Date: Fri, 20 Apr 2007 15:05:37 -0500
From: "Jason Miller" <jammer128@...il.com>
To: Troy <tcregger@...nedyinfo.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: OT? - TDBanknorth + merchant's CC auth

old, nothing new.

On 4/20/07, Troy <tcregger@...nedyinfo.com> wrote:
> Last month I had an interesting experience with Sears and TD Banknorth.
> Here's the story:
>
> I purchased appliances at Sears... the experience was a nightmare in and
> of itself as they screwed up the shipping date several times. Sears
> ended up having to throw in almost USD 200 in accessories and credits
> just so I wouldn't walk away from the sale. OK... nothing odd so far, and
> I got some free stuff, all good, right?
>
> Well, somehow, Sears mistakenly refunded me ~ USD 120. I later confirmed
> that this did happen and was a mistake, but I hadn't noticed the credit
> to my account at the time since there was heavy activity on the account
> that month.
>
> A full 5 weeks later, I'm checking my balance and paying some bills when
> I notice that there's this charge for USD 120 (and change) from Sears!
>
> What the fuck? I asked myself... I then decided to ask TD and Sears the
> same question. So, I'm on the phone to TD and Sears, trying to figure
> this out.
>
> After a bunch of calls and basically getting snubbed by TD, I learn that
> even though I was not present to authorize the transaction, didn't sign
> anything, and never entered a PIN, Sears was still able to charge my
> account.
>
> That didn't sit well with me so I sent a message to TD explaining that
> the transaction was not authorized and that I wanted the funds returned.
>
> Here's what TD said...
>
> >
> > "If you were credited with funds in error then Sears has the right to debit the account to make a correction."
>
>
> And "if you dispute the charge, talk to Sears", i.e. "the hand",
> apparently...
>
> So... basically, as I understand this, if you're a merchant, or otherwise
> have access to transaction records, CC#'s, names, etc., then there's
> literally nothing stopping you from charging someone's card for whatever
> and whenever you want?
>
> Or am I reading this situation incorrectly?
>
> If that's true, then what's the deterrent? repercussions from the bank?
> honor? how much do you trust the guy behind the counter?
>
> Apparently if you're banking with TD nobody there is going to lift a
> finger and it's between you and the merchant...
>
> ...or an evil anonymous hacker who happened to score access to a CC
> authorization account and some card numbers.
>
> I closed my TD account, but I find this rather disturbing all the same.
> I also don't expect much better from other banks or CC companies, and, as
> always, the burden of security lies mostly with the individual. In this
> case it was an honest error, Sears did credit my account in error, and I
> would have been happy to return the funds, but being a security-minded
> person I would have hoped that I'd have to authorize the transaction
> regardless... but no, I didn't even have to be notified.
>
> I learned something, so it's a good day...
>
> ~.:always use cash:.~
>
> --
> '''
> 0-0-
>  ~
>  `
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
