OT: Another massive credit card theft - VMS

This is a discussion on OT: Another massive credit card theft - VMS ; http://www.physorg.com/news125249255.html In short: Someone hacked into the supermarket chain "Hannaford"'s network and intercepted some 4.2 million card numbers "in transit" to the credit card processing facility. This happened between Dec 7 and March 10. (Not sure how they detected this, ...

+ Reply to Thread
Page 1 of 2 1 2 LastLast
Results 1 to 20 of 26

Thread: OT: Another massive credit card theft

  1. OT: Another massive credit card theft

    http://www.physorg.com/news125249255.html

    In short: Someone hacked into the supermarket chain "Hannaford"'s
    network and intercepted some 4.2 million card numbers "in transit" to
    the credit card processing facility. This happened between Dec 7 and
    March 10.

    (Not sure how they detected this, and they are not revealing where in
    the link the interception occured (speculation is that it was likely on
    an internal link that may not have been encrypted).

    While this was going on, Hannaford succesfully passed some credit card
    processing security audit.


    This even is different in that it didn't involve someone getting access
    to a disk database. They intercepted data on the fly in a network.

  2. Re: OT: Another massive credit card theft

    In article <47e40ce2$0$3914$c3e8da3@news.astraweb.com>, JF Mezei writes:
    >http://www.physorg.com/news125249255.html


    I've had 2 new bank ATM cards issued in the past month because of fraud.
    It turns out that the theft occurred at my pharmacy which I frequent all
    too often. Wanna guess what it is that they use for their PoS systems?


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  3. Re: OT: Another massive credit card theft

    VAXman- @SendSpamHere.ORG wrote:
    > In article <47e40ce2$0$3914$c3e8da3@news.astraweb.com>, JF Mezei writes:
    >> http://www.physorg.com/news125249255.html

    >
    > I've had 2 new bank ATM cards issued in the past month because of fraud.
    > It turns out that the theft occurred at my pharmacy which I frequent all
    > too often. Wanna guess what it is that they use for their PoS systems?
    >
    >


    is that like saying I get 3 guess and the first 2 don't count...

  4. Re: OT: Another massive credit card theft

    In article <47e40ce2$0$3914$c3e8da3@news.astraweb.com>, JF Mezei
    writes:

    A bit off-topic, but here's a question: Why the "fear" when someone has
    stolen credit-card numbers? The credit-card number (even the additional
    3-digit security number on the back) is not secret; anyone from whom one
    has bought anything via credit card knows it. As far as I know, a
    signature is required in order to cause the customer to pay. For
    purchases without a signature (common on the internet), the burden of
    proof is on the person who claims a purchase was made.

    As long as you take a look at your bill and deny things you didn't do,
    there is no danger.

    Or are these thieves just speculating on getting a huge number of
    credit-card numbers and hoping that at least a few of the corresponding
    customers won't check their bills?


  5. Re: OT: Another massive credit card theft

    Phillip Helbig---remove CLOTHES to reply wrote:
    > Or are these thieves just speculating on getting a huge number of
    > credit-card numbers and hoping that at least a few of the corresponding
    > customers won't check their bills?


    By the time a customer has received his bill, the thieves will have
    racked up expenses until the credit card was maxed out. (or the bank
    clued in on the abnormal spending pattern).

    Similar situation with how a bank mails the renewed cards to customers.
    Before the advent of "card not valid before" dates, postal employees
    would often steal the cards in the system and use them big time. They
    had the card and address as well as credit limit of the cardholder in
    the letter. The legitimate cardholder would not complain because he/she
    still had his old and still valid credit card.

    In Canada, banks worked with Canada Post to reduce this to a minimum and
    several "gangs" were caught. (turns out that a lot of "never received"
    cards that were fraudulently used passed though a particular postal
    sorting station. (those stats date bad from the late 1980s and were done
    on an all mighty microvax II).

    Also remember that there are store owners/employees who collude with the
    thieves. (This was extremely common at gas stations before the advent of
    POS terminals authorizing all transactions). Essentially, a "friend"
    walks in to buy a stereo with a solen credit card. The colluding
    employees passes the transaction through, gets authorization. Then the
    "friend" decides to return the stereo for a refund. The store refunds
    the purchase of the stereo in cash, minus a "restocking fee" which the
    store (and/or colluding employee keeps in their pocket).

    When you get attacked on the street, it is very simple, you call and
    cancel your cards right away and the thieves have only perhaps 30
    minutes to shop with it. Those cards do not have much resale value. But
    cards which are obtained without the cardholder noticing it have a lot
    of value because you can use them for a number of days before either the
    bank or the cardholder notices it.

    (Banks now have some software that checks current purchases your normal
    spending patterns/locations and will flag a suspicious transaction).

    If you've never used a credit card in a payphone, expect to get a phone
    call if the card is ever used in a payphone on a saturday morning. (when
    counterfeit cards are usually tested for validity).

  6. Re: OT: Another massive credit card theft

    In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:
    >In article <47e40ce2$0$3914$c3e8da3@news.astraweb.com>, JF Mezei
    > writes:
    >
    >A bit off-topic, but here's a question: Why the "fear" when someone has
    >stolen credit-card numbers? The credit-card number (even the additional
    >3-digit security number on the back) is not secret; anyone from whom one
    >has bought anything via credit card knows it. As far as I know, a
    >signature is required in order to cause the customer to pay. For
    >purchases without a signature (common on the internet), the burden of
    >proof is on the person who claims a purchase was made.


    You've obviously not been a victim of credit card fraud. It doesn't matter
    if there is a signature or even if it's a legitimate signature. Hell, even
    the US Courts system permits fraudulent *signed* documents (aka, forged) to
    be submitted into evidence. The burden is then thrust upon the _victim_ of
    the fraudulent signature prove that the signature invalid. The credit card
    companies, in this regard, are better than the US courts.



    >As long as you take a look at your bill and deny things you didn't do,
    >there is no danger.


    The credit card companies would have you believe that. It's not that easy.
    The victim often winds up having to pay for the fraud. I'm now paying off
    a mortgage on my previously owned outright properly because of such fraud.



    >Or are these thieves just speculating on getting a huge number of
    >credit-card numbers and hoping that at least a few of the corresponding
    >customers won't check their bills?


    All they need is the number. The card they're using might even be a valid
    card. I've watched this in action. Nobody checks once they've swiped the
    card's magnetic stripe to see if the number charged at the PoS matches the
    number on the card. This is how much of this fraud is perpetrated. Your
    number is written on the magnetic stripe. The fraudster then goes into a
    merchant to make a purchase. The card is swiped for an approval, assuming
    the number has not yet been reported stolen, and then the fraudster scrawls
    a scribble on the receipt. They walk away with the merchant's merchandise
    and the real card number holder gets the bill.

    The pattern is that the fraudulent card is usually used for a small, incon-
    sequential purchase prior to some large purchase. A recent fraud against
    my account was a small purchase at a Dunkin Donuts in Miami, Fl. This way,
    the fraudster verifies if the card is functioning. Usually, they can tell
    as such places are trying to move customers through quickly. If their pur-
    chase does not complete, and quickly, the fraudster simply bolts from the
    merchant. If the sale does succeed, it's a sure bet that there'll be some
    significant purchase(s) made very soon thereafter.

    In my recent case, my card number was stolen from the miniscule-n-flaccid
    weendoze based PoS at my pharmacy twice within a month -- along with many
    other numbers of this pharmacy's patrons. I've pissed way a good week of
    my life filling out the affidavits and talking with the fraud department
    of my bank -- both on the phone and in person at the branch -- because of
    this fraud. Do the credit card companies really care? No. They write it
    off, or invalidate the fraud claim and the account holder is left paying.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  7. Re: OT: Another massive credit card theft

    VAXman- @SendSpamHere.ORG wrote:

    > You've obviously not been a victim of credit card fraud. It doesn't matter
    > if there is a signature or even if it's a legitimate signature...


    In Sweden, if I claim I havn't done a particular purchase on my
    CC-bill, it's up to the CC company (and/or my bank) to prove I did.

    What they need is a receipt with my signature on, or something
    similar.

    Jan-Erik.

  8. Re: OT: Another massive credit card theft

    JF Mezei wrote:
    > Phillip Helbig---remove CLOTHES to reply wrote:
    >> Or are these thieves just speculating on getting a huge number of
    >> credit-card numbers and hoping that at least a few of the
    >> corresponding customers won't check their bills?

    >
    > By the time a customer has received his bill, the thieves will have
    > racked up expenses until the credit card was maxed out. (or the bank
    > clued in on the abnormal spending pattern).
    >
    > Similar situation with how a bank mails the renewed cards to
    > customers. Before the advent of "card not valid before" dates,
    > postal employees would often steal the cards in the system and use
    > them big time. They had the card and address as well as credit limit
    > of the cardholder in the letter. The legitimate cardholder would not
    > complain because he/she still had his old and still valid credit card.
    >
    > In Canada, banks worked with Canada Post to reduce this to a minimum
    > and several "gangs" were caught. (turns out that a lot of "never
    > received" cards that were fraudulently used passed though a
    > particular postal sorting station. (those stats date bad from the
    > late 1980s and were done on an all mighty microvax II).
    >


    About 5 years ago my Amex card went missing in the post. I did not even
    notice it had expired, and therefore did not know it was missing until a
    charge for items purchased in Schaumberg Il. appeared on my statement
    According to Amex fraud department, the card was presented at the
    establishment. Anyway, I was somewhere in Europe at the time and I left the
    matter with Amex to sort out.

    Stealing cards is big business.

    Dweeb
    > Also remember that there are store owners/employees who collude with
    > the thieves. (This was extremely common at gas stations before the
    > advent of POS terminals authorizing all transactions). Essentially, a
    > "friend" walks in to buy a stereo with a solen credit card. The
    > colluding employees passes the transaction through, gets
    > authorization. Then the "friend" decides to return the stereo for a
    > refund. The store refunds the purchase of the stereo in cash, minus a
    > "restocking fee" which the store (and/or colluding employee keeps in
    > their pocket).
    >
    > When you get attacked on the street, it is very simple, you call and
    > cancel your cards right away and the thieves have only perhaps 30
    > minutes to shop with it. Those cards do not have much resale value.
    > But cards which are obtained without the cardholder noticing it have
    > a lot of value because you can use them for a number of days before
    > either the bank or the cardholder notices it.
    >
    > (Banks now have some software that checks current purchases your
    > normal spending patterns/locations and will flag a suspicious
    > transaction).
    >
    > If you've never used a credit card in a payphone, expect to get a
    > phone call if the card is ever used in a payphone on a saturday
    > morning. (when counterfeit cards are usually tested for validity).




  9. Re: OT: Another massive credit card theft

    CyberCityNews wrote:
    > JF Mezei wrote:
    >
    >>Phillip Helbig---remove CLOTHES to reply wrote:
    >>
    >>>Or are these thieves just speculating on getting a huge number of
    >>>credit-card numbers and hoping that at least a few of the
    >>>corresponding customers won't check their bills?

    >>
    >>By the time a customer has received his bill, the thieves will have
    >>racked up expenses until the credit card was maxed out. (or the bank
    >>clued in on the abnormal spending pattern).
    >>
    >>Similar situation with how a bank mails the renewed cards to
    >>customers. Before the advent of "card not valid before" dates,
    >>postal employees would often steal the cards in the system and use
    >>them big time. They had the card and address as well as credit limit
    >>of the cardholder in the letter. The legitimate cardholder would not
    >>complain because he/she still had his old and still valid credit card.
    >>
    >>In Canada, banks worked with Canada Post to reduce this to a minimum
    >>and several "gangs" were caught. (turns out that a lot of "never
    >>received" cards that were fraudulently used passed though a
    >>particular postal sorting station. (those stats date bad from the
    >>late 1980s and were done on an all mighty microvax II).
    >>

    >
    >
    > About 5 years ago my Amex card went missing in the post. I did not even
    > notice it had expired, and therefore did not know it was missing until a
    > charge for items purchased in Schaumberg Il. appeared on my statement
    > According to Amex fraud department, the card was presented at the
    > establishment. Anyway, I was somewhere in Europe at the time and I left the
    > matter with Amex to sort out.
    >
    > Stealing cards is big business.
    >


    For the last few years, Amex has been requesting the recipient to call
    from his home phone to activate a new card. I'm not certain of all the
    details but I do recall having to call their 800 number before using the
    new card for the first time. ISTR that Master Card has a similar
    requirement.

    I recall, about six or seven years ago, telling an auditor that my
    employer was storing credit card numbers unencrypted and that I thought
    that doing so was one of those REALLY BAD IDEAS. I never heard anything
    further about it and AFAIK, they are still doing it. Fortunately, it's
    not my problem any more. . . .

    Of course the person who bought the used RZ series disk when the system
    was shut down may have gotten far more than he bargained for. . . . I
    wasn't there any longer and I'm not certain that the Unix guy who took
    over was all that swift about such things. Fortunately it's . . . .



  10. Re: OT: Another massive credit card theft

    Richard B. Gilbert wrote:

    > For the last few years, Amex has been requesting the recipient to call
    > from his home phone to activate a new card.


    For new accounts, this is easy since the account can be "inactive" until
    the legitimate cardholder calls in it activate it.

    For renewalls, this isn't so simple since the card number is already
    active with the legitimate cardholder already using that card number.
    This is where the "not valid before" date becomes important because
    thieves can't start using the card until the old card is invalid at
    which point the legitimate cardholder would have called to complain
    about non reception of the new card.

  11. Re: OT: Another massive credit card theft

    In article <47e6e179$0$5604$607ed4bc@cv.net>, VAXman- @SendSpamHere.ORG
    writes:

    > So you're telling me you could go out tomorrow, purchase a couple of new
    > computers and then call the bank and tell them it was fraud. Why didn't
    > I think of that.


    Yes, you could. However, this would naturally cause the cards to be
    blocked immediately. Also, if it turns out that you were lying, you
    will be liable for the additional costs, as well as face criminal
    charges.


  12. Re: OT: Another massive credit card theft

    "JF Mezei" wrote in message
    news:47e71248$0$28136$c3e8da3@news.astraweb.com...
    > Richard B. Gilbert wrote:
    >
    >> For the last few years, Amex has been requesting the recipient to call
    >> from his home phone to activate a new card.

    >
    > For new accounts, this is easy since the account can be "inactive" until
    > the legitimate cardholder calls in it activate it.
    >
    > For renewalls, this isn't so simple since the card number is already
    > active with the legitimate cardholder already using that card number.


    The card's expiration date is basically part of the number. The card with
    the new expiration date isn't valid until you activate it. If you don't
    call from your home phone, you will need additional identification
    information and may even have to talk to a person. I think they also kill
    your old card when you activate the new one.



  13. Re: OT: Another massive credit card theft

    John Vottero wrote:
    > "JF Mezei" wrote in message
    > news:47e71248$0$28136$c3e8da3@news.astraweb.com...
    >> Richard B. Gilbert wrote:
    >>
    >>> For the last few years, Amex has been requesting the recipient to call
    >>> from his home phone to activate a new card.

    >>
    >> For new accounts, this is easy since the account can be "inactive" until
    >> the legitimate cardholder calls in it activate it.
    >>
    >> For renewalls, this isn't so simple since the card number is already
    >> active with the legitimate cardholder already using that card number.

    >
    > The card's expiration date is basically part of the number. The card
    > with the new expiration date isn't valid until you activate it. If you
    > don't call from your home phone, you will need additional identification
    > information and may even have to talk to a person. I think they also
    > kill your old card when you activate the new one.
    >
    >


    Over here (Sweden) activation of a new card can be done by :

    - Select "activate card" on your internet banking application.
    - Doing a withdraw from an ATM using your new card and your PIN.
    - Doing a purchase in a shop using the new card and your PIN on
    the card-reader (signing a slip isn't enough).

    I *think* you can also call some number and activate it, but
    that seems just too 80's to be used over here...

    (The PIN is still the same as used by the old card.)

    Best Regards,
    Jan-Erik.

  14. Re: OT: Another massive credit card theft

    John Vottero wrote:
    >
    > The card's expiration date is basically part of the number.


    The month is part of the checksum. But the year is only look for
    odd/even. This is how they can renew your card every 2 years and not
    have to change the credit card number.


    > The card with
    > the new expiration date isn't valid until you activate it.



    For electronic POS authorizations, the bank can block the new card if it
    has not yet been activated since the POS terminal sends the expiration
    date and the bank will know that this is the "new" card being used= with
    the new expiration date.

    But for old style mechanical card imprints (they are still used here and
    there, especially during power failures), they just make sure the card
    is valid and they may accept it.


  15. Re: OT: Another massive credit card theft

    In article <47e85dca$0$28123$c3e8da3@news.astraweb.com>, JF Mezei writes:
    >John Vottero wrote:
    >>
    >> The card's expiration date is basically part of the number.

    >
    >The month is part of the checksum. But the year is only look for
    >odd/even. This is how they can renew your card every 2 years and not
    >have to change the credit card number.


    Which card? Not Visa, MC or Amex. I'm pretty sure that Discover is the
    same too. Luhn mod 10. The date is not a part of this.



    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  16. Re: OT: Another massive credit card theft

    VAXman- @SendSpamHere.ORG wrote:

    > Which card? Not Visa, MC or Amex. I'm pretty sure that Discover is the
    > same too. Luhn mod 10. The date is not a part of this.


    Month is part of the checksum, and the year is as far as odd/even of the
    year.

  17. Re: OT: Another massive credit card theft

    In article <47E6F21E.70204@comcast.net>,
    "Richard B. Gilbert" writes:
    >
    > Of course the person who bought the used RZ series disk when the system
    > was shut down may have gotten far more than he bargained for. . . . I
    > wasn't there any longer and I'm not certain that the Unix guy who took
    > over was all that swift about such things. Fortunately it's . . . .


    And other than trying to start a flamewar was there any reason why you
    tie Unix to an incompetent or just plain lazy IT worker ( I won't call
    him a professional)? I have received disks from commercial RSTS, RSX,
    and VMS sites that had not been wiped prior to letting them out the door.
    There is nothing about Unix that would lead to this kind of behaviour.
    And I know of no Windows users savvy enough to clean a disk before just
    chucking it into the skip.

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  18. Re: OT: Another massive credit card theft

    In article <47e8db05$0$23881$c3e8da3@news.astraweb.com>, JF Mezei writes:
    >VAXman- @SendSpamHere.ORG wrote:
    >
    >> Which card? Not Visa, MC or Amex. I'm pretty sure that Discover is the
    >> same too. Luhn mod 10. The date is not a part of this.

    >
    >Month is part of the checksum, and the year is as far as odd/even of the
    >year.


    I've received updated Visa and Amex cards and the account numbers have not
    change when these new cards with new expiry dates have been received.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    "Well my son, life is like a beanstalk, isn't it?"

    http://tmesis.com/drat.html

  19. Re: OT: Another massive credit card theft

    Bill Gunshannon wrote:
    > In article <47E6F21E.70204@comcast.net>,
    > "Richard B. Gilbert" writes:
    >
    >>Of course the person who bought the used RZ series disk when the system
    >>was shut down may have gotten far more than he bargained for. . . . I
    >>wasn't there any longer and I'm not certain that the Unix guy who took
    >>over was all that swift about such things. Fortunately it's . . . .

    >
    >
    > And other than trying to start a flamewar was there any reason why you
    > tie Unix to an incompetent or just plain lazy IT worker ( I won't call
    > him a professional)? I have received disks from commercial RSTS, RSX,
    > and VMS sites that had not been wiped prior to letting them out the door.
    > There is nothing about Unix that would lead to this kind of behaviour.
    > And I know of no Windows users savvy enough to clean a disk before just
    > chucking it into the skip.
    >
    > bill
    >


    I mentioned Unix because the guy who took over was primarily a Unix guy
    who had a little VMS experience. He may not have even looked at that disk.

    I've bought a couple of used disks that had interesting things on them,
    things that probably should have been erased. I learned a bit about
    disk recovery from that.

    I've bought a used computer (Alphastation 500) from a dealer, that had
    Boeing Corporation files on it, including a cute little DCL procedure to
    disable license checking.

    It seems obvious that not everyone is as concientious as they might be
    about clearing proprietary information off disks before disposing of them!


  20. Re: OT: Another massive credit card theft

    VAXman- @SendSpamHere.ORG wrote:

    > I've received updated Visa and Amex cards and the account numbers have not
    > change when these new cards with new expiry dates have been received.


    The expiry MONTH changed without any of the credit card digits changing?
    This would have required changes over the years to a lot of the checksum
    digit checking on all sort sof devices around the world.

+ Reply to Thread
Page 1 of 2 1 2 LastLast