chrisvenus: (Default)
[personal profile] chrisvenus
Just as I'm about to leave work my phone rings. It's my bank/credit card fraud team on the phone (no, not all of them, just one of them). "Hello, Mr Venus, I'd like to just confirm some transactions with you..."

"Yes, yes," I thought, "I spent money at amazon on the internet. Whoopy! Bug me with a few questions that I can say yes, I did spend these things, and then you can go away happy that you're earning your money." Yeah, that's right, I'm cynical sometimes...

"Firstly, Mr Venus, did you purchase something from Singapore Airlines today?"

"What? err... no, no I didn't actually..."

"Did you spend money at oxfam?"

"Err... No... Not guilty on that one too..."

And then she went on to more that I did actually spend money on. I'm sure most people say it but I have no idea how somebody could have got my card details. Then I think about it and I realise that there are probably lots of ways that somebody could have got them. Mostly by being a dishonest **** who works in any number of online industries. I myself have been the recipient of large numbers of credit card details when I was asked to do a reskinning of an e-commerce site and I wanted the data in the site so I could check that things were looking right. I got the data including all the customer details with their credit card numbers in plain text in the database. So when I think about it I realise that getting somebody's credit card details probably isn't that hard at all.

The funny thing about it though is that apparently the Singapore Airlines transaction was declined because my expiry date was wrong. That's kind of weird because I can't think how somebody could have got the rest of my details (ie the card number and the magic three on the back) and not got my expiry date. It may have been done manually and the typer missed something, saw the decline and decided not to risk it again (having not realised he typoed) but it just seems funny...

Unfortunately it seems my online banking is not as up to date as the lady in the fraud department so I couldn't check the rest of my transactions then. She certainly didn't read any out and she quoted me getting petrol last week so I assume that she caught all the fraudulent ones. Must check at the end of the week though and make sure nothing else goes through. I'd worry about my debit card too except that it expires end of this month anyway so anybody who has it has two weeks at most to take advantage of it. I'll keep my eye on it but no point panicking about my other cards.

So yeah, there's my bit of excitement. It makes me suddenly a whole lot happier about those credit card fraud phone calls I occasionally get when it is all my spending. It also makes me wonder what more can be done to make online transactions more secure either on my part or in general. What are the latest hints and whatnot that you should be following?

(no subject)

Date: 2008-02-18 07:58 pm (UTC)
From: [identity profile] mi-guida.livejournal.com
Shit! So they've given you the money back on those ones that weren't you....?

I remember you said somewhere refused your debit card which you assumed was because of the expiry date - that wasn't linked, then?

(no subject)

Date: 2008-02-18 11:12 pm (UTC)
From: [identity profile] mi-guida.livejournal.com
Ah, fair enough. I am paranoid and check all my accounts online at least once a week - especially given the fact that they never even checked last year when I was jumping around Europe spending money in all sorts of different places with no warning.

(no subject)

Date: 2008-02-18 10:37 pm (UTC)
From: [identity profile] fi-h.livejournal.com
I have a teacher friend who had his credit card details stolen and used to buy child pornography and he was arrested and given bail for a weekend before the credit card company confirmed he had recorded suspicious activity on his card and the police had checked every single one of his 10000 photos on his various computers. It makes me want to be very very careful with my cards. (Glad they checked with you and it's all sorted) x

(no subject)

Date: 2008-02-18 11:00 pm (UTC)
From: (Anonymous)
"so anybody who has it has two weeks at most to take advantage of it"

Ah crap, I'd best get to it then! ;-)

Carl (Ebrey...hello).

(no subject)

Date: 2008-02-19 12:32 am (UTC)
From: [identity profile] susanofstohelit.livejournal.com
This weekend in class I learned the formula to generate the magic numbers - they aren't as magic as we'd like to think.

(no subject)

Date: 2008-02-19 01:09 am (UTC)
From: [identity profile] susanofstohelit.livejournal.com
I didn't entirely understand the math (he said it was derived from Bayes' theorem) but the prof said they're generated the same way as check digits on UPCs.

(no subject)

Date: 2008-02-19 01:38 am (UTC)
From: [identity profile] cultureofdoubt.livejournal.com
There's a checksum on the 16 digits that is fairly well known. Don't know about the CRC however.

If it's based on Bayes' Theorem then it sounds like it's broken.

(no subject)

Date: 2008-02-19 01:40 am (UTC)
From: [identity profile] cultureofdoubt.livejournal.com
CRC CVV2
CRC is a checksum variety. CVV2 is the 3 digit CC number.

(no subject)

Date: 2008-02-19 11:16 am (UTC)
From: [identity profile] evath.livejournal.com
CCV2 or whatever changes on a new card with the same number, can't see that being a formula....

(no subject)

Date: 2008-02-19 11:26 am (UTC)
From: [identity profile] cultureofdoubt.livejournal.com
Yeah, would be horribly insecure.

(no subject)

Date: 2008-02-19 01:37 am (UTC)
From: [identity profile] cultureofdoubt.livejournal.com
Can happen to anyone. And they can be incredibly fast catching them.

My brother got a phone call in under an hour basically asking if he was in Spain or London. And the charges for whichever one he wasn't in got cancelled, along with some others. (He was pretty lucky to have actually made the journey that brought that one to light so quickly I guess)

(no subject)

Date: 2008-02-19 07:54 am (UTC)
From: [identity profile] ao-lai.livejournal.com
I'm not sure there are any exciting new hints and whatnot, it's still all common sense really. Run all the AV and Anti-Spyware you can and do sweeps as often as you're prepared to put up with. Never click on a link in an e-mail. Be very careful where you get your WoW plugins from... All that kind of stuff.

Sadly, there's just no way to be 100% secure nowadays, even then. That's where the bank doing this stuff comes in. :)

(no subject)

Date: 2008-02-19 08:14 am (UTC)
From: [identity profile] ao-lai.livejournal.com
Oh, and keep everything up to date. Don't use IE with an out of date Realplayer in particular.

More may come to me...

(no subject)

Date: 2008-02-19 07:58 am (UTC)
From: [identity profile] gatita-militar.livejournal.com
So, the perpetrator got your details, attempted to skip the country to live the high life in Singapore, failed, considered his/her failure, had a massive attack of conscience and bought a Sub-Saharan African family a goat/well/fence and some fair trade chocolate?

(no subject)

Date: 2008-02-19 09:38 am (UTC)
From: [identity profile] undyingking.livejournal.com
all the customer details with their credit card numbers in plain text in the database

:-( this is the sort of thing that gives e-commerce a bad name. Why would anyone do that unless they were either (a) aiming to facilitate fraud, or (b) incredibly stupid and / or lazy? Did the customers know?

(no subject)

Date: 2008-02-19 09:50 am (UTC)
From: [identity profile] wimble.livejournal.com
We've got a problem in this area. We do keep any relevant credit card details encrypted in our Oracle database. But we need to be able to decrypt them when we need. And sometimes that need is automated. So the upshot is that the decryption key is stored in the database too (a different bit of the database, admittedly). And basically, if you run the right bit of code:

DECLARE
    num  credit_cards.card_number%TYPE;
    key  card_key.key%TYPE;
BEGIN
    SELECT card_number INTO num FROM credit_cards;   -- the encrypted number
    SELECT key INTO key FROM card_key;               -- the key, from the same database
    num := decrypt(num, key);                        -- and now the plain text
END;
/

Voila. You've got it in plain text.

(Obviously, I paraphrase. Hopefully, it's slightly more obscure than that!)
Of course, doing this does require getting access to our Oracle databases first, which are passworded. But probably not very well :(

(no subject)

Date: 2008-02-19 11:27 am (UTC)
From: [identity profile] undyingking.livejournal.com
But we need to be able to decrypt them when we need

Why would you need to, JFI?

(no subject)

Date: 2008-02-19 11:53 am (UTC)
From: [identity profile] undyingking.livejournal.com
why you need to keep them

Good point, I wasn't thinking ;-)

(no subject)

Date: 2008-02-19 12:41 pm (UTC)
From: [identity profile] wimble.livejournal.com
As Chris says, because we (allegedly) need to reuse them.

Might be something to do with accommodation payment, but not my problem, to be honest.

For systems which use regular credit card payments (online games, this, that and the other), do the credit card companies provide a "subscription" facility, where we could invoke one communication, and receive payments at specific points in the future? Or do we need to recontact them whenever we want money?

We're certainly doing the latter, I've no idea at all whether the former's possible (and I don't need to care either, this is just idle curiosity).

(no subject)

Date: 2008-02-19 12:49 pm (UTC)
From: [identity profile] undyingking.livejournal.com
do the credit card companies provide a "subscription" facility

Yes, they do. You can set up (what are effectively) CC standing orders (regular payments for same amount) or direct debits (arbitrary schedule for arbitrary amounts), as long as your customer has agreed to such, and it'll be handled by the card company without you having to enact a transaction each time.

Customers will sometimes be a bit wary of this, but if you explain that the alternative is either (a) them having to resubmit their details every time, or (b) you keeping their details yourself, they generally see the sense of it.

(no subject)

Date: 2008-02-19 11:29 am (UTC)
From: [identity profile] undyingking.livejournal.com
didn't have live CC verification

I guess if it was quite a while ago and they were a very small business that would be a kind of excuse. Even so, I wouldn't want to be one of their customers with that sort of arrangement.

(no subject)

Date: 2008-02-19 11:58 am (UTC)
From: [identity profile] undyingking.livejournal.com
Mm, we were taking live CC payments "through" the DMG site (so the details were actually being entered on the bank's secure page, and our site and staff didn't have any access to them) in 2000, but IIRC we had to write our own ecommerce front end to manage it.

(no subject)

Date: 2008-02-19 11:49 pm (UTC)
From: [identity profile] dominic hargreaves (from livejournal.com)
> It also makes me wonder what more can be done to make online transactions more secure either on my part or in general. What are the latest hints and whatnot that you should be following?

Well, this new-fangled idea that the banks have come up with, Verified With Visa, and whatever Mastercard have, would be great, except for two insane problems with the implementations:

Often implemented as an iframe, so almost impossible for joe public to verify that the form they are typing into is actually from their bank, not the evil phishing site purporting to be selling them viagra.

Even if they did get the VbV logon page not as an iframe, it comes from some random domain you've never heard of, not connected with your bank. How am I supposed to be able to verify this? The bank gives no indication of what I should expect.

The banks really should try harder to teach their customers about meaningful security - otherwise how can they be surprised when people trip up with phishing scams?
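The practical answer to the first complaint above is on the bank's side: an authentication page that refuses to be framed forces a top-level navigation, so the customer sees the real address bar. The following is an added example, not code from the thread or from any card scheme, and it uses two response headers that postdate this 2008 discussion: X-Frame-Options and the Content-Security-Policy frame-ancestors directive. The function decides whether a page served with the given headers may be embedded by a given origin, which is the check a bank's team (or anyone reviewing their page) can run against the headers it actually returns. All origins are constructed.

```python
from __future__ import annotations

from urllib.parse import urlsplit


def _host_matches(pattern: str, host: str) -> bool:
    """Match a CSP host pattern such as *.example-bank.test against a hostname."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _source_allows(source: str, page_origin: str, embedding_origin: str) -> bool:
    """Evaluate one frame-ancestors source expression against the embedder."""
    src = source.lower()
    emb = urlsplit(embedding_origin)
    if src == "'self'":
        return embedding_origin.lower() == page_origin.lower()
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. https:
        return emb.scheme == src[:-1]
    if "://" in src:  # scheme plus host, e.g. https://*.example-bank.test
        parts = urlsplit(src)
        return parts.scheme == emb.scheme and _host_matches(parts.hostname or "", emb.hostname or "")
    return _host_matches(src, emb.hostname or "")  # bare host; ports ignored here


def framing_allowed(headers: dict, page_origin: str, embedding_origin: str) -> bool:
    """Decide whether a page with these response headers may be framed by embedding_origin.

    frame-ancestors takes precedence when present; otherwise X-Frame-Options
    applies; with neither header, any site at all may frame the page.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if not sources or any(s.lower() == "'none'" for s in sources):
                return False
            return any(_source_allows(s, page_origin, embedding_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page_origin.lower() == embedding_origin.lower()
    return True  # no policy: a merchant page, or a phishing page, may frame it


# Constructed origins and header sets for the cases discussed in the thread.
BANK_AUTH = "https://3ds.example-bank.test"
MERCHANT = "https://shop.example"

if __name__ == "__main__":
    print("no headers, framed by merchant:", framing_allowed({}, BANK_AUTH, MERCHANT))
    print("frame-ancestors 'none':", framing_allowed(
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}, BANK_AUTH, MERCHANT))
```

Refusing to be framed fixes the visibility problem but not the second complaint in the comment: if the top-level page then lands on a domain the customer has never been told about, the address bar tells them nothing useful, so the header change only helps alongside telling customers which domain to expect.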

Avoiding Online Fraud

Date: 2008-02-25 07:47 pm (UTC)
From: [identity profile] planetniles.livejournal.com
It seems my warning was at least a week late.

I was converting some old notes from one system to another (if any of you played in my "T.I.M.E.Soc" game...) when I came across Chris' name and thought to Google him up and see what he was up to.

First thing I came across was enough information to steal his identity and get up to mischief in his name. Thankfully I'm a good person and immediately fired off an email to warn him about it. Then I thought to look at the rest of the stuff and saw this.

Basically putting up personal info online is a big no-no. You wouldn't shout your intimate details to strangers in the street nor would you hand them your money but put up too much info online and you might as well be.

I use Garlik.com (https://www.garlik.com/index.php) which effectively searches the web, keeps me up to date with what info is online about me and also examines my credit status (which would uncover if anyone had used my identity to open up accounts in my name), amongst other things. Sorry to get preachy but it's Serious Business, as you found out.

Be safe out there folks,
Niles
