
Takeaways from the $566M BriansClub Breach - QuitterStrip
https://krebsonsecurity.com/2019/10/takeaways-from-the-566m-briansclub-breach/
======
sekasi
Open question; What's the long game on securing the way credit cards work?
Who's working on something interesting that could thwart the whole
'name+number+ccv' leak thing that's been perpetuating in this industry for
decades?

I'm just reaching out for anyone who knows about any grand plans, initiatives
or rehabs of how credit cards currently work. Keen to read more.

~~~
chx
This is a solved problem, really; some banks are just less keen on implementing it:
generate single use / single purpose credit card numbers in your ebank /
mobile app. Leaks are totally useless. Also, more than a decade ago already many
European banks were sending a text SMS above a threshold and only approved on a
positive reply. Today you'd likely offer sending a push notification.

You have 16 digits on a Visa/MasterCard, the first six are the bank identifier
and the last is a checksum digit, thus you have 9 digits to "waste" -- and you
can recycle them.
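
The 16-digit layout chx describes (6-digit bank identifier, 9 account digits, 1 Luhn check digit) is easy to see in code. The following is an added example, not code from the thread or from any bank: it validates the Luhn check digit the way a payment form would, splits a number into those three fields, and masks it to the first six and last four digits (the truncation form PCI DSS allows to be stored). The sample numbers are the publicly documented test numbers, not real cards.

```python
# Added example: Luhn check digit and the BIN / account / check-digit layout
# of a 16-digit card number. Sample inputs are constructed test numbers.


def _digits_only(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111-...' compare equal."""
    return "".join(ch for ch in pan if ch.isdigit())


def luhn_check_digit(partial: str) -> int:
    """Return the check digit that makes `partial` + digit pass the Luhn test.

    Walking from the right, every second digit is doubled, starting with the
    digit that sits immediately left of the (not yet present) check digit.
    """
    total = 0
    for i, ch in enumerate(reversed(_digits_only(partial))):
        d = int(ch)
        if i % 2 == 0:          # doubled positions
            d *= 2
            if d > 9:           # 16 -> 7, i.e. sum the two digits
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest.

    This only catches typos and transposition; it is not a fraud check and
    never proves the number is issued or active.
    """
    digits = _digits_only(pan)
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def split_pan(pan: str) -> dict:
    """Split a 16-digit number into the fields chx describes.

    bin     : first six digits (bank identifier)
    account : the nine digits the bank is free to assign and recycle
    check   : the trailing Luhn check digit
    """
    digits = _digits_only(pan)
    if len(digits) != 16:
        raise ValueError("expected a 16-digit card number")
    if not luhn_valid(digits):
        raise ValueError("check digit does not match")
    return {"bin": digits[:6], "account": digits[6:15], "check": digits[15]}


def mask_pan(pan: str) -> str:
    """Keep first six and last four, the most a merchant may store in the clear."""
    digits = _digits_only(pan)
    if len(digits) != 16:
        raise ValueError("expected a 16-digit card number")
    return digits[:6] + "*" * 6 + digits[-4:]


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"   # documented Visa test number, constructed input
    print(luhn_valid(sample))        # True
    print(split_pan(sample))         # {'bin': '411111', 'account': '111111111', 'check': '1'}
    print(mask_pan(sample))          # 411111******1111
```

`luhn_check_digit` is also what a form can use to tell a mistyped number from a well-formed one before it ever reaches the payment processor; it says nothing about whether the card exists, which is exactly why single-use numbers and bank-side fraud scoring still matter.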

~~~
SaberTail
Bank of America has discontinued their ShopSafe system for single-use credit
cards. Citibank seems to still have their virtual credit card system, but it
requires Flash. Are any banks currently embracing it?

The impression I've gotten is that since most of the costs of fraud are on the
bank, rather than the cardholder, there's not much incentive for the
cardholder to go through the trouble of using single-use cards. And so it's a
better investment for the bank to develop good fraud detection algorithms.

In my anecdotal experience, the fraud detection has gotten really good. Every
time in the past decade that someone's gotten hold of my credit card number,
the bank's caught it nearly immediately.

~~~
SamReidHughes
Also, since they now just text you, they can make the algorithm more
stringent.

I've had BoA fraud detection ping me about a monthly rent check before, so I'm
not sure it's really good.

------
cantrevealname
> _KrebsOnSecurity [has] a link to 26 million credit and debit cards. So far
> the banking sector is [not in a hurry for] re-issuing cards._

Krebs should publish those card numbers to light a fire under the feet of the
bankers to re-issue the cards and get them to demand better security on
merchant terminals or servers or wherever the info came from. Of course he
should publish _only the numbers_ , without the associated names, CVVs, expiry
dates, PINs, or other security info.

I don't think there is a risk in publishing just numbers, is there? The search
space for valid card numbers is _so_ tiny that I find it hard to believe that
anyone could generate a false transaction with _just_ the number and no other
associated info.

Krebs could go a step further and provide a verification site à la
haveibeenpwned.com where you enter your card number, or the last ten digits
or something, and it tells you whether you've been pwned.
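
A haveibeenpwned-style lookup does not need the visitor to hand over the full number. The following is an added example, not anything Krebs or HIBP runs: it uses the same k-anonymity range-query idea HIBP applies to passwords. The client hashes the number, sends only the first five hex characters of the hash, receives every hash suffix in that bucket, and finishes the comparison locally, so the server never sees which number was asked about. The breach set here is constructed from documented test numbers; `BreachIndex`, `PREFIX_LEN` and `client_check` are this example's names.

```python
# Added example: k-anonymity range query for a "has my card number been
# leaked?" service. The breach set below is constructed from public test
# numbers; nothing here is real card data.
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex chars of the hash the client reveals (assumption, same as HIBP)

# Constructed "breach dump" for the demo.
BREACHED_PANS = [
    "4111111111111111",   # documented Visa test number
    "5555555555554444",   # documented Mastercard test number
    "378282246310005",    # documented Amex test number
]


def pan_hash(pan: str) -> str:
    """SHA-256 of the digits only, upper-case hex, so formatting never matters."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hashlib.sha256(digits.encode("ascii")).hexdigest().upper()


class BreachIndex:
    """Server side: hashes bucketed by prefix; it only ever answers prefix queries."""

    def __init__(self, pans):
        self._buckets = defaultdict(set)
        for pan in pans:
            h = pan_hash(pan)
            self._buckets[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])
        self.seen_requests = []  # what the server learns, kept for inspection

    def range_query(self, prefix: str) -> list:
        """Return every suffix in the bucket; reject anything that is not a bare prefix."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
        self.seen_requests.append(prefix)
        return sorted(self._buckets.get(prefix, ()))


def client_check(pan: str, server: BreachIndex) -> bool:
    """Client side: reveal only the prefix, compare the suffix locally."""
    h = pan_hash(pan)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in set(server.range_query(prefix))


if __name__ == "__main__":
    server = BreachIndex(BREACHED_PANS)
    print(client_check("4111 1111 1111 1111", server))  # True
    print(client_check("4242424242424242", server))     # False
    print(server.seen_requests)  # two 5-character prefixes, no card numbers
```

One caveat that does not apply to passwords: with a known six-digit BIN there are only a billion candidate numbers, so an unkeyed SHA-256 of a card number can be reversed by enumeration. The prefix the client sends is still harmless, but the suffix lists the server hands back should be treated as sensitive (rate-limited, not published as a bulk download the way HIBP publishes password hashes).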

------
solotronics
Why don't credit/debit cards use elliptic curve cryptography?

~~~
miohtama
Chip cards (EMV) use crypto - the signing of the transaction happens in the
chip, with an embedded private key.

------
rajacombinator
I find this kind of black hat cybercrime stuff fascinating. If I wanted to
learn more about it (just for learning sake) what would be some good
resources?

~~~
newguy1234
Honestly, join these groups and read what they talk about on the forum. Look
up what the bigger fraud marketplaces are. Go on tor and read stuff in the
dark net markets. All of them more or less talk about methods they're using
and they help each other out. This type of stuff ranges from low level script
kiddie (copy cat) people to high-level hackers that develop their own methods,
search out vulnerabilities and so on.

A good podcast I would recommend is called Darknet Diaries. They have lots of
episodes on cybercrime. Episode 32 specifically talks about carding and how
the secret service took down a guy who acquires the credit card numbers. Most
of it involves putting malware on point of sale machines or hacking companies.

[https://darknetdiaries.com/](https://darknetdiaries.com/)

------
newguy1234
Are these idiots really still using bitcoin for doing shady stuff lol? Bitcoin
can totally be traced. Most people using it are so weak in terms of their
security.

~~~
abstractbarista
This is not looking at the whole picture. The key is, you do not allow your
BTC usage to commingle with your real identity. This means you both buy and
sell stuff solely with BTC. If you want to buy stuff in the "real world" then
you can trade some for Monero or maybe ZCash, and then convert to USD.
(Optionally mix it further in other ways.)

BTC is really "pseudoanonymous" because while you can certainly trace my
transactions if you know a wallet address, you still have no idea who or where
I am as long as I do not reveal that wallet to be connected to any "real
world" identity.

This is still not easy though. For example, if you're serious then you must
only transmit transactions within Tor, otherwise the originating IP may single
you out. Ideally you should use different wallets for each transaction, and
only pool them together after they have each been converted to XMR or similar.

There's lots of gotchas but frankly it's a decent system.

