Full Disclosure mailing list archives
RE: Hackers View Visa/MasterCard Accounts
From: David Barnett <dbarn064 () earthlink net>
Date: Wed, 19 Feb 2003 09:43:12 -0600 (GMT)
While the threat of a Credit Card DoS seems to be quite a novel threat and I am, at this point in time, in no place to credit or discredit the idea, I can't help but believe there is a less nefarious motivation behind this attack.

One can't help but refer back to one of the last thefts of such a large amount of credit card numbers: the case involving Russian hacker(s) holding a company (can't remember the name?) ransom for a large sum of money not to release the credit card numbers onto the Internet.

If one takes the number of accounts affected, at last count some 8 million, assumes at least 10 million affected, and the costs to replace these accounts (the published figure I have seen was $25 per card), one must wonder at what cost would these institutions not pay up? $5 million?

Consumer confidence in purchasing on-line has been growing over the past year. Yes, this is not a case of an e-commerce site being broken into, but the public perception is there. Why has the victim clearing house not been exposed publicly?

If one now takes the possibility of a credit card DoS seriously, I would say this would be even more reason for the attacker(s) to try and call for some sort of ransom money. Yes, the last time, at least as far as we know, no money was paid out, and so the credit cards were all over the net. I can only wonder what is taking place in the back channels, and if we will ever know what threats were made and what money may have been paid out. Perhaps these are the reasons for the victims' anonymity?

David Barnett
Sr. Security Architect
Paranet Solutions

At 11:05 AM 2/19/2003 -0500, full-disclosure-request () lists netsys com wrote:
From: "Bernie, CTA" <cta () hcsin net>
Organization: HCSIN
To: <full-disclosure () lists netsys com>
Date: Wed, 19 Feb 2003 11:01:45 -0500
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts
Reply-to: cta () hcsin net

My point exactly. Again, I believe the real payload and threat could be that of DoS. If one identifies all plausible threat types, and assesses the risks associated with any interrelated exploit, the probability of a denial of service scores the highest. In fact, given that 8 million plus consumers were "denied service", I would say that the Credit Card DoS attack had successfully occurred.

Now consider that the thief / attacker could *anonymously* submit these credit card numbers, as well as another 10 million or so newly cloned numbers, to tens of thousands of web sites, causing a potentially effective DoS attack resulting in an e-commerce catastrophe. I would call attention to the possibility that a Credit Card DoS attack could significantly impact terrestrial commerce. Think about how intertwined credit cards are in global day to day commerce. Furthermore, it would be very difficult to track and identify the attacker, since such a DoS attack could be launched autonomously, and on an unpredictable future date.

Another issue to consider is containment of the stolen information. What steps are, or could be, taken to prepare for the possibility that the stolen credit card information may be disseminated, and that exploitation may not appear until some unknown future date?

So now a few parting points...

First, it's time that businesses, banks, Visa, MasterCard, American Express, and the like implement effective safeguards to protect the personal identifiers and confidential financial data elements stored in databases or otherwise electronically transmitted. SET was a good first step that was killed off due to, IMO, complacency and greed.
Today, there are many ways I, and I'm sure others, could think of which are easier and less costly to implement than SET. But will it be done?

Secondly, why have Visa and MasterCard not put any real thought and effort into effectively mitigating the many vulnerabilities and threats associated with their credit card processing mechanism? Because in the past, Visa / MasterCard generated such significant and continuous transactional revenue that they could absorb 40% to 60% losses due to fraud over the transaction period. However, if transaction flow were to be significantly impeded by a DoS attack as I have outlined, well, one would believe that there are not enough buckets in the world to carry away the unabsorbed red ink.

Lastly, I would say that if the perpetrator were in any way involved with any of the "terrorist" groups, then this incident requires top level and immediate attention by the authorities, credit card issuers, and businesses to identify, develop and implement safeguards to mitigate the threats. Then again, if the perpetrator were to be a disgruntled employee, script kiddie, phacker, etc., should we consider the risks to be at a much lower level? That is, just find who did it, slap his wrist, then go back to business as usual. I for one would say not.

On 18 Feb 2003, at 17:07, Jason Coombs wrote:

From: "Jason Coombs" <jasonc () science org>
Date sent: Tue, 18 Feb 2003 17:07:09 -1000

And if you were an economic terrorist wouldn't you be keen to compromise all ~580 million credit card accounts in the U.S. that have been issued according to these silly, insecure methods? The "payload" in this attack may be simply to damage the financial markets by destroying the existing (extremely vulnerable) credit card issuer/acquirer/processor infrastructure.
Jason Coombs
jasonc () science org

-----Original Message-----
From: Bernie, CTA [mailto:cta () hcsin net]
Sent: Tuesday, February 18, 2003 12:32 PM
To: full-disclosure () lists netsys com; Jason Coombs
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts

On 18 Feb 2003, at 11:08, Jason Coombs wrote:

>>> lucky for cc fraudsters, issuers opt to create cards in batches where all of the neighboring card numbers share the same expiration date (month/year). <<<

Taking into account that the batches are done sequentially, Luhn checksums could be easily discovered through a bit of simple Mod 10 arithmetic, and that there is better than a 50% probability of predicting the expiration date, I would say that the thief could be more successful at exploiting newly generated credit card numbers, and just use those stolen as seeds.

Now assuming that a thief has successfully generated such numbers, what would be the best method of attack? How about a few coins ($0.50) here and there, times 5 million plus cards per month? How many credit card customers or issuing banks will pay any attention to such inconsequential charges? Especially if the statement notes such a charge as something like "account maintenance fee"? I fear that the real payload has yet to be calculated.

****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
David Barnett
CISSP, CCSE, CCNA
Sprint E|Solutions
Sr. Security Specialist
O. 847-318-3000
PCS. 708-288-6791

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
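Bernie's remark that Luhn checksums fall to "a bit of simple Mod 10 arithmetic" is the technical crux of the thread, so here is an added example (editor's code, not code from any poster) that implements the mod 10 check and shows what it does and does not give you. It seeds from 4111111111111111, a published test number rather than a live account; that choice and the function names are assumptions for illustration only.

```python
"""Luhn (mod 10) check-digit arithmetic. Added example, not code from the thread.

4111111111111111 is a published Visa test number, not a live account (assumption
for illustration only). The Luhn digit is a public error-detection code: it
carries no secret, so passing it means "well-formed", never "genuine".
"""
from typing import List


def luhn_sum(digits: str) -> int:
    """Luhn sum mod 10 over a full digit string, check digit included."""
    total = 0
    # Walk right to left; every second digit (starting with the one to the
    # left of the check digit) is doubled, and a two-digit result has 9 subtracted.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if the whole number, check digit included, satisfies Luhn."""
    return pan.isdigit() and len(pan) >= 2 and luhn_sum(pan) == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit d for which partial + d is Luhn-valid."""
    # Appending a placeholder 0 yields the sum of the real digits; the check
    # digit is whatever brings that sum up to the next multiple of 10.
    return str((10 - luhn_sum(partial + "0")) % 10)


def valid_neighbours(pan: str, count: int) -> List[str]:
    """Luhn-valid numbers for the `count` account numbers that follow `pan`.

    This is the thread's observation in code: given one number from a
    sequentially issued batch, the checksum of every neighbour is one
    subtraction away. The check digit is therefore no barrier to guessing,
    which is why it must never stand in for authorisation (CVV2, issuer checks).
    """
    body = pan[:-1]                 # everything except the check digit
    width = len(body)
    out = []
    for k in range(1, count + 1):
        nxt = str(int(body) + k).zfill(width)
        out.append(nxt + luhn_check_digit(nxt))
    return out


def luhn_pass_rate(start: int, n: int, width: int = 16) -> float:
    """Fraction of n consecutive width-digit values that pass Luhn.

    For each 15-digit prefix exactly one of its ten check digits passes, so
    over whole blocks of ten the rate is exactly 0.10: Luhn filters out 90% of
    typos, not 90% of forged numbers.
    """
    hits = sum(luhn_valid(str(v).zfill(width)) for v in range(start, start + n))
    return hits / n


if __name__ == "__main__":
    seed = "4111111111111111"
    print(seed, luhn_valid(seed))                      # True
    print(valid_neighbours(seed, 3))                   # next three well-formed numbers
    print(luhn_pass_rate(4_000_000_000_000_000, 100))  # 0.1
```

The practical reading: accept Luhn as an input-validation step that rejects typos before a network call, and treat a Luhn-valid number as carrying no evidence of authenticity at all. The expiry-date point Bernie raises is the same shape of problem, a field that is cheap to guess rather than a secret.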
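The other mechanism Bernie describes, a fifty-cent "account maintenance fee" spread across millions of cards, is invisible per cardholder but stands out per merchant. The following is an added example (editor's code, not any poster's) of an issuer-side detection rule run over a constructed ledger; the card tokens, merchant descriptors, charge counts and thresholds are all assumptions made up for the demonstration.

```python
"""Issuer-side detection for the thread's "a few coins, times millions of cards"
scenario. Added example, not code from any poster; the transactions below are
constructed, the card IDs are stand-in tokens (a detection job should see
tokenised PANs, never raw ones), and the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import pstdev
from typing import Dict, List, Set, Tuple

Txn = Tuple[str, str, float]   # (card_token, merchant_descriptor, amount_usd)


def build_sample() -> List[Txn]:
    """Constructed ledger: one fraud pattern plus two legitimate merchants."""
    txns: List[Txn] = []
    # 1) The thread's scenario: a single $0.50 "fee" on each of 200 different cards.
    for i in range(200):
        txns.append((f"tok-{i:05d}", "ACCOUNT MAINTENANCE FEE", 0.50))
    # 2) A legitimate low-value merchant: many cards, but amounts genuinely vary.
    for i in range(60):
        txns.append((f"tok-{1000 + i:05d}", "CITY PARKING METER", (0.25, 0.50, 0.75, 1.00)[i % 4]))
    # 3) An ordinary merchant whose charges sit above the micro-charge threshold.
    for i in range(30):
        txns.append((f"tok-{2000 + i:05d}", "CORNER COFFEE", 2.50 + 0.25 * (i % 5)))
    return txns


def max_micro_charges_per_card(txns: List[Txn], max_amount: float = 1.00) -> int:
    """Cardholder's view: the most small charges any single card carries.

    In the constructed ledger this is 1, which is exactly why statement
    review by individual customers does not catch the pattern.
    """
    per_card: Dict[str, int] = defaultdict(int)
    for card, _merchant, amount in txns:
        if amount <= max_amount:
            per_card[card] += 1
    return max(per_card.values(), default=0)


def micro_charge_merchants(
    txns: List[Txn],
    max_amount: float = 1.00,   # what counts as a "few coins" charge
    min_cards: int = 50,        # distinct cards before a merchant is interesting
    max_spread: float = 0.05,   # near-identical amounts are the fingerprint of a scripted charge
) -> List[Tuple[str, int, float]]:
    """Issuer's view: merchants charging near-identical small amounts to many cards.

    Returns (merchant, distinct_cards, total_usd), largest card count first.
    """
    cards: Dict[str, Set[str]] = defaultdict(set)
    amounts: Dict[str, List[float]] = defaultdict(list)
    for card, merchant, amount in txns:
        if amount <= max_amount:
            cards[merchant].add(card)
            amounts[merchant].append(amount)

    flagged = []
    for merchant, seen in cards.items():
        if len(seen) < min_cards:
            continue
        spread = pstdev(amounts[merchant]) if len(amounts[merchant]) > 1 else 0.0
        if spread <= max_spread:
            flagged.append((merchant, len(seen), round(sum(amounts[merchant]), 2)))
    return sorted(flagged, key=lambda r: -r[1])


if __name__ == "__main__":
    ledger = build_sample()
    print("max micro-charges on any one card:", max_micro_charges_per_card(ledger))  # 1
    for merchant, n_cards, total in micro_charge_merchants(ledger):
        print(f"FLAG {merchant!r}: {n_cards} cards, ${total:.2f}")
```

Two design notes. The amount-uniformity filter is there to keep genuine low-value merchants (parking, transit) out of the alert queue; an attacker who randomises the amounts defeats it, so the distinct-card velocity alone should still raise a lower-severity alert. And a production rule should key on the acquirer's merchant identifier rather than the free-text descriptor, since the descriptor is attacker-controlled and is exactly what is being used here to look boring.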