Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re:Pointless - takes too long (Score 1) 140 140

Actually the economics here are not favorable to the scammer. For the class of goods being discussed here, most of the affiliate programs are fairly long lived (necessary precisely because they rely on independent contractors paid on commission to advertise their wares) and, as they advertise broadly, their storefronts are well known. Its simply not difficult to keep up with the top programs in any niche. It does indeed seem to take 2-4 weeks between the generation of a complaint and the merchant account shutdown, but the loss on the account is significant. First, accounts in some niches (notably pharma) have become extremely hard to come by. If you don't have a history of high turnover, you won't get boarded in this sectors and you'll need to go for third-party processing (at discount rates that can go up to 25%). Second, due to high risk, merchants can expect 10% holdback on 180 days revenue as collateral against future liabilities. Anecdotally, scammers report that this money goes out the window when they lose their account. Finally, empirically we see account replacement take a month or more and there's lost opportunity cost on missed sales. When you compare this against the cost of the test purchase... this is a huge asymmetry that does not favor the scammer.

Finally, in the course of our studies we've placed over 800 purchases on distinct credit cards (from pharma, software, replica goods and fakeav) and we have only a small handful of fraudulent charges (almost all associated with a data breach of a large online pharmacy) so our experience does not support the theory that all of these cards are being defrauded post facto.

Comment: Re:Bad. Wrong. Evil. (Score 2) 140 140

In fact, even the company spokesperson admitted it's an extra-judicial process: "âoeIt doesnâ(TM)t require a judge, a law-enforcement officer or even much in the way of sophisticated security capabilities. If you can purchase a product, then thereâ(TM)s a record of it and that record points back to the merchant account getting the money,' Savage said."

So... you might want to read more closely. As the aforementioned Savage, I can assure you that I am not a company spokesperson, but rather an academic :-) Brian's article is based on a study we completed looking at how this particular intervention is taking place.

You are correct that none of this is being done through law enforcement. The relevant mechanism is that the card association contracts with acquiring banks stipulate that their boarded merchants may not sell goods that are illegal in their country or that into which they are being sold. The complaints from brand holders represent assertions that such a contract violation is taking place. The card networks investigate with the acquiring bank and, if indeed a violation of their contract terms has taken place, then they can levy the penalties in their contracts. There is nothing extra-legal here in the sense that this is straight up contract enforcement. In principal the card associations could refuse to investigate or enforce a contract violation without the brand holders suing them, but that position seems extreme no? This kind of action happens in countless contexts, from manufacturing to real estate, without any judicial involvement unless one side contests the facts (and even then this would typically be a civil issue and not a criminal one) .

+ - Visa/MC Take fight to Scammers->

An anonymous reader writes: In his latest story, Brian Krebs reports on a collaboration between brand holders and credit card companies to shut down payment processing for rogue online pharmacies, pirate software sellers and fake anti-virus scams. By conducting test purchases, they map out which banks are being used to accept payments for which scams. Writes Krebs, "Following the money trail showed that a majority of the purchases were processed by just 12 banks in a handful of countries, including Azerbaijan, China, Georgia, Latvia, and Mauritius." These results are then fed to Visa and Mastercard who typically shut down the merchant accounts "within one month after a complaint was lodged." If you can't accept payments, you can't make money and without money you can't pay the spammers who advertise your product. This effort is apparently quite effective and has led to much concern by those running such sites. Summing up this position is one rogue pharmacy affiliate who writes on a Russian-speaking underground forum, "IMHO, there is a general sad picture, fucking Visa is burning us with napalm.”
Link to Original Source

Comment: Hmmm... sounds familiar (Score 5, Informative) 216 216

Seems like this was demonstrated four years ago, no?

Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.
D. Halperin, T.S. Heydt-Benjamin, B. Ransford, S.S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W.H. Maisel.
IEEE Symposium on Security and Privacy, May 18-21, 2008.

See: http://www.secure-medicine.org/icd-study/icd-study.pdf

Comment: Why is this needed? (Score 5, Insightful) 199 199

I truly don't get this. If an organization requires a law to tell it that it shouldn't do this - YOU DON'T WANT TO WORK THERE.

Consider yourself lucky that they demonstrated that right up front in the interview before you spent weeks/months/years there.

Comment: Re:why is the CD player on the same network? (Score 1) 272 272


there is zero possibility to send out a "lock up the breaks" command from the car stereo into the CANBUS unless you rewrite the stereo's firmware first. and that is not gonna happen,

I'd admit it is surprising, but you're wrong on this one. This is in fact one of the things we are able to do.

- Stefan

Comment: Re:Questions answered in this thread... (Score 1) 173 173

What is the connection to Denmark? I cannot find any mention of Denmark or any Danish bank in the study?

I suspect the connection is via DnBNord... the bank in our study was the Latvian branch, but I believe the headquarters are in Copenhagen (although as I recall the whole lot may be owned by DnB NOR in Norway.

Comment: Re:Questions answered in this thread... (Score 2) 173 173

Reprising a previous comment:

While the universe of banks willing to accept high-risk merchants is smaller than the total number of Visa association affiliates it is certainly far larger than three. If you got these three banks out of the game, there would be others to replace them. However, the more important asymmetry here is not in the size of the set, but in the switching time. If a merchant (or their payment processor more likely) starts to route transactions through a new acquiring bank, their identity will be revealed very quickly in any purchase authorization record. By contrast,the time to actually establish that new banking relationship (and get appropriate certificates from Visa, etc) takes days. This is one of those rare cases where the defender is able to respond far more quickly than the attacker.

Comment: Re:Because going to another provider wouldn't occu (Score 1) 173 173

Like they wouldn't go to another provider... much like they do now if they get shut down.

Of course they would. However, th key issue is the cost structure on each side. For us to discover the identify of the new bank being used takes a few minutes (seconds if we had direct access to VisaNet) and negligible cost (I just need to authorize a purchase from the site). There is no technical reason I'm aware of that you couldn't implement an issuer blacklist at similar time scales if you wanted to (I can think of lots of reasons it might not be a good idea to automate this, but the main point is that the time scale is short). Compare that to how much time and cost you think it takes to find a new bank willing to accept high-risk merchants. Its certainly doable, there area number of such banks, but its orders of magnitude more time.

Algebraic symbols are used when you do not know what you are talking about. -- Philippe Schnoebelen