Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.sys.mac.system > #23636 > unrolled thread

Has your credit card number been compromised?

Started byMichelle Steiner <michelle@michelle.org>
First post2012-04-11 08:28 -0700
Last post2012-04-15 17:24 +0000
Articles 20 on this page of 119 — 29 participants

Back to article view | Back to comp.sys.mac.system


Contents

  Has your credit card number been compromised? Michelle Steiner <michelle@michelle.org> - 2012-04-11 08:28 -0700
    Re: Has your credit card number been compromised? Fred Moore <fmoore@gcfn.org> - 2012-04-11 14:34 -0400
    Re: Has your credit card number been compromised? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2012-04-11 17:08 -0400
      Re: Has your credit card number been compromised? Michelle Steiner <michelle@michelle.org> - 2012-04-11 15:20 -0700
        Re: Has your credit card number been compromised? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2012-04-11 20:04 -0400
          Re: Has your credit card number been compromised? Michelle Steiner <michelle@michelle.org> - 2012-04-11 17:26 -0700
        Re: Has your credit card number been compromised? "Geoffrey S. Mendelson" <gsm@mendelson.com> - 2012-04-12 07:14 +0000
      Re: Has your credit card number been compromised? John McWilliams <jpmcw@comcast.net> - 2012-04-11 15:24 -0700
    Re: Has your credit card number been compromised? Davoud <star@sky.net> - 2012-04-11 20:53 -0400
      Re: Has your credit card number been compromised? "Thomas R. Kettler" <tkettler@blownfuse.net> - 2012-04-11 22:43 -0400
        Re: Has your credit card number been compromised? Davoud <star@sky.net> - 2012-04-11 23:17 -0400
          Re: Has your credit card number been compromised? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2012-04-11 23:24 -0400
            Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-12 14:22 -0400
              Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-12 17:28 -0400
                Re: Has your credit card number been compromised? dorayme <dorayme@optusnet.com.au> - 2012-04-13 07:43 +1000
                  Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-12 19:27 -0400
                    Re: Has your credit card number been compromised? dorayme <dorayme@optusnet.com.au> - 2012-04-13 10:20 +1000
                Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-12 19:23 -0400
                  Re: Has your credit card number been compromised? Davoud <star@sky.net> - 2012-04-12 21:25 -0400
                    Re: Has your credit card number been compromised? Kurt Ullman <kurtullman@yahoo.com> - 2012-04-13 04:30 -0400
                    Re: Has your credit card number been compromised? "John Varela" <newlamps@verizon.net> - 2012-04-14 00:05 +0000
                      Re: Has your credit card number been compromised? News <News@Group.Posts> - 2012-04-14 10:08 -0400
                        Re: Has your credit card number been compromised? "John Varela" <newlamps@verizon.net> - 2012-04-15 19:43 +0000
              Re: Has your credit card number been compromised? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2012-04-12 17:30 -0400
                Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-12 19:24 -0400
                Re: Has your credit card number been compromised? Wayne Marsh <waynegmarsh@mac.com> - 2012-04-22 13:17 -0500
                  Re: Has your credit card number been compromised? Chris Blunt <mail@nospam.com> - 2012-04-23 10:16 +0800
                    Re: Has your credit card number been compromised? *Hemidactylus* <ecphoric@hotmail.com> - 2012-04-22 22:52 -0400
                      Re: Has your credit card number been compromised? George Kerby <ghost_topper@hotmail.com> - 2012-04-23 08:25 -0500
                        Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-23 07:29 -0700
                    Re: Has your credit card number been compromised? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2012-04-23 00:19 -0400
                      Re: Has your credit card number been compromised? Davoud <star@sky.net> - 2012-04-23 09:08 -0400
                        Re: Has your credit card number been compromised? George Kerby <ghost_topper@hotmail.com> - 2012-04-23 08:30 -0500
                      Re: Has your credit card number been compromised? George Kerby <ghost_topper@hotmail.com> - 2012-04-23 08:28 -0500
                    Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-23 18:36 +1200
                      Re: Has your credit card number been compromised? Warren Oates <warren.oates@gmail.com> - 2012-04-23 07:57 -0400
                        Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 09:13 +1200
                          Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-23 14:33 -0700
                        Re: Has your credit card number been compromised? Chris Blunt <mail@nospam.com> - 2012-04-24 10:26 +0800
                          Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-23 20:03 -0700
                            Re: Has your credit card number been compromised? DevilsPGD <boogabooga@crazyhat.net> - 2012-04-23 21:25 -0600
                              Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 16:21 +1200
                                Re: Has your credit card number been compromised? DevilsPGD <boogabooga@crazyhat.net> - 2012-04-23 22:50 -0600
                                  Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 18:19 +1200
                            Re: Has your credit card number been compromised? Warren Oates <warren.oates@gmail.com> - 2012-04-24 07:25 -0400
                              Re: Has your credit card number been compromised? Paul Sture <paul@sture.ch> - 2012-04-24 14:07 +0200
                                Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-26 19:02 -0400
                                  Re: Has your credit card number been compromised? "Geoffrey S. Mendelson" <gsm@mendelson.com> - 2012-04-27 06:44 +0000
                                    Re: Has your credit card number been compromised? Paul Sture <paul@sture.ch> - 2012-04-27 14:15 +0200
                                      Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-27 21:55 -0400
                                        Re: Has your credit card number been compromised? Paul Sture <paul@sture.ch> - 2012-04-28 12:44 +0200
                                    Re: Has your credit card number been compromised? Warren Oates <warren.oates@gmail.com> - 2012-04-27 08:56 -0400
                                      Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-27 21:58 -0400
                                        Re: Has your credit card number been compromised? russotto@grace.speakeasy.net (Matthew Russotto) - 2012-05-08 03:27 +0000
                                    Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-27 16:44 -0400
                                    Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-27 21:52 -0400
                                      Re: Has your credit card number been compromised? Paul Sture <paul@sture.ch> - 2012-04-28 12:51 +0200
                                        Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-29 10:02 +1200
                                          Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-28 18:24 -0400
                                      Re: Has your credit card number been compromised? Warren Oates <warren.oates@gmail.com> - 2012-04-28 07:35 -0400
                                        Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-28 10:55 -0400
                                        Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-28 13:28 -0400
                                      Re: Has your credit card number been compromised? "Geoffrey S. Mendelson" <gsm@mendelson.com> - 2012-04-28 17:49 +0000
                                        Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-28 14:22 -0400
                                          Re: Has your credit card number been compromised? "Geoffrey S. Mendelson" <gsm@mendelson.com> - 2012-04-28 18:29 +0000
                                            Re: Has your credit card number been compromised? "Geoffrey S. Mendelson" <gsm@mendelson.com> - 2012-04-28 18:44 +0000
                                              Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-28 14:46 -0400
                                          Re: Has your credit card number been compromised? Paul Sture <paul@sture.ch> - 2012-04-28 22:37 +0200
                                            Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-29 10:04 +1200
                                            Re: Has your credit card number been compromised? Michelle Steiner <michelle@michelle.org> - 2012-04-28 15:35 -0700
                          Re: Has your credit card number been compromised? TaliesinSoft <taliesinsoft@me.com> - 2012-04-23 22:12 -0500
                          Re: Has your credit card number been compromised? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2012-04-23 23:42 -0400
                            Re: Has your credit card number been compromised? Warren Oates <warren.oates@gmail.com> - 2012-04-24 07:29 -0400
                              Re: Has your credit card number been compromised? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2012-04-24 18:30 -0400
                            Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-25 17:33 -0400
                      Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-23 07:28 -0700
                        Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 09:17 +1200
                          Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-23 14:37 -0700
                            Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 13:33 +1200
                              Re: Has your credit card number been compromised? JF Mezei <jfmezei.spamnot@vaxination.ca> - 2012-04-23 23:28 -0400
                                Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-23 20:37 -0700
                                Re: Has your credit card number been compromised? DevilsPGD <boogabooga@crazyhat.net> - 2012-04-23 22:50 -0600
                                  Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 18:21 +1200
                                    Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-24 00:07 -0700
                                Re: Has your credit card number been compromised? Paul Sture <paul@sture.ch> - 2012-04-24 10:53 +0200
                      Re: Has your credit card number been compromised? Patty Winter <patty1@wintertime.com> - 2012-04-23 16:30 +0000
                        Re: Has your credit card number been compromised? Warren Oates <warren.oates@gmail.com> - 2012-04-23 13:09 -0400
                          Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-23 11:03 -0700
                          Re: Has your credit card number been compromised? Patty Winter <patty1@wintertime.com> - 2012-04-23 21:06 +0000
                      Re: Has your credit card number been compromised? DevilsPGD <boogabooga@crazyhat.net> - 2012-04-23 20:28 -0600
                        Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 16:16 +1200
                          Re: Has your credit card number been compromised? DevilsPGD <boogabooga@crazyhat.net> - 2012-04-23 22:50 -0600
                            Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 18:27 +1200
                              Re: Has your credit card number been compromised? Barry Margolin <barmar@alum.mit.edu> - 2012-04-24 02:35 -0400
                                Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-24 19:21 +1200
                      Re: Has your credit card number been compromised? Paul Sture <paul@sture.ch> - 2012-04-24 10:37 +0200
          Re: Has your credit card number been compromised? Kurt Ullman <kurtullman@yahoo.com> - 2012-04-12 08:30 -0400
            Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-12 14:33 -0400
              Re: Has your credit card number been compromised? Zaidy036 <Zaidy036@isp.spam> - 2012-04-12 23:02 -0400
                Re: Has your credit card number been compromised? HelpfulHarry@BusyWorking.com (Helpful Harry) - 2012-04-13 18:19 +1200
                Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-13 15:41 -0400
            Re: Has your credit card number been compromised? Tim McNamara <timmcn@bitstream.net> - 2012-04-12 14:17 -0500
              Re: Has your credit card number been compromised? Kurt Ullman <kurtullman@yahoo.com> - 2012-04-12 15:59 -0400
                Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-12 19:25 -0400
                Re: Has your credit card number been compromised? Tim McNamara <timmcn@bitstream.net> - 2012-04-14 01:18 -0500
            Re: Has your credit card number been compromised? me@home.spamsucks.ca (Király) - 2012-04-14 00:14 +0000
              Re: Has your credit card number been compromised? Chris Blunt <mail@nospam.com> - 2012-04-14 11:38 +0800
                Re: Has your credit card number been compromised? me@home.spamsucks.ca (Király) - 2012-04-14 16:13 +0000
                  Re: Has your credit card number been compromised? Chris Blunt <mail@nospam.com> - 2012-04-16 15:32 +0800
          Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-13 19:00 -0400
            Re: Has your credit card number been compromised? News <News@Group.Posts> - 2012-04-14 10:09 -0400
        Re: Has your credit card number been compromised? Wes Groleau <Groleau+news@FreeShell.org> - 2012-04-12 00:13 -0400
        Re: Has your credit card number been compromised? Alan Browne <alan.browne@FreelunchVideotron.ca> - 2012-04-12 14:20 -0400
      Re: Has your credit card number been compromised? "Geoffrey S. Mendelson" <gsm@mendelson.com> - 2012-04-12 07:19 +0000
        Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-12 06:12 -0400
          Re: Has your credit card number been compromised? "Geoffrey S. Mendelson" <gsm@mendelson.com> - 2012-04-12 11:04 +0000
            Re: Has your credit card number been compromised? nospam <nospam@nospam.invalid> - 2012-04-12 09:19 -0400
            Re: Has your credit card number been compromised? Paul Sture <paul@sture.ch> - 2012-04-15 18:31 +0200
              Re: Has your credit card number been compromised? "Geoffrey S. Mendelson" <gsm@mendelson.com> - 2012-04-15 17:24 +0000

Page 5 of 6 — ← Prev page 1 2 3 4 [5] 6  Next page →


#24299

Fromnospam <nospam@nospam.invalid>
Date2012-04-23 20:37 -0700
Message-ID<230420122037160708%nospam@nospam.invalid>
In reply to#24297
In article <4f961dd5$0$1257$c3e8da3$f017e9df@news.astraweb.com>, JF
Mezei <jfmezei.spamnot@vaxination.ca> wrote:

> NFC has greater odds of success for public transit (instead of current
> RFID cards).

coming soon:
<http://www.theverge.com/2012/4/23/2968565/mbta-masabi-mobile-rail-ticke
ting-system>

[toc] | [prev] | [next] | [standalone]


#24306

FromDevilsPGD <boogabooga@crazyhat.net>
Date2012-04-23 22:50 -0600
Message-ID<7bbcp7l1ijhrhmad0mpbe3gcj2u2tt1maf@4ax.com>
In reply to#24297
In the last episode of
<4f961dd5$0$1257$c3e8da3$f017e9df@news.astraweb.com>, JF Mezei
<jfmezei.spamnot@vaxination.ca> said:

>With more and more purchases (and fraud) happening on the internet,
>changing physical card technology may not do much.  The NFC trials are
>neat concepts but I doubt they will really take hold. Imagine the
>hassles of switching phones.

What hassle? You already have to do a reasonable amount of configuration
on any modern smartphone to transfer your data, activating NFC is just
one more thing.

A bigger question is why existing technologies like Bluetooth aren't
being used. The pairing process can be simplified with an application
(or OS support) that allows a capable device and POS system to identify
each other.

The POS system would display a QR Code and/or a transaction ID (6 digit
number would be sufficient) to kick off the process, the user would
confirm the transaction on their phone based on software-configurable
rules, using BT to complete the connection.

By using both the phone's camera and Bluetooth you can ensure that the
user is aware (so drive-by attacks aren't possible, nor could
compromised software on the phone approve transactions without any user
action at all). Similarly, by using Bluetooth to allow two-way data
flow, a challenge/response interchange can avoid allowing replay attacks
(so even if an attacker observes the entire session or controls the POS
system, you still don't collect enough information to fake a
transaction), nor do you need the device to have real-time internet
access.

-- 
This signature was randomly selected

[toc] | [prev] | [next] | [standalone]


#24309

FromHelpfulHarry@BusyWorking.com (Helpful Harry)
Date2012-04-24 18:21 +1200
Message-ID<HelpfulHarry-2404121821370001@203-118-187-98.dsl.dyn.ihug.co.nz>
In reply to#24306
In article <7bbcp7l1ijhrhmad0mpbe3gcj2u2tt1maf@4ax.com>, DevilsPGD
<boogabooga@crazyhat.net> wrote:
> In the last episode of
> <4f961dd5$0$1257$c3e8da3$f017e9df@news.astraweb.com>, JF Mezei
> <jfmezei.spamnot@vaxination.ca> said:
> > 
> >With more and more purchases (and fraud) happening on the internet,
> >changing physical card technology may not do much.  The NFC trials are
> >neat concepts but I doubt they will really take hold. Imagine the
> >hassles of switching phones.
> 
> What hassle? You already have to do a reasonable amount of configuration
> on any modern smartphone to transfer your data, activating NFC is just
> one more thing.
> 
> A bigger question is why existing technologies like Bluetooth aren't
> being used. The pairing process can be simplified with an application
> (or OS support) that allows a capable device and POS system to identify
> each other.
> 
> The POS system would display a QR Code and/or a transaction ID (6 digit
> number would be sufficient) to kick off the process, the user would
> confirm the transaction on their phone based on software-configurable
> rules, using BT to complete the connection.
> 
> By using both the phone's camera and Bluetooth you can ensure that the
> user is aware (so drive-by attacks aren't possible, nor could
> compromised software on the phone approve transactions without any user
> action at all). Similarly, by using Bluetooth to allow two-way data
> flow, a challenge/response interchange can avoid allowing replay attacks
> (so even if an attacker observes the entire session or controls the POS
> system, you still don't collect enough information to fake a
> transaction), nor do you need the device to have real-time internet
> access.

I haven't looked into how it works, but there was a TV advert earlier
today where people could "bump" their phones to transfer money and I think
one was using an iPhone.

Helpful Harry  :o)

[toc] | [prev] | [next] | [standalone]


#24314

Fromnospam <nospam@nospam.invalid>
Date2012-04-24 00:07 -0700
Message-ID<240420120007126698%nospam@nospam.invalid>
In reply to#24309
In article
<HelpfulHarry-2404121821370001@203-118-187-98.dsl.dyn.ihug.co.nz>,
Helpful Harry <HelpfulHarry@BusyWorking.com> wrote:

> I haven't looked into how it works, but there was a TV advert earlier
> today where people could "bump" their phones to transfer money and I think
> one was using an iPhone.

<http://news.cnet.com/8301-13772_3-57406137-52/with-bump-pay-sending-mon
ey-is-easier-than-ever/>

[toc] | [prev] | [next] | [standalone]


#24388

FromPaul Sture <paul@sture.ch>
Date2012-04-24 10:53 +0200
Message-ID<n86i69-ldk.ln1@news.sture.ch>
In reply to#24297
On Mon, 23 Apr 2012 23:28:20 -0400, JF Mezei wrote:

> When you look at EFTPOS systems, they are very national in nature with
> ATM cards usable for purchases only in the country of origin. So a
> canadian can't use his ATM card to make purchases at an australian store
> despite each country having its own national EFTPOS system where all
> national banks participate.

Europe has the Maestro network which is convenient for those of us who 
can regularly nip across a border to do some shopping.

-- 
Paul Sture

[toc] | [prev] | [next] | [standalone]


#24260

FromPatty Winter <patty1@wintertime.com>
Date2012-04-23 16:30 +0000
Message-ID<4f9583b4$0$16164$742ec2ed@news.sonic.net>
In reply to#24241
In article <HelpfulHarry-2304121836160001@203-118-187-222.dsl.dyn.ihug.co.nz>,
Helpful Harry <HelpfulHarry@BusyWorking.com> wrote:
>
>> On Sun, 22 Apr 2012 13:17:37 -0500, Wayne Marsh <waynegmarsh@mac.com>
>> wrote:
>> 
>> >Now I scratch out the 3-digit "validation code" on the back of my cards. 
>> >I suppose the thieves can still get all the info they need if they have 
>> >a scanner, but it'll stop anyone who just writes down the numbers off 
>> >the card and tries to make an Internet purchase. 
>
>That's good if someone steals the card or maybe for places like a
>restaurant that takes the card away to process, but you sometimes have to
>tell the "security code" to people when ordering stuff via phone or
>Internet form ... so that person can simply write down your "security
>code" and details anyway.

The security code isn't designed to protect your account in that
situation. It's for stopping people who get hold of your account 
number but not the actual card. The latter used to be easier when
receipts included full CC numbers; now they just have the last few
digits. Monthly statements still have the full numbers and could
potentially be stolen, but I suspect that most CC# theft these days
is done electronically rather than physically. And once a few years
ago when a spurious purchased turned up on one of my CC accounts,
the CSR told me that it didn't mean that anyone had actually gotten
the number somewhere; they could just be trying random numbers to
see which ones worked. They would have "ordered" something from a
front operation that wouldn't require the security code to process
the purchase.


Patty

[toc] | [prev] | [next] | [standalone]


#24262

FromWarren Oates <warren.oates@gmail.com>
Date2012-04-23 13:09 -0400
Message-ID<4f958ccf$0$1754$c3e8da3$92d0a893@news.astraweb.com>
In reply to#24260
In article <4f9583b4$0$16164$742ec2ed@news.sonic.net>,
 Patty Winter <patty1@wintertime.com> wrote:

> they could just be trying random numbers to
> see which ones worked. 

Generating "valid" credit card numbers is fairly trivial (ones where the 
numbers generate the right checksum for the specific company, or however 
it's done now. I recall that it was one of the examples in an old 
assembly language book I had). 

I can see how The Bad Guys could generate a whole bunch of them and just 
try them out. They also have to guess at an expiry date, though.
-- 

... do not cover a warm kettle or your stock may sour. -- Julia Child

[toc] | [prev] | [next] | [standalone]


#24265

Fromnospam <nospam@nospam.invalid>
Date2012-04-23 11:03 -0700
Message-ID<230420121103536560%nospam@nospam.invalid>
In reply to#24262
In article <4f958ccf$0$1754$c3e8da3$92d0a893@news.astraweb.com>, Warren
Oates <warren.oates@gmail.com> wrote:

> Generating "valid" credit card numbers is fairly trivial (ones where the 
> numbers generate the right checksum for the specific company, or however 
> it's done now. I recall that it was one of the examples in an old 
> assembly language book I had). 

it's shockingly simple.

> I can see how The Bad Guys could generate a whole bunch of them and just 
> try them out. They also have to guess at an expiry date, though.

not just bad guys. you can too:
<http://www.gliderspen.net/cgi-bin/ccard.cgi>
<http://www.darkcoding.net/credit-card-numbers/>

[toc] | [prev] | [next] | [standalone]


#24275

FromPatty Winter <patty1@wintertime.com>
Date2012-04-23 21:06 +0000
Message-ID<4f95c46d$0$16133$742ec2ed@news.sonic.net>
In reply to#24262
In article <4f958ccf$0$1754$c3e8da3$92d0a893@news.astraweb.com>,
Warren Oates  <warren.oates@gmail.com> wrote:
>
>Generating "valid" credit card numbers is fairly trivial (ones where the 
>numbers generate the right checksum for the specific company, or however 
>it's done now. I recall that it was one of the examples in an old 
>assembly language book I had). 
>
>I can see how The Bad Guys could generate a whole bunch of them and just 
>try them out. They also have to guess at an expiry date, though.

Don't most credit cards have about a two-year renewal? So they'd probably
only have to try about 24 expiry dates per CC number.


Patty

[toc] | [prev] | [next] | [standalone]


#24292

FromDevilsPGD <boogabooga@crazyhat.net>
Date2012-04-23 20:28 -0600
Message-ID<j53cp7hv3jnq1jhg6sm0fsbte9uo0j27uc@4ax.com>
In reply to#24241
In the last episode of
<HelpfulHarry-2304121836160001@203-118-187-222.dsl.dyn.ihug.co.nz>,
HelpfulHarry@BusyWorking.com (Helpful Harry) said:

>The whole idea of it being a "security code", and yet printed on the back
>and has to be given out to people always sruck me as incredibly stupid and
>virtually useless as any form of "security".

You're missing the point. The key is that this number can't be captured
by swiping the card, so hacked readers or compromised POS equipment
can't capture this code.

It's also prohibited to retain the CVV2 code, although it certainly does
happen.

The magnetic stripe has some extra checksum digits/codes too that aren't
printed on the card for the same reason (namely, that an electronic
transaction no longer provides enough information to reproduce the card)

Is it perfect? No, of course not. But it's better than not
having/verifying it at all.

-- 
This signature was randomly selected

[toc] | [prev] | [next] | [standalone]


#24301

FromHelpfulHarry@BusyWorking.com (Helpful Harry)
Date2012-04-24 16:16 +1200
Message-ID<HelpfulHarry-2404121616430001@203-118-187-202.dsl.dyn.ihug.co.nz>
In reply to#24292
In article <j53cp7hv3jnq1jhg6sm0fsbte9uo0j27uc@4ax.com>, DevilsPGD
<boogabooga@crazyhat.net> wrote:
> In the last episode of
> <HelpfulHarry-2304121836160001@203-118-187-222.dsl.dyn.ihug.co.nz>,
> HelpfulHarry@BusyWorking.com (Helpful Harry) said:
> 
> >The whole idea of it being a "security code", and yet printed on the back
> >and has to be given out to people always sruck me as incredibly stupid and
> >virtually useless as any form of "security".
> 
> You're missing the point. The key is that this number can't be captured
> by swiping the card, so hacked readers or compromised POS equipment
> can't capture this code.
> 
> It's also prohibited to retain the CVV2 code, although it certainly does
> happen.
> 
> The magnetic stripe has some extra checksum digits/codes too that aren't
> printed on the card for the same reason (namely, that an electronic
> transaction no longer provides enough information to reproduce the card)
> 
> Is it perfect? No, of course not. But it's better than not
> having/verifying it at all.

But for phone or Internet orders you're not using the magnetic strip. When
you make such an order you are sometimes asked for the "security code", so
all it takes is for the person on the other end to write it down along
with the other details, and then it can be used by someone else for phone
/ Internet orders ... meaning it's worthless as any form of "security"
measure. The fact that retaining the code may be illgeal isn't going to
make the slightest difference to a criminal.

Of course, even if they don't ask for that code, simply having the card
number, name and expiry date is enough for a criminal to start making
phone / Internet orders at many places.

Helpful Harry  :o)

[toc] | [prev] | [next] | [standalone]


#24307

FromDevilsPGD <boogabooga@crazyhat.net>
Date2012-04-23 22:50 -0600
Message-ID<3sbcp7h3scfag6r2mped14fd8fui3b8i5a@4ax.com>
In reply to#24301
In the last episode of
<HelpfulHarry-2404121616430001@203-118-187-202.dsl.dyn.ihug.co.nz>,
HelpfulHarry@BusyWorking.com (Helpful Harry) said:

>But for phone or Internet orders you're not using the magnetic strip. When
>you make such an order you are sometimes asked for the "security code", so
>all it takes is for the person on the other end to write it down along
>with the other details, and then it can be used by someone else for phone
>/ Internet orders ... meaning it's worthless as any form of "security"
>measure. The fact that retaining the code may be illgeal isn't going to
>make the slightest difference to a criminal.

Right -- It doesn't solve *that* problem. It's not supposed to. Just
because a specific security feature doesn't solve every security problem
doesn't make it useless. There's little you can do to prevent a
malicious merchant from gaining enough information to complete other
online orders.

The CVV2 code prevents a compromised magnetic stripe card reader from
providing enough information to complete online orders. It does that.

By requiring merchants not store it, you can help ensure that in the
event a merchant's database is compromised, the attacker still doesn't
have enough information to complete transactions.

That's it. It's not designed or intended to prevent a malicious merchant
(or anyone with physical access to the card) from being able to use the
card. It's a layer of security, and a moderately effective one when it
comes to that specific threats it's design to prevent.

Short of adding replay-attack prevention (something possible on the chip
based cards that most of the modern world are using), you simply can't
block a malicious merchant. That's okay though, because pattern
recognition systems employed by the payment processors can help to
identify a trend of compromised cards being used at specific merchants.

-- 
This signature was randomly selected

[toc] | [prev] | [next] | [standalone]


#24310

FromHelpfulHarry@BusyWorking.com (Helpful Harry)
Date2012-04-24 18:27 +1200
Message-ID<HelpfulHarry-2404121827040001@203-118-187-98.dsl.dyn.ihug.co.nz>
In reply to#24307
In article <3sbcp7h3scfag6r2mped14fd8fui3b8i5a@4ax.com>, DevilsPGD
<boogabooga@crazyhat.net> wrote:
> In the last episode of
> <HelpfulHarry-2404121616430001@203-118-187-202.dsl.dyn.ihug.co.nz>,
> HelpfulHarry@BusyWorking.com (Helpful Harry) said:
> >
> >But for phone or Internet orders you're not using the magnetic strip. When
> >you make such an order you are sometimes asked for the "security code", so
> >all it takes is for the person on the other end to write it down along
> >with the other details, and then it can be used by someone else for phone
> >/ Internet orders ... meaning it's worthless as any form of "security"
> >measure. The fact that retaining the code may be illgeal isn't going to
> >make the slightest difference to a criminal.
> 
> Right -- It doesn't solve *that* problem. It's not supposed to. Just
> because a specific security feature doesn't solve every security problem
> doesn't make it useless. There's little you can do to prevent a
> malicious merchant from gaining enough information to complete other
> online orders.
> 
> The CVV2 code prevents a compromised magnetic stripe card reader from
> providing enough information to complete online orders. It does that.

Not really - many Internet / phone purchases don't even ask for the extra
code anyway. Personally I haven't run across that many which actually do
ask for it. There was a legitimate, long established Internet mail-order
company in Australia that only a couple of years ago asked for the front
and back of the credit card be faxed to them to confirm online orders (it
was stated as so in their terms and conditions).

Helpful Harry  :o)

[toc] | [prev] | [next] | [standalone]


#24311

FromBarry Margolin <barmar@alum.mit.edu>
Date2012-04-24 02:35 -0400
Message-ID<barmar-EB4E86.02350124042012@news.eternal-september.org>
In reply to#24310
In article 
<HelpfulHarry-2404121827040001@203-118-187-98.dsl.dyn.ihug.co.nz>,
 HelpfulHarry@BusyWorking.com (Helpful Harry) wrote:

> In article <3sbcp7h3scfag6r2mped14fd8fui3b8i5a@4ax.com>, DevilsPGD
> <boogabooga@crazyhat.net> wrote:
> > The CVV2 code prevents a compromised magnetic stripe card reader from
> > providing enough information to complete online orders. It does that.
> 
> Not really - many Internet / phone purchases don't even ask for the extra
> code anyway. Personally I haven't run across that many which actually do
> ask for it.

I think 50-75% of the Internet retailers I've used ask for it.

-- 
Barry Margolin
Arlington, MA

[toc] | [prev] | [next] | [standalone]


#24315

FromHelpfulHarry@BusyWorking.com (Helpful Harry)
Date2012-04-24 19:21 +1200
Message-ID<HelpfulHarry-2404121921440001@203-118-187-98.dsl.dyn.ihug.co.nz>
In reply to#24311
In article <barmar-EB4E86.02350124042012@news.eternal-september.org>,
Barry Margolin <barmar@alum.mit.edu> wrote:
> In article 
> <HelpfulHarry-2404121827040001@203-118-187-98.dsl.dyn.ihug.co.nz>,
>  HelpfulHarry@BusyWorking.com (Helpful Harry) wrote:
> > 
> > In article <3sbcp7h3scfag6r2mped14fd8fui3b8i5a@4ax.com>, DevilsPGD
> > <boogabooga@crazyhat.net> wrote:
> > > The CVV2 code prevents a compromised magnetic stripe card reader from
> > > providing enough information to complete online orders. It does that.
> > 
> > Not really - many Internet / phone purchases don't even ask for the extra
> > code anyway. Personally I haven't run across that many which actually do
> > ask for it.
> 
> I think 50-75% of the Internet retailers I've used ask for it.

For me it would be more like 5% that DO ask for it.

One of my jobs recently has been to help process credit card donations for
one client which come through via post. Their forms do not ask for the
security code and the credit card processing website doesn't ask for it
either (it's been a while since I did some, but there may be an optional
box on the website for it).

Helpful Harry  :o)

[toc] | [prev] | [next] | [standalone]


#24387

FromPaul Sture <paul@sture.ch>
Date2012-04-24 10:37 +0200
Message-ID<hb5i69-ldk.ln1@news.sture.ch>
In reply to#24241
On Mon, 23 Apr 2012 18:36:16 +1200, Helpful Harry wrote:

> t's always been equally silly that banks send out material (whether it's
> a new card, new cheque book, bank statements, etc.) in an envelope
> emblazoned with their logo - that makes it very easy for a criminal
> postman or someone looking in mailboxes to steal it.

In the UK they learned that lesson the hard way when credit cards were 
first introduced.  In old large houses which have been converted into 
several apartments the mail for the whole house typically sits on a table 
in the entrance hall, and many helped themselves to those attractive 
looking envelopes.

I don't think I've ever had a card arrive in anything except a plain 
envelope.  However, even those envelopes are easy to recognise once 
you've seen them.

-- 
Paul Sture

[toc] | [prev] | [next] | [standalone]


#23716

FromKurt Ullman <kurtullman@yahoo.com>
Date2012-04-12 08:30 -0400
Message-ID<N9OdnTcc2b5WVxvSnZ2dnUVZ_gadnZ2d@earthlink.com>
In reply to#23677
In article <110420122317226888%star@sky.net>, Davoud <star@sky.net> 
wrote:

> Davo
> usually measured in minutes or hours--especially now, when there is no
> way that my bank is going to authorize a transaction in Eastern Europe
> out of the blue without contacting me first. I know this because I get
> e-mails and phone calls from my bank from time to time questioning
> out-of-pattern purchases that I have made.

And it seems to be getting stricter and stricter. If I don't tell my CC 
company I am going to FL they have put a stop on the card. Despite the 
fact I have been going there every year for the past 25 and drive down 
using the card for gas, food and hotels along the way.

-- 
People thought cybersex was a safe alternative, 
until patients started presenting with sexually
acquired carpal tunnel syndrome.-Howard Berkowitz 

[toc] | [prev] | [next] | [standalone]


#23732

FromAlan Browne <alan.browne@FreelunchVideotron.ca>
Date2012-04-12 14:33 -0400
Message-ID<_PudncNAL_GMvRrSnZ2dnUVZ_qidnZ2d@giganews.com>
In reply to#23716
On 2012-04-12 08:30 , Kurt Ullman wrote:
> In article<110420122317226888%star@sky.net>, Davoud<star@sky.net>
> wrote:
>
>> Davo
>> usually measured in minutes or hours--especially now, when there is no
>> way that my bank is going to authorize a transaction in Eastern Europe
>> out of the blue without contacting me first. I know this because I get
>> e-mails and phone calls from my bank from time to time questioning
>> out-of-pattern purchases that I have made.
>
> And it seems to be getting stricter and stricter. If I don't tell my CC
> company I am going to FL they have put a stop on the card. Despite the
> fact I have been going there every year for the past 25 and drive down
> using the card for gas, food and hotels along the way.

This seems to be more an issue with US issued cards (I had one some 
years ago and had to tell them if I was off to Europe or Asia) than the 
Canadian cards I have.

One difference may be the chipped cards (require PIN) v. the old mag 
striped only cards that are prevalent in the US.

-- 
"I was gratified to be able to answer promptly, and I did.
  I said I didn't know."
                           -Samuel Clemens.

[toc] | [prev] | [next] | [standalone]


#23755

FromZaidy036 <Zaidy036@isp.spam>
Date2012-04-12 23:02 -0400
Message-ID<jm84vn$174$1@dont-email.me>
In reply to#23732
On 4/12/2012 2:33 PM, Alan Browne wrote:
> On 2012-04-12 08:30 , Kurt Ullman wrote:
>> In article<110420122317226888%star@sky.net>, Davoud<star@sky.net>
>> wrote:
>>
>>> Davo
>>> usually measured in minutes or hours--especially now, when there is no
>>> way that my bank is going to authorize a transaction in Eastern Europe
>>> out of the blue without contacting me first. I know this because I get
>>> e-mails and phone calls from my bank from time to time questioning
>>> out-of-pattern purchases that I have made.
>>
>> And it seems to be getting stricter and stricter. If I don't tell my CC
>> company I am going to FL they have put a stop on the card. Despite the
>> fact I have been going there every year for the past 25 and drive down
>> using the card for gas, food and hotels along the way.
>
> This seems to be more an issue with US issued cards (I had one some
> years ago and had to tell them if I was off to Europe or Asia) than the
> Canadian cards I have.
>
> One difference may be the chipped cards (require PIN) v. the old mag
> striped only cards that are prevalent in the US.
>

Citi (American Air) now offers "chipped" cards if you call them up. 
Unfortunately then there is no space for your picture but it is a good 
idea if traveling to Europe.


-- 
Zaidy036

[toc] | [prev] | [next] | [standalone]


#23758

FromHelpfulHarry@BusyWorking.com (Helpful Harry)
Date2012-04-13 18:19 +1200
Message-ID<HelpfulHarry-1304121819210001@203-118-187-39.dsl.dyn.ihug.co.nz>
In reply to#23755

I wouldn't worry about. Cards are "old tech" and are in the process of
being replaced by using your mobile phones as a wallet instead. (Not very
useful for placing orders by phone though.)


There has actually been a couple of news stories this month with people
stealing card information here in New Zealand. Some via skimmers on
automatic teller machines / ATMs / money machines and some where they
actually swapped an in-store device for their own (by distracting staff).

Helpful Harry  :o)

[toc] | [prev] | [next] | [standalone]


Page 5 of 6 — ← Prev page 1 2 3 4 [5] 6  Next page →

Back to top | Article view | comp.sys.mac.system


csiph-web