> Try to use "Verified-By-Visa" and "Mastercard-Securecode" as rarely as possible. If only your CVV2 code is getting sniffed, you are not liable for any damage, because the code is physically printed and could have been stolen while you paid with your card at a store. Same applies if someone cloned your CC reading the magnetic stripe or sniffing RFID. Only losing your VBV or MCSC password can cause serious trouble.
Does anyone know if this (that using Verified-by-Visa or Mastercard-Securecode removes any payment protection if you get key-logged, etc.) is correct?
If you are purchasing stuff online, I advise using a credit card and CVV. Federal law (in the US) limits your damages to $50 total in the event of Fraud. (Not true of debit cards, or 3DSecure).
You can cancel the "mandatory" VBV page by pressing the back button. At first, the VBV page did have a tiny link that let you opt-out, but it disappeared some time in 2009.
I was quite surprised when I had finally given up and was ready to empty the Newegg shopping cart, only to find the order was accepted when I used the back button to escape VBV.
I don't know how many times now I've gone to an e-commerce site and the stupid Mastercard-Securecode has popped up, or my order has been frozen for verification -- and I immediately go straight to Amazon. Perhaps the real beneficiary here is Amazon. They know my order history and they know when I order a $4000 TV to an address I've been shipping $X amount of stuff to without incident.
With amazon, you get to stab the air bubbles with a knife and wad them up.
Also, reliable ship times are neat.
For in-person transactions, merchants can check your signature against the one on the card or alternatively ask to see a photo ID. The process is there, though it's hardly ever done.
In fact, that is not the purpose of your signature. The purpose is that you are signing a contract and agreeing to pay. It has nothing to do with security or fraud and merchants are not supposed to check signature matches - only that you signed.
A smiley face is a valid signature, as long as it is you and you agree to the credit card contract.
My point in bringing up the signature line on the back of the card is that, while it might not meet your personal standard of effectiveness, it is an example of "a pin at checkout is a good one to reduce fraud. However it is more work for the consumer, and reduces the bank's liability."
Signature verification is an old-fashioned and perhaps imperfect, but nonetheless established, method of security.
If you have ever used traveler's checks, you will know that they also use signature-matching as the method of security/verification.
None of the above is legal advice as IANAL, however I do believe it is correct.
Do you really think a merchant can verify those electronic scribbles on a tiny, crappy pen input device? No. Any mark made by you with the intent to sign is a legal signature.
Read more here:
3DS attempts to create a 'cardholder present' situation, hence the shift of liability.
The idea is that this absolutely crack proof scheme requires you to authenticate yourself to your bank in a fairly complex three way handshake.
In the old (read pre-VBV) days the card companies and issuing banks would saddle the merchants with any charges that were disputed using the chargeback mechanism.
Verified-by-Visa removes this safeguard by adding an additional layer of authentication which supposedly has the same strength as you being on-premise and signing on the dotted line to authorize your purchase. This will effectively remove a lot of the excuses that you might have had such as 'it wasn't me', 'I wasn't there' and 'I never meant to buy this', which were the most common excuses consumers would come up with after using a service for anywhere up to 6 months and then yanking back all 6 months worth of payments and saddling the merchants with the loss of income, pay-outs to affiliates already made and additional charge-back fees on top of that.
So even if the goal was a fairly noble one it looks as though the whole idea is predicated on one tiny little detail, which is that VBV is supposedly hack-proof, but in fact this is highly dependent on both your bank and the security of their implementation. Neither of those are as ironclad as they should be to remove all doubt.
But of course the banks/card companies are not willing to end up holding the bag if there is trouble so it falls to the consumer to prove that they really were not involved in the transaction and that is very hard.
On the positive side in this whole debate: Even if a consumer is defrauded there is always someone who benefits and following the money usually leads to the perp. That's why it is hard to order stuff online with credit cards that were not issued in the country that the person using them is from, that's why it is hard to spend your money on three different continents with the same credit card within a single day and so on.
Lots and lots of money goes into early warning fraud detection (before the fraud happens) and this nips a very large percentage of potential fraud in the bud.
Something very strange I noticed with Verified by Visa and with Mastercard Secure Code is that both sometimes forget that you have already enrolled and make you re-enroll (i.e., answer their weak "security questions", like date of birth, and then choose a password).
It happened once with Verified by Visa and twice with Mastercard Secure Code so far. (No, my card numbers had not changed.)
These systems can't be trusted to even reliably remember my previous password.
Yes. It's the whole point of the system, to remove even more risk from the CC companies and banks, and put it on you.
The worst part is the information required for the "I forgot my password" process is often not terribly hard to get hold of (date of birth, that kind of thing).
The best option at this stage is probably to have a "normal" credit card for everyday use which is specifically NOT VbV enabled, and a special VbV credit card that you keep at home for internet purchases from companies that require it. Or just don't buy from those companies.
Transaction fees are not the problem; putting a stop to consumer fraud and charge-backs is the net win for the merchant.
In my case not activating Secure By Visa let me proceed with the transaction normally, but they certainly tried to imply it was necessary.
In Canada it pops up a browser window that prompts for various personal information and its URL points at ... drumroll ... https://secureserver.net. If that's not by the book appearance of a phishing site, I don't know what is.
I was very suspicious of that the first time I was subjected to Verified by Visa.
The other thing that infuriated me about Verified by Visa is that when you are forced to sign up for it, it thanks you for choosing to sign up. The only choice I had was to sign up or not make the transaction!
The same group (security research at Cambridge) are also the ones who produced the 'chip and pin is a joke' paper you might be referring to.
The user is liable if the card is stolen, and it is used to conduct fraud using the PIN code.
If the card is stolen, and the fraudster simply uses it online, or via some place that doesn't ask for a PIN, then you are not liable for that fraud.
I'm sure there are rare edge cases, but my experience with Barclays has always been very good in this regard.
1. Writing the PIN on a post-it note and sticking it to the back of the card.
2. Writing the PIN on some paper and keeping it in the same place the card is kept.
3. Giving the card to someone else (partner, kids, relatives, etc.), along with the PIN, to run an errand for them.
4. Saying the PIN out loud as they type it in.
5. Asking the customer assistant/whoever is dealing with the transaction to enter the PIN for them.
Chip&Pin, while claiming to be more secure, enabled and made convenient basic forms of fraud, such as that in points 3 and 5.
I'd actually argue that the shifting of liability from the card issuer/merchant to the card holder/customer in the UK is a direct consequence of C&P allowing careless people to be more lax with the security of their card.
Cover the pad with one hand (and maybe your wallet) and type it with the other.
You can do it quite naturally. Of course it helps if you type the PIN fast as well (by fast I mean not taking 1s per digit).
It really peeves me that they are training people to accept entering sensitive information into something it would be so very easy to fake. There's nothing to prove that it is actually what it says it is.
On top of that, if you forget your phrase, the security question (the usual researchable ones) and answer sequence happens within the iframe without recourse to any external site or emails.
As other comments have said, none of this is for the customers' benefit.
[polymorphism code - to hide virus signature]
Randomness is your friend, make your own crypter and make it so fucking random on every compile that AV reverse engineers kill themselves (HINT: randomize the crypter's source code using Perl scripts)
I started coding about a year ago, hacking old malware source code and reading Russian boards. Most botnet operators are dumb as fuck and don't even care about their traces; they're the ones you see on TV, caught by Microsoft and Brian Krebs. If you have more knowledge you can automatize nearly everything, like creating scripts that rewrite the source code of your crypters so your malware gets undetected again, saving you hard work.
[finding infections on a computer]
Use GMER (http://www.gmer.net/) every now and then when your spider sense is tingling. Srsly, you can't fool GMER, it scans from the deepest possible point in your system, at ring0, and is impossible to fool; there is nothing deeper than ring0 on a usual PC where malware can hide stuff from. I always wondered why other AV vendors don't do it like GMER, it can detect all rootkits. But when an AV can detect everything, who will pay $30 a year for signature updates...
> My bank had around 20,000 customers using smsTAN and 3 (I was the 4th lol) using HBCI.
He is German, of college age and an early customer at one of 2 or 3 banks that provide HBCI. Consider him nailed.
I also bet he has published security related work under his real name at some point, especially since he has been applying for jobs. Most people in the security industry applying for legit work who don't have qualifications pad out their resumes with online research (or speaking at conferences, etc.).
You have 17 bits left. Use them wisely.
He's probably lying too.
Interesting idiom. I hadn't heard it before, but the usage makes sense.
> Even if 90% of those 7,200 were mined by botnets, and 100% of those mined were sold, that would represent well under 10% of the daily trading volume.
This is a perfectly correct instance of the subjunctive mood (http://en.wikipedia.org/wiki/Subjunctive_mood), I think, not a language trap.
Edit: definitely not a Pole. Likely in former Eastern Germany though (lots of people there have a working knowledge of Russian / Polish, people from the Western parts not so much).
Universities in former Eastern Germany with an engineering department?
Well, as a German, I'd like to point out that this might have something to do with the fact that he is kind of an asshole. There are nice and well-mannered people here too.
This is one thing I've been trying to convince people to do for ages but, for some reason, that one extra click turns so many people off. The extra minute or two I probably spend a day clicking on plugins to activate them will pale in comparison to how much time I'll have to spend recovering from being infected.
* 30% of victims are Americans.
* 80% have an antivirus installed.
* An average income of $40 per day (bitcoin only). May vary up to $1,000.
If he has root-level control of the systems, why doesn't he install the needed drivers himself?
Somebody already asked him this question on reddit, but he didn't answer.
Does anyone have any idea why he wouldn't/couldn't/shouldn't install drivers himself?
People obviously think they're safe when they have an AV solution installed...
Furthermore those guys don't understand that eventually they're hurting the web. All that will bring stricter legislation and governments will start enforcing rules like IP identification for just about anyone out there.
I can understand organized crime exploiting cyberspace. But for individuals it's just plain stupid.
There is also the addition that you are just interacting with a computer, a keyboard, a mouse and a screen. I bet if you asked this guy if he would go out and mug someone he'd say no, because he'd be face to face with the person... he'd see the upset and pain he's caused.
Not saying it's right, but there is certainly a bit of psychology involved here, gaining from the computer doesn't seem like a crime to those not in charge of their own compass.
I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.
One thing I want to believe: you can't build a future on crime. Or can you?
It sounds like you're considering a life of crime. Probably thinking about how you could be like that botnet guy on Reddit. Getting money without working is a nice thought, after all.
You know, the "ethical reactions" stem from that guy doing evil things. He knows he's being evil but doesn't care. Some people find that appalling.
For him, it's just an easy way to make money, and the fact that he produces no value to society at large is irrelevant. He even gets to work on challenging problems!
In fact, what he's doing is quite similar to working for the financial industry, doing HFT or whatever. It's clearly wrong, and clearly harmful to mankind, but it's easy money, so ethics are thrown out the window.
It is generally easier to make money by scamming/abusing people than by doing something valuable. That doesn't mean you should.
It may only take him an hour or two a day to manage the network but I doubt that's all the time he spends on it. From reading the AMA and my own personal experience I bet this guy spends much of his time researching tools, improving his code, testing AV software, and browsing / contributing to "industry" forums. This isn't even taking into account the time he spent upfront before it made him any money.
It may be something he enjoys but it's not as easy as clicking a few buttons every day and watching the money pile up. It's sad to think that all this time could be spent building a legitimate product instead of something like this.
Next up: I thought I was hot stuff, now I'm a convict, ask me anything.
There have been several in depth discussions and posts on both hacker news and reddit which comprehensively make the case for both.
In the past I've left well paid positions out of moral issues, in different industries. For instance, when my algorithms were getting patented, or I was increasingly made to work in .NET.
People have different views. However, stealing CCs and massively screwing over random people... you cannot possibly put that in the same breath.
Well duh? Of course you are. It's you working for the financial industry, after all.
We could debate this all day without getting anywhere. It's easy for you to blow smoke up everyone's ass, pretending your work is beneficial because it provides "liquidity" or whatever. You can confuse us laymen with fancy terms we don't understand.
But in case you're being sincere, here's something to peruse: http://maxkeiser.com/ and http://zerohedge.com
You work for an industry whose raison d'être is making money with money. This is vastly different from producing something of value.
Not-so-obviously, if I had qualms about my job I wouldn't be doing it. Some people are for sale, I'm not.
> But in case you're being sincere, here's something to peruse: http://maxkeiser.com/ and http://zerohedge.com
I know these sites. They're rather juvenile but sometimes there's stuff of real value there. There are crooks in finance, and everywhere else, which doesn't mean "finance is bad" by definition.
> You work for an industry whose raison d'être is making money with money. This is vastly different from producing something of value.
There is nothing bad about making money from financial services. If you stretch it a bit, you can call it "making money with money" the same as you can argue that the sole reason for any imaginable job is making money. It's not.
> Not-so-obviously, if I had qualms about my job I wouldn't be doing it. Some people are for sale, I'm not.
So participating in the financial industry driving the Western world's economy off a cliff is fine, but having to work with .NET is where you draw the line?
> I know these sites. They're rather juvenile
These sites discuss (the economic) Reality, and what's going on in it. Trying to discredit them is logical, of course, for someone working for the financial industry.
Here's someone with a more somber take on things, in case it helps: http://globaleconomicanalysis.blogspot.com/ - he's on the same page with the aforementioned two, though.
> There is nothing bad about making money from financial services.
No? Well, what good is there about it? How does it benefit the real economy, where people use their time and skills to produce something of value, which they then exchange for goods and services as necessary?
What is it that grounds the financial industry into the real economy? In other words, in what ways is it not about making money with money?
> If you stretch it a bit, you can call it "making money with money" the same as you can argue that the sole reason for any imaginable job is making money. It's not.
Huh? A job is an arrangement where an employer pays someone a salary in exchange for using his time/skills in a way that benefits the employer (in a monetary sense, ultimately).
For both parties involved, it is about making money. Otherwise we're talking about some kind of charitable operation.
I consider my job to be good in the sense that the alternative would be worse. Quite like a free market, which I consider to be good because it's the MUCH better alternative to a CAPTIVE market. Because that's in fact the only alternative. Some manipulative politicians trying to justify their job would tell you the alternative is a "regulated market" - it honestly is not about more or less regulation, it's about better or worse regulation. The freest market is not the least nor the most regulated, it's the best regulated.
> These sites discuss (the economic) Reality, and what's going on in it. Trying to discredit them is logical, of course, for someone working for the financial industry.
You've very conveniently cherry-picked my criticism about them. I like these sites and they're rather good. However, their style is indeed juvenile. That's the way they're written, the public they cater to the most and very likely the personality of the main contributors.
They also seem to be quite libertarian-leaning. Like myself. Which is totally beside the point, anyway.
> For both parties involved, it is about making money. Otherwise we're talking about some kind of charitable operation.
But you're missing the point that it's not ONLY about that. Thankfully, most of us don't work just for mere subsistence and are in the position to choose one job over another based on more than pay.
This point is related to the post because I'd actually take this job over most other jobs taking a significant pay cut. I've worked in telecom, microchip design, even videogames, and this is my favourite job so far. I'd take it over any of my previous jobs on equal pay and they weren't bad jobs for the most part. I'd even take a pay cut. That's how much I like my job and how positive for society I think it is. My sister is a doctor, I think my job is more positive for society than even that, it affects way more people.
I submit that you're doing the exact opposite of what you think you are. When you make financial manipulation require fewer highly paid people, you increase profit margins. The primary effect of this is to increase the volume of such activity.
For instance I have 2 contracts right now. One will help people find a college program that they want, and the other will help people find a job that they want. These are causes whose value proposition is pretty clear to me. I don't need to justify my work on the basis of, "I'm getting rid of people who do what I do." Rather I can say, "I'm helping good things happen for people."
Thus I don't see a problem in the fact that my successes create more demand for people like me.
On the one hand, I'm helping people preserve their pension funds by detecting risky situations early. These people don't want highly speculative markets or high profits, they don't want their savings protected from the money printing machine among other things.
I'm also helping producers decide what they should be doing next, to meet demand and so people don't suffer shortages. I don't work for a bucket shop or a commodity hoarding fund. I help supply meet demand, and more people have their needs met, and better met than otherwise, thanks to people like me. There would be a lot more poverty in the world without this industry. In fact, there was a lot more poverty in the world as a direct result of the lack of this level of commerce in the past. It's not our duty to stop the poorest regions of the world from over-breeding, though, which is the main reason for poverty nowadays (including pockets of poverty in wealthy nations).
> There would be a lot more poverty in the world without this industry.
You are so fucking full of shit that it's disgusting.
Really now? Wow. Wasn't expecting that. Tell me, again, how exactly is it good for society?
> My job helps making a level field and removes the need of extra people working in trying to scalp away from market fluctuations.
This smells like a rationalization of HFT. Is that what you do? It is quite popular among the HN folks after all.
> I consider my job to be good in the sense that the alternative to be worse.
That's quite an achievement in the art of Rationalization. In a similar vein, I guess shooting someone in the head is better than torturing them to death.
> Quite like a free market I consider it to be good, because it's the MUCH better alternative to a CAPTIVE market.
Umm.. so your job's goodness is comparable to a free market being good by way of being better than a captive one? Care to elaborate?
> Because that's in fact the only alternative.
A captive market is the only alternative to a free market.. or your job? What's the point here?
> The freest market is not the least nor the most regulated, it's the best regulated.
This seems to make sense, but how is it related to what you do?
> You've very conveniently cherry-picked my criticism about them.
Well, your only criticism of those sites was that they're "rather juvenile", which didn't leave much room for cherry-picking. But of course, "cherry-picking" is a common accusation on HN.
> That's the way they're redacted, the public they cater to the most and very likely the personality of the main contributors.
> But you're missing the point that it's not ONLY about that.
Actually, I didn't miss that detail in what you said. I just wanted to see if you'd "go there". You didn't disappoint.
You see, a job not being only about money is just as blindingly obvious as the fact that not every single goddamn black guy is a better dancer than your average white guy.
> This point is related to the post because I'd actually take this job over most other jobs taking a significant pay cut.
Glad you cleared that up, I was starting to wonder. But what else would you say, especially at this point? Of course you're going to make that claim, because for you, this has been all about rationalizing what you do right from the start.
> My sister is a doctor, I think my job is more positive for society than even that, it affects way more people.
That's quite an audacious load of bullshit right there.
Yes, your job has far-reaching potential consequences, including - but not limited to - collapsing economies and countries along with them, causing massive loss of wealth for us little folks, social unrest, chaos on the streets, people killing each other for food, power-grabs by totalitarian forces, and so on.
Before you start foaming at the mouth, note the word "potential" there.
Here's a first-hand account of the consequences of hyperinflation in Argentina: http://ferfal.blogspot.com/2008/10/thoughts-on-urban-surviva...
Hyperinflation is certainly one of the potential consequences for what the financial industry is doing, and you are helping them.
You definitely can.
But whether or not you would want to is another thing.
Questioning his subjective opinions on morals sounds a bit of a waste of energy after this.
Can you explain? I really don't understand. Because it's making people more security-conscious or something?
I am amazed that magnetic stripes are still the norm for credit cards in the US. Europe has managed to move all but completely to chip-based cards, but the US hasn't.
Does the cost of fraud due to magnetic stripes outweigh the cost to upgrade the entire US system, or is the market just too fragmented to coordinate such a transition?
Really, the chip things are an example of security theater. Yes, they're more "secure" in the sense of being harder to defeat. No, they're probably not actually worth it in terms of the cost of upgrading all the infrastructure.
A serious upgrade would need to look at things like two factor authentication, c.f. Google Wallet, etc...
In the US fraud may be small (but it's increasing). But magnetic stripes are very unsafe.
Chip'n'Pin may have some issues, but it's much safer against most common attacks such as
- card stripers (very inconspicuous)
- physical theft of the card (because it requires a pin)
And, as someone who had a striped card, it's a pain (even if liabilities are $0).
Really, the amortized upgrade cost. Remember that chips are dinosaur technology already, and have known problems. What's the point of doing an upgrade if you need to dump it all and start over in 6 years anyway?
It seems like the upgrade of terminal equipment could be done quite cheaply if it was done as part of the regular cycle of equipment refresh, for example.
I'm not sure how many PoS are already equipped to deal with chip cards. In the USA/Canada it's hit or miss (most misses), and in Europe it was the standard 10 years ago (but most readers take swipe cards).
Replacing cards is cheap and they can be replaced as they expire.
What would be the upgrade cost for each PoS? $100? Some systems are more integrated than others (like card reader integrated with the register as one device) so this may cost more.
Or maybe it's just a matter of issuing the cards to justify the stores to upgrade.
So they aren't really moving in the direction of issuing cards with chips. I never actually encountered a situation where I was aware I could use the chip, over 5 years or whatever it was.
That's only if the credit card company believes or accepts your story.
I once reserved a flight by telephone using a credit card, but at the airport I paid for the flight with cash. Later I found that my credit card was charged for the flight. The airline said that they couldn't find any evidence that I had paid in cash, and even though their policy was to get a signature when paying by credit card, they could not produce my signature. But they still insisted that I had paid by credit card.
I complained to the credit card issuer, but they took the airline's word (United Airlines, by the way) over mine.
It's not enough that charges are fraudulent -- if the merchant is mistaken in their belief (or lying), you are on the hook!
> a US credit card costs $2 on the black market and a UK one starts at $60, Americans are all in debt.
chip and pin is definitely broken (defcon presentation) http://www.youtube.com/watch?v=JABJlvrZWbY
Anything under £100 and you might be out of luck.
Take Mastercard's scheme:
• The cover applies to Mastercard debit cards, prepaid cards and Maestro cards, and to purchases made on a Mastercard credit card which don't qualify for section 75 cover
• There is a minimum spend of £10 but no upper limit on spending
PS: Subsection (1) does not apply to a claim—
(a) under a non-commercial agreement, ...
(b) so far as the claim relates to any single item to which the supplier has attached a cash price not exceeding £100 or more than £30,000, or
I guess he's just lazy or thinks he's incapable of making as much as easily legally, maybe he likes the thrill and challenge of it all, maybe he thinks he's invincible and there's zero chance of him getting caught. Either way he's very foolish for continuing to do this especially if he has no endgame in sight.
Given the real return on his enterprise, I agree with your assessment that he can probably make much more with a real legitimate job and just avoid that risk altogether.
* He tried to apply for a job at Kaspersky during last year. Didn't have enough credentials and still whines about it.
* He hangs out on Anonymous IRC.
* Uses Liberty Reserve.
* Exchanges bitcoins to dollars (periodically I guess).
* May be German-speaking. Understands Russian.
Given that there's only 1,000 CVV2 values (10,000 for Amex) isn't putting so much into CVV2 value a bit ridiculous? Someone who really wanted to could get a CVV2 value in only 500 auth attempts on average.
If you store CVV2 in your database against your merchant agreement, and someone steals it, I'm sure the credit card company will come after you for the losses.
As far as being non-PCI compliant, you as a merchant are only compliant right at the time of the audit. And maybe not even then, given Heartland's experience. The whole PCI thing is to give Visa and MasterCard a way to do some CYA.
That's going to trip a fraud check at the bank and get the card frozen long before 500 attempts.
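As an added illustration (not code from any commenter) of the "fraud check at the bank" the reply above relies on: detection logic that reads constructed issuer authorization log lines and flags a card whose CVV2 mismatches cross a threshold inside a sliding window, long before a 1,000-value keyspace could be covered. The log format, field names and thresholds are assumptions for the example, not any issuer's real schema.

```python
"""Flag CVV2 guessing against a single card from issuer authorization logs.

Everything here is constructed for the example: the log layout, the field
names, the thresholds. A real issuer's fraud engine has its own rules.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log, one line per authorization attempt. The PAN is
# never logged in clear; a short hash prefix stands in for the card.
SAMPLE_LOG = """\
2013-01-05T10:00:01Z card=ab12 merchant=M001 amount=19.99 result=APPROVED
2013-01-05T10:02:10Z card=ab12 merchant=M001 amount=19.99 result=CVV2_MISMATCH
2013-01-05T10:02:13Z card=ab12 merchant=M001 amount=19.99 result=CVV2_MISMATCH
2013-01-05T10:02:17Z card=ab12 merchant=M001 amount=19.99 result=CVV2_MISMATCH
2013-01-05T10:02:20Z card=ab12 merchant=M002 amount=19.99 result=CVV2_MISMATCH
2013-01-05T10:02:24Z card=ab12 merchant=M002 amount=19.99 result=CVV2_MISMATCH
2013-01-05T11:30:00Z card=cd34 merchant=M003 amount=42.00 result=CVV2_MISMATCH
2013-01-05T11:31:00Z card=cd34 merchant=M003 amount=42.00 result=APPROVED
2013-01-07T09:00:00Z card=cd34 merchant=M004 amount=8.50 result=CVV2_MISMATCH
"""

MAX_MISMATCHES = 3          # assumed threshold: 3 wrong CVV2s freezes the card
WINDOW_SECONDS = 24 * 3600  # assumed sliding window the mismatches must fall in


def parse_line(line):
    """Turn one constructed log line into a dict with a UTC-aware 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def detect_cvv2_guessing(log_text, max_mismatches=MAX_MISMATCHES,
                         window=WINDOW_SECONDS):
    """Return {card: {attempts, merchants, first_alert}} for every card whose
    CVV2 mismatches inside one sliding window reach the threshold.

    first_alert is the timestamp of the attempt that crossed the line (the
    moment an issuer would freeze the card); attempts and merchants keep
    accumulating afterwards so the analyst sees the full burst.
    """
    recent = defaultdict(deque)   # card -> deque of (ts, merchant) mismatches
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] != "CVV2_MISMATCH":
            continue                      # approvals and other declines don't count
        card = rec["card"]
        q = recent[card]
        q.append((rec["ts"], rec["merchant"]))
        # Drop mismatches that have aged out of the window.
        while q and (rec["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= max_mismatches:
            alert = alerts.setdefault(
                card, {"first_alert": rec["ts"].isoformat()}
            )
            alert["attempts"] = len(q)
            alert["merchants"] = sorted({m for _, m in q})
    return alerts


if __name__ == "__main__":
    for card, info in detect_cvv2_guessing(SAMPLE_LOG).items():
        print(card, info)
```

Card ab12 is flagged on its third mismatch at 10:02:17 and the burst is then tracked across both merchants; cd34 is never flagged because its two mismatches are more than a day apart.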
That company passed PCI-DSS because these were in-flight transactions, if that had been a historical database they would not have passed.
Sometimes banks make it mandatory, sometimes not. It's not *required* to make a transaction, it merely offers an (optional) extra level of security.
Also, the banks will offer differing levels of chargeback cover based on these factors.
? He says Linux does help.
if you know how your computer is beating inside, you are hard to fool
Then when asked about his future, he says he plans to work for an AV company!
He can see what's wrong, but he can't do what's right.
And that, my friends, is the problem.
The problem is why he didn't get that job at Kaspersky. He is obviously skilled so what happened?
I see a LOT of stories on HN and other Tech sites about these kinds of attacks. Unfortunately, I rarely, if ever, hear about hackers getting arrested for this sort of activity.