Avoid becoming a victim of credit card fraud
Dan Larkin, an FBI agent who heads the National Cyber-Forensics & Training Alliance in Pittsburgh, says credit bureaus are not required to notify consumers. "The credit bureaus work on behalf of banks and companies that grant credit," said Ari Schwartz of the Center for Democracy and Technology, a consumer advocacy group in Washington. "They're not set up to be consumer-oriented businesses." And the credit bureaus say they are not in the habit of reaching out to consumers whose private information may have been compromised. "Normally we would not put a fraud alert on a file without a consumer being involved" or initiating it, said Maxine Sweet, a vice president with Experian, one of the three major credit-reporting bureaus. "That's just not something we generally do."
Cyber-Criminals and Their Tools [1] and Photocopiers with disk drives may hang onto sensitive data from documents [2]
International Net-Based Credit Card/Check Card Fraud with Small Charges (last updated in 2000)
"In the US it does not appear to be illegal to sell credit card numbers." This site is dedicated to chronicling this fraud, and to focusing attention on important weaknesses in our banking, credit card, and e-commerce systems. Although I focus on the particular scam I was victimized by, the information here will be of interest to anyone who has been victimized by similar frauds or who wants to see e-commerce succeed.
Motherload of info and Credit Card number Generator
StolenID Search
Enter a social security number or a credit card number to discover whether the number is found in "the world's largest repository of stolen and compromised personal information." The site notes that "individuals only enter credit card numbers and social security numbers. Even under the worst case scenarios, divulging this information alone is highly unlikely to lead to risk of identity theft." From a company that provides anti-identity theft tools.
U.S. authorities can't touch credit card fraud from overseas.
Companies May be selling your Credit Card Numbers
IE allows man-in-the-middle attacks against online banking users 8/02
EMAIL Fraud
You can take orders via email if you accept only encrypted email and provide a company public key for this purpose.
Use PGP to create a public and private key pair, then make your public key available on your web server. Most mail packages today know how to decrypt mail with a private key.
Call your own credit card company and get a unique number to use for your online purchase. It's only good for that one time. This technique may avoid all kinds of problems.
University Databases hacked all over the US
A [name the university] database containing about 270,000 records of past applicants including their names and Social Security numbers was hacked last month, officials said on Tuesday. To find out the latest news on this topic join the NetHappenings Mailing List.
From: Ed Gerck nma.com 7/05
"CardSystems Exposes 40 Million Identities" as a harbinger? Now that we know more about the facts in this recent case, expect more to come.
Yes, public opinion and credit card companies can and will force companies that process credit card data to increase their security.
However, how about the "acceptable risk" concept that underlies the very security procedures of credit card companies themselves and pervades their relationships with their parties? Do As I Say, Not As I Do?
The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not.
In fact, if they would reduce fraud to _zero_ today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.
This is so because of insurance -- up to a certain level, which is well within the operational boundaries of course, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer.
"Acceptable risk" has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.
Thus, the credit card industry has successfully turned fraud into a sale. This is the same attitude reported to me by a car manufacturer representative when I was talking to him about simple techniques to reduce car theft -- to which he said: "A car stolen is a car sold."
In fact, a car stolen will need replacement that will be provided by insurance or by the customer working again to buy another car. While the stolen car continues to generate revenue for the manufacturer in service and parts.
Whenever we see continued fraud, we should be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it. Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale.
Because fraud is a hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit. Which credit ultimately flows from the customer -- just like in car theft.
What is to blame? Not only the twisted ethics behind this attitude but also that traditional security school of thought which focuses on risk, surveillance and insurance as the solution to security problems.
There is no consideration of what trust really would mean in terms of bits and machines[*], no consideration that the insurance model of security cannot scale in Internet volumes and cannot even be ethically justifiable.
"A fraud is a sale" is the only outcome possible from using such a security school of thought. Also sometimes referred to as "acceptable risk" -- acceptable indeed, because it is paid for.
[*] Unless the concept of trust in communication systems is defined in terms of bits and machines, while also making sense for humans, it really cannot be applied to e-commerce. And there are some who use trust as a synonym for authorization. This may work in a network, where a trusted user is a user authorized by management to use some resources. But it does not work across trust boundaries, or in the Internet, with no common reporting point possible.
Identity Theft Turning Point? 7/05
Posted by Dana Blankenhorn
The recent theft of 40 million card numbers at CardSystems Solutions is a turning point in the identity theft wars.
BACK IT UP
Iron Mountain Loses More Tapes July 8, 2005 http://www.informationweek.com/story/showArticle.jhtml?articleID=165701015
City National Bank has become the second company in two months to experience a loss of backup tapes in transit by Iron Mountain Inc. The Los Angeles-based bank disclosed Thursday that two tapes containing sensitive data, including Social Security numbers, account numbers, and other customer information, were lost during transport to a secure storage facility.
The bank said the data was formatted to make the tapes difficult to read without highly specialized skills, but declines to say if they were encrypted. It said there's no evidence that data on the tapes has been compromised or misused.
Iron Mountain said it lost the tapes in April. The tapes were in a small container of backup tapes belonging to a Texas-based Internet services provider that hosts applications for City National and other banks. The incident has been investigated by federal law-enforcement officials and no evidence has been found of identity-theft relating to the loss.
Security war is being lost, says Schneier
http://www.techworld.com/security/news/index.cfm?newsID=6914
By Sumner Lemon 20 September 2006
- Companies are losing the battle to secure their IT systems from attacks by hackers and other threats, influential security expert Bruce Schneier, founder and chief technology officer of Counterpane Internet Security, has warned.
- Where hacking was once considered a profession for hobbyists, a growing number of hackers are now criminals with a profit motive.
- Externalities, an economic term used to describe the effects of one person's actions on another, are central to building effective security. For example, U.S. banks do not spend heavily to defend against identity theft because they are not affected when such theft occurs. To the banks, this is an externality. However, when banks bear liability for a security breach, such as an unauthorised ATM withdrawal, they make the investments necessary to prevent these incidents from taking place, he said.
- The same economic lessons can be applied to software vendors. To improve the security of software, Microsoft and others should be made liable for selling software that is not secure. "When you use buggy software and you lose data, that's your loss and not the software company's loss," Schneier said. That needs to change, according to Schneier. "The organisation that has the capability to mitigate the risk needs to be responsible for the risk," he said.



