| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3E523D11.18093.13D048F@localhost> From: cta at hcsin.net (Bernie, CTA) Subject: Hackers View Visa/MasterCard Accounts <color><param>0100,0100,0100</param><FontFamily><param>Times New Roman</param>AVS (Address Verification Service) is intended for use on all "card not present" or "cardholder not present" transactions, such as e- commerce and mail-order purchases. It was designed to be more of an alarm to potential fraudulent use, and not an actual safeguard. First, consider that AVS authenticates only the card-holder’s street address and zip code, maintained in the processor’s database, with that presented by the purchaser / merchant. The AVS code is comprised of three numbers. The first corresponds to the numbers in the street address. The second corresponds to the zip code. And the third is an overall verification of both. There are ten different letters used for AVS response codes: A = Address matches, zip code does not match E = Error Response For Merchant Service Category Code N = No match on street address or zip code R = Retry, System Unavailable Or Timed Out S = Service not supported by the issuer U = Address Information Not Available (call cardholder's issuing bank) W or Z Zip code matches, address does not match or was not requested (W indicates a nine digit zip code; Z indicates a five digit zip code X or Y Exact match on address and postal code (X indicates a nine digit zip code; Y indicates a five digit zip code) When the address information sent to the processor fails to match the data on file, an "AVS mis-match" occurs. An authorization request will not be automatically declined based on AVS response. Therefore you can get an approval with an AVS mis-match. In addition, since only the address and zip codes are checked, the AVS mechanism can be easily breached. Furthermore, AVS has not been implemented in most internationally based processing centers. Notwithstanding, if the entire database of card-holder accounts (including AVS information) was stolen, then the thief has all the information needed to invoke fraudulent transactions. Given that the issuing banks, VISA and Master Card moved quickly to block transactions, I would not be surprised if a few unauthorized transactions slipped through. Nevertheless, I would be more worried about the use of the stolen credit card numbers and account information for other less obvious fraudulent purposes. With that being said, one wonders why no one has yet to put any real thought into vulnerability assessment and the development and implementation of “strong” security methods to protect credit card information as it is stored and electronically transferred. <FontFamily><param>Arial</param>On 18 Feb 2003, at 10:29, Richard M. Smith wrote: <color><param>7F00,0000,0000</param>> Wouldn't the AVS system used by the credit card companies catch > this kind of hack? The AVS system does a rudimentary check to > make sure that the billing address given on a order is correct > one for the credit card. > > Richard > > -----Original Message----- > From: full-disclosure-admin@...ts.netsys.com > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of > Jason Coombs Sent: Tuesday, February 18, 2003 4:29 AM To: > full-disclosure@...ts.netsys.com Subject: [Full-Disclosure] > Hackers View Visa/MasterCard Accounts > > > So, anyone know whether this was a simple "real-time credit card > processing oracle" attack where a tool throws fake orders at > sites that provide real-time credit card authorizations until a > valid card number and expiration date are found? > > Any third-grader with a copy of Microsoft .NET or Java 2 class > libraries could whip up the code needed to bang away at the > typical e-commerce site logging rejected orders due to invalid > credit card payment and revealing card numbers and expiration > dates that can be used for fraud in a variety of ways. > > There must be such credit card "hacking" tools circulating for > the benefit of script kiddies -- anyone looked into this before? > If so, will you share some references? > > Jason Coombs > jasonc@...ence.org > > -- > > Hackers View Visa/MasterCard Accounts > > Mon February 17, 2003 11:17 PM ET > > NEW YORK (Reuters) - More than five million Visa and MasterCard > accounts throughout the nation were accessed after the computer > system at a third party processor was hacked into, according to > representatives for the card associations. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > <nofill> - **************************************************** Bernie Chief Technology Architect Chief Security Officer cta@...in.net Euclidean Systems, Inc. ******************************************************* // "There is no expedient to which a man will not go // to avoid the pure labor of honest thinking." // Honest thought, the real business capital. // Observe> Think> Plan> Think> Do> Think> *******************************************************
Powered by blists - more mailing lists