ID Thieves Target Smaller Businesses
wiredog writes, "The Washington Post writes about real-time credit-card theft from small merchants (registration required). An accompanying Security Fix blog commentary from Brian Krebs describes '...10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.' Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?" The article and blog commentary also cast doubt on the efficacy of online "hacker testing" services.
First Proust (Score:2, Funny)
And up go the prices! (Score:2, Insightful)
(registration or bugmenot required)? (Score:3, Insightful)
What I would say on this issue, though, and what we should have learnt from AOL, is that it's not just the small companies who either get compromised or make huge mistakes; it seems rather harsh to focus just on the small companies as if they are always bad. The best advice that I think I could give anyone for buying anything online (regardless of who from) would be to use a credit card - then your contract is with the credit card company, so it's their issue if your data gets stolen or you don't get your goods... and they have deep pockets ; )
Re:(registration or bugmenot required)? (Score:4, Interesting)
Re: (Score:1)
My personal favorite is to use a virtual credit card number provided by my bank (but which still bills to my existing account). I can set a dollar and/or time limit on the validity of the number, and the number can only ever be used by a single merchant account. If the number is ever compromised, the thief could only ever use it at the same merchant, and only if I set the maximum value significantly higher than my purchase price.
Virtual credit card... (Score:3, Informative)
Better yet, some credit cards offer the ability to create virtual cards for specific amounts and defined time periods. The "cards" validate just like the real thing and are linked to your real card, but are only valid for a defined period, amount, or number of transactions.
Re: (Score:2)
Re: (Score:1)
Re:(registration or bugmenot required)? (Score:5, Insightful)
This is the most inaccurate idea thrown around about credit card companies. That they have plenty of money and that's how they just forgive various charges on your card when you complain or are defrauded. This is only half true, and that part is that they have plenty of money. Sure, they forgive charges to your cards all the time. But who pays for it? Does anyone really know? Well, any merchant knows that it is the merchant that pays for fraudulent and otherwise disputed charges. That, plus a $30-35 charge just like a returned check fee.
Sure the credit card companies have a clause if you only ship the goods to the billing address, have AVS verification, make sure the CSC matches, AND have a signature required for the delivery, they claim that they will eat the cost and not pass it on to the merchant. Aside from the fact that shipping only to the billing address will cause one to lose business, in actual experience, I have observed multiple instances of credit card companies claiming the signature was forged for one reason or another. The merchant has no recourse. There is no appeal process. The only recourse is to discontinue accepting transactions from a card vendor, or to accept fraud expenses as part of the cost of doing business, and adjust consumer prices accordingly.
And to think the article attempts to paint some shade of altruism on these crooks by saying they make a "donation" to charitable causes to verify the card is useable. These crooks are costing these organizations money for the returned charge fees.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
To lump all merchants together oversimplifies the situation. Retailers who wish to accept credit cards must open a merchant account with a bank, and it is the terms of that merchant account which dictate what happens in cases of fraud and chargebacks. These terms can and do vary from merchant to merchant, which is why some places (Starbucks, Chipotle, etc) can accept credit charges under a given value wi
Nothing wrong with their efficacy... (Score:4, Informative)
Okay, that's a bit of a cheap stab, but it's important to remember that white-hats and black-hats are only separated by the particular direction their careers took them (consider that "security consultant" guy in NZ who narrowly escaped a conviction).
There's no such thing as a completely secure system. A security cracking service for testing your systems is paid to identify weaknesses, but there's no way they could make sure you were completely secure - their motivation is to do a decent job and get paid, which means identifying obvious flaws and telling you how to fix them. They're not going to spend their waking lives figuring out how to breach it.
If a black-hat of a similar caliber really wants to, they'll find a way into your system. It just might take time. Mostly though, they want into the easiest systems they can penetrate, so getting a white-hat in to make their job harder is worthwhile - it's just not a guarantee.
The services suck... I was recruited by scanalert. (Score:2, Interesting)
http://swoolley.org/blog.cgi/scanalert [swoolley.org]
They can't even keep their own site secure.
Hmmm. (Score:5, Interesting)
Say I happen to like this online retailer, and they happen to have good prices. Say they might cut corners on security so they can pass the savings on to me, the consumer. Then also say that in my account with them I offer no social security number and pay with a check card. Furthermore, let's assume that in using my check card I transfer only the money I need to use to the checking account from the savings account (this is done easily online with my bank), thus after using said money anybody who did happen to get my card details won't be finding any money in the account anyway.
So, how exactly am I at risk? I have a bank account that stays at basically zero balance except during the exact moments I intend to use the money. Call it a safety net... I mean this as a serious question. How am I at risk? Looks like I'm the one saving money here.
Re: (Score:3, Interesting)
Re: (Score:2)
And I would think that malicious identity thieves are more hit-and-run, not hang-out-and-wait types. They wouldn't likely continue
Re: (Score:1)
Re: (Score:2)
Luckily my bank is rarely unavailable.
But as one person replied, using a credit card with fraud protection is probably the best method. My problem is I just avoid using credit cards altogether except for emergencies. And even though you have fraud protection on a credit card you are unlikely to get the protection without having to spend a certain amount of time actually communicating with the credit company, something which I find is akin to torture.
Re:Hmmm. (Score:5, Insightful)
Re: (Score:2)
Would definitely defeat the purpose of the safety net idea.
TLF
Re: (Score:2)
How often do you do this? And, are you in the US?
Just recently, after many years of putting it off (I'm 22 now), I ended up switching the custodial savings account I had over to my name. During that process, one of the things they mentioned very specifically is that if you transfer money from savings to checking more than six (I think) times in a month, the account gets closed. This warning is repeated, although somewhat differently, on the online banking funds transfer page: "Federal Regulation D limit
Re: (Score:1)
Personally, I have one credit card that I only use for online transactions. Because it is a credit card, your exposure is limited and you have fraud protections. With a debit card, all of the money you have in your bank is exposed.
Re: (Score:2)
...unless, of course, you do business with one of the better banks. Mine offers excellent, zero-liability fraud protections on my debit card, which leads me to believe that many of the horror stories I've heard could have rather easily been avoided by devoting a relatively negligible amount of time to researching bank policies on things like fraudulent c
Re: (Score:1)
Re: (Score:2)
...which takes about ten minutes, at least with my bank. They put the funds from disputed charges back into the account immediately, and ask questions later.
If, by that, you mean one's entire pile of money, then doing so is roughly equivalent to putting all of your money into your checking account. That would just be silly, and would negate the purpose of a savings account. I like th
e-card (Score:5, Interesting)
Living in Sweden, I am using an "e-card" system offered (for free, as in beer) by my bank for all my online purchases requiring credit card information. I bet this system is available for you yanks as well as in most other industrial countries, but for those of you who are unfamiliar with the concept, here's a description:
* On any online shop, when you've finished stuffing your shopping basket and head for the counter, you chose "credit card" just like you normally would.
* Instead of using your ordinary credit card, you generate a time limited, amount limited virtual credit card. For all intents and purpose, this "electronic Visa" is no different from a regular Visa card.
The advantage is that even if a man-in-the-middle attack intercepts your order, the amount limit would hinder the culprit from stealing any money. And you don't have to worry about the shop losing the database containing your CC number; it's only valid for a month - and doesn't contain any money anyway.
I've used this solution for a few months now, ordering from companies in Sweden and USA, by online order form and phone order. It works like a charm each time - no fuzz.
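The virtual-number scheme this comment describes (and that the earlier virtual-credit-card comments describe from the US side) comes down to three issuer-side checks: a spending cap, an expiry, and a lock to the first merchant that uses the number. The model below is an added example, not code from the thread or from any bank; all card numbers, merchants and amounts are constructed test values, and the exact rules are an assumption about how such an issuer would enforce the limits.

```python
"""Added example, not code from the thread or from any bank: a toy model of
the "e-card" / virtual card number scheme this comment and the earlier
virtual-credit-card comments describe. Each virtual number carries a
spending cap, an expiry and (optionally) a lock to the first merchant
that uses it; the issuer's authorization step enforces those limits, so a
number lifted from a merchant's database buys very little. Card numbers,
merchants and amounts below are constructed test values."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class VirtualCard:
    number: str                      # constructed test value, not a real PAN
    limit: float                     # total the number may ever authorize
    expires: datetime                # every authorization after this fails
    lock_to_merchant: bool           # bind the number to its first merchant?
    spent: float = 0.0
    bound_merchant: Optional[str] = None


class Issuer:
    """Issuer-side state for virtual numbers linked to one real account."""

    def __init__(self, now: datetime):
        self.now = now
        self.cards = {}

    def issue(self, number, limit, days, lock_to_merchant=True):
        card = VirtualCard(number, limit, self.now + timedelta(days=days),
                           lock_to_merchant)
        self.cards[number] = card
        return card

    def authorize(self, number, merchant, amount, when):
        """Return (approved, reason) for one authorization request."""
        card = self.cards.get(number)
        if card is None:
            return False, "unknown number"
        if when > card.expires:
            return False, "expired"
        if card.lock_to_merchant:
            if card.bound_merchant is None:
                card.bound_merchant = merchant      # first use binds the number
            elif card.bound_merchant != merchant:
                return False, "merchant mismatch"
        if card.spent + amount > card.limit:
            return False, "over limit"
        card.spent += amount
        return True, "approved"


def run_demo():
    """Walk through a $9 purchase on a $10 number (the case another commenter
    raises), then replay the leaked number against each of the limits."""
    t0 = datetime(2007, 1, 1)
    issuer = Issuer(t0)
    issuer.issue("4000000000000001", limit=10.00, days=30)
    results = []
    # the cardholder's own purchase at the shop they chose
    results.append(issuer.authorize("4000000000000001", "widgets.example", 9.00, t0 + timedelta(hours=1)))
    # number copied from the shop's database, presented at a different merchant
    results.append(issuer.authorize("4000000000000001", "other-shop.example", 0.50, t0 + timedelta(days=2)))
    # same shop, but beyond the $1 left under the cap
    results.append(issuer.authorize("4000000000000001", "widgets.example", 5.00, t0 + timedelta(days=2)))
    # same shop, within the remaining $1: the residual exposure the cap leaves
    results.append(issuer.authorize("4000000000000001", "widgets.example", 1.00, t0 + timedelta(days=2)))
    # after expiry nothing works at all
    results.append(issuer.authorize("4000000000000001", "widgets.example", 0.01, t0 + timedelta(days=31)))
    return results


if __name__ == "__main__":
    for approved, reason in run_demo():
        print("APPROVED" if approved else "DECLINED", reason)
```

The fourth authorization is the point worth noticing: the merchant lock and the expiry remove almost all of the value of a leaked number, but whatever headroom is left under the cap at the original merchant is still spendable, which is why setting the cap close to the purchase price matters.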
Re: (Score:2)
Re: (Score:2)
Theft of card details may cause you a temporary inconvenience while it is sorted out, but there is no way on earth that you will ever be liable for the losses if someone uses your card to make a fraudulent mail-order/ecommerce transaction - which is all someone can do with the details you gave when making such a transaction.
The victim of mail-order/ecommerce fraud is the merchant (the card companies also
Re: (Score:1)
Re: (Score:3, Insightful)
Now I would love to be able to have ecards they would be perfect if they accepted anything as the billing address (something it took
Re: (Score:1)
Let me guess... since we're talking about the security part, the answer must be the one and only: they are cutting the security cost... Yes! 10 marks for me!
This is the most interesting topic for me to talk about, since I'm now taking a data security and e-business subject... So I know a little bit about e-business and security.
Since I'm still a student, and a student can't have a credit card.
Re: (Score:1)
Re: (Score:1)
This is really basic, but: Keep an eye on your card. You might be rushed, or distracted by your kids, or involved in an interesting little chat with the clerk ;). Whatever. Keep an eye on your card and make sure it goes back in your wallet. My dad typically leaves his wallet on the counter or restaurant table, with his hand on top
cc fraud (Score:5, Interesting)
Re: (Score:1)
Re: (Score:1)
Are you ironic as well?
Re: (Score:2)
Oh, well my CC company would deny that payment quickly because they know that I'd never give to any non-profit. Sometimes it actually pays for the CC to know everything about you. On the other hand if
Re: (Score:1)
Ouch (Score:1)
Disturbing, but it makes complete sense.
Re: (Score:1)
So if I make a purchase for $9 from an online merchant, I put $10 on a temporary card # and if a hacker gets in he/she would have a max of about $1 on that. That puts me in a great position because I don't have to run aroun
Moo (Score:1)
I imagine bricks and mortars once had similar problems. But, they've been around for enough time that security has been improved and common tricks will not usually work on them.
The Internet is still young, and many people are using it who simply do not know what it is about. If attacks like this keep happening, and keep being reported, people will have a better general knowledge, and real-world protection (burglar alarms, security monitoring, etc) will become more common, and slowly bu
Re: (Score:3, Interesting)
Recently I got an IRC (internet relay call for deaf people) about a couple of random items plus 800 smokes. I gave the guy my email address, and thinking it was legit but suspicious we passed one email back and forth and he forked over three credit card numbers just like that. Asked me to split the down payment up between the three. I told him I couldn't do i
Re: (Score:1)
I think the difference is deeper than that (Score:3, Interesting)
Sitting in your parents' basement hacking databases there are layers of obscurity between you and the "scene" of the crime. For a careful hacker, there can be enough layers of indirection that getting caught borders o
Re: (Score:1)
But, I must disagree.
the retailer has to figure out they've been hacked
The brick and mortar retailer also has to figure out they were broken into.
Breaking in to an office, copying sensitive data (even off a local computer) is not always easily detectable.
Don't compare stealing information with stealing objects.
you have to make a mistake that leaves tracks for the authorities to trace
This item is slightly misleading. You mean that the cracker has attempted t
user responsibilities (Score:1)
Re: (Score:1)
Re:Liability (Score:4, Informative)
I had a computer store for 8 years, I learned a lot about credit card companies the hard way. People who just don't want to pay for services can just call and complain to the CC company and voila! - No more charge and I'm out a hundred bucks. I even had a group of scammers calling one fall with stolen CC #'s and purchasing laptops to ship out of state (we are near a military base and the stories they used made sense at the time). I got hit with over $20,000 worth of fraudulent purchases over a couple of months before we got the first inquiry from the CC companies about them and figured out what was going on.
At that point, I quit taking phone orders. Required ID for every purchase from someone I didn't know. Imprinted every card, every time, even though we were doing electronic approvals.
The credit card companies get you coming & going. As a merchant, I had to pay 4% off the top when I did paper filing only. When I went electronic, the rate went to 2.1%. Add that to the interest & fees the consumer pays on any balances they carry. Add the merchant taking the risk for fraudulent purchases.
Where exactly do the CC companies take losses?
Re: (Score:1)
The two reasons listed above are why you should worry about it.
Duh! (Score:2)
Of course they're going after the small fry; small business owners often have only a rudimentary IT capacity, if any at all, more often relying on an outside firm to handle these things. A Fortune 500 company has all sorts of resources to prevent this kind of thing (which begs the question why so many of them still have problems with it), while a small business owner doesn't, and by the time they find out it's a problem, it's so pervasive that it gets expensive to fix.
Re: (Score:1)
Not only Buying places.. (Score:2)
Add: "Don't donate just about anywhere & everywhere" also.
Why is The Washington Post surprised at this? (Score:3, Insightful)
So if I want to steal information, I'm going to go where it is easy to get. It's amazing that it took a study and investigative reporting to "uncover" this whole "conspiracy". Then again, it can apply to brick and mortar stores too, where small businesses can make a dirty habit of tossing credit card signature slips in the trash where an unscrupulous person can make use of them. That's not to say a big chain store wouldn't do that, but they might be less likely to do so. Maybe The Washington Post should investigate that one too?
Nonsense (Score:1)
The word "cheap" may mean small startup businesses, however, and if you are supplying your credit card info directly to Uncle Joe's Hardware and Pottery, then you deserve to get phished.
Re: (Score:1)
Re: (Score:1)
The world doesn't have time for this kind of stupidity. You're wasting our resources, man. Think of the children.
That is why you use virtual credit card numbers (Score:2, Interesting)
Re: (Score:2)
In fact, the only rule even more important than this one (in my book, anyway) is to never use a debit card.
Re: (Score:2)
secure? must be joking.. (Score:1)
One Time Credit Card Numbers :-) (Score:2)
Merchants who store CC data are playing with fire. (Score:2, Informative)
console, and they can deal with all of their transactions.
Need to reprocess the card due to a glitch? Pick up the phone, your customers
will appreciate the personal touch.
Storing card numbers is like stockpiling nukes. A bad accident waiting to happen.
No thanks.
I have enough worries having to maintain a password file for customers who want to have "accoun
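This comment's advice is to keep card numbers out of the merchant's own systems entirely and let the payment gateway hold them. The example below is added here and is not code from the thread or from any gateway: it contrasts an order record that stores the full card number with one that stores only the gateway's transaction reference and the last four digits, and adds a scanner that finds card numbers left in stored data. The scanner uses the Luhn mod-10 check, which the thread does not mention; the gateway reference format and all records and numbers are constructed test values.

```python
"""Added example, not from the thread: what "don't store card numbers"
looks like at the data layer, plus a check for numbers that got stored
anyway. The unsafe record keeps the full PAN; the safe record keeps only
what a merchant needs to reprocess or refund through the gateway. The
Luhn check is a standard card-number checksum and is an added technique,
not something the comment describes. All data below is constructed."""

import re


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unsafe_order_record(order_id, pan, amount):
    # What the comment warns against: the PAN sits in the merchant's own tables.
    return {"order_id": order_id, "card_number": pan, "amount": amount}


def safe_order_record(order_id, pan, amount, gateway_ref):
    # Keep the gateway's reference (assumed format) and a display fragment only;
    # the PAN itself never reaches persistent storage.
    return {"order_id": order_id, "gateway_ref": gateway_ref,
            "card_last4": pan[-4:], "amount": amount}


# 13-19 digits, optionally separated by single spaces or dashes,
# not adjoining other digits on either side
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_stored_pans(text: str):
    """Return distinct digit strings in `text` that look like card numbers
    (13-19 digits passing Luhn). Run this over DB dumps, logs and backups
    to find card data that should not be there."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


# Constructed dump: one order stored the wrong way, one the right way, and
# a long non-card number (a tracking id) that must not be flagged.
SAMPLE_DUMP = (
    "order=1001 card_number=4111 1111 1111 1111 amount=9.00\n"
    "order=1002 gateway_ref=gw_txn_8f3a2c card_last4=1111 amount=19.95\n"
    "order=1003 tracking=1234567890123456789 amount=4.00\n"
)


if __name__ == "__main__":
    print("PANs found in dump:", find_stored_pans(SAMPLE_DUMP))
    print("unsafe record leaks:",
          find_stored_pans(str(unsafe_order_record("1001", "4111111111111111", 9.0))))
    print("safe record leaks:",
          find_stored_pans(str(safe_order_record("1001", "4111111111111111", 9.0, "gw_txn_8f3a2c"))))
```

The scanner is deliberately conservative: a 19-digit tracking number is long enough to match the pattern but fails the checksum, so only the Luhn-valid run in the first order is reported. Running the same scan over the safe record returns nothing, which is the property the comment is after.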
Re:Merchants who store CC data are playing with fir (Score:1)
Re: (Score:2)
So the merchant calls you to tell you that something went squirrely,
and even though they know you purchased a pallet of adult diapers,
an "I'm with stupid ^" t-shirt and three year subscription to
"Soldier of Fortune" magazine, and know the exact time you did your
transaction, and ask you whether you want them to run the tx for you,
or if you want to redo your order, you're going to decide it's phishing?
It's called customer service. You're just not used to
Thieves everywhere...!!! (Score:1)
pay more, get more.. (Score:1)
oh dear pharmers! (Score:1)
"Most of these merchants that get hacked do not have updated versions of the software that runs their business, they're just trying to sell widgets," said Dan Clements, co-founder of CardCops.com.
Graham Paul and Co, for chartered accounts has announced that businesses should forward any enquiries to their appointed tax agent.
Businesses should be made aware that they have no obligation to enter into discussion or correspondence with the Revenue as this is not a formal tax investigation. The Revenue ha
"Security" cuts?!! (Score:1)
Small firms cut corners on security to save money!
It is human nature to take "calculated risks" to save money, which often turn out to be big mistakes, at least in terms of "cutting" back on security. I am personally much more concerned with human nature's tendency not to look further than its own proverbial nose and thus have an overconfidence in their existing security or in the honesty of their potential client base.
Meaning that most of
sniffing.. (Score:1)
Trying to shift the responsibility (Score:2)
MOD PARENT UP (Score:2)
Of course, we have to persuade the Federal legislators they pwn to see it this way and write this into law.
hey.. (Score:1)
IT Arrogance (Score:2)
Here is a reporter contacting you with evidence that data from your website is being trafficked on forums associated with identity theft/credit card trading, and your first instinct is to say it's impossible. With that attitude, no wonder that website didn't have good controls in place.
However, a subsequent manual review by ScanAlert determined that hac
Small business, less security.. (Score:1)
Re: (Score:1)
Re: (Score:1)
Security (btw, someone should really define the term "secure" here, since I don't think any company can offer full security to their clients) in online businesses isn't always measured by the size of the corporation. Big or small, the 'security experts' in said companies must be smart enough to ensure that their system behaves predictably in accordance with its defined purpose (and does nothing else, of course) under any condition at all times. Any company successfull
lesson 2 (Score:1)
ID thieves are going corporate (Score:1)
SAFEty first.. (Score:1)
Knowledge in IT (Score:1)
Personal experience! (Score:1)
The way it is? (Score:1)
Phishing! (Score:1)
Practice good data hygiene. (Score:1)
what can we do! (Score:1)
My story! (Score:1)
What are the impacts of identity theft and fraud? (Score:1)
identity fraud (Score:1)