lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 20 Apr 2007 18:59:42 -0400
From: Troy Cregger <troy.cregger@...il.com>
To: micheal.espinola@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OT? - TDBanknorth + merchant's CC auth

Indeed, but something I was not aware of until this happened.

It didn't case me any problems or anything, it was just one of those
"They can do that?"

Old news yes, but new to me.

Micheal Espinola Jr wrote:
> Its a part of the original transaction that you authorized, so TD has to
> let Sear do whatever they want.
> 
> It sounds fucked up, but once you authorize a company to make a
> credit-based transaction, they can in-turn do whatever the hell they
> want without interference from your bank or credit provider.  You have
> to deal with them directly if there is a dispute, unless you claim
> fraudulent activity in which case your bank or credit provider may
> choose to interfere with the transaction on your behalf.
> 
> 
> 
> On 4/20/07, *Troy* <tcregger@...nedyinfo.com
> <mailto:tcregger@...nedyinfo.com>> wrote:
> 
>     Last month I had an interesting experience with sears and tdbanknorth.
>     Here's the story:
> 
>     I purchased appliances at sears... the experience was a nightmare in and
>     of itself as they screwed up the shipping date several times. Sears
>     ended up having to throw in almost USD 200 in accessories and credits
>     just so I wouldn't walk away from the sale, OK... nothing odd so far and
>     I got some free stuff, all good right?
> 
>     Well, somehow, sears mistakenly refunded me ~ USD 120. I later
>     confirmed
>     that this did happen and was a mistake, but I hadn't noticed the credit
>     to my account at the time since there was heavy activity on the account
>     that month.
> 
>     A full 5 weeks later, I'm checking my balance and paying some bills
>     when
>     I notice that there's this charge for USD 120 (and change) from sears!
> 
>     What the fuck? I asked myself... I then decided to ask TD and sears the
>     same question. So, I'm on the phone to TD and sears, trying to figure
>     this out.
> 
>     After a bunch of calls and basically getting snubbed by TD I learn that
>     even though I was not present to authorize the transaction, didn't sign
>     anything, and never entered a PIN, sears was still able to charge my
>     account.
> 
>     That didn't sit well with me so I sent a message to TD explaining that
>     the transaction was not authorized and that I wanted the funds returned.
> 
>     Here's what TD said...
> 
>     >
>     > "If you were credited with funds in error then Sears has the right
>     to debit the account to make a correction."
> 
> 
>     And "if you dispute the charge, talk to sears" e.g. "the hand"
>     apparently...
> 
>     So... basically as I understand this, if you're a merchant, or otherwise
>     have access to transaction records CC#'s, names, etc., then there's
>     literally nothing stopping you from charging someones card for whatever
>     and whenever you want?
> 
>     Or am I reading this situation incorrectly?
> 
>     If that's true, then what's the deterrent? repercussions from the bank?
>     honor? how much do you trust the guy behind the counter?
> 
>     Apparently if you're banking with TD nobody there is going to lift a
>     finger and it's between you and the merchant...
> 
>     ...or evil anonymous hacker who happened to score access to a CC
>     authorization account and some card numbers.
> 
>     I closed my TD account, but I find this rather disturbing all the same.
>     I also don't expect much better from other banks or CC companies, and as
>     always the burden of security lies mostly with the individual. In this
>     case it was an honest error, sears did credit my account in error, and I
>     would have been happy to return the funds, but being a security minded
>     person I would have hoped that I'd have to authorize the transaction
>     regardless... but no, I didn't even have to be notified.
> 
>     I learned something, so it's a good day...
> 
>     ~.:always use cash:.~
> 
>     --
>     '''
>     0-0-
>     ~
>     `
> 
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> 
> 
> -- 
> ME2
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ