

Computer Crime, Then and Now - willvarfar
http://www.codinghorror.com/blog/2012/09/computer-crime-then-and-now.html

======
stephengillie
From Article: _One of his friends is a 15 year old hacker who goes by the name
of Cosmo; he's the one who discovered the Amazon credit card technique
described above. And what are teenage hackers up to these days?_

Adapted from the Evil Overlord list[1]: _12. One of my advisors will be a
15-year-old hacker. Any flaws in my computer security that he is able to spot
will be corrected before implementation._

These kids should be paid to find and report these security holes, not
arrested. They're producing very valuable information in their boredom.

[1]<http://www.eviloverlord.com/lists/overlord.html>

------
Spooky23
When you think about it, a supermarket authenticates your identity to a higher
standard when you purchase beer more than many of the companies that you do
non-trivial business with. Kind of pathetic.

For a random hacker to compromise your personal security, they need to find
the last four digits of a credit card number that is relatively easy to
derive. That's scary. Much scarier is that a not-so-random hacker with even a
casual personal acquaintance can utterly destroy you.

~~~
moheeb
You know what is really scary... when I lost my Wells Fargo debit card and
requested a replacement, only the last four numbers changed. The same exact
four numbers that are shown on virtually every webpage and purchase order in
the world!

Wouldn't take long to guess those last four if you were the reason I was
getting the new card (i.e. you were in possession of my old card).

------
vhf
I remember having a very good time reading Mitnick's "Art of Deception" ten
years ago.

A very good overview of what social engineering is, its methods, risks and
consequences.

------
presidentender
How about a credit card anonymization service, such that the bank allows you
to generate a virtual 'card number' useful for payments to only one merchant?

~~~
DIVx0
Several (many?) banks do this. I've used citibank's 'virtual account numbers'
in the past when dealing with merchants I did not trust.

~~~
tolos
Seconding citi virtual cards. You can also limit the maximum amount a virtual
card can be charged.

------
lifeisstillgood
Tl;dr use social engineering - computers are not the weak point, people are.

True.

~~~
mouseanon
To me the real story is how powerful the last four digits of your credit card
are and how easily they're attained. Even more shocking is your privacy
basically depends on the least secure online account you own.

Think of how easy it is to write a program like this:

      INPUT:  list of someone's online accounts,
              desired account access
      OUTPUT: step-by-step instructions of numbers to call and forms to fill out
              to obtain desired account access

All you would really need is a small database of the information required to
reset your password and login for a bunch of popular accounts. Your script
just has to connect the dots.

------
EvanAnderson
I agree w/ Mr. Atwood's assessment that people are, have always been, and will
continue to be the weak point.

I strongly disagree w/ his statement that no attackers still attempt frontal
assaults. Thinking that way promotes a dangerous complacency, not unlike the
complacency that I see created after a company spends a large sum to install
some security product. "Now that we have <firewall / security scanner / NIDS /
SIEM / log aggregator / patch management> product we are 'secure'!"

In my work I continue to see Internet-facing machines with shockingly poor
security posture in companies large enough to "know better". Those
vulnerabilities are, of course, still "people problems" at their heart
(sysadmins who end-run good security process, developers who won't allow
patches to be installed, etc.) and they're still out there en masse.

------
brudgers
The first book about Mitnick was _Takedown_. It came out right after he was
caught.

------
tolos
I find this reassuring for my personal projects; I'm not a security expert.
I've been afraid that my VPS was going to be exploited as soon as I started
opening up services to the internet, but so far this has not been the case.
All I've done is install fail2ban and spent a short while reading up on best
practices/config settings before installing services, and everything has
worked out so far ...

~~~
doug11235
How do you know you weren't exploited? You say that you aren't a security
expert.

