[Rhodes22-list] Shoddy credit card security
Michael D. Weisner
mweisner at ebsmed.com
Fri Oct 24 09:36:10 EDT 2008
Herb,
>From your past responses, I presume that you are involved in some form of IT
consulting and should therefore know that there is really no such thing as
"an official site." While I am not looking to provide an out for the Obama
campaign, as implied by your "good try", I was just thinking that what
appears may not be exactly so. I am sure that there are crooks in all walks
of life, I was just indicating that this may be a different kind of crook: a
thief robbing the thieves, if you will. It probably would not be that hard
to interpose a harvester site to intercept such lucrative info enroute to a
poorly secured site. Since everyone is blaming the Obama campaign for lax
security, they might be ripped off and might not even know because of the
security failures!
The "official" registration, at the prestigious GoDaddy.com (tongue firmly
...) is the registrar of record is as follows:
Registrant:
Obama for America
233 N. Michigan Ave
Suite 1100
Chicago, Illinois 60601
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: BARACKOBAMA.COM
Created on: 28-Dec-04
Expires on: 28-Dec-15
Last Updated on: 16-Oct-07
It is interesting to note that the site was created nearly 4 years ago.
When did he decide to run??
Mike
s/v Shanghaid'd Summer ('81)
Nissequogue River, NY
From: "Herb Parsons" <hparsons at parsonsys.com>Sent: Friday, October 24, 2008
12:35 AM
> good try, but it's his official site.
>
> Michael D. Weisner wrote:
>> Brad,
>>
>> Newsflash - maybe the site is not real! What a great way to collect
>> credit
>> card info and cash! Set up a bogus prez candidate donation site to
>> collect
>> credit card numbers. Now why didn't I think of that?
>>
>> Mike
>> s/v Shanghaid'd Summer ('81)
>> Nissequogue River, NY
>>
>> From: "Brad Haslett" <flybrad at gmail.com>Sent: Thursday, October 23, 2008
>> 11:06 PM
>>
>>> Ben,
>>>
>>> Follow up report-
>>>
>>> One thing I learned from my old boss at CFS in Little Rock in the late
>>> 70's is never, never, ever do anything on credit with a political
>>> campaign. Obama is living on the "float".
>>>
>>> Brad
>>>
>>> ----------------
>>>
>>> BarackObama.com's Lax Security Opens Door to Online Donor Fraud
>>>
>>>
>>> by Patrick Ruffini | October 23, 2008 at 2:26 PM
>>>
>>>
>>> I just contributed $5 to Barack Obama.
>>>
>>> I didn't want to. Ideally, I could have contributed $0.01 and cost
>>> them money. But it was the only way to confirm the root cause of the
>>> fraudulent micro-donations to the Obama campaign ("Doodad Pro" for
>>> $17,300 and "Good Will" for $11,000).
>>>
>>> The Obama campaign has turned its security settings for accepting
>>> online contributions down to the bare minimum -- possibly to juice the
>>> numbers, and turning a blind eye towards the potential for fraud not
>>> just against the FEC, but against unsuspecting victims of credit card
>>> fraud.
>>>
>>> The issue centers around the Address Verification Service (or AVS)
>>> that credit card processors use to sniff out phony transactions. I was
>>> able to contribute money using an address other than the one on file
>>> with my bank account (I used an address I control, just not the one on
>>> my account), showing that the Obama campaign deliberately disabled AVS
>>> for its online donors.
>>>
>>> AVS is generally the first line of defense against credit card fraud
>>> online. AVS ensures that not only is your credit card number accurate,
>>> but the street address you've submitted with a transaction matches the
>>> one on file with your bank.
>>>
>>> Authorize.net, the largest credit card gateway provider in the
>>> country, lists AVS as a "Standard Transaction Security Setting,"
>>> recommends merchants use it, and turns it on by default. So, in order
>>> for AVS to be turned off, it has to be intentional, at least with
>>> Authorize.net.
>>>
>>> Authorize.net's website describes it this way:
>>>
>>> Bankcard processors implemented the Address Verification Service
>>> (AVS) to aid merchants in the detection of suspicious transaction
>>> activity. The payment processing network compares the billing address
>>> provided in the transaction with the cardholder's address on file at
>>> the credit card issuing bank. The processing network returns an AVS
>>> response code that indicates the results of this comparison to the
>>> payment gateway. You can configure your account to reject certain
>>> transactions based on the AVS code returned. For example, the AVS code
>>> "A" indicates that the street address matched, but the first five
>>> digits of the ZIP Code did not.
>>>
>>> The end result? "Donors" like "Doodad Pro" can submit tons of
>>> donations totaling well above the $2,300 limit using different bogus
>>> addresses (this does clarify how donations from "Palestine", or PA,
>>> got through). And the campaign has no way to reliably de-dupe these
>>> donations, besides looking at the last four digits of the credit card
>>> number, which with 3.1 million donors is an identifier that could be
>>> shared by literally hundreds of donors, and is not as easy to eyeball
>>> like a common name or address would be. The ability to contribute with
>>> a false address, when the technology to prevent it not only exists but
>>> comes standard, is a green light for fraud.
>>>
>>> One could understand the oversight if prior to the bogus donor story
>>> breaking. But you'd think they would have taken measures to step up
>>> their donor security in the aftermath of the revelations. Having AVS
>>> turned on would have stopped or significantly deterred the fraudulent
>>> donations (or, at a very minimum, made them easily detectable). By
>>> turning this basic setting off, the Obama campaign invited this kind
>>> of fraud and has taken no steps to correct it.
>>> __________________________________________________
>>> To subscribe/unsubscribe or for help with using the mailing list go to
>>> http://www.rhodes22.org/list
>>> __________________________________________________
>>>
>>>
>>>
>>
>> __________________________________________________
>> To subscribe/unsubscribe or for help with using the mailing list go to
>> http://www.rhodes22.org/list
>> __________________________________________________
>>
>>
>>
> __________________________________________________
> To subscribe/unsubscribe or for help with using the mailing list go to
> http://www.rhodes22.org/list
> __________________________________________________
>
>
More information about the Rhodes22-list
mailing list