
Comment Re:It's even easier than that (Score 1) 110

Credit card numbers that long aren't necessary. Changing how they are constructed is. Logically speaking the problem can be fixed (hashing etc.) The problem is that the infrastructure that supports it would also have to be changed and that would be a monumental undertaking. Which is why they are trying to avoid it at all costs. You also have the issue that the typical consumer is not going to tolerate an even longer number than they already have.

The unique credit card number solution has been offered by some banks already (e.g. Amex). Many payment terminals are configured to use DUKPT which creates a unique key per transaction (this is enough to take a cash register out of scope for PCI if properly configured).

You may find this interesting:

Even 2FA is broken if it is done via SMS

Comment Re:It's even easier than that (Score 1) 110

Credit card transactions are fairly well documented (I'm a big fan of DUKPT myself and that is decently documented). However the process used to generate the account and CVC2 numbers themselves is obscure and proprietary to each bank. Most banks do not have the expertise or will to properly perform this function. They count on malicious actors not looking too hard at how they do things.

Unfortunately for the banks once you figure out how to generate these numbers you have broken the primary security used to prevent the public at large from using any given key (card no's) against a very public lock (merchant website). 2FA goes a long way to prevent this!!!

Processors, banks and merchants all have the ability to mitigate this risk by putting in additional controls (geo-location, address, shopping patterns etc.) These all help reduce the risk of a given transaction. However they must balance out approving most (probably legitimate) transactions against an acceptable level of fraud. They must also balance out the overhead involved in reviewing and approving transactions.

The result is the continued use of a system that is fundamentally broken. You will see this type of fraud increase significantly until the whole system is re-engineered.

Comment Re: It's even easier than that (Score 1) 110

Every company chooses their own method of generation for this code. Some vendors use weak encryption, some might use strong encryption, some don't use encryption at all, and some issue the codes in batches. It really all comes down to the company, their risk policies and their expertise. That's why large card dumps are risky, they provide material that can be used to look for patterns. It's a bit scary how many companies have told me they secure their product with base64.

Comment It's even easier than that (Score 5, Insightful) 110

This is a good opportunity to talk about why security through obscurity is bad:

Your typical credit card number has a theoretical 16 digits that are available. That's a huge number (9,999,999,999,999,999) that makes it look effectively impossible to guess. Let's pare that number down to size.

First, you aren't guessing anywhere near 16 digits. It turns out there's a lot you already know (1st digit is 4 for Visa, 5 for Mastercard etc.). That reduces the typical address space from 16 to 15 digits. That first number turns out to actually just be part of the bank identification number which is typically 6 digits long. All of the rest of it except for the last digit is the actual account number. The last number itself is used for a checksum (Luhn) that is used to verify the number is good.

In other words to get the account number right you've only got an address space of 999,999,999. That's a significant reduction in magnitude to start with. Now let's go back to that Luhn checksum (it isn't a hash). Due to this detail you can easily validate the number to make sure that you haven't mistyped it (Luhn precedes using magnetic tape for credit cards).

The Luhn check uses a Mod 10 algorithm that excludes 90% of the previous address space. You now have 99,999,999 numbers to guess against. Your malicious actor isn't starting work in a quadrillion space number, they're working in the millions. All of that is just from the industry standards themselves. Now remember that each bank is going to have their own formulas for generating credit card numbers and that card thieves have data sets of the tens of millions - old dumps are good for providing data that can show patterns. This is a good example of how data at the aggregate level carries risk that it doesn't at the micro level.

Chances are the account number for the card itself isn't at all random. Chances are really good that the formulas used to generate these numbers for a number of large popular banks have been reverse engineered by any number of parties. You also have policies at many banks such as never reusing a number that also reduce this address space. All the malicious actor has to do is look for patterns. Patterns have a way of reducing the order of magnitude once you learn them.

The expiration dates themselves are typically within 2 years giving a range of only 24 to pick from for the typical transaction. Guess a valid account number, try it at 24 websites and chances are really good one of them will work. That leaves the CVC2 number itself, which of course isn't random either.

The system is broken, it's just a matter of time before industry must recalibrate how it works.

More below for those who are curious:
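An added illustration of the Luhn point made in the comment above (example code written for this page, not the commenter's): the last digit is fully determined by the digits before it, so Luhn is a checksum that cuts the candidate space by exactly a factor of 10 and gives no cryptographic protection. The prefix `123456` is a constructed, non-issued value.

```python
"""Luhn checksum worked example (added illustration, not from the original comment)."""


def luhn_check_digit(partial: str) -> int:
    """Return the digit that makes partial + digit pass the Luhn test."""
    total = 0
    # Walk right to left over the partial number; the digit immediately left of
    # the (missing) check digit is doubled, as is every second digit after it.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the full number (including its last digit) passes Luhn."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def count_luhn_valid(prefix: str, free_digits: int) -> int:
    """Count how many of the 10**free_digits completions of prefix pass Luhn.

    Because the check digit is a function of the preceding digits, exactly one
    in ten completions is valid: the checksum removes 90% of the space.
    """
    return sum(
        luhn_valid(prefix + str(n).zfill(free_digits))
        for n in range(10 ** free_digits)
    )


if __name__ == "__main__":
    # Classic textbook example: 7992739871 takes check digit 3.
    print(luhn_check_digit("7992739871"))   # 3
    print(luhn_valid("79927398713"))        # True
    # Constructed prefix, 3 free digits: 1000 candidates, 100 pass Luhn.
    print(count_luhn_valid("123456", 3))    # 100
```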

Comment Trolls and jesters (Score 4, Interesting) 369

Al Gore once titled a movie of his "an inconvenient truth". The premise being that the truth isn't always convenient, pretty or profitable. It's an argument that was widely embraced by the left when it was in their favor. Now that it is against their favor it is condemned (flashbacks of wikileaks anyone?).

Milo has previously stated that in today's society only trolls are allowed to speak the truth. This position used to be taken by the court jester or fool, the one person who could speak freely, to say what no one else dared. In today's society sites like 4chan have become the fool, saying what no one else dares.

4chan or its replacement will always exist because history has always demanded that the truth be told, no matter how politically incorrect it is.

Comment Yiip Yap (Score 3, Interesting) 129

It seems every time someone discovers how to do an old thing on a new medium, it makes news. Put missiles on a drone, bully someone online, use a new technology to commit a heinous crime? All of these things received widespread news coverage, when they are really nothing more than pencils with erasers:

In reality these are human nature stories, not technology stories. There is nothing new here, just the combination of things that have already been invented. I want to hear about innovation and invention, not pencil erasers. This is a technology site and should be better than this.

Comment Risk? (Score 5, Insightful) 367

We already have inequality in our DNA, and not just the *ist kind. Some people are inherently susceptible or resistant to certain diseases, more likely to live longer and so on. The very nature of DNA is to be unequal and provide genetic diversity. Species that lack enough diversity in their DNA have a habit of going extinct.

Parents will decide to look out for the best interest of their child and enhance their child's opportunities in life. The body can and will be hacked, get over it.

Comment Prevent? (Score 4, Interesting) 138

That train left years ago. He's delusional if he thinks a race is even an option. The US is years behind and isn't even in the running. Hell, we've just started to realize this is something we ought to /start/ training professionals for. We've still got people trying to outlaw security tools.

We're years behind the competition, where professionals have been getting trained and put to work for many years. We're just getting to the point of having courses in hacking, never mind college degree based level training. How the hell are we going to enter a race when only a handful of three letter agencies even have professional hackers in their employ? This isn't the kind of thing you're going to call up your local friendly pen-test company for. You can't win a race you refuse to enter.

Comment Re: I beg to differ (Score 2) 138

That's nonsense. Immigrants have always been subject to inspections and requirements to fit societal standards. Storekeepers and others also freely practiced discrimination (Jews, Irish, Germans, Asians, etc.).

I'm not saying I agree or disagree with either side on this debate. I'm saying that the setting of standards and rejecting immigrants who fail to meet those standards is well established in American history (sometimes with tragic consequences).
