Security Incidents mailing list archives
RE: Stolen Card Purchases
From: "Jason Coombs" <jasonc () science org>
Date: Wed, 10 Jul 2002 11:11:06 -1000
- The person or persons using these stolen cards had all the correct information (such as address and even phone number, which is how we were able to contact each cardholder).
Just because the credit card thief can pass Address Verification Service with the right house number and zip code that doesn't mean you should trust them enough to ship your goods to a different address than the one that matched AVS. You should also ask your customers for the card identification number that appears next to the embossed card number. Even when this matches with the records of the card issuer, you must use common sense and only ship to the validated billing address as confirmed by AVS unless you have good reason to trust the customer. Repeat customers, for example, could earn the right to purchase gifts from your business for shipment to a third-party. Few others should be allowed to do so. The reason law enforcement just doesn't care and won't get involved is that credit card theft is a risk of doing business that every merchant accepts. Either you know how to manage that risk, and you survive, or you don't, and you go out of business. Law enforcement will see your appeal for help as a bit silly, since you're the one who asked for the credit card information in the first place... Unless you've uncovered some new threat vector for credit card fraud that law enforcement should do something to stop, you're complaining about being asked to take risk. If you don't want the risk, stop taking that form of payment. Sincerely, Jason Coombs jasonc () science org -----Original Message----- From: Jonathan A. Zdziarski [mailto:jonathan () networkdweebs com] Sent: Wednesday, July 10, 2002 3:24 AM To: incidents () securityfocus com Subject: Re: Stolen Card Purchases Hi, Thanks for all the emails I received. Just to make a few points of clarification in regards to our specific situation... - The credit cards being used were not stolen on the Internet, as not all of the cardholders involved in these related incidents had made purchases on the Internet. - The person or persons using these stolen cards had all the correct information (such as address and even phone number, which is how we were able to contact each cardholder). - We traced at least one of these incidents back through some proxies to a residential DSL line in the US, and I'm sure the Internet provider could furnish whomever [under subpoena] with name and address. I'm going to contact a few of the people who emailed me, but it sounds like from the other half of the emails I received, very few law enforcement agencies are interested in making arrests these days. If this is the case, I'm wondering what reporting this to the media would do. A story about how the government lets theifs run free sounds like it'd be enough to get some government organizations to shape up. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Stolen Card Purchases Jonathan A. Zdziarski (Jul 09)
- RE: Stolen Card Purchases Greg Reber (Jul 10)
- Re: Stolen Card Purchases Jonathan Bloomquist (Jul 10)
- Message not available
- RE: Stolen Card Purchases Ray Pompon (Jul 10)
- <Possible follow-ups>
- Re: Stolen Card Purchases Jonathan A. Zdziarski (Jul 10)
- Re: Stolen Card Purchases Bill Barrett (Jul 10)
- RE: Stolen Card Purchases Jason Coombs (Jul 10)
- RE: Stolen Card Purchases Curley Mr Eric P (Jul 10)
- RE: Stolen Card Purchases Green, Art (Jul 10)