[Rhodes22-list] Shoddy credit card security

Herb Parsons hparsons at parsonsys.com
Fri Oct 24 00:35:46 EDT 2008


good try, but it's his official site.

Michael D. Weisner wrote:
> Brad,
>
> Newsflash - maybe the site is not real!  What a great way to collect credit 
> card info and cash!  Set up a bogus prez candidate donation site to collect 
> credit card numbers.  Now why didn't I think of that?
>
> Mike
> s/v Shanghaid'd Summer ('81)
>        Nissequogue River, NY
>
> From: "Brad Haslett" <flybrad at gmail.com>
> Sent: Thursday, October 23, 2008 11:06 PM
>   
>> Ben,
>>
>> Follow up report-
>>
>> One thing I learned from my old boss at CFS in Little Rock in the late
>> 70's is never, never, ever do anything on credit with a political
>> campaign. Obama is living on the "float".
>>
>> Brad
>>
>> ----------------
>>
>> BarackObama.com's Lax Security Opens Door to Online Donor Fraud
>>
>>
>> by Patrick Ruffini | October 23, 2008 at 2:26 PM
>>
>>
>> I just contributed $5 to Barack Obama.
>>
>> I didn't want to. Ideally, I could have contributed $0.01 and cost
>> them money. But it was the only way to confirm the root cause of the
>> fraudulent micro-donations to the Obama campaign ("Doodad Pro" for
>> $17,300 and "Good Will" for $11,000).
>>
>> The Obama campaign has turned its security settings for accepting
>> online contributions down to the bare minimum -- possibly to juice the
>> numbers, and turning a blind eye towards the potential for fraud not
>> just against the FEC, but against unsuspecting victims of credit card
>> fraud.
>>
>> The issue centers around the Address Verification Service (or AVS)
>> that credit card processors use to sniff out phony transactions. I was
>> able to contribute money using an address other than the one on file
>> with my bank account (I used an address I control, just not the one on
>> my account), showing that the Obama campaign deliberately disabled AVS
>> for its online donors.
>>
>> AVS is generally the first line of defense against credit card fraud
>> online. AVS ensures that not only is your credit card number accurate,
>> but the street address you've submitted with a transaction matches the
>> one on file with your bank.
>>
>> Authorize.net, the largest credit card gateway provider in the
>> country, lists AVS as a "Standard Transaction Security Setting,"
>> recommends merchants use it, and turns it on by default. So, in order
>> for AVS to be turned off, it has to be intentional, at least with
>> Authorize.net.
>>
>> Authorize.net's website describes it this way:
>>
>>    Bankcard processors implemented the Address Verification Service
>> (AVS) to aid merchants in the detection of suspicious transaction
>> activity. The payment processing network compares the billing address
>> provided in the transaction with the cardholder's address on file at
>> the credit card issuing bank. The processing network returns an AVS
>> response code that indicates the results of this comparison to the
>> payment gateway. You can configure your account to reject certain
>> transactions based on the AVS code returned. For example, the AVS code
>> "A" indicates that the street address matched, but the first five
>> digits of the ZIP Code did not.
>>
>> The end result? "Donors" like "Doodad Pro" can submit tons of
>> donations totaling well above the $2,300 limit using different bogus
>> addresses (this does clarify how donations from "Palestine", or PA,
>> got through). And the campaign has no way to reliably de-dupe these
>> donations, besides looking at the last four digits of the credit card
>> number, which with 3.1 million donors is an identifier that could be
>> shared by literally hundreds of donors, and is not as easy to eyeball
>> as a common name or address would be. The ability to contribute with
>> a false address, when the technology to prevent it not only exists but
>> comes standard, is a green light for fraud.
>>
>> One could understand the oversight prior to the bogus donor story
>> breaking. But you'd think they would have taken measures to step up
>> their donor security in the aftermath of the revelations. Having AVS
>> turned on would have stopped or significantly deterred the fraudulent
>> donations (or, at a very minimum, made them easily detectable). By
>> turning this basic setting off, the Obama campaign invited this kind
>> of fraud and has taken no steps to correct it.
>> __________________________________________________
>> To subscribe/unsubscribe or for help with using the mailing list go to 
>> http://www.rhodes22.org/list
>> __________________________________________________
>>
>>
>
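The quoted article describes AVS as a merchant-side setting: the processing network returns a response code, and the gateway account is configured to reject certain codes. The script below is an added example (not code from the article, from Authorize.net, or from this list) that shows what that configuration amounts to in practice: a transaction batch screened under an "AVS disabled" policy, which declines nothing, beside a policy that declines any address or ZIP mismatch. The only AVS code the article quotes is "A"; the other codes in the table are the conventional ones returned by US card networks and are listed as an assumption. It also shows why de-duplicating donors by the last four card digits alone fails, as the article notes. All transactions and names are constructed for the example.

```python
"""Screen card transactions by AVS response code (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# AVS response codes. "A" is the code quoted in the article; the others are the
# conventional US card-network codes and are an assumption of this example.
AVS_CODES: Dict[str, str] = {
    "Y": "street address and 5-digit ZIP both match",
    "A": "street address matches, 5-digit ZIP does not",
    "Z": "5-digit ZIP matches, street address does not",
    "N": "neither street address nor ZIP matches",
    "U": "issuer unavailable or does not support AVS",
}

# Merchant-side policies: the set of AVS codes that cause a decline.
# AVS_DISABLED is the configuration the article describes: nothing is rejected
# on the basis of the address check.
AVS_DISABLED: FrozenSet[str] = frozenset()
# Decline any mismatch; an even stricter policy would also decline "U".
AVS_REJECT_MISMATCH: FrozenSet[str] = frozenset({"A", "Z", "N"})


@dataclass(frozen=True)
class Transaction:
    donor: str
    billing_address: str
    amount_cents: int
    card_last4: str
    avs_code: str  # as returned by the processing network


def evaluate(tx: Transaction, reject_codes: FrozenSet[str]) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for one transaction under a policy."""
    if tx.avs_code not in AVS_CODES:
        # Fail closed on codes we do not recognise instead of silently accepting.
        return "reject", f"unknown AVS code {tx.avs_code!r}"
    meaning = AVS_CODES[tx.avs_code]
    if tx.avs_code in reject_codes:
        return "reject", meaning
    return "accept", meaning


def screen(batch: List[Transaction],
           reject_codes: FrozenSet[str]) -> Dict[str, List[Transaction]]:
    """Split a batch into accepted and rejected transactions under a policy."""
    result: Dict[str, List[Transaction]] = {"accept": [], "reject": []}
    for tx in batch:
        verdict, _ = evaluate(tx, reject_codes)
        result[verdict].append(tx)
    return result


def last4_collisions(batch: List[Transaction]) -> Dict[str, Set[str]]:
    """Map each last-4 shared by more than one donor name to those names.

    Any non-empty result shows that last-4 alone cannot de-duplicate donors.
    """
    names: Dict[str, Set[str]] = defaultdict(set)
    for tx in batch:
        names[tx.card_last4].add(tx.donor)
    return {last4: donors for last4, donors in names.items() if len(donors) > 1}


# Constructed sample batch: two honest donors whose cards happen to share a
# last-4, and three mismatched-address transactions in the style the article
# describes.
SAMPLE: List[Transaction] = [
    Transaction("Jane Doe", "1 Main St, Springfield", 500, "4242", "Y"),
    Transaction("Doodad Pro", "12 Nowhere Ln", 2500, "1111", "N"),
    Transaction("Doodad Pro", "34 Nowhere Ln", 2500, "1111", "A"),
    Transaction("Good Will", "PO Box 9", 1000, "7777", "Z"),
    Transaction("John Roe", "5 Elm St, Shelbyville", 500, "4242", "Y"),
]


if __name__ == "__main__":
    for label, policy in (("AVS disabled", AVS_DISABLED),
                          ("reject mismatch", AVS_REJECT_MISMATCH)):
        outcome = screen(SAMPLE, policy)
        print(f"{label}: {len(outcome['accept'])} accepted, "
              f"{len(outcome['reject'])} rejected")
        for tx in outcome["reject"]:
            print(f"  rejected {tx.donor} ({tx.billing_address}): "
                  f"{evaluate(tx, policy)[1]}")
    print("last-4 shared by different donors:", last4_collisions(SAMPLE))
```

With AVS disabled every transaction in the batch is accepted, including the two "Doodad Pro" entries submitted from different addresses against the same card; with the mismatch policy all three bad-address transactions are declined before any money moves. The collision check shows the honest donors sharing "4242", which is exactly why the article calls last-four matching an unreliable way to de-dupe.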

