Message-ID: <3E536419.4164.5BDA6E2@localhost>
From: cta at hcsin.net (Bernie, CTA)
Subject: Hackers View Visa/MasterCard Accounts

My point exactly. Again, I believe the real payload and threat 
could be that of DoS. If one identifies all plausible threat types, 
and assesses the risks associated with any interrelated exploit, 
the probability of a denial of service scores the highest. In fact, 
given that 8 million plus consumers were "denied service", I 
would say that the Credit Card DoS attack had successfully 
occurred. 

Now consider that the thief / attacker could *anonymously* 
submit these credit card numbers as well as another 10 million 
or so newly cloned numbers, to tens of thousands of web sites, 
causing a potentially effective DoS attack resulting in an e-commerce 
catastrophe. 

I would call attention to the possibility that a Credit Card DoS 
attack could significantly impact terrestrial commerce. Think 
about how intertwined credit cards are in the global day to day 
commerce.  Furthermore, it would be very difficult to track and 
identify the attacker since such a DoS attack could be 
launched autonomously, and on an unpredictable further date.

Another issue to consider is containment of the stolen 
information. What steps are, or could be taken to prepare for 
the possibility that the stolen credit card information may be 
disseminated, and that exploitation may not appear until some 
unknown future date?

So now a few parting points…

First, it's time that businesses, banks, Visa, MasterCard, 
American Express, and the like implement effective safeguards to 
protect the personal identifiers and confidential financial data 
elements stored in databases or otherwise electronically 
transmitted. SET was a good first step that was killed off due to, 
IMO, complacency and greed. Today, there are many ways I, 
and I'm sure others, could think of which are easier and less 
costly to implement than SET. But will it be done?

Secondly, why have Visa and MasterCard not put any real thought 
and effort into effectively mitigating the many vulnerabilities and 
threats associated with their credit card processing 
mechanism? Because in the past, Visa / MasterCard 
generated such significant and continuous transactional 
revenue that they could absorb 40% to 60% losses due to fraud 
over the transaction period. However, if transaction flow were 
to be significantly impeded by a DoS attack as I have outlined, 
well, one would believe that there are not enough buckets in the 
world to carry away the unabsorbed red ink.

Lastly, I would say that if the perpetrator were in any way 
involved with any of the "terrorist" groups, then this incident 
requires top level and immediate attention by the authorities, 
credit card issuers, and businesses to identify, develop and 
implement safeguards to mitigate the threats. Then again, if the 
perpetrator were to be a disgruntled employee, script kiddie, 
phacker, etc., should we consider the risks to be at a much 
lower level? That is, just find who did it, slap his wrist, then go 
back to business as usual. I for one would say not. 
 

On 18 Feb 2003, at 17:07, Jason Coombs wrote:
From:           	"Jason Coombs" <jasonc@...ence.org>
Date sent:      	Tue, 18 Feb 2003 17:07:09 -1000

> And if you were an economic terrorist wouldn't you be keen to
> compromise all ~580 million credit card accounts in the U.S. that
> have been issued according to these silly, insecure methods?
> 
> The "payload" in this attack may be simply to damage the
> financial markets by destroying the existing (extremely
> vulnerable) credit card issuer/acquirer/processor infrastructure.
> 
> Jason Coombs
> jasonc@...ence.org
> 
> -----Original Message-----
> From: Bernie, CTA [mailto:cta@...in.net]
> Sent: Tuesday, February 18, 2003 12:32 PM
> To: full-disclosure@...ts.netsys.com; Jason Coombs
> Subject: RE: [Full-Disclosure] Hackers View Visa/MasterCard
> Accounts
> 
> 
> 
> On 18 Feb 2003, at 11:08, Jason Coombs wrote:
> 
> > lucky for cc fraudsters, issuers opt to create cards in batches
> > where all of the neighboring card numbers share the same
> > expiration date (month/year).
> <<<
> Taking into account that the batches are done sequentially,
> Luhn checksums could be easily discovered through a bit of
> simple Mod 10 arithmetic, and that there is better than a 50%
> probability of predicting the expiration date, I would say that
> the thief could be more successful at exploiting newly generated
> credit card numbers, and just use those stolen as seeds.
> 
> Now assuming that a thief has successfully generated such
> numbers, what would be the best method of attack? How about
> a few coins ($0.50) here and there, times 5 million plus cards
> per month?  How many credit card customers or issuing banks will
> pay any attention to such inconsequential charges? Especially if
> the statement notes such a charge something like "account
> maintenance fee"?
> 
> I fear that the real payload has yet to be calculated.
> 
> 
> 
-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta@...in.net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************
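The quoted exchange above rests on one arithmetic fact: the Luhn check digit is a transcription check, not a secret, so for any account-number prefix there is exactly one check digit that passes mod 10, and a sequential batch yields valid siblings by recomputing it. The following is an added illustration of that claim, not code from the original post or from any card network; the PANs in it are constructed test values (the well-known Luhn example 79927398713 and the standard test number 4111 1111 1111 1111), not real accounts, and the function names are this example's own.

```python
"""Luhn (mod 10) arithmetic as discussed in the thread.

Added example, not part of the original post. The PANs used below are
constructed test values, not real accounts.
"""


def luhn_sum(digits: str) -> int:
    """Luhn sum over a complete number (check digit included).

    Every second digit counted from the right is doubled; doubled values
    above 9 have 9 subtracted (equivalent to summing their two digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # second, fourth, ... digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True if the PAN (spaces allowed) passes the mod-10 check."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The single check digit that makes payload + digit pass Luhn.

    Appending a placeholder "0" puts the payload digits in the same
    right-to-left positions they will occupy in the finished number.
    """
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def batch_neighbors(seed_pan: str, count: int) -> list[str]:
    """Numbers that follow seed_pan in a sequential batch, each with its
    own recomputed check digit.

    This is the 'use those stolen as seeds' observation from the thread:
    nothing about the check digit has to be guessed, only recomputed.
    """
    payload = seed_pan.replace(" ", "")[:-1]
    width = len(payload)
    base = int(payload)
    out = []
    for k in range(1, count + 1):
        p = str(base + k).zfill(width)
        out.append(p + luhn_check_digit(p))
    return out


def valid_check_digits(payload: str) -> list[str]:
    """All check digits 0-9 that would validate payload; always exactly one."""
    return [d for d in "0123456789" if luhn_valid(payload + d)]


if __name__ == "__main__":
    seed = "79927398713"                      # constructed test value
    print(seed, luhn_valid(seed))             # True
    print(valid_check_digits(seed[:-1]))      # ['3']
    print(batch_neighbors(seed, 3))           # three valid siblings
```

The practical takeaway for anyone modelling this as a defender is that Luhn validity carries zero bits of secrecy; the only per-card unpredictability lies in issuer-side randomisation of account numbers and expiry dates, and in data the card network never prints in sequence.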

