Steal my card, then my ID (and bouncing bear)
- IT TOPICS: Business Intelligence, Government & Regulation, Management, Security
Another scary IT Blogwatch today, in which we uncover the grimy world of credit card fraud and ID theft. Not to mention bear comedy math...
WaPo's Brian Krebs has been lurking in the murky credit card underground:
While public attention has remained fixed on a series of high-profile data losses or database breaches at federal government agencies, large corporations and universities, experts who study financial fraud say hackers increasingly are targeting small, commercial Web sites. In some cases, criminals are able to gain real-time access to the sites' transaction information, allowing them to steal valid credit card numbers and quickly charge large numbers of fraudulent purchases.
Small e-businesses offer fewer total victims, but they often present a softer target, either due to flaws in the software merchants use to process online orders or an over-reliance on outsourced Web site security.
...
Hard data on the number of security breaches at small e-commerce businesses is hard to come by, often because companies are not required to disclose the information publicly, unlike public institutions and large corporations where tougher security standards and notification requirements are in place.
...
Over the course of 10 hours spent monitoring conversations on online fraud forums, [I] found conclusive evidence of four commercial Web sites whose customer databases had been compromised within the past month. None of the businesses was even aware of the compromises before being contacted.
...
The data security problem at Web businesses is big enough that Visa, MasterCard and other major credit-card companies this month demanded tougher security guidelines for all online merchants, new standards that can spell heavy fines if ignored or flouted.
And Krebs has more background on his blog:
I gathered piles of data from talking with nearly two dozen victims whose personal and financial information was posted into the fraud forums. Some of the more colorful material from those interviews was left out of the story, mainly for flow and length reasons. Anyway, several chilling and common threads were clear from the interviews with victims.
First, the initial credit-card theft is only the first step in a larger identity theft scam. Second, far too many sites are compromised each month by hackers and scammers while their owners remain completely oblivious or in denial. Finally, many of the victims of credit-card theft interviewed for this piece said they decided to shop at the sites that lost their data because they were the least-expensive vendor found through bargain shopping sites.
...
Nearly all of the victims contacted for this story reported between $50 and $600 charges made at various sites that sell background checks on consumers ... they allow thieves to build more complete dossiers on victims that further aid in identity theft or add value to the records in case they are re-sold on the black market.
...
Three out of four stored CVV2 numbers ... the three or four digit code printed on the back of all credit cards ... created by the credit issuers as a way to ensure that the person submitting a credit-card number is in fact the person holding the card. The payment card industry standards issued by all credit-card companies emphatically state that this code is to be used for verification purposes only and is under no circumstances supposed to be stored by online merchants. As you might imagine, stolen credit-card records that also include this CVV2 number are far more valuable for data thieves, mainly because most sites these days require the entry of the codes before accepting an order.
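The verification-only rule Krebs describes is easy to state and easy to get wrong in merchant code. As an added illustration (not code from Krebs or from any merchant he interviewed), the Python below separates a constructed order into the one-time authorization payload that carries the full PAN and CVV2 to the processor and the record a merchant may keep afterwards (last four digits, no verification code), and includes an audit pass that flags stored records still holding a CVV2 field or a full Luhn-valid card number. Field names, the sample order and the well-known 4111 1111 1111 1111 test number are constructed assumptions.

```python
from __future__ import annotations
import re

# Hypothetical column names a merchant database might use for the card
# verification code; PCI DSS forbids storing this value after authorization.
FORBIDDEN_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test for a primary account number (PAN)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def split_order(order: dict) -> tuple[dict, dict]:
    """Return (auth_payload, persistable_record).

    The auth payload is sent to the processor once and then discarded; the
    persistable record is all the merchant keeps: truncated PAN, no CVV2."""
    pan = order["pan"].replace(" ", "")
    cvv2 = order["cvv2"]
    if not (PAN_RE.match(pan) and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    if not re.fullmatch(r"\d{3,4}", cvv2):
        raise ValueError("invalid CVV2")
    auth_payload = {"pan": pan, "cvv2": cvv2, "amount": order["amount"]}
    persistable = {"pan_last4": pan[-4:], "amount": order["amount"],
                   "customer": order["customer"]}
    return auth_payload, persistable


def audit_stored_records(records: list[dict]) -> list[tuple[int, str]]:
    """Flag stored records holding a verification code or a full PAN."""
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in FORBIDDEN_KEYS:
                findings.append((idx, f"verification code stored in '{key}'"))
            elif isinstance(value, str):
                digits = value.replace(" ", "")
                if PAN_RE.match(digits) and luhn_ok(digits):
                    findings.append((idx, f"full PAN stored in '{key}'"))
    return findings


# Constructed sample order using a standard Luhn-valid test number.
SAMPLE_ORDER = {"customer": "A. Example", "pan": "4111 1111 1111 1111",
                "cvv2": "123", "amount": 59.99}
```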
I'd hate to have been one of the merchants who got a phone call from Brian Krebs ... Being told that their site's been compromised and that the credit card information they've been collecting is for sale on the Internet has to be a major blow, possibly a killing blow, to their business.
The Payment Card Industry (PCI) Data Security Standards were created to combat this exact sort of situation; but if less than 30% of the Tier 1 merchants, those with 6 million or more credit card transactions a year, have become PCI compliant, who could expect a greater percentage of lower tier merchants to be compliant? The truth of the matter is many of the lower tier merchants have never heard of PCI and are making little or no effort to become compliant.
...
Visa and MasterCard have taken great strides by introducing the PCI requirements but awareness of the program is still spotty and they are sending merchants mixed signals by encouraging the use of the CVV2 data ... I would suggest they change the system so that there's a financial incentive for merchants to become compliant, rather than a penalty for not being compliant. It's obvious to me merchants respond better to incentives they know they'll get than penalties they might some day have to pay.
When discussing security, people tend to focus on big events, like viruses that cause havoc very quickly, or the laptop thefts at the VA. But as we mentioned recently, the real danger is in quiet, slow-moving attacks that can go undetected for a long period of time. It's for this reason that hackers who are in it for money are putting their effort into malware of this variety. And it's also the reason that an increasing number of attackers are quietly attacking small businesses, with fewer potential victims. Swiping mountains of data from a major corporation is likely to raise alarm bells much quicker. Furthermore, small businesses are less likely to have advanced security in place. Some have said that nothing will happen to really fight identity theft until there's a "digital Enron", an event so calamitous that the government and corporations are moved to act. But the reality is just the opposite; there are more and more mini-disasters, and fewer of the type of attacks that might be compared to Enron.
Rich Mogull tries it out for himself:
Brian did a little hunting on some underground IRC channels and witnessed a large amount of stolen personal data being exchanged, then went out and talked with around two dozen victims. One of his more interesting tidbits was that a bunch of the credit card numbers were being used to purchase background checks
...
I decided to pony up and run a check on myself to see how bad these are. My conclusion? We need regulation. Badly. It's yet another case where seemingly innocent pieces of public information have tremendous consequences when aggregated and correlated on the scale of the Information Age. I set just one basic rule: what could I find on one site using nothing more than my name. Some sites let you search on SSN, but since that's supposedly secret (probably not hard to find) I restricted myself to name only.
...
It wasn't all accurate, but it's close enough to get my attention ... probably 70% complete ... more than enough information to track me down, and everything you'd need to start some identity fraud other than my SSN. In times of old all this information was available, but scattered across the written files or proprietary databases of potentially hundreds of agencies and sources. Neighbors, associates, historical phone numbers, local banks and storage facilities weren't the most available pieces of information without some legwork.
...
Don't believe me? Go pay your $40 and see for yourself.
coolgeek: Credit card companies ... forgive charges to your cards all the time. But who pays for it? Does anyone really know? Well, any merchant knows that it is the merchant that pays for fraudulent and otherwise disputed charges. That, plus a $30-35 charge just like a returned check fee.
silas_moeckel: Visa makes money on CC fraud; it's a $35 fee on every chargeback, and the chargeback is for the full amount, not the 2%-ish removed. Visa likes to make everybody think they are being the nice guy and eating the costs, but really they are just fleecing the vendors that are stuck paying the bill or not accepting CC and losing that business.
fahrbot-bot: Some credit cards offer the ability to create virtual cards for specific amounts and defined time periods. The "cards" validate just like the real thing and are linked to your real card, but are only valid for a defined period, amount, or number of transactions.
Buffer overflow:
Around the Net
- Payton Byrd: Gartner + Pointy Haired Types = Worst Nightmare
- Mike Rothman: NetworkWorld All-Stars: Rained Out
- Rossj: Windows DRM cracked. Again.
- Good Morning Silicon Valley: Don't worry, Ann, if the Fifth doesn't work, we can always plead insanity
- Good Morning Silicon Valley: ESPN out of its league in wireless game
- Jacqui Cheng, Ars: Sony issues global li-ion battery recall
- Shayne Nelson: The Operating System That Couldn't
Around Computerworld
- David DeJean: Can the IBM/Lotus Sametime magic strike twice?
- Sound Off: Vista/MacBook Review: What do you think?
- Shark Tank: Oops!
- Douglas Schweitzer: Sophos now has us covered even better!
And finally... Bear_in_tree + trampoline * tranquilizer_gun = ... comedy? [no bears were hurt in the making of this video]
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.