Message-ID: <f81ebf110909212229n737c1700l2b13899fdef8e2a8@mail.gmail.com>
Date: Tue, 22 Sep 2009 01:29:01 -0400
From: Andrew Haninger <ahaning@...dspring.com>
To: Steven Anders <anderstev@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Chargebacks and credit card frauds

On Tue, Sep 22, 2009 at 12:26 AM, Steven Anders <anderstev@...il.com> wrote:
> I am now tasked with improving our backend checks to make sure we don't have
> any more fraudulent orders, and would appreciate any pointers or insights into
> this matter. Any theories, insights, or information would be very useful.

I have three ideas. Two are quite complicated and the other a little
simpler. None are fraud-proof. Some may be impractical if your work is
being done "after the fact".

1) Have a robot call or text the customer a CAPTCHA-type string to
enter into a website.

Workaround: Register a cell phone or VoIP number in the victim's area
code and take the call. You could possibly require a hard-wire
landline, but those are becoming so uncommon that it would create
trouble for many of your customers. And then there are those darned
dialup users.

Perhaps do this only after a first "offense". Though, I'm guessing
fraudsters only use the accounts once and then avoid them.

2) Have a Flash or Java applet check for common remote desktop servers
running on the ordering PC.

Workaround: Disguise the server software as something harmless, if it
isn't already.

3) Check to see if the order was placed outside normal waking hours or
during normal working hours.

Workaround: Not hard to work around, but might hassle the criminals.

Andy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
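One way to implement the time-of-day check from idea 3 and use it to decide when to apply the out-of-band challenge from idea 1, as an added example that is not code from the original message. It assumes the billing address has already been mapped to a UTC offset and that the scoring weights and threshold are placeholders to be tuned against real chargeback data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Local hours treated as normal waking hours: [WAKING_START, WAKING_END).
# An order outside this window is a weak signal, so it only adds to a score.
WAKING_START = 7
WAKING_END = 23


@dataclass
class Order:
    order_id: str
    placed_at_utc: datetime      # tz-aware UTC timestamp from the order system
    billing_utc_offset: float    # hours east of UTC for the billing address (assumed lookup)
    prior_chargebacks: int       # earlier chargebacks recorded against this customer


def local_hour(order: Order) -> int:
    """Hour of day at the customer's billing address.

    Judging the order against the server's clock is the usual mistake: an
    order at 02:00 UTC is 22:00 on the US east coast in September.
    """
    tz = timezone(timedelta(hours=order.billing_utc_offset))
    return order.placed_at_utc.astimezone(tz).hour


def placed_outside_waking_hours(order: Order) -> bool:
    return not (WAKING_START <= local_hour(order) < WAKING_END)


def risk_score(order: Order) -> int:
    """Combine the time-of-day signal with the customer's chargeback history."""
    score = 0
    if placed_outside_waking_hours(order):
        score += 1
    if order.prior_chargebacks > 0:     # "only after a first offense"
        score += 2
    return score


def needs_out_of_band_check(order: Order, threshold: int = 2) -> bool:
    """Only orders at or above the threshold get the phone/SMS challenge step."""
    return risk_score(order) >= threshold


# Constructed sample orders, not real data.
SAMPLE_ORDERS = [
    Order("A1", datetime(2009, 9, 22, 2, 0, tzinfo=timezone.utc), -4.0, 0),  # 22:00 EDT
    Order("A2", datetime(2009, 9, 22, 9, 0, tzinfo=timezone.utc), -7.0, 0),  # 02:00 PDT
    Order("A3", datetime(2009, 9, 22, 9, 0, tzinfo=timezone.utc), -7.0, 1),  # 02:00 PDT, repeat
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o.order_id, local_hour(o), risk_score(o), needs_out_of_band_check(o))
```

Note that the first sample looks suspicious on the server clock (02:00 UTC) but is an ordinary evening order once converted to the customer's local time.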
