From: cta at hcsin.net (Bernie, CTA)
Subject: Hackers View Visa/MasterCard Accounts

While I would agree that the extortion path may be a potential means to
a bizarre mutually beneficial end, I would still put more emphasis on
the DoS theory. Keep in mind that a typical DoS attack has two primary
threat effects:
a. limiting access to something or somewhere
b. creating noise or buffer overflow

Think about what could happen if one were to set up a drone loaded with
these credit card numbers, Exp Dates and AVS info, which was programmed
to autonomously inject bogus orders at tens of thousands of e-commerce
web sites. I would believe that these sites would choke on the declines.
Even more alarming would be the small mom and pops that verify (Luhn
check) the cards, but use off-line credit card terminals to process.

Furthermore, most processors and e-commerce payment gateways charge a
transaction fee even if the card was declined. VISA, Master Card, and
American Express get paid their fees regardless of the success of a
transaction. Moreover, a successful Transactional DoS or possibly DDoS
attack could result in significant indirect financial impact which may
not be absorbed by VISA, Master Card or the Processors.

Quantifying the probable success of all plausible threat outcomes that
may germinate from the theft juxtaposed to the potential economic and
consumer trust impact, I would say that there is an immediate obligation
and responsibility for the government regulators to mandate proactive
action to develop and implement safeguards. Such action should start at
the offices of VISA, Master Card, and American Express and transcend
through the processors and merchants. But will they do something
preventive now, or wait until they feel the financial pinch? 


On 19 Feb 2003, at 9:43, David Barnett wrote:
> 
> While the threat of a Credit Card DoS seems to be quite a novel
> threat and I am, at this point in time, in no place to credit or
> discredit the idea, I can't help but to believe there is a less
> nefarious motivation behind this attack. One can't help but refer
> back to one of the last thefts of such a large amount of credit
> card numbers. The case involving Russian hacker(s) holding a
> company (can't remember the name?) ransom for a large sum of
> money not to release the credit card numbers onto the Internet.
> 
> If one takes the number of accounts affected, at last count some
> 8 million, assume at least 10 million affected and the costs to
> replace these accounts (the published figure I have seen was $25
> per card), one must wonder at what cost would these institutions
> not pay up? $5 million?
> 
> Consumer confidence of purchasing on-line has been growing over
> the past year. Yes, this is not a case of an e-commerce site being
> broken into, but the public perception is there. Why has the
> victim clearing house not been exposed publicly?
> 
> If one now takes the possibility of a credit card DoS seriously,
> I would say this would be even more reason for the attacker(s) to
> try and call for some sort of ransom money. Yes, the last time,
> we know of at least, no money was paid out, and so were the credit
> cards all over the net.
> 
> I can only wonder what is taking place in the back channels, and
> if we will ever know what threats were made and what money may
> have been paid out. Perhaps these are the reasons for the victims'
> anonymity??
> 
> David Barnett
> Sr. Security Architect
> Paranet Solutions
> 
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta@...in.net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************

