For Visa it was 835ms for valid, 762ms for dummy, prefix and check digit appears to be checked client side.
Or more likely "someone will notice, eventually"
Also in infosec: what is old is new. We still find shitty comparison routines (timing attacks) and SQL injection... some day :)
If the rand function produces uniform random numbers, then with enough samples the signal comes out on top of the noise.
If it is non-uniform, then with enough samples you can determine the non-uniformity, and you are at square 1 again.
Use proper security instead of obscurity.
And it's not a thing anyone has a legitimate interest in submitting more than that per second.
I.e. the padding to add is (5 - duration_of_operation) with duration of operation being far lower than 5 s.
What would be a proper first step to harden API for timing attacks?
An easy mitigation would be to just drop the card number into a queue and process asynchronously without waiting and returning to the user.
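As an added example (not code from the thread), the fixed-budget padding described above, plus a constructed simulation of why uniform random jitter does not hide the gap; the 835 ms / 762 ms means are the thread's figures, the 5 s budget is the one mentioned above, and all other values are assumed.

```python
import random
import statistics
import time
from typing import Callable

def with_fixed_latency(handler: Callable[[], object], budget_s: float,
                       clock=time.monotonic, sleep=time.sleep):
    """Run handler, then sleep so the caller always observes budget_s.

    The padding is (budget_s - elapsed), as described above. If the work
    overshoots the budget the overshoot is visible, so the budget must
    exceed the slowest legitimate code path (and overshoot is worth logging).
    """
    start = clock()
    result = handler()
    sleep(max(0.0, budget_s - (clock() - start)))
    return result

def simulated_total(work_s: float, budget_s: float) -> float:
    """Drive with_fixed_latency on a fake clock; returns the visible duration."""
    now = [0.0]                      # fake monotonic clock, in seconds
    def advance(s: float) -> None:
        now[0] += s
    def handler() -> None:
        advance(work_s)              # the handler's own work advances the clock
    start = now[0]
    with_fixed_latency(handler, budget_s, clock=lambda: now[0], sleep=advance)
    return now[0] - start

def simulated_work(is_valid: bool, rng: random.Random) -> float:
    """Constructed backend work time (s); the means are the thread's figures."""
    return (0.835 if is_valid else 0.762) + rng.gauss(0.0, 0.02)

def observed_gap(mitigation: str, samples: int = 2000, seed: int = 7) -> float:
    """Mean latency difference (valid - dummy) visible after a mitigation."""
    rng = random.Random(seed)
    def observe(is_valid: bool) -> float:
        work = simulated_work(is_valid, rng)
        if mitigation == "jitter":    # uniform random padding: averages out
            return work + rng.uniform(0.0, 1.0)
        if mitigation == "deadline":  # pad to a fixed 5 s budget: gap vanishes
            return max(work, 5.0)
        return work                   # no mitigation
    valid = [observe(True) for _ in range(samples)]
    dummy = [observe(False) for _ in range(samples)]
    return statistics.mean(valid) - statistics.mean(dummy)
```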
I used to work at a big bank in the US and the parent's description sounds exactly like how it would work.
Bonus, if they can't separate which exclusions were from legitimate requests and which came from this script, they can't just delete those entries from the database.
Of course, no one should do this...
I think they would probably just declare them all invalid, and roll back to yesterday.
There's some exceptions (tokens etc.), but not relevant to this use case.
The first 6 digits of a card number are called the BIN code. That leaves just 9 digits that have to be spammed.
The fact that BIN lists are publicly available is reducing the space significantly.
An expiration date will get you a bit farther, but you really need the CVV also.
The net result of submitting all card numbers will not be "oh, well, I guess all card numbers are private now.." it will instead be "clear that table and start over."
Doing otherwise -> access in excess of authority -> CFAA violation
Just because you can easily walk through an unlocked door doesn’t mean doing so is always legal.
Maybe I’m misunderstanding.
It's like lockpicking a door lock. Even if you don't get in, I'm sure it's still a crime.
Who decides? On what criteria? Can you appeal? Are they elected or appointed officials? Who supervises the “list makers”?
Act of DOS could be considered damage, not to even mention opt-out from revenue source...
Wasn't something I mentioned earlier but using the reCAPTCHA audio is also another solution for gcap. I haven't ever used it personally but always seemed like a cool idea.
It’s also very satisfying to know I’m not an unpaid mechanical Turk for google anymore and that it’s a machine solving another machine’s challenge.
Still pretty expensive if you wanted to do every single Valid CC #, though.
This one in particular is simple enough that nearly any technique you wanted to throw at it would succeed with minimal fine tuning. I'd be shocked if it took an afternoon even if you'd never broken a captcha or done any image processing before, and that's without borrowing an off-the-shelf ML solution.
Plus, even if you had a 50% failure rate you'd just need twice as many calls. That's not trivial, but it doesn't really affect the viability of the idea.
> To opt-out from our anonymization of your personal information to perform data analyses, please provide your Mastercard or Maestro payment card number
What we're opting out from is the use of the data, right?
I guess the charitable interpretation is that this was written by somebody incompetent, not by someone trying to be deliberately obfuscatory...
But otherwise it probably comes down to Occam's razor and they had some random corporate web guy half-ass the copy on the website, in which they aren't investing any sort of high-quality resources.
It's easy to mistake poor workmanship or misinformation as some sort of purposeful evasion.
Hell, another scenario is the lawyers gave it a run by and neutered the text in an effort to make it non-liable and no-one decided to make it readable again.
Not that I like defending these monopolies. Just some better understanding of how things like this work IRL over the years.
She's no more qualified than any other Masshole when it comes to dutifully toeing the party line, but she was uniquely qualified to head the CFPB and shouldn't have been passed over for that.
Which is basically all she's done in congress, but as someone who was a republican until they stopped being fiscally conservative and who studied markets and fought for the little guy all her life, who can blame her for being a little tepid on some of the fiscally wilder things that come out of the Bernie/AOC crowd and the jackboot-ier things that come out of the authoritarian neoliberal old guard.
Doesn’t opting out from anonymization mean opting in for PII?
I bet in the mind of a bank exec, it may very well. An amusing point.
There are laws in some countries preventing this, but your point is entirely valid and even makes me wonder about opting out.
Heeeey, wait a minute, is this some banking MILDEC type scenario? Who are you? (j/k)
> Allow apps to ask permission to track you across apps and websites owned by other companies.
I think it could be better stated, but changing it to “allow apps to track you” would not be a setting they could actually offer.
- I entered the number
- Then moved to the front of the input field
- Deleted a char, and re-entered it, because
- an end-of-field char change removes the whole number
Wait a sec, even two seconds, and the number will auto-obscure.
Then it works.
(or JCB? What other weird cards do HN users even have?)
I did manage to find this (https://optout.aboutads.info/?c=3&lang=en) which they claim to honour.
I probably should be purging cookies more often :/
Much of this buying and selling of data within the paid advertising industry hides in plain sight because it goes by so many names - contextual targeting, relevancy data, media enrichment, lead enhancement, blah blah blah...
Go to: https://usa.visa.com/legal/global-privacy-notice/additional-...
Then click on: “Visa Products & Services: How does Visa use personal information to benefit consumers and businesses?”
Then scroll to the bottom of that section and you’ll see the VAS link: “U.S. cardholders can opt out of Visa using their card transaction data for VAS.” where you can opt out.
iPhones will auto capitalize text in the captcha box, so make sure the text is all lowercase.
I don’t personally like typing my credit cards into websites without making sure it is legit.
Also, does this form really amount to anything other than "we promise we won't spy on you that much?" Are banks audited in this regard, or are they subject to the same non-existent regulations as the Sillycon Valley surveillance?
You can sometimes click the small blue triangle in the corner of an ad (called adchoices) to see how it was targeted.
This means that the audience is 18+ living in USA, but the combination of the targeting plus the optimisation (click and conversion prediction, mostly) means that it seems much more targeted than it is.
Stripe/etc definitely get itemized, but credit cards get less as far as I know.
Lol, I should probably pay more attention to usernames :)
I've worked on the payment processing end, but as I said that was several years ago, as well as on the consumer data end (e.g. using services like Plaid). You could equally be right about what ends up going from Stripe/Braintree/etc to Visa/Mastercard/etc, though comments/links about Level 3 payment data make me think that the itemized level of detail will increase in usage, and also as you say transactional data is certainly bought and sold outside of the payment networks.
It says "Verified by: Cloudflare, Inc." AND Organization is also Cloudflare, Inc.
Shouldn't the Organization be Visa?
How do I know that this is Visa?
Genuinely curious since I've not seen certs like this..
Cardholder agreements for credit cards typically say that you aren’t liable for any fraudulent charges so long as you report them within a couple of billing cycles. I once had my credit card number stolen, called the bank to report it, and they reversed the charge and sent me a new card via FedEx Express. The whole process took less than ten minutes.
What don’t I know? Is it just that when companies emphasise “no credit card information was stolen” in their data breach announcements that this gives a false impression that this data is more important to keep secret, or what?
Otoh, it can be pretty time consuming and annoying to charge back transactions and get a new card. In Switzerland for instance I have to print out a multi-page form, fill it in, send it back by physical mail (yup), then my bank follows up after a few weeks and a few more phone calls. And I have to pay a fee to get the card replaced. So yeah the transactions aren’t on me but the hassle and fees are... This was much more straightforward in North America though.
The case where the backend is plaintext HTTP is different because a third party between Cloudflare and Visa could eavesdrop that silently (split fibre can make this utterly seamless for normal network technology) with no permission from either of them.
But in the other three cases either Visa, or Cloudflare, or both would have to agree to let somebody else snoop, which agreement they could make even if this was on-premises at Visa's own facility. That's not a technical problem, that's Visa betrayed you for whatever reason.
Arguably one of the options that would be "considered insecure by browser standards" is actually safer for Cloudflare sites, because you can't attack it from the Web PKI. Cloudflare Origin CA isolates you from such an attack, bad guys would need to attack Cloudflare to get a valid certificate from them, certificates from another CA would not work if it's locked down to Cloudflare Origin CA.
Source: Using CF Enterprise.
This requirement seems very easy to abuse. Annoying and inconveniencing users into submission already works wonders, people accept all kinds of EULAs, cookie conditions and privacy policies. I wouldn't want expiring user choices to become another tool in this arsenal.
Or would they just create a "different" marketing campaign, and just opt everybody into that one?
Or you do it like the EU and make excessive data processing opt-in. (Where by "excessive" I mean something that doesn't fall within recital 47 of GDPR: "legitimate [e.g. marketing] interests of [the company] may provide a legal basis for processing, provided that [users' rights] are not overriding, taking into consideration the reasonable expectations of [users]". It's a grey area where this line is exactly, but Visa can't simply do whatever they want. They have to tell you what data they process, but nobody reads that, and for unexpected (arguably excessive) things they'd have to ask you to opt in.) But I guess that's a little beyond the scope of this comment thread.
Source: That is what everyone did when Microsoft turned Do Not Track on by default on IE. That's what you get with "self regulation".
Visa will just say, on their news page: "we updated our terms and conditions, if you opted out in the past you must opt out again"
The only winning move against corporations involves NOT giving them your money. Anything else is futile in the current US legal landscape.
Oh, and they will probably work with the FBI to get whoever did that behind bars pretty quick.
Not saying that’s right, just that’s my commentary on the state of things today.
So is the rest of the world not covered by this data collection effort or are they just denied the opportunity to opt out at all?
What is the process for requesting from LexisNexis?
As a European I'm totally ok without this support.
marketingreportoptout-visa.com is still available for any scammer to register. It costs Visa (or anyone) less than $200 to register it for 10 years. Can't they at least register these very obvious domains?
How difficult is it to use URLs like this?
A new subdomain for every different "website" is the clean solution in my opinion.
I can’t imagine why /s
Credit score companies (5 years): https://www.optoutprescreen.com/
Spam mail (10 years): https://www.dmachoice.org/
> To opt out permanently: You may begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.
> Telemarketing [...] Telephone numbers on the registry will only be removed when they are disconnected and reassigned, or when you choose to remove a number from the registry.
Meanwhile, the DMAchoice site says:
> It is not a tool to effectuate rights under any specific law including the California Consumer Privacy Act (CCPA).
So I'm not buying that legally mandated opt-outs come with the annoying expiration dates.
Especially since this means anything you submit will be decrypted by Cloudflare. It may then be transmitted in the clear to whoever runs the backend server that Cloudflare is proxying for.