[Rhodes22-list] Shoddy credit card security

Michael D. Weisner mweisner at ebsmed.com
Fri Oct 24 00:24:13 EDT 2008


Brad,

Newsflash - maybe the site is not real!  What a great way to collect credit 
card info and cash!  Set up a bogus prez candidate donation site to collect 
credit card numbers.  Now why didn't I think of that?

Mike
s/v Shanghaid'd Summer ('81)
       Nissequogue River, NY

From: "Brad Haslett" <flybrad at gmail.com>
Sent: Thursday, October 23, 2008 11:06 PM
> Ben,
>
> Follow up report-
>
> One thing I learned from my old boss at CFS in Little Rock in the late
> 70's is never, never, ever do anything on credit with a political
> campaign. Obama is living on the "float".
>
> Brad
>
> ----------------
>
> BarackObama.com's Lax Security Opens Door to Online Donor Fraud
>
>
> by Patrick Ruffini | October 23, 2008 at 2:26 PM
>
>
> I just contributed $5 to Barack Obama.
>
> I didn't want to. Ideally, I could have contributed $0.01 and cost
> them money. But it was the only way to confirm the root cause of the
> fraudulent micro-donations to the Obama campaign ("Doodad Pro" for
> $17,300 and "Good Will" for $11,000).
>
> The Obama campaign has turned its security settings for accepting
> online contributions down to the bare minimum -- possibly to juice the
> numbers, and turning a blind eye towards the potential for fraud not
> just against the FEC, but against unsuspecting victims of credit card
> fraud.
>
> The issue centers around the Address Verification Service (or AVS)
> that credit card processors use to sniff out phony transactions. I was
> able to contribute money using an address other than the one on file
> with my bank account (I used an address I control, just not the one on
> my account), showing that the Obama campaign deliberately disabled AVS
> for its online donors.
>
> AVS is generally the first line of defense against credit card fraud
> online. AVS ensures that not only is your credit card number accurate,
> but the street address you've submitted with a transaction matches the
> one on file with your bank.
>
> Authorize.net, the largest credit card gateway provider in the
> country, lists AVS as a "Standard Transaction Security Setting,"
> recommends merchants use it, and turns it on by default. So, in order
> for AVS to be turned off, it has to be intentional, at least with
> Authorize.net.
>
> Authorize.net's website describes it this way:
>
>    Bankcard processors implemented the Address Verification Service
> (AVS) to aid merchants in the detection of suspicious transaction
> activity. The payment processing network compares the billing address
> provided in the transaction with the cardholder's address on file at
> the credit card issuing bank. The processing network returns an AVS
> response code that indicates the results of this comparison to the
> payment gateway. You can configure your account to reject certain
> transactions based on the AVS code returned. For example, the AVS code
> "A" indicates that the street address matched, but the first five
> digits of the ZIP Code did not.
>
> The end result? "Donors" like "Doodad Pro" can submit tons of
> donations totaling well above the $2,300 limit using different bogus
> addresses (this does clarify how donations from "Palestine", or PA,
> got through). And the campaign has no way to reliably de-dupe these
> donations, besides looking at the last four digits of the credit card
> number, which with 3.1 million donors is an identifier that could be
> shared by literally hundreds of donors, and is not as easy to eyeball
> as a common name or address would be. The ability to contribute with
> a false address, when the technology to prevent it not only exists but
> comes standard, is a green light for fraud.
>
> One could understand the oversight prior to the bogus donor story
> breaking. But you'd think they would have taken measures to step up
> their donor security in the aftermath of the revelations. Having AVS
> turned on would have stopped or significantly deterred the fraudulent
> donations (or, at a very minimum, made them easily detectable). By
> turning this basic setting off, the Obama campaign invited this kind
> of fraud and has taken no steps to correct it.
> 
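The quoted article describes AVS as a one-letter response code that the processing network returns after comparing the submitted billing address with the issuer's address on file, and a gateway setting that rejects transactions on chosen codes. The following is an added example, not code from the article, the campaign's site or Authorize.net: it simulates that comparison and then runs one constructed set of donations through two policies, the "bare minimum" one that rejects nothing and a strict one that accepts only a full match. Assumptions not taken from the page: only code "A" is quoted above, the other codes follow the published Authorize.net AVS table as I recall it and should be checked against the gateway's current documentation; the street comparison uses only the numeric part of the street, as issuers commonly do; every card, name and amount below is made up.

```python
"""Added example: AVS response-code policy check (not from the article)."""
from collections import defaultdict
from dataclasses import dataclass

# AVS response codes.  Only "A" is quoted on the page; the rest are an
# assumption based on the commonly published Authorize.net table.
AVS_CODES = {
    "Y": "street and 5-digit ZIP match",
    "A": "street matches, ZIP does not",
    "Z": "5-digit ZIP matches, street does not",
    "N": "neither street nor ZIP matches",
    "B": "no address information provided",
    "U": "issuer cannot verify addresses",
}

# A gateway policy is the set of codes on which a transaction is rejected.
LAX_POLICY = frozenset()                      # "bare minimum": reject nothing
STRICT_POLICY = frozenset(AVS_CODES) - {"Y"}  # accept only a full match

FEC_LIMIT_CENTS = 230_000  # the $2,300 per-donor limit mentioned in the article


@dataclass(frozen=True)
class CardOnFile:
    """What the issuing bank holds for a card (constructed sample data)."""
    pan_last4: str
    street: str
    zip5: str
    avs_supported: bool = True


@dataclass(frozen=True)
class Donation:
    donor_name: str
    amount_cents: int
    card: CardOnFile  # the card actually charged
    street: str       # billing address as typed on the donation form
    zip5: str


def _street_key(street: str) -> str:
    """Assumption: compare only the numeric portion of the street, as issuers do."""
    return "".join(ch for ch in street if ch.isdigit())


def avs_code(d: Donation) -> str:
    """Simulate the issuer-side comparison and return the AVS response code."""
    if not d.card.avs_supported:
        return "U"
    if not d.street and not d.zip5:
        return "B"
    street_ok = _street_key(d.street) == _street_key(d.card.street)
    zip_ok = d.zip5 == d.card.zip5
    return {(True, True): "Y", (True, False): "A",
            (False, True): "Z", (False, False): "N"}[(street_ok, zip_ok)]


def apply_policy(donations, reject_codes):
    """Split donations into (accepted, rejected) under a gateway policy."""
    accepted, rejected = [], []
    for d in donations:
        (rejected if avs_code(d) in reject_codes else accepted).append(d)
    return accepted, rejected


def totals_by_card(donations):
    """Sum accepted amounts per card.  Note this keys on the full card record,
    which the merchant never sees; it only sees pan_last4, which the article
    points out is shared by many donors and so cannot de-dupe reliably."""
    totals = defaultdict(int)
    for d in donations:
        totals[d.card] += d.amount_cents
    return dict(totals)


def over_limit(totals, limit_cents=FEC_LIMIT_CENTS):
    """Cards whose accepted total exceeds the per-donor limit."""
    return [card for card, total in totals.items() if total > limit_cents]


# Constructed sample: one genuine donor, and one stolen card charged under
# bogus names and addresses in chunks that each stay under the limit.
STOLEN = CardOnFile("4242", "12 Elm Street", "10001")
LEGIT = CardOnFile("7777", "9 Harbor Road", "11780")
SAMPLE = [
    Donation("Jane Holder", 2_500, LEGIT, "9 Harbor Rd", "11780"),   # Y
    Donation("Doodad Pro", 200_000, STOLEN, "1 Fake Ave", "90210"),  # N
    Donation("Good Will", 150_000, STOLEN, "12 Elm Street", "30301"),  # A
    Donation("Doodad Pro", 225_000, STOLEN, "", ""),                 # B
]

if __name__ == "__main__":
    for name, policy in (("lax", LAX_POLICY), ("strict", STRICT_POLICY)):
        accepted, rejected = apply_policy(SAMPLE, policy)
        flagged = over_limit(totals_by_card(accepted))
        print(f"{name}: accepted={len(accepted)} rejected={len(rejected)} "
              f"cards over limit={[c.pan_last4 for c in flagged]}")
```

Under the lax policy every donation clears and the stolen card ends up $5,750 over the limit with nothing in the merchant's view to tie the three bogus donors together; under the strict policy the three mismatching submissions are rejected at authorization time and only the genuine donation remains. A real deployment would also have to decide what to do with codes such as "U" for issuers that do not support AVS, which the strict set above simply rejects.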