From: jasonc at science.org (Jason Coombs)
Subject: Hackers View Visa/MasterCard Accounts

And if you were an economic terrorist wouldn't you be keen to compromise all
~580 million credit card accounts in the U.S. that have been issued
according to these silly, insecure methods?

The "payload" in this attack may be simply to damage the financial markets
by destroying the existing (extremely vulnerable) credit card
issuer/acquirer/processor infrastructure.

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: Bernie, CTA [mailto:cta@...in.net]
Sent: Tuesday, February 18, 2003 12:32 PM
To: full-disclosure@...ts.netsys.com; Jason Coombs
Subject: RE: [Full-Disclosure] Hackers View Visa/MasterCard Accounts



On 18 Feb 2003, at 11:08, Jason Coombs wrote:

> lucky for cc fraudsters, issuers opt to create cards in batches
> where all of the neighboring card numbers share the same
> expiration date (month/year).
<<<
Taking into account that the batches are done sequentially,
LUHN checksums could be easily discovered through a bit of
simple Mod 10 arithmetic, and that there is better than a 50%
probability of predicting the expiration date, I would say that the
thief could be more successful at exploiting newly generated
credit card numbers, and just use those stolen as seeds.

Now assuming that a thief has successfully generated such
numbers, what would be the best method of attack? How about
a few coins ($0.50) here and there, times 5 million plus cards
per month?  How many credit card customers or issuing banks
will pay any attention to such inconsequential charges?
Especially if the statement notes such a charge something like
"account maintenance fee"?

I fear that the real payload has yet to be calculated.


