.co.uk]
    • by pytheron (443963) on Thursday May 24, 2007 @09:31AM (#19251859) Homepage

      How can a normal fraudster use a credit card number to his personal gain?
      Rent a flat/bedsit somewhere. Get someone to rent it for you for some cash. There's your address. Getting goods is trivial. The hard part is getting people to accept a card without the corroborating data, like chip-and-pin, signature, D.O.B etc etc.
      • by Kadin2048 (468275) *
        The hard part is getting people to accept a card without the corroborating data, like chip-and-pin, signature, D.O.B etc etc.

        Seriously? I've never been asked for anything when using a credit card, besides its expiration date, and occasionally the billing address (what they're interested in is the billing ZIP code, generally). Signature checks are bogus -- in most stores, you could draw a picture of the goatse.cx guy and the clerk wouldn't ever say anything, and of course there's no signature on the Internet
    • Re: (Score:3, Informative)

      Dateline NBC exposed the workings of these frauds a few months back Part 1 [youtube.com].
      • Per the instructions in this article, I tried googling the first eight numbers of my credit card, "4640 1820". As soon as the results showed up on the Google page, Firefox immediately came up with this warning message:

        Security Error: Domain Name Mismatch

        You have attempted to establish a connection with "dspace1.it.ohio-state.edu" However, the security certificate presented belongs to "kb.osu.edu". It is possible, though unlikely that someone may be trying to intercept your communication with this web

    • by Gulik (179693) on Thursday May 24, 2007 @09:32AM (#19251875)
      How can a normal fraudster use a credit card number to his personal gain?
      Does he get goods delivered to his house?


      I recall reading that one guy had a bunch of credit card details, and of course came up against that very problem. His solution was to put up a pile of auctions on eBay for various big-ticket items. When those auctions ended and he got the funds, he used the credit cards to order the items and have them shipped to the winners' homes. By the time the people whose cards were used found out, the only information available was for the folks who won the auctions, and the seller was nowhere to be found.
      • by sammy baby (14909)
        That's a pretty interesting story.

        The irony here is that, in theory, if the fraudster had offered to cut his victims in on the deal, it would have been just a regular old business partnership. (But of course, his take would have been much less.)
        • by AndersOSU (873247)
          If the fraudster had cut the original victims in on the deal he wouldn't have been able to sell things for a loss and turned a profit. The scam works because if you sell a brand new $1200 TV for $800 and aren't liable for the original purchase you make $800 instead of losing $400.
    • by WalterSobchak (193686) * on Thursday May 24, 2007 @09:44AM (#19252051) Homepage Journal
      Yes you can use these numbers to shop in a store. Real easy.

      My bank called me to ask if I was in Istanbul, Turkey, over the weekend. When I said "No", they said: "But your Visa Card was", and they did not seem at all surprised that the physical card was still in my possession.

      They gave me a nice list of events: First the thugs bought something small, then tried something big. As the card was declined, they tried something small again, and then a couple of medium purchases (like $100 a piece).
      All in all, they had racked up about $1000 when the call came, but I did not have to cover any of that, luckily.
      Again, all of these were in-store purchases.

      Alex
      • Re: (Score:2, Insightful)

        I do a lot of online shopping and as a result I have remembered my cc number and associated information. I have had stores take my cc as a number alone without ID. I then asked if that is their standard policy and told them that I could have easily been using a stolen number. They are always surprised at my question but I give them my driver's licence and another piece of ID where they seem satisfied. It may be because I am in Canada and we have the presumption of honesty and innocence but it is not hard to
      • by jimicus (737525)
        It's even worse in the UK where Chip & PIN is supposed to eliminate card fraud.

        Of course it doesn't. Instead, it passes the risk onto the consumer, viz: "Your card was used in conjunction with your PIN, therefore either you did it or you were careless with your PIN. Either way, it's your problem".

        There was a case recently (google for it) where a major UK bank only issued about 3 or 4 different PINs, so if you didn't change the PIN you'd been issued anyone could guess it correctly in 4 tries.
    • by Anonymous Coward on Thursday May 24, 2007 @09:47AM (#19252079)
      The "audit trails" you are describing do nothing to deter serious criminals. I dated a girl that was charged with CC fraud. She simply ordered by online and had the package delivered to a nice house in a nice neighborhood that was for sale, one where the owner had already moved out. You can find dozens or hundreds of such houses in any city by checking the real estate listings. UPS drops the package off on the porch, and the fraudster drops by in the late afternoon to pick up the loot. The neighbors see people coming and going all day (real estate agents and prospective buyers), so one more visitor with a package tucked under the arm is not noteworthy. It doesn't work 100% of the time, but it works pretty damn frequently.

      So as you can see, the fact that you think an "audit trail" prevents such crimes comes down to a lack of imagination on your part, and a very false sense of security. It is exactly that false sense of security and lack of imagination which explains why identity theft is rampant.
    • by plover (150551) * on Thursday May 24, 2007 @10:00AM (#19252339) Homepage Journal
      I'm not sure if you're trolling or not, but it's not too difficult at all for a thief to turn a credit card number into products or cash. There are various laundering procedures that some people go through (Dateline's "To Catch An I.D. Thief" exposed an elaborate one) but the sad reality is that most one-off fraudulent purchases aren't even followed up on by the banks, not until the dollars pile up. (They will be tabulated, of course, and people who try using a dozen stolen cards and have the merchandise shipped to the same address do get picked up.)

      Card data can also be turned into products in most stores. The stolen info can be burned on to an expired card, and the thief anonymously walks out of a store with an HDTV. More clever thieves will go to a store that's out of their norm, one that doesn't see as much fraud -- perhaps a craft store or a furniture store -- and buy a bunch of merchandise, and resell it on the streets or at flea markets. There are sophisticated organized theft rings that will purchase certain kinds of stolen merchandise and pose as legitimate wholesalers that resell it to small merchants.

      The underground economy revolving around stolen merchandise and credit cards is rapidly approaching a hundred billion dollars annually in America alone (last figure I saw a year or two ago put the estimate over 60 billion, not counting the MAFIAA.) It's obviously pretty easy to do, if you think like a criminal.

    • Re: (Score:2, Informative)

      by Grax (529699)
      Ways to personal gain from a CC number

      1. Long distance calling cards
      2. Online delivery of movies, software products, porn, or anything else with instant gratification.
      3. Print Fake Credit Cards with the numbers on them and go shopping (Yes. This is in the hands of the common criminal)

      My wife's card number was stolen and used to purchase hundreds of dollars of items at a mall over 1000 miles from our home. We did get the charges reversed but it took a number of phone calls (even though their fraud depar
    • Re: (Score:3, Interesting)

      by profplump (309017)
      More commonly I've seen that they obtain access to a merchant account and process ~$10 transactions themselves. The hope is that they can use the merchant account for a couple of months before people notice -- a $10 transaction doesn't call much attention unless you really do accounting -- and then when they lose access to their merchant account they move on to another.

      This can be done either by obtaining merchant accounts directly (not as difficult or traceable as you might think) or just convincing the cle
    • Amazon Gift Cards / Paypal.

      I had this happen to me. Someone bought some Amazon gift cards I had on eBay for $50 or so. I sent the codes (which is my own fault for being trusting on the internet). About 2 weeks later I got the paypal "This was bought using a stolen credit card, etc etc".

      I guess this has happened in the past and Amazon has refused to give out the account information it was used on. $50 isn't worth their time, after all they didn't 'lose' anything.

      Take this one step further. Re-sell the Amazon
    • by LighterShadeOfBlack (1011407) on Thursday May 24, 2007 @10:32AM (#19253013) Homepage
      Discarding the ways to make a profit from credit card numbers, how about using police ignorance to screw people over. Only a month or so ago details were revealed about the massive flaws in police operations such as Operation Ore in which thousands of people in the UK were arrested in connection with paedophilic-related charges due to their credit card numbers being used to buy access to porn affiliate networks.

      Now, using the above methods may not allow you to target anyone specifically, but let's not kid ourselves into thinking that there aren't plenty of people who would happily take a whole load of these credit card numbers and use them to implicate complete strangers in this way. Just for the hell of it.

      Money lost on stolen credit cards can be reclaimed. Lives destroyed by false charges cannot.
    • Re: (Score:3, Insightful)

      by d3ac0n (715594)
      Don't forget there are always direct funds transfers, and quick-cash. If you can make a good replica of a CC or bank card, and have the correct info, it's often easy to just use it for quick cash at ATMs. Just wear an appropriate disguise and hunch over a bit to cover your height. With enough cards you can clean up quick.

      Also, I have heard of instances where people will use a stolen CC to setup a fake bank account, and then perform many small wire transfers from other CCs into the fake account until it h
    • by jandrese (485)
      The most common method is to have your goods delivered to a vacant home. It won't work for anything that needs a signature, but that's how people have been abusing credit cards for years. Then you just casually walk by and pick up your package and nobody is the wiser.

      Of course you gotta be quick about it and not use a house too many times or the police might catch on and stake it out--although all they can technically get you on is theft of the one item if you're careful.
    • Re: (Score:3, Interesting)

      by niiler (716140)

      Dateline NBC did a story on this problem this very week and found that with the full cooperation of the credit card companies, it was still quite time consuming to run down the real perps.

      Here's what they did:

      • Got the credit card companies to issue bogus credit cards - with real credit lines of $1000 - for them to sell online.
      • Sold the cards via certain IRC channels and monitored how quickly such funds were spent.
      • Set up a bogus electronics good web site that was advertised via said IRC channels where
    • by ray-auch (454705)

      How can a normal fraudster use a credit card number to his personal gain?
      Does he get goods delivered to his house?


      Buy services. Easier. Buy subscriptions to fake (or real) web sites - small amounts through a billing co., lots of victims won't even notice.

      How does this help the fraudster ?
      Who gets the money ? - Website owner.
      How easy is it to set up a subscription porn website ? Not hard - look at how many there are.
      Fraudster just sets up the website and uses stolen cards to buy subs to it.


      Anything purch
    • by Kijori (897770)
      Have the goods delivered to a house you've previously staked out - one belonging to someone who won't be in when the postman calls. Leave instructions for the goods to be left in a safe place - behind a plant pot or somesuch location. Then go and grab the stuff when the postman's left.
  • by Anonymous Coward on Thursday May 24, 2007 @09:16AM (#19251633)
    +1 for no mailto: links in TFS...
  • Here, I'm going to post some:

    4245 8611 9994 1245
    8847 1210 5566 0625

    Now ... good luck finding the rest of the information you need to use them.
    • Re: (Score:2, Interesting)

      by Sobrique (543255)
      Thing is though, why would those numbers be listed on a web page at all, unless it were for billing? I've seen quite a few examples of poorly protected .htaccess files, which go something like:

      #4455 6677 9933 2233 Mr. A Bravo, 231 Some Road, Some Where, XX4 6YY, CVN 123
      username:3DESPASS

      Clearly it's a result of a disgusting signup form, but ... well, the OP mentions he rang 'em up, so I'd assume the details were a little more complete than just the CCN.

      • by laffer1 (701823)
        Speaking of leaving data in the open, I recall a situation at a former employer. My boss had a CGI script to setup hosting customers at a small ISP. It collected the credit card data, account info, and domain name. The file had 777 permissions and one day a new customer found the file on our linux server. He called up very pissed off. My boss was out which left me to deal with the guy. I agreed that we were idiots and so forth and offered him a refund. I also had my boss change the permissions on the
    • No credit card starts with 88, so that's half as much work right there.
    • by Anne_Nonymous (313852) on Thursday May 24, 2007 @09:54AM (#19252209) Homepage Journal
      >> 4245 8611 9994 1245

      That's amazing. I've got the same combination on my luggage.
    • Re: (Score:3, Informative)

      by antifoidulus (807088)
      Did you read TFA? The author states that often he found other pieces of info besides the card, such as names and telephone numbers(he called some of the owners of cards he found)

      Sheesh, if you are going to be pompous at least be correct
    • The main point is, they're complaining about web wannabe's and such writing custom shopping carts with a Frontpage form saves info to the web.

      I found a nasty case of this a few years ago on an incorporation website that stored SSNs, CCs, Company and Owner Names (along with partner names and SSNs), etc. After I called the guy - he wanted me to fix it for free for him and told me it was my civic duty to fix the problem...
    • by multipartmixed (163409) on Thursday May 24, 2007 @10:39AM (#19253185) Homepage
      First number fails the Luhn checksum.

      Second number isn't a credit card number at all. Maybe a calling card or something (telecom MII).

      Why don't you post your REAL VISA number?
    • by AVee (557523)
      Finding card numbers has always been easy. Just get yourself a job at a shop, you'll get paid to collect creditcard numbers. People are strange, half the day they are running around showing their creditcard number (including all data needed for a transaction!) to a whole bunch of people, the other half of the day they worry about people discovering their creditcard number.

      Please, get a grip and choose between 'I will not use a creditcard' or 'Creditcards are insecure but I'll use 'm anyway'. This has al
  • by Anonymous Coward
    Your presumption that credit card numbers share the first eight digits is flawed. The first six digits of the card reference the referring bank. The next eight digits are the account number. The final two digits are the identifier of the card. If you and your wife both have cards for the same account, yours may end in an 03 while hers ends in a 19.
  • Oy (Score:3, Interesting)

    by Billosaur (927319) * <wgrother AT optonline DOT net> on Thursday May 24, 2007 @09:25AM (#19251763) Journal

    This whole thing should come as no shock. The Internet was not built with security in mind. I don't think anyone imagined the degree to which it would become a method of commerce. Certainly when the first websites were given the ability to accept and process credit cards, the card companies had been dealing with fraud for years, in terms of lost/stolen/duplicated cards. I remember working in a convenience store in the 80's and getting small booklets in the mail from the credit card companies with lists of fraudulent numbers. Like I was going to look them up!

    Credit cards could be made much more secure. It would be expensive, no doubt, as it would require fundamental changes to the system, but compare that to the price of all the fraud currently committed and I'm pretty sure the ROI is pretty good.

  • Because... (Score:5, Insightful)

    by NightWulf (672561) on Thursday May 24, 2007 @09:26AM (#19251769)
    It's easier for the credit card companies to just write it off as some fraud and not actually go out and do anything. Realistically most of their early warning systems probably limit their losses to under $1,000 to each card (i.e. the amount of money that someone can charge and get away with before the company discovers the card has been compromised). So figure if even ten people a day get their cards stolen by this method, that's 300 a month, or $300,000 in costs. They probably feel keeping the staff and the equipment to do this costs more than what they'll lose. That and they can always write off their fraud charges on their taxes as bad debts.

    According to a 2002 report Visa's commissions alone were over $455 million. If that entire $300,000/month fee was all on Visa, the 3.6 million a year is a drop in the bucket to them, less than 1% of their commission. Trust me, if it cost them less to setup the system than the money that's lost, it would be done.
    • Re:Because... (Score:5, Insightful)

      by cyphercell (843398) on Thursday May 24, 2007 @09:50AM (#19252125) Homepage Journal
      Maybe the card companies are still turning a profit, but estimated losses are around 49 billion, that's twice M$'s annual revenue. It's worth going after.
      • Re:Because... (Score:5, Interesting)

        by silas_moeckel (234313) <silas AT dsminc-corp DOT com> on Thursday May 24, 2007 @10:58AM (#19253577) Homepage
        You have to keep in mind CC companies lose nothing in CC fraud; they actually make money. Here is how the charge back process works.

        Person reports the fraud to CC company
        CC company issue charge back notice to merchant gives them time to dispute etc.
        CC company takes the amount of the charge (not what they gave the merchant after fees) + $35 bucks charge back fee from the merchant
        Refunds all or most of the charges to the CC holder, issues a new card etc.
        If they find the merchant the cards got stolen from they fine them and change them to reissue cards, Fines alone can be 500k, and I have heard of 5 figure fines for a handful of stolen cards. They have some good software that correlates stolen cards and what merchants have ever seen the cards.

        So no visa etc does not loose anything they shifted that liability to the merchant for accepting the fraudulent charges.
    • Really?

      We had someone rack up $24K on my wife's card before SHE CAUGHT IT because the card was denied for suddenly being over limit. Our only saving grace with the card company was the fraudster used it to buy lotsa furniture which had not been delivered yet, just billed.

      Otherwise we would have been on the hook. Funny how they don't call you when buying $24K in furniture half way across the country, but will call you if you use it to book a hotel room two states over.
    • by mike2R (721965)

      That and they can always write off their fraud charges on their taxes as bad debts.
      More that they'll just pass them onto the merchants that are unfortunate enough to accept those cards.

      It's really only an issue if the cvv digits are there as well - without those they're really just a group of numbers.

    • Exactly... And I don't think it's still the case, but for quite a long time, MasterCard was actually listed as a *non profit corporation*! As a non-profit, they practically HAD to find large write-offs, to attempt to prove they weren't generating profit. I'm sure fraud losses were a big component of that whole business model for them.
    • Credit card companies don't want people changing credit cards, period.
    • Trust me, if it cost them less to setup the system than the money that's lost, it would be done.

      This is a textbook example of what economists call negative externality [wikipedia.org] or economic loss experienced by third parties to a transaction through no (reasonable) fault of their own, but a loss all the same. The credit card company doesn't care that your card being compromised potentially causes massive disruptions to your life as your credit is dragged through the mud (i.e. you don't get hired or get a car loan
  • by jjeffers (127519) <jj@NOsPam.aprsworld.net> on Thursday May 24, 2007 @09:30AM (#19251845) Homepage
    I am a merchant that deals with internet and in person sales of my products. I'm also a computer engineer and have cursory knowledge of security.

    The credit card companies have no security. They don't care either. It's not them that will foot the bill. As a consumer it is great that you can only get stuck for $50 of fraudulent charges. But as a merchant you lose your merchandise and the fraudulent payment. You can receive authorization from the credit card company saying the transaction is good, but they can and do still take the money away from you.

    I've had about a dozen cases of obviously fraudulent orders. The first few I would call the credit card company, report the suspicious card, etc. They did nothing. On one I found out the real owner of the card, called them, and they hadn't even been contacted by the credit card company. I had all of the details that the police would have needed to get the scammer and the credit card company wouldn't even take that information.

    Now I just delete any order that looks unusual.
    • by The Lurker King (171562) on Thursday May 24, 2007 @09:40AM (#19251995) Homepage
      The credit card companies don't care because they get their money either way.

      If someone places a fraudulent order and the merchant ships the product(s), even if they receive authorization from the credit card company, the credit card company will debit the merchant for the entire order, including the transaction fees.

      Not only did the credit card company not lose any money on the bad transaction, they will also charge the merchant a fee for the fraudulent order. So the merchant is out the cost of the goods that were shipped, plus shipping, plus a fee.

      The credit card company makes money on the fraudulent transaction.
        Same thing happens with counterfeit money. At the end of the day the merchant is held liable for processing funds that are invalid. If it was any other way, then a crooked merchant could literally sit there defrauding the government/credit card co. If you think about it though, it makes a bit of sense: if anything else is stolen from the merchant, do they get it back, just because it's not fair? This kind of thing is what the insurance industry exists for.
          • If it was any other way, then a crooked merchant could literally sit there defrauding the government/credit card co.

          This is only true for unverifiable payment methods, such as cash or credit cards. Note that the CC authorization only covers the issuer's end of things, but does nothing to ensure that the card holder authorizes the transaction.

          A payment system that verified the transaction with both the issuer and the card holder would have to be resistant to merchant tampering.

        • by jrumney (197329) on Thursday May 24, 2007 @12:19PM (#19255059) Homepage
          When the credit card companies have clauses in their contracts expressly forbidding merchants from carrying out their own checks on the identity of the cardholder, is it still fair that fraudulent card use is treated the same as counterfeit money?
    • by LinuxParanoid (64467) on Thursday May 24, 2007 @10:43AM (#19253271) Homepage Journal
      As a merchant, I found myself treading the same path as jjeffers, initially notifying card companies and card owners and now just deleting the orders.

      The card companies have structured the system so that liability rests with the merchants.

      In part, this is smart because merchants will always have the best 'hinkiness' detectors at the point of the transaction. But it also means that the incentives for system-wide changes by the credit card vendors are weak.

      There is certainly room for improvement. I always thought it'd be cool for merchants to band together to share suspicious credit card #s that have hit their system (i.e. ones from merchants' "suspicious/deleted" orders which otherwise the ccard companies never see since we don't even attempt to push them through their systems), and, in return, be able to crosscheck cards entered into their system against the suspicious list. A nice web API to do this wouldn't be too hard, although the API shouldn't itself take or reveal the entire card # either, for security reasons. But it could return spam-assassin-like scores and/or hints for other merchants' manual review ("A telecom merchant in NJ found a card matching 12 of those digits and with the same zip code suspicious 4 hours ago").

          --LP
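One way the shared-list idea above could be built so the service never takes or reveals a full card number. This is an added example, not LinuxParanoid's code or any real merchant API: each merchant hashes the number locally with a keyed hash under a key the consortium shares out of band (an assumption; the thread does not specify one), and the registry only ever sees that token plus coarse hints. The issuer prefix and ZIP stand in for the "matching 12 of those digits" hint in the comment. The card numbers used are the widely published test numbers, not real accounts.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: a key the participating merchants share out of band, so the
# token each of them computes for the same card is identical. Constructed
# example value; nothing in the thread specifies one.
SHARED_KEY = b"example-merchant-consortium-key"


def normalize_pan(pan: str) -> str:
    """Drop spaces and dashes so '4111 1111 1111 1111' and the dashed form agree."""
    return "".join(ch for ch in pan if ch.isdigit())


def card_token(pan: str) -> str:
    """Keyed hash of the full PAN, computed on the merchant's side.

    Only this token crosses the wire, so the shared service never takes
    or stores a card number and cannot hand one back.
    """
    return hmac.new(SHARED_KEY, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def issuer_prefix(pan: str) -> str:
    """First six digits name the issuing bank, not the cardholder; safe to share as a hint."""
    return normalize_pan(pan)[:6]


@dataclass
class Report:
    token: str
    prefix: str
    zip_code: str
    merchant_desc: str   # free text another merchant's reviewer will see
    reported_at: float   # seconds since the epoch


class SuspiciousCardRegistry:
    """In-memory stand-in for the shared service behind the hypothetical API."""

    def __init__(self):
        self._reports = []

    def report(self, token, prefix, zip_code, merchant_desc, now):
        self._reports.append(Report(token, prefix, zip_code, merchant_desc, now))

    def score(self, token, prefix, zip_code, now, window_hours=24.0):
        """Return a SpamAssassin-style score plus hints for manual review."""
        score, hints = 0, []
        for r in self._reports:
            age_h = (now - r.reported_at) / 3600.0
            if age_h < 0:
                continue  # clock skew: ignore reports dated in the future
            if hmac.compare_digest(r.token, token):
                score += 10
                hints.append(f"{r.merchant_desc} flagged this exact card {age_h:.0f} hours ago")
            elif r.prefix == prefix and r.zip_code == zip_code and age_h <= window_hours:
                score += 3
                hints.append(f"{r.merchant_desc} found a card with the same issuer prefix "
                             f"and ZIP suspicious {age_h:.0f} hours ago")
        return score, hints


# Client-side wrappers: hashing happens here, before anything reaches the registry.
def submit_report(registry, pan, zip_code, merchant_desc, now):
    registry.report(card_token(pan), issuer_prefix(pan), zip_code, merchant_desc, now)


def check_card(registry, pan, zip_code, now):
    return registry.score(card_token(pan), issuer_prefix(pan), zip_code, now)


if __name__ == "__main__":
    reg = SuspiciousCardRegistry()
    t0 = 1_000_000.0  # constructed timestamp
    submit_report(reg, "4111 1111 1111 1111", "07102", "telecom merchant in NJ", t0)
    print(check_card(reg, "4111-1111-1111-1111", "07102", t0 + 4 * 3600))
```

The exact-token branch uses a constant-time comparison and scores high; the prefix-plus-ZIP branch only contributes a small score inside a time window, which keeps it a hint for a human rather than an automatic decline. Rotating SHARED_KEY invalidates old tokens, so a real service would version its reports by key.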
    • by rickwood (450707) on Thursday May 24, 2007 @04:41PM (#19259513)
      I worked with the legal department in charge of chargebacks at a major credit-card payment processor for about two weeks. I walked away from the deal when I figured out how evil they are.

      Pretty much all you need to know about it is that the chargeback department is seen as a profit center, and they were proud of the millions in chargeback money they added to the bottom line. Sure, there were a few "bad apples" among the merchants who were frauds and got what they had coming to them. However, the vast majority were Mom and Pops who through no fault of their own wound up on the wrong end of a chargeback.

      For example, Sally Suburb pays for auto repair via her Visa card, and Hubby decides it was too much and disputes the charge. There was nothing wrong with the repair, and the amount was legitimate; he just thought it was too much. In due course it's charged back and now the mechanic has to come up with the full amount plus fees and expenses.

      Looking over the files, I saw chargebacks had put lots of these folks out of business and into bankruptcy. I suppose I'm too much of a sentimentalist, but I couldn't be a part of that. They kept calling for months but I wouldn't even talk to them. Effin' vampires if you ask me. Nowhere in business will you find a more wretched hive of scum and villainy, not even in insurance or banking.
  • Retailers (Score:4, Informative)

    by cyphercell (843398) on Thursday May 24, 2007 @09:33AM (#19251891) Homepage Journal
    This has very little to do with the credit card companies and a lot to do with the merchants that process credit cards. The current standard is PCI-DSS (Payment Card Industry - Data Security Standards), discussed here http://it.slashdot.org/article.pl?sid=07/03/31/064 5227&from=rss [slashdot.org]. My job is working to upgrade software that is not compliant with these standards, so I know the credit card companies are doing something. The problem rests with merchants that are largely clueless about the necessary security precautions that need to be taken when working with computers. They want to be in business, process credit cards, have a website, a network, and they want to pay their nephew $5/hr to set everything up. The bottom line is that having data compromised from your business, when you haven't met these standards, will leave you liable for the loss, possibly incurring fees of up to $500,000 and potentially losing your privilege of processing credit cards permanently. Bottom line is the vast majority of business owners are not adequately computer literate and they are too cheap to pay an expert to deal with their network properly.
    • Yes, but a lot of the numbers look as though they are the result of key loggers, not slipups by the merchants.
  • by rueger (210566) on Thursday May 24, 2007 @09:38AM (#19251959) Homepage
    I'll save you 11,000 characters:

    1) Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form.

    2) You'll find lots of credit card numbers

    3) Profit

    4) Credit Card companies should have employees who Google for credit card numbers and de-activate any card whose number is found in the ' net. Thank you.
    • Credit Card companies should have employees who Google for credit card numbers and de-activate any card whose number is found in the ' net. Thank you.

      Deactivating the cards doesn't eliminate the problem. Those same merchants will be losing credit card numbers again next week, that's why the current deterrent is "if" card numbers are stolen "and" you don't meet these security standards, you may be fined and lose your ability to process credit cards. ie. ruin the dimwit that's posting cc#s on the Internet.

    • Re: (Score:3, Insightful)

      by DerekLyons (302214)

      4) Credit Card companies should have employees who Google for credit card numbers and de-activate any card whose number is found in the ' net.

      Right - and here I am in a city distant from my home (maybe even overseas), and all the sudden I have no credit card. Or, I'm one of those people who charges everything to their card and pays it all in one lump sum at the end of the month - all of the sudden my charges start bouncing. (And I have to spend many hours refilling out forms to send the charges to my new

  • by wowbagger (69688) on Thursday May 24, 2007 @09:40AM (#19251985) Homepage Journal
    Why are credit card numbers so easy to find? Or put another way, why is credit card fraud so easy?

    Because it does not cost the credit card companies.

    When fraud is reported, the credit card company charges back to the merchants. As such, the credit card company is out relatively little money (it is the merchants who get screwed).

    Adding meaningful security to credit cards would cost the credit card companies money. It would also make people less likely to use their cards, costing the credit card companies more money.

    Also, the credit card companies can use fraud to justify higher interest rates, annual fees, and as a marketing gimmick to sell their card over others.

    So, to recap: fraud costs the card companies little, preventing fraud would cost them much.

    Has this helped identify why credit card fraud is so easy?

    Datum: A friend of mine was involved with a large e-commerce site. He detected an on-going fraud ring trying to buy large amounts of goods from the site with stolen cards. He reported it to the card companies - "Here are the cards. Here's where they are trying to send the goods. Do you want to nail these guys?"

    The response: "Thanks, but no, it's not worth our time. Just don't send them anything."

  • by Slashdot Parent (995749) on Thursday May 24, 2007 @09:42AM (#19252023)
    Credit card companies aren't doing anything because credit card companies don't care about fraud. They don't care, because it doesn't cost them any money.

    When someone uses someone else's credit card fraudulently, it's not like the credit card company eats the loss. They just do a chargeback against the merchant who accepted the fraudulent transaction and they have to eat the cost. In fact, the CC company charges the merchant a hefty fee for the privilege of eating the cost.

    Of course, that cost just gets passed on to you, the customer, in the form of higher prices.

    Ain't credit cards grand?
    • They just do a chargeback against the merchant who accepted the fraudulent transaction and they have to eat the cost. In fact, the CC company charges the merchant a hefty fee for the privilege of eating the cost.

      The merchant is the person closest to the person using the card fraudulently, so the burden to discover the fraud and prevent it should rightly fall on their shoulders. Instead, the merchant chooses to be lazy and doesn't even look to see if the card actually belongs to the person handing it to them.
  • by grandpa-geek (981017) on Thursday May 24, 2007 @09:43AM (#19252027)
    ... to the authorities responsible for combating credit card fraud and identity theft. This includes the Secret Service, the Federal Reserve, the relevant committees of both House and Senate, the Federal Trade Commission, the Justice Department, the Attorneys General of the states and DC, and possibly others.
    • by pegr (46683)
      The power of Slashdot!

      I tried this technique and found a local vendor with an Excel file full of CC's and CCVs! I called the contact, and apparently another Slashdot reader beat me to it. I imagine she'll get a hundred calls today...

      Reminds me of the crypto saying, "Anyone who says the brute force method doesn't always work obviously isn't using enough of it."
  • Why do I reuse the same guessable number, in plaintext, that I carry on a plastic card, and share with any number of fly-by-night vendors? Many of whom aren't even in the US, faceless on the Internet? And also with failed actors barely pretending to be waiters while I'm too drunk to remember anything?

    Why doesn't my card give onetime passwords to them, attached to the transaction amount, and also reported directly to my bank for a single, auditable transaction in that amount?

    And why do I use an easily guessa
  • No seriously, it has been established a long time ago that the security of cc #'s rests with the merchant. Ever issue a charge back on your credit card? Guess who gets screwed, no its not the cc company. Merchants can get hurt a lot more by leaks of credit card information. Personally I think it makes sense, what better way to get merchants to act responsibly than to have it cost them when they aren't. What you should do is notify the cc company of the merchant where you found numbers. That merchant will be
    • by vidarh (309115)
      The problem with that is that it ISN'T just the irresponsible merchants that get hurt. It's all merchant, AND their customers. Speaking as someone who handled card payments of $15 million a year at one point in a previous job, I can tell you that once we'd blocked the obvious problems (card transactions from Vietnam using US numbers for a service in Europe - yeah right), the vast majority of chargebacks were caused by seemingly authentic transactions (they had the card number, customers address, expiry date
  • Sorry to burst the bubble, but you're tilting at windmills with this approach.

    The prime security weakness lies with the web service providers, who are failing to adequately secure their backend systems, not the credit card companies. It is the same problem as eating at a restaurant where they are skimming cards in the back room - you just can't be sure that your card has remained safe after every transaction. The logistics of ensuring a brand new card number for each and every transaction for each and eve
    Fraudulent activity is very inconvenient for the customer - who has to get a new card and update the 47 places they have set up automatic billing to their card with. Costly if they don't notice it soon enough as well.

    Fraudulent activity is costly for the business taking the transaction - the CC company does a chargeback and they are not only out the money but also out a fee.

    Fraudulent activity is irrelevant to the CC company - it does generate some revenue via chargeback fees I guess so there is some incent
  • by zerofoo (262795) on Thursday May 24, 2007 @09:56AM (#19252247)
    I've said it before; I've worked in the banking industry, and it is widely known that requiring a PIN number for every transaction would reduce credit card fraud to almost zero. The infrastructure to require a PIN number is already in place, but credit card companies don't want to deal with the hassle, since they do not feel the pinch of the fraudulent charges.

    Why do banks require PIN numbers on ATM and Debit transactions? I'll tell you why - they are directly liable for any funds that leave the bank fraudulently. This is not the case for credit card companies since they can charge-back the vendor and recover their funds.

    -ted
  • If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago.

    First off, this seems very idealistic.

    Second, automatic deactivation of card numbers is not necessarily a good thing. What if someone creates a list of thousands of potential credit card numbers on a website -- do

    I didn't find jack by searching for common numbers on Google. But, by searching Altavista for the first 8 digits of my expired Sears Mastercard, I found links to PDFs of filed bankruptcy claims with loads of personal information.

    Trying a few of the other CC numbers listed in such a PDF found me an absolute treasure trove of numbers, complete with all the info I'd need to make purchases with those cards, including the little "security codes" (which I thought were not even supposed to be recorded).

    Oops.
  • For those of you (like the submitter) that aren't aware:

    1. The banks do not "pay" for fraud. Merchants who have the fraudulent transactions pay for fraud. Therefore, the cost of fraud is assumed by all consumers in the form of higher prices. In fact, the banks profit from fraudulent transactions by charging the merchant penalties.

    2. There is a well implemented and secure banking standard that is in many places in the world. Except no bank in the U.S. wants to implement it because of the costs the bank h
  • by alen (225700) on Thursday May 24, 2007 @10:29AM (#19252927)
    back around 7 years ago someone started googling for .htm to find any internet exposed terminal server websites and to see which ones weren't protected. easy way to root a box.

    this is basically the same thing
  • The author is right, the merchants with poor security for their customers are to blame, but it's unfair to say that the credit card companies are the only ones in an easy position to fix the problem. I would think the likes of Google, Yahoo, and the other search engines could easily modify their crawlers to locate this kind of security issue. HECK, if Google refused to list *any* content from sites where their crawler picks up a customer's "private" information, these merchants would get in line real quic
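The crawler-side check the comment above imagines is the same thing a merchant can run against its own pages, exports and logs before a search engine indexes them. The following is an added example, not code from the thread or from any search engine: it pulls out digit runs of card-number length, drops the ones that fail the Luhn checksum (order IDs, timestamps and phone numbers fall out here), and reports only a masked form so the scan output itself is not another leak. The sample text is constructed, and the card numbers in it are the widely published test numbers, not real accounts.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check; every card brand's numbers satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Coarse brand from the leading digits (enough for a report, not for routing)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


def mask(digits: str) -> str:
    """Keep first six and last four; the middle is what identifies the account."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_leaks(text: str):
    """Scan text line by line; return masked findings with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "brand": brand_of(digits), "masked": mask(digits)})
    return findings


# Constructed sample: an HTML table cell, a log line with a 16-digit order id,
# a CSV export, a phone number and a 15-digit card. Only three lines should hit.
SAMPLE = """\
<td>Jane Sample</td><td>4111 1111 1111 1111</td><td>12/09</td>
2007-05-24 09:26:11 order=1234567890123456 status=shipped
name,card,zip
Bob Sample,5555-5555-5555-4444,07102
phone: +1 (555) 012-3456
amex on file: 378282246310005
"""

if __name__ == "__main__":
    for f in find_pan_leaks(SAMPLE):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
```

The Luhn filter is what makes the scan usable on real logs: a 16-digit order number matches the regex but fails the checksum, so it is not reported, while the dashed CSV value and the 15-digit Amex format are. Run it over an exported directory or a web root in the same way, reading each file into `find_pan_leaks`.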
  • My family never uses them.
    They are prone to theft (like the described article) and cost more than plain cash purchases. Most people who insist on
    using such a card have money to waste and need a convenient way to waste it.
    • Or they purchase stuff online.

      Using cash for online transactions is somewhat tricky. And, since you can often get things for less online than you can via bricks-n-mortar, it is often a money saver.

      Unless you're arguing that all the things you can buy online are unnecessary expenditures - but, while I admit "necessary" may be too strong a word in the "need this to survive" sense, I rather enjoy living a life where I have books and a computer.

      I'm also unfamiliar with any modern store that actually charges mor
  • A compromised card which is revoked but not used by an attacker COSTS money! Big money.

    It's only if a compromised card is USED by an attacker that there is a problem. But since cards get stolen as well, they have heavy misuse detection to catch this, and if they let a few slip through, they aren't the ones holding the bill anyway, as it usually ends up being charged back to the merchant who accepted the bogus card.
  • 1.Make merchants liable for credit card number theft if it can be shown that the merchant had a hand in it (for example, a merchant who was skimming card numbers on the side would be liable for the theft in both $ terms and loss of merchant account. Same with merchants who don't keep credit card numbers safe and allow them to appear on public website).
    2.Make the BANKS, not the merchants liable for credit card fraud (in the same way as they are liable if someone steals your ATM card and PIN and uses it to wi
  • Every day, you hear stories in the news about how people's "lives were ruined' when someone got hold of their credit card information or SS numbers and bought stuff. Is it really that much of a problem? Why go to all the trouble to protect this information?

    The reason I'm suspicious about this is because there's now a huge market for "identity theft protection" solutions. Aren't they just stirring up foam to get people panicked about losing money?

    Anyone who doesn't pay attention to their credit card statemen
  • Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of credit card numbers in my random test, turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app.

    The first 6 digits ID the issuer. They are common because you were looking for
