For Visa it was 835ms for valid, 762ms for dummy, prefix and check digit appear to be checked client side.
Or more likely "someone will notice, eventually"
Also in infosec: what is old is new. We still find shitty comparison routines (timing attacks) and SQL injection... some day :)
If the rand function produces uniform random numbers, then with enough samples the signal comes out on top of the noise.
If it is non-uniform, then with enough samples you can determine the non-uniformity, and you are at square 1 again.
Use proper security instead of obscurity.
And it's not a thing anyone has a legitimate interest in submitting more than that per second.
I.e. the padding to add is (5 - duration_of_operation) with duration of operation being far lower than 5 s.
What would be a proper first step to harden API for timing attacks?
An easy mitigation would be to just drop the card number into a queue and process asynchronously without waiting and returning to the user.
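The two points made above (an early-exit comparison leaks how much of a guess was right, and averaging over enough samples pulls that signal out of random padding) can be shown side by side with a constant-time comparison and the "pad every response up to a fixed floor" mitigation. This is an added example, not code from the thread or from Visa; the card number, the 0.05 s floor and the function names are constructed for illustration. Instead of wall-clock time, `leaky_compare` reports how many bytes it examined before giving up, which is the quantity a real attacker would be recovering from response times.

```python
import hmac
import time

# Constructed sample secret: a Luhn-valid test number commonly used in docs, not a real card.
SECRET_CARD = "4111111111111111"


def leaky_compare(candidate: str, secret: str) -> tuple[bool, int]:
    """Byte-by-byte comparison that returns at the first mismatch.

    Returns (equal, bytes_examined). bytes_examined stands in for the
    response time: it grows with the length of the correctly guessed
    prefix, so averaging many measurements lets an attacker confirm one
    digit at a time instead of brute-forcing the whole number.
    """
    if len(candidate) != len(secret):
        return False, 0
    examined = 0
    for x, y in zip(candidate, secret):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(candidate: str, secret: str) -> bool:
    """hmac.compare_digest takes the same time wherever the inputs differ."""
    return hmac.compare_digest(candidate.encode(), secret.encode())


def padded_lookup(candidate: str, floor_seconds: float = 0.05) -> bool:
    """Hold the response until floor_seconds have elapsed.

    padding = floor - duration_of_operation (the approach described in the
    thread, with 0.05 s here instead of 5 s). As long as the operation is
    always faster than the floor, elapsed time carries no information about
    the candidate. Unlike random jitter, this does not average away.
    """
    start = time.perf_counter()
    result = constant_time_compare(candidate, SECRET_CARD)
    elapsed = time.perf_counter() - start
    if elapsed < floor_seconds:
        time.sleep(floor_seconds - elapsed)
    return result


def measure(fn, candidate: str) -> float:
    """Wall-clock seconds for one call, as an attacker would observe it."""
    start = time.perf_counter()
    fn(candidate)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Wrong second digit: exits after 2 bytes. Wrong last digit: 16 bytes.
    print(leaky_compare("4000000000000002", SECRET_CARD))  # (False, 2)
    print(leaky_compare("4111111111111112", SECRET_CARD))  # (False, 16)
    print(constant_time_compare("4111111111111112", SECRET_CARD))  # False
    print(round(measure(padded_lookup, "0000000000000000"), 3))  # >= 0.05
```

The padding only works if the floor is chosen above the slowest legitimate path; if the lookup ever exceeds it, the overrun is visible again. The asynchronous-queue approach mentioned above removes the dependency entirely, because the HTTP response no longer waits on the lookup at all.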
I used to work at a big bank in the US and the parent's description sounds exactly like how it would work.
Bonus, if they can't separate which exclusions were from legitimate requests and which came from this script, they can't just delete those entries from the database.
Of course, no one should do this...
I think they would probably just declare them all invalid, and roll back to yesterday.
There's some exceptions (tokens etc.), but not relevant to this use case.
The first 6 digits of a card number is called the BIN code. That leaves just 9 digits that have to be spammed.
The fact that BIN lists are publicly available is reducing the space significantly.
An expiration date will get you a bit farther, but you really need the CVV also.
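The arithmetic in the comments above (a public 6-digit BIN plus a predictable check digit leaves 9 free digits) rests on the Luhn algorithm, which is a public checksum and not a secret. The following is an added example, not code from the thread; it assumes a 16-digit number with a 6-digit BIN as the comment states, and the sample numbers are the usual documentation test numbers, not real cards.

```python
def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for the digits preceding it.

    Walking from the right of the payload, every other digit (starting with
    the rightmost) is doubled, with 9 subtracted when the doubling exceeds 9.
    The check digit makes the total a multiple of 10.
    """
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def candidate_space(bin_prefix: str, total_length: int = 16) -> int:
    """Number of Luhn-valid numbers sharing a BIN.

    The BIN is public and the check digit is determined by the other digits,
    so only the account digits in between are free: 10 ** (16 - 6 - 1) for a
    6-digit BIN on a 16-digit number.
    """
    free_digits = total_length - len(bin_prefix) - 1
    if free_digits < 0:
        raise ValueError("BIN longer than the number it prefixes")
    return 10 ** free_digits


if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))   # True
    print(luhn_valid("4111111111111112"))   # False
    print(luhn_check_digit("411111111111111"))  # "1"
    print(candidate_space("411111"))        # 1000000000
```

Note that passing the Luhn check says nothing about whether a card exists or is active; it only shrinks the search space by a factor of ten, which is exactly why the comment above says the expiration date and CVV are what actually matter.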
The net result of submitting all card numbers will not be "oh, well, I guess all card numbers are private now.." it will instead be "clear that table and start over."
Doing otherwise -> access in excess of authority -> CFAA violation
Just because you can easily walk through an unlocked door doesn’t mean doing so is always legal.
Maybe I’m misunderstanding.
It's like lockpicking a door lock. Even if you don't get in, I'm sure it's still a crime.
Who decides? On what criteria? Can you appeal? Are they elected or appointed officials? Who supervises the “list makers”?
Act of DOS could be considered damage, not to even mention opt-out from revenue source...
Wasn't something I mentioned earlier but using the reCAPTCHA audio is also another solution for gcap. I haven't ever used it personally but always seemed like a cool idea.
It’s also very satisfying to know I’m not an unpaid mechanical Turk for google anymore and that it’s a machine solving another machine’s challenge.
Still pretty expensive if you wanted to do every single Valid CC #, though.
This one in particular is simple enough that nearly any technique you wanted to throw at it would succeed with minimal fine tuning. I'd be shocked if it took an afternoon even if you'd never broken a captcha or done any image processing before, and that's without borrowing an off-the-shelf ML solution.
Plus, even if you had a 50% failure rate you'd just need twice as many calls. That's not trivial, but it doesn't really affect the viability of the idea.
> To opt-out from our anonymization of your personal information to perform data analyses, please provide your Mastercard or Maestro payment card number
What we're opting out from is the use of the data, right?
I guess the charitable interpretation is that this was written by somebody incompetent, not by someone trying to be deliberately obfuscatory...
But otherwise it probably comes down to Occam's razor and they had some random corporate web guy half-ass the copy on the website, in which they aren't investing any sort of high-quality resources.
It's easy to mistake poor workmanship or misinformation as some sort of purposeful evasion.
Hell, another scenario is the lawyers gave it a run by and neutered the text in an effort to make it non-liable and no-one decided to make it readable again.
Not that I like defending these monopolies. Just some better understanding of how things like this work IRL over the years.
She's no more qualified than any other Masshole when it comes to dutifully toeing the party line, but she was uniquely qualified to head the CFPB and shouldn't have been passed over for that.
Which is basically all she's done in congress, but as someone who was a republican until they stopped being fiscally conservative and who studied markets and fought for the little guy all her life, who can blame her for being a little tepid on some of the fiscally wilder things that come out of the Bernie/AOC crowd and the jackboot-ier things that come out of the authoritarian neoliberal old guard.
Doesn’t opting out from anonymization mean opting in for PII?
I bet in the mind of a bank exec, it may very well. An amusing point.
There are laws in some countries preventing this, but your point is entirely valid and even makes me wonder about opting out.
Heeeey, wait a minute, is this some banking MILDEC type scenario? Who are you? (j/k)
> Allow apps to ask permission to track you across apps and websites owned by other companies.
I think it could be better stated, but changing it to “allow apps to track you” would not be a setting they could actually offer.
- I entered the number
- Then moved to the front of the input field
- Deleted a char, and re-entered it, because
- an end-of-field char change removes the whole number
Wait a sec, even two seconds, and the number will auto-obscure.
Then it works.
(or JCB? What other weird cards do HN users even have?)
I did manage to find this (https://optout.aboutads.info/?c=3&lang=en) which they claim to honour.
I probably should be purging cookies more often :/
Much of this buying and selling of data within the paid advertising industry hides in plain sight because it goes by so many names - contextual targeting, relevancy data, media enrichment, lead enhancement, blah blah blah...
Go to: https://usa.visa.com/legal/global-privacy-notice/additional-...
Then click on: “Visa Products & Services: How does Visa use personal information to benefit consumers and businesses?”
Then scroll to the bottom of that section and you’ll see the VAS link: ”U.S. cardholders can opt out of Visa using their card transaction data for VAS.” where you can opt out.
iPhones will auto capitalize text in the captcha box, so make sure the text is all lowercase.
I don’t personally like typing my credit cards into websites without making sure it is legit.
Also, does this form really amount to anything other than "we promise we won't spy on you that much?" Are banks audited in this regard, or are they subject to the same non-existent regulations as the Sillycon Valley surveillance?
You can sometimes click the small blue triangle in the corner of an ad (called adchoices) to see how it was targeted.
This means that the audience is 18+ living in USA, but the combination of the targeting plus the optimisation (click and conversion prediction, mostly) means that it seems much more targeted than it is.
Stripe/etc definitely get itemized, but credit cards get less as far as I know.
Lol, I should probably pay more attention to usernames :)
I've worked on the payment processing end, but as I said that was several years ago, as well as on the consumer data end (e.g. using services like Plaid). You could equally be right about what ends up going from Stripe/Braintree/etc to Visa/Mastercard/etc, though comments/links about Level 3 payment data make me think that the itemized level of detail will increase in usage, and also as you say transactional data is certainly bought and sold outside of the payment networks.
This requirement seems very easy to abuse. Annoying and inconveniencing users into submission already works wonders, people accept all kinds of EULAs, cookie conditions and privacy policies. I wouldn't want expiring user choices to become another tool in this arsenal.
It says "Verified by: Cloudflare, Inc." AND Organization is also Cloudflare, Inc.
Shouldn't the Organization be Visa?
How do I know that this is Visa?
Genuinely curious since I've not seen certs like this..
Cardholder agreements for credit cards typically say that you aren’t liable for any fraudulent charges so long as you report them within a couple of billing cycles. I once had my credit card number stolen, called the bank to report it, and they reversed the charge and sent me a new card via FedEx Express. The whole process took less than ten minutes.
What don’t I know? Is it just that when companies emphasise “no credit card information was stolen” in their data breach announcements that this gives a false impression that this data is more important to keep secret, or what?
Otoh, it can be pretty time consuming and annoying to charge back transactions and get a new card. In Switzerland for instance I have to print out a multi page form, fill it in, send it back by physical mail (yup), then my bank follows up after a few weeks and a few more phone calls. And I have to pay a fee to get the card replaced. So yeah the transactions aren’t on me but the hassle and fees are... This was much more straightforward in North America though.
The case where the backend is plaintext HTTP is different because a third party between Cloudflare and Visa could eavesdrop that silently (split fibre can make this utterly seamless for normal network technology) with no permission from either of them.
But in the other three cases either Visa, or Cloudflare, or both would have to agree to let somebody else snoop, which agreement they could make even if this was on-premises at Visa's own facility. That's not a technical problem, that's Visa betrayed you for whatever reason.
Arguably one of the options that would be "considered insecure by browser standards" is actually safer for Cloudflare sites, because you can't attack it from the Web PKI. Cloudflare Origin CA isolates you from such an attack, bad guys would need to attack Cloudflare to get a valid certificate from them, certificates from another CA would not work if it's locked down to Cloudflare Origin CA.
Source: Using CF Enterprise.
Or would they just create a "different" marketing campaign, and just opt everybody into that one?
Or you do it like the EU and make excessive data processing opt-in. (Where by "excessive" I mean something that doesn't fall within recital 47 of GDPR: "legitimate [e.g. marketing] interests of [the company] may provide a legal basis for processing, provided that [users' rights] are not overriding, taking into consideration the reasonable expectations of [users]". It's a grey area where this line is exactly, but Visa can't simply do whatever they want. They have to tell you what data they process, but nobody reads that, and for unexpected (arguably excessive) things they'd have to ask you to opt in.) But I guess that's a little beyond the scope of this comment thread.
Source: That is what everyone did when microsoft turned Do Not Track on by default on IE. That's what you get with "self regulation".
Visa will just say, on their news page: "we updated our terms and condition, if you opted out in the past you must opt out again"
The only winning move against corporations involves NOT giving them your money. Anything else is futile in the current US legal landscape.
Oh, and they will probably work with the FBI to get whoever did that behind bars pretty quick.
Not saying that’s right, just that’s my commentary on the state of things today.
So is the rest of the world not covered by this data collection effort or are they just denied the opportunity to opt out at all?
What is the process requesting from lexis nexis?
as a european I'm totally ok without this support.
marketingreportoptout-visa.com is still available for any scammer to register. It costs Visa (or anyone) less than $200 to register it for 10 years. Can't they at least register these very obvious domains?
How difficult is it to use URLs like this?
A new subdomain for every different "website" is the clean solution in my opinion.
I can’t imagine why /s
Credit score companies (5 years): https://www.optoutprescreen.com/
Spam mail (10 years): https://www.dmachoice.org/
> To opt out permanently: You may begin the permanent Opt-Out process online at www.optoutprescreen.com. To complete your request, you must return the signed Permanent Opt-Out Election form, which will be provided after you initiate your online request.
> Telemarketing [...] Telephone numbers on the registry will only be removed when they are disconnected and reassigned, or when you choose to remove a number from the registry.
Meanwhile, the DMAchoice site says:
> It is not a tool to effectuate rights under any specific law including the California Consumer Privacy Act (CCPA).
So I'm not buying that legally mandated opt-outs come with the annoying expiration dates.
Especially since this means anything you submit will be decrypted by Cloudflare. It may then be transmitted in the clear to whoever runs the backend server that Cloudflare is proxying for.
Thankfully merchants are generally opaque in terms of the metadata provided to the payment processors. I for one am thankful my card statements have "Amazon purchase" instead of the specific item purchased, for instance.
I know staples.com, many hotel chains, and airlines already use this.
I could see companies whose lines of business tend to have higher fraud rates take advantage of providing more data in exchange for cheaper fees.
How do you buy airline tickets that way? How do you purchase things online for delivery during a pandemic?
you can purchase things in cash at Walmart, Target, etc. which has never closed during the pandemic
This has not been true for some time. Ticket counters require payment cards.
I asked about purchasing things online because it's not safe to shop in person at the moment.
Even Amtrak is now not accepting cash anymore:
Looks like the only option left is drive a car and fill up at gas stations which accept cash (for the time being). I'm not super familiar with EV charging stations but I don't think I've seen one that accepts cash, if that's any hint as to where we are headed.
the only way to free yourself from counterparties is to use cash or crypto. no company will help you.
Besides, considering that Visa, Mastercard, etc are all headed toward "data and AI" model, it's not going to matter ultimately. The entire business world is going towards collecting data and selling your data.
Isn't data the "new oil"?
And this was somehow brought to the front page of Hacker News?
This is a very low effort scam. At least put in some effort beyond your dozen shadow accounts on HN.
Although I didn't check to see if they're using OV or EV certs.
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=marketingreportoptout.visa.com
This is set aside in section 184.108.40.206 "Reserved Certificate Policy Identifiers" of the Baseline Requirements, although you could just Google it because OIDs are unique.
Cloudflare, as issuer, have confirmed that Cloudflare, the certificate subscriber, are really Cloudflare, because they're the same entity. That's actually an allowed shortcut, and, I'd argue, one of the most secure possibilities for such validation of business entities.
If you were wondering if this is really Visa that doesn't help you at all. For that you'd best rely on the fact that visa.com is the domain you care about and so logically Visa must have authorised Cloudflare to serve this name.
The predecessor of this site, back in summer, was not on Cloudflare, that too had an OV certificate, but for "Visa International Service Association" in Foster City. I guess somebody decided that letting Cloudflare handle this was cheaper/ easier.
Edited to add: Predecessor's certificate https://crt.sh/?id=3134907318
Ah yes, thanks for pointing that out.
I'm not sure there's a practical distinction between EV and non-EV certs any more anyway. Browsers no longer show any indication of difference, and customers are not likely to inspect certs.
From a risk perspective, it looks like Visa is all-in on Cloudflare for consumer-facing infrastructure:
* Cloudflare terminates visa.com TLS, so it would be easy to swap an origin server without attracting notice, even if the cert was pinned or otherwise monitored
* Cloudflare also operates registered nameservers for visa.com, so they could issue DV certs at will
It looks strange, but it makes some sense. Visa deals with imperfectly-compliant handlers of cardholder data as their business, and they obviously have all sorts of risk modeling built into those relationships.
I'm sure they require Cloudflare to certify to a high level of PCI-DSS, and have carefully-apportioned liability in all of the paperwork.
I believe EV user interface treatment is still a thing in Internet Explorer, and for all I know the Chromium Edge has it too, I never run those browsers. Some minority browsers also distinguish, mostly using the CA/B reserved OID whereas historically Firefox and Chrome had a list of issuer specific policy OIDs flagged.
From the issuer's point of view, the generic EV OID is reserved by that same document for certificates which obeyed the BR rules for how to identify the name, business number (if appropriate) and location of the business, but that is not so different from OV. Private OIDs might correspond to some other (potentially stricter) policy.
There is another CA/B document about EV, but in practice reform has mostly taken place in the BRs and so rules there, or enacted by the trust stores (e.g. Apple's 398 day rule) make most of the provisions of the CA/B EV rules obsolete.
The original goal of EV was to find a mutually satisfactory way to improve on the status quo at that time which was a price free fall for long-lived domain validated certificates using whatever method satisfied the issuer's needs to confirm control over the names issued. The browsers got issuers to do a better job (their main ask) and the issuers got a cool UI (the "green bar") to help sell expensive certificates.
The most important legacy of that was the standing meeting, the CA/Browser Forum, which means there is an ongoing dialog between the CAs and the browser vendors rather than them only talking when there's a grave and urgent problem. It took some work to design a structure that's legal, that gets the job done but isn't a cartel, because cartels are illegal (OPEC is/ was a cartel but its members are sovereign entities, and so they are immune to prosecution for running a cartel)
There's considerable value in being able to get the other participants in an ecosystem to agree (even if begrudgingly) that a policy change is necessary rather than forcing it upon them. Getting to 825 day certificate lifetimes was done by agreement, and not even so very long ago, while 398 day lifetimes was done by Apple's fiat after they struck out in negotiations.
Visa doesn't have to worry about PCI-DSS, unlike a retailer who is going to "stop" Visa from doing stuff that is prohibited by PCI-DSS? Nobody. Like the banks, the networks gave themselves the independent right to decide to just break the rules if they want to. For example if your e-commerce website uses SHA-1 that's a huge No-no right? But if Visa has a system that uses SHA-1 and replacing it to do SHA-256 would cost say $1M, they can decide actually it's fine as it is, they keep the $1M and that's OK under rules they helped write.
And who still has access to receive traffic for the visa.com domain after it hits cloudflare. This is a much higher bar.