[Dshield] Anti-Phishing

Chris Wright dshield at yaps4u.net
Fri Mar 10 23:03:27 GMT 2006


To back Laura's statement up, a few months back I found 4700 UKP on my credit
card for Betfair Ltd.
This is an online gambling/betting agent site.
Fair play to my Visa card issuer, they refunded me the full amount within 2
hours of my first phone call, and phoned me to let me know what was
happening along the way.

It transpired that Betfair accepted any old credit card number and a future
date, and didn't check name, address or subscribe to any other form of
verification.
They believe (because of the other number of purchases made that same
day/week/month) that a group had used a random credit card number generator
to top up bogus accounts.

My VISA Card issuer made Betfair liable for ALL of the costs involved
because they didn't follow the guidelines for verification of a credit card
transaction.  VISA, as most do, has an API for traders to submit information
to them, on which they at least perform some verification.  Betfair didn't
bother with any of it.

(Apart from the fact that you would think VISA would deny any transaction
from a vendor that doesn't do any verification, but then that would hurt
their business.  They rely on 'you' the card holder to verify your
transactions on your statement.  As 4700 UKP was a large amount, it stood
out.  But what would have happened if they had made 1,000,000 accounts with
just 1 UKP in?  Less chance of a user spotting a small amount.  It also
begged the question of how they got any of their winnings out, if indeed
they did win whilst betting on that site.)  They never found the perps, but
at least I got my money back.

So it is possible to generate valid credit card numbers quite easily if you
are not careful.

Regards

Chris 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Laura Vance
> Sent: 10 March 2006 19:17
> To: General DShield Discussion List
> Subject: Re: [Dshield] Anti-Phishing
> 
> Jon R. Kibler wrote:
> 
> >Greetings All,
> >
> >What if we were able to make life more miserable for 
> phishers? Would it slow them down or discourage them? 
> >
> >Would it be ethical to do so? Legal?
> >
> >A thought along those lines: There are dozens of programs 
> available that will generate 'legitimate' fake credit card 
> numbers, bank account numbers, etc. There are all sorts of 
> ways to generate lists of names. Use these types of programs 
> to create millions of bogus identities. Then flood the 
> phishing site with so much bogus information that it would 
> become a real chore to sort out the legitimate phish caught 
> from the decoys. To accomplish this would be simple:
> >   1) Visit the phish site and determine the information 
> they are collecting.
> >   2) Write a simple shell script to generate the required 
> bogus data in HTTP POST (or whatever method used) format.
> >   3) Have the shell script submit the bogus data (netcat, 
> etc.) to the phish site one bogus identity at a time.
> >
> >A real dumb phisher may even try to use bogus data and that 
> may be the trigger that gets them caught.
> >
> >Just a thought...
> >
> >Jon Kibler
> >  
> >
> 
> The only thing that I would be concerned about is if you 
> randomly generate real credit card numbers.  All they have to 
> do to meet the criteria for a valid card is start with the 
> correct numbers for the type of card and pass the mod-10 
> test.  There are a finite set of numbers that meet those 
> criteria, so the odds that you'll accidentally hit a valid 
> number are higher than you might feel comfortable with.
> 
> When I worked for an online credit card processing company, 
> it amazed me how little information you need to successfully 
> run a credit card transaction.  All you need is the credit 
> card number and any date in the future to use as the 
> expiration date (it does not have to be the real expiration 
> date).  All of the other information is there as a 
> verification, and the merchant gets charged a higher rate if 
> they pass a transaction without it, but the transactions can 
> go through without any personally identifiable information.  
> It's a little scary.  The personal information is needed if 
> they want to steal your identity and get more credit cards in 
> your name.
> 
> The clearing house and cc processor will return special codes 
> if information doesn't match, but they won't deny the 
> transaction without it.  It's up to the Merchant to deny the 
> transaction at that point to prevent the increased 
> transaction fees.  Most legitimate businesses follow the 
> standard and deny the transaction, but in this instance we're 
> talking about people that don't care.
> 
> --
> Thanks,
> Laura Vance
> Systems Engineer
> Winfree Academy Charter Schools
> 
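Laura's point about the mod-10 (Luhn) test is what makes card-like data easy to recognise from the merchant's or defender's side: a number either passes it or it doesn't, and for any given prefix and length exactly one check digit in ten does. The following is an added example, not code from anyone in this thread, that implements the check as a validation and log-scanning helper. The issuer-prefix table is a deliberately small assumed subset (Visa, Mastercard, Amex), and the log lines are constructed for the demonstration; the card numbers in them are the publicly documented gateway test numbers, not real accounts.

```python
"""Luhn (mod-10) validation and card-like data detection (added example)."""
import re
from typing import List, Optional, Tuple

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 test.

    Walking from the rightmost digit, every second digit is doubled and, if
    the result has two digits, those are summed (equivalently, 9 is
    subtracted).  The total of all digits must be divisible by 10.
    """
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Tiny issuer-prefix table (assumption: only these three brands)."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "amex"
    if digits[:2].isdigit() and 51 <= int(digits[:2]) <= 55 and n == 16:
        return "mastercard"
    return None


def find_card_like(text: str) -> List[Tuple[str, str]]:
    """Return (digits, brand) for every token passing both prefix and mod-10.

    This is the merchant-side / DLP-side use of the check: flag values that
    look like a real card number before accepting or logging them.
    """
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = card_brand(digits)
        if brand and luhn_ok(digits):
            hits.append((digits, brand))
    return hits


def count_passing_completions(stem: str, k: int = 2) -> int:
    """Count how many of the 10**k ways to finish `stem` pass Luhn.

    Illustrates Laura's 'finite set' remark: the check digit is fixed by the
    other digits, so exactly one completion in ten passes regardless of stem.
    """
    return sum(luhn_ok(stem + str(i).zfill(k)) for i in range(10 ** k))


# Constructed sample log; the 4111... and 3782... values are the well-known
# public Visa/Amex gateway test numbers.  Line 2 fails Luhn, line 4 has no
# recognised prefix, so only lines 1 and 3 should be flagged.
SAMPLE_LOG = """\
2006-03-10 19:17:02 POST /topup card=4111-1111-1111-1111 exp=12/09 amount=1.00
2006-03-10 19:17:03 POST /topup card=4111111111111112 exp=12/09 amount=1.00
2006-03-10 19:17:04 POST /topup card=378282246310005 exp=01/08 amount=1.00
2006-03-10 19:17:05 GET /help ref=1234567890123
"""

if __name__ == "__main__":
    for digits, brand in find_card_like(SAMPLE_LOG):
        print(f"card-like value ({brand}): {digits[:6]}...{digits[-4:]}")
    print("valid completions of a 14-digit stem out of 100:",
          count_passing_completions("41111111111111", 2))
```

Note that passing `luhn_ok` and the prefix table says nothing about whether an account exists or who holds it; that is exactly the gap the AVS/CVV checks Laura describes are meant to close, and why a merchant that skips them carries the liability.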
