This is similar to how dictionaries (before the internet) would post fake entries to discover if competitors were copying them. Or how (some claim) map makers would plant fake places to identify similar copying. In the credit card case though, it wouldn't harm innocent users who may mistakenly think the fake is real.
Your assumption is that these retail companies are storing full credit card information in some large database somewhere; that is not the case at all. Most large retailers only store the full credit card information for seconds while they process the transaction; when the transaction is complete it is discarded.
What the criminals are targeting is the card terminals themselves. Meaning when you swipe your card, as the transaction is being conducted they take a copy of the information and re-transmit it to a host somewhere they control (or to a C&C machine on that network, which they then exfiltrate somehow).
Plus even if you could get your "gotcha" credit cards into the criminal's hands, the chance of law enforcement buying one back is tiny, since the stolen batch is mixed with other cards, and only then a small sub-set is sold (since they verify if the card is still active, and meets other conditions).
My point is, it just won't work with the situation we're dealing with today. Chip & PIN may help reduce retail card theft as it is harder to reproduce a physical card to later use, and internet transactions should require the CSC, which a brick and mortar store won't record (even momentarily).
Seen it at former jobs as a DBA, helped to change that at some, and it's among the top ten list of things to check when I start at a new one.
So instead of storing known gotcha cards in these databases, a likely better solution would be to discontinue the use of these databases.
Most major retailers don't store credit card numbers. The full information never leaves the terminal, and is discarded when the transaction is complete.
PS - Thanks for "Not downvoting" but why would you anyway? Nothing I said contradicts anything you've said. I said large retailers aren't storing CC information. Are you claiming they do? If so, name names.
For example, about two years ago I had a property management company ask me to build out a site to handle rent payments for them. They wanted to store and have access to the full credit card numbers to manually process transactions for failed or late payments. When I told them they were not allowed to do that they terminated the contract with me. I know they went on to hire a developer to build out a site for them and store credit card numbers. While I don't know if they are still doing it, it did happen for an extensive period of time.
At any time, anyone with access to a payment terminal who knew where to look could process transactions manually from these records. They could have double charged and skimmed, done reversals for a cut, or copied and sold customer profiles with CC numbers. These were BSA products marketed to small and medium sized businesses, so no one questioned compliance.
That said, on the flip side, because of things like "Dual Control" the PCI DSS is physically impossible for some small companies to abide by. In the past we dealt with credit cards and had a few audits, and they admitted that many of the points are aimed at companies that don't consist of just two people.
Also, look at it from their POV. In a normal course of business a lot of these mom and pops probably already are storing credit card information on paper and/or in word documents. So you're saying the system you build for them is going to be, in some ways, less useful than their current ad-hoc system.
My mom & pop tax guy emails me my tax return as an encrypted pdf, with the password being... the last 4 digits of my SSN.
On the flip side though, to some extent, I would consider these records safer than a website. At least to gain access to these records you would have to physically enter the building, climb in the attic, sift through hundreds of boxes, gather the info you want, and then leave. This would also require you to be in the general location of the building and have knowledge of the records being there. Hacking a website database from across the globe is a whole lot easier, so I would say that their existing paper system is more secure to a degree.
PCI DSS is largely a marketing ploy, and a way for them to shift liability from banks and the network to the merchants.
As a security standard PCI DSS is terrible
Further, storing card numbers is not a violation of PCI-DSS; it would be impossible for them to require that, as recurring billing, auto-pay, etc. have a requirement for the PAN to be stored.
Look at Amazon, it stores my card number, in full, so I can check out without having to reenter it every time.
Either way, they did take PCI DSS seriously, and passed audits: dual control requirements for keys and all that. Still, accounting could print reports with many credit card numbers, although it was all logged and relatively well tracked.
I have not worked in a lot of big retailers though, but I have seen others that featured searching for a missing receipt by credit card number, or refunds to the original CC way past the window where a processor can just reverse a charge. There are also online retailers, which definitely remember your credit card number. So I suspect there are plenty of retailers that at least have historically kept CC numbers; whether they were PCI compliant or not is another matter entirely.
I haven't read Brian's post though because I'm getting 503 errors atm.
Anywho, just going to engage in some half-assed napkin-math to explore the idea:
Card numbers: 6 digits for institution and 9 for the customer and 1 for checksum. Let's assume merely 20 big issuers "worth attacking". The possibility-space to search is then (20 * 9^10), or ~70 million.
Suppose that--by design--it takes 2 seconds to compute the hash. Covering the whole range would take ~4420 years. That's... not a very comforting margin.
Perhaps you could hash the credit-card along with the year-month in which the purchase occurred, but attackers probably aren't interested in >12 month old cards, so that's only a small 12x slowdown there.
Beyond that, most things display first four & last four, so you can probably assume they have that too.
Yes, I agree. Even two seconds of waiting for your search is a little on the high side, UI-wise.
> Beyond that, most things display first four & last four
My impression is that "only last four" is the most-common.
It might be a different story if the system required users to also enter in data like the exact customer first/last name.
I would much rather engage in some discussion even if their opinion is honestly held than downvote someone I disagree with. If someone is a shill or not listening to reason on the other hand...
Most do just tokenize with a third party processing company though.
I'm a stickler about enforcing data retention (and non-retention) standards where I work. We never store any credit card information. That would be an outrageous liability.
(There are other types of data you can NEVER store (also described in the above document) like the CVV or PIN code, which is perhaps what you meant.)
What I said was:
> What the criminals are targeting is the card terminals themselves. Meaning when you swipe your card, as the transaction is being conducted they take a copy of the information and re-transmit it to a host somewhere they control (or to a C&C machine on that network, which they then exfiltrate somehow).
Which is accurate:
> The apparent credit and debit card breach uncovered last week at Home Depot was aided in part by a new variant of the malicious software program that stole card account data from cash registers at Target last December, according to sources close to the investigation.
So malware was intercepting the raw CC information inside the card terminal on its way to the payment processor upstream. This allowed them to remotely infect every single Target store in the country, and steal information without setting foot there.
As for buying it back, see my comment about LE not needing to make such purchases for this to work. And if the CC companies know about the fake numbers, the process of verifying that the number works would itself inform them of the breach.
Couldn't you work around that by having some device that attaches to a randomly selected POS terminal, and then executes a series of dummy transactions using thousands of "canary cards" that were assigned to the store?
They could perhaps set this up with the credit card companies so any use of the canary cards is automatically flagged when they're used outside of the store that was issued them.
The way it would work is that shops are given honeypot cards and asked to use them weekly for dummy payments. The moment one of these cards shows up anywhere other than the shop it was sent to, you can expect the shop has been hacked.
It is not failsafe and you will have to wait until a batch with this card is stolen before this tells you where.
You wouldn't need law enforcement to buy it. You just need the bank to watch for a transaction on any of these cards that's not from the merchant it was assigned to.
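The bank-side check the canary card comments above describe, written out as an added example that is not code from anyone in this thread. The authorisation log format, the merchant ids and the card numbers are all constructed for illustration; a real deployment would run the same comparison over the issuer's authorisation stream.

```python
import re
from collections import defaultdict

# Assumed mapping, constructed for this example: canary PAN -> merchant it was issued to.
# The PANs are made-up sample values, not real card numbers.
CANARY_ASSIGNMENTS = {
    "4111000000000101": "SHOP-017",
    "4111000000000202": "SHOP-017",
    "4111000000000303": "SHOP-042",
}

# Constructed sample authorisation log (assumed format): timestamp merchant_id pan amount
SAMPLE_AUTH_LOG = """\
2014-09-01T10:02:11Z SHOP-017 4111000000000101 1.00
2014-09-01T10:02:15Z SHOP-017 4111000000000202 1.00
2014-09-01T10:05:00Z SHOP-042 4111000000000303 1.00
2014-09-03T22:41:07Z WEB-8891 4111000000000101 349.99
2014-09-03T22:43:19Z WEB-8891 4111000000000202 120.00
2014-09-04T08:00:00Z SHOP-042 5555000000000404 17.50
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{13,19}) (\d+\.\d{2})$")

def find_canary_hits(log_text, assignments):
    """Return one alert per canary transaction that did not occur at its assigned merchant."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        ts, merchant, pan, amount = m.groups()
        home = assignments.get(pan)
        if home is None or merchant == home:
            continue  # not a canary, or the weekly dummy payment at the shop it belongs to
        alerts.append({"time": ts, "pan": pan, "seen_at": merchant, "assigned_to": home, "amount": amount})
    return alerts

def suspected_breaches(alerts):
    """Group alerts by the shop the canary was issued to; that shop is the likely source of the stolen batch."""
    by_shop = defaultdict(set)
    for a in alerts:
        by_shop[a["assigned_to"]].add(a["pan"])
    return {shop: len(pans) for shop, pans in by_shop.items()}

if __name__ == "__main__":
    hits = find_canary_hits(SAMPLE_AUTH_LOG, CANARY_ASSIGNMENTS)
    for a in hits:
        print(f"ALERT {a['time']}: canary ending {a['pan'][-4:]} assigned to {a['assigned_to']} used at {a['seen_at']}")
    print("suspected breaches (shop -> distinct canaries tripped):", suspected_breaches(hits))
```

Several distinct canaries from the same shop turning up elsewhere is a much stronger signal than one, which is why the second function counts them per assigned shop rather than per transaction.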
The shops would combat this by narrowing the information available about a card pre-purchase.
Here is what a record looks like on Rescator (a popular autoshop for credit cards) pre-purchase:
Imho they are running the standard 'enemy IP' blocklists used by p2p filesharers for many years. Where one sees law enforcement using computers, one must first assume incompetence. In all likelihood he/she was using a machine at a known cop shop (Windows) without any sort of IP masking.
Some cops are highly trained IT specialists, but many investigators are actually just senior traffic enforcers who have been promoted into "technology crime" units. They have training and paper certifications, but lack any deep knowledge re: technology. They make lots of mistakes. Think Flowers by Irene.
They have every incentive to wait until the very end to tip their hand.
For all we know this screen upon checkout is random, and whoever doesn't complain to get their money back is the cop. Most fraud outfits have major customers they deal with or cashout teams they offer specific BINs over chat, the online store is for bottom tier thieves on public sites.
May have flagged him prior, but like the opportunity to take government money.
> Then again, perhaps Rescator’s site simply noticed something amiss when my source funded his account with Bitcoin.
Maybe they walked the transactions back to some well-known funding source for law enforcement/government.
Smart crooks don't break the law. Stupid ones do.
Breaking the law isn't cost effective, and I am not talking about morals, I am saying that the additional overhead involved in covering your tracks and the potential liabilities (years of $0 or negative dollars income, legal fees) doesn't make sense.
Only rarely do you get a legitimately intelligent criminal, and that is often the result of personality issues/emotional problems.
There are plenty of very successful and intelligent criminals that have long, prosperous careers in theft.
Bernie Madoff ran a very successful, very illegal Ponzi scheme until he was nearly 80.
And that's not even to touch on the internet's ability to let you violate the laws of countries you aren't physically in against citizens your government doesn't care about (e.g. Russia to US), and therefore greatly reduce the risk of punishment.
Anyone know why?? Seems like an odd choice.
There is an interesting phenomenon with IMs in that they tend to have popularity based on geographical locations and language borders, despite being on the Internet.
Examples: in Russia ICQ is king. Brazil had ICQ until MSN Messenger showed up; ICQ tried and failed to get it back, gave up, then Microsoft became stupid and closed MSN Messenger, and now the leader is Facebook messaging and WhatsApp. Last I checked, in the US people used AIM and Yahoo clients.
Gmail messenger was a popular second place in many countries until Google killed it in favour of hangouts, now for text people use Facebook and for video they use Skype, that was, and kept their leading position.
In China the thing is Baidu client.
In Africa there are some messenger clients tied to local ISPs and phone companies.
Does law enforcement have any achievements or are they wasting time?
These don't even know to use VPN exit points and not use government IP addresses? Seriously?
The Romanian court handed down [a] suspended sentence