| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jasonc at science.org (Jason Coombs) Subject: Hackers View Visa/MasterCard Accounts Calling it a DoS might be a misnomer. It would look a lot more like a replay attack. The damage one could do with the millions of card numbers and expiration dates one could deduce from the seed list of 8 to 10 million would be the greatest when e-commerce shopping is replayed -- at any and every POS that accepts "card not present" transactions and ignores AVS. Use people.yahoo.com to assemble a list of shoppers and wham-o, thousands of merchants are busy shipping product, tens of thousands start to have difficulty picking legitimate orders out of the noise. DoS would only occur in the case of merchants who are incompetent at risk management to begin with and just stop filling orders or choose to ignore orders where AVS doesn't report a full match. Jason Coombs jasonc@...ence.org -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of David Barnett Sent: Wednesday, February 19, 2003 5:43 AM To: full-disclosure@...ts.netsys.com Cc: cta@...in.net Subject: RE: [Full-Disclosure] Hackers View Visa/MasterCard Accounts Mime-Version: 1.0 Content-Type: multipart/signed; boundary="-=-===-====-=-=---===---========--==-==--===-==="; protocol="application/pgp-signature"; micalg=pgp-sha1 ---=-===-====-=-=---===---========--==-==--===-=== Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable While the threat of a Credit Card DoS seems to quite a novel threat and I am, at this point in time, in no place to credit or discredit the idea, I can't help but to believe there is a less nefarious motivation behind this attack. One can't help but refer back to one of the last theft of such a large amount of credit card numbers. The case involving Russian hacker(s) holding a company (can't remember the name?) ransom for a large sum of money not to release the credit card numbers onto the Internet. If one takes the number of accounts affected, at last count some 8 million, assume at least 10 million affected and the costs to replace these accounts (the published figure I have seen was $25 per card), one most wonder atwhat cost would these institutions not pay up? $5 million? Consumer confidence of purchasing on-line has been growing over the past year. Yes, this is not a case of a e-commerce site being broken into, but the public perception is there. Why has the victim clearing house not been exposed publicly? If one now takes the possibility of a credit card DoS seriously, I would say this would be even more reason for the attacker(s) to try and call for some sort of ransom money. Yes, the last time, we know of at least, no money was paid out, and so was the credit cards all over the net. I can only wonder what is taking place in the back channels, and if we will ever know what threats were made and what money may have been paid out. Perhaps these are the reasons for the victims anonymity?? David Barnett Sr. Security Architect Paranet Solutions
Powered by blists - more mailing lists