[Rhodes22-list] Shoddy credit card security
Michael D. Weisner
mweisner at ebsmed.com
Fri Oct 24 14:14:05 EDT 2008
Herb,
First of all, I was not talking about folks who follow the rules, or the law
for that matter. I was thinking about Internet criminals who illegally
change the DNS to point to their copy site, collect the information, and
then send it on to the original site so as not to be detected. These
schemes are rampant in banking fraud. The classic case does not even
require one to repoint the nameserver but simply send out a phishing email
with an embedded link to the target site, pointed to the interception site.
I must get 10 emails daily, requesting contributions to McCain's political
campaign and have detected several that contain phishing links. They were
forwarded to abuse at johnmccain.com, although I never received any
confirmation from them that they were even remotely interested in
investigating.
BTW, I had one of my corporate domain names stolen by domain name slammer
and used by a former employee. It seems that the registrar sent US mail to
the business a few months prior to the expiration of the domain
registration. The mail was directed to the employee since he managed that
site. He appears to have responded to the letter, paid the registration and
moved the site to them.
We are prosecuting on several fronts ("all sorts of legal action"),
including mail fraud (the most significant penalty) and it is anything but
straightforward. The name of the entity (corporation, individual, etc.) has
no real claim on the domain. The site is still under his control and legal
papers served on the hosting agent has not been able to recover or delist
the domain.
You need to protect your domain names very carefully, maintaining tight
security on passwords (change them often) and locking the registration to
prevent domain slammers from moving them. My advice is not to rely on the
legal system for protection, since many of these agencies on the Internet
are not within our borders and do not respond or answer to our legal system.
Mike
s/v Shanghai'd Summer ('81)
Nissequogue River, NY
From: "Herb Parsons" <hparsons at parsonsys.com>Sent: Friday, October 24, 2008
1:31 PM
> Oh no no no, you are so wrong.
>
> If I own the a domain name, and in my case I do - parsonsys.com, anyone
> else that lays claim to a web site using my name is subject to all sorts
> of legal action.
>
> Furthermore, if you were decide one day that you wanted to "park" the
> domain name herbparsons.com (or even barakobama.com), and could show no
> legitimate use for it other than wanting to reserve it (in other words,
> your name wasn't Herb Parsons, or Barak Obama, you didn't have a
> legitimate company with that name, ), I could challenge you for the
> domain name, and would almost certainly win.
>
> Face it, barakobama.com is Barak Obama's web site. Official.
>
>
> I can not build a website and state on it that "This is the official web
> site for the
>
> Michael D. Weisner wrote:
>> Herb,
>>
>> >From your past responses, I presume that you are involved in some form
>> >of IT
>> consulting and should therefore know that there is really no such thing
>> as
>> "an official site." While I am not looking to provide an out for the
>> Obama
>> campaign, as implied by your "good try", I was just thinking that what
>> appears may not be exactly so. I am sure that there are crooks in all
>> walks
>> of life, I was just indicating that this may be a different kind of
>> crook: a
>> thief robbing the thieves, if you will. It probably would not be that
>> hard
>> to interpose a harvester site to intercept such lucrative info enroute to
>> a
>> poorly secured site. Since everyone is blaming the Obama campaign for
>> lax
>> security, they might be ripped off and might not even know because of the
>> security failures!
>>
>> The "official" registration, at the prestigious GoDaddy.com (tongue
>> firmly
>> ...) is the registrar of record is as follows:
>>
>> Registrant:
>> Obama for America
>> 233 N. Michigan Ave
>> Suite 1100
>> Chicago, Illinois 60601
>> United States
>>
>> Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
>> Domain Name: BARACKOBAMA.COM
>> Created on: 28-Dec-04
>> Expires on: 28-Dec-15
>> Last Updated on: 16-Oct-07
>>
>> It is interesting to note that the site was created nearly 4 years ago.
>> When did he decide to run??
>>
>> Mike
>> s/v Shanghaid'd Summer ('81)
>> Nissequogue River, NY
>>
>> From: "Herb Parsons" <hparsons at parsonsys.com>Sent: Friday, October 24,
>> 2008
>> 12:35 AM
>>
>>> good try, but it's his official site.
>>>
>>> Michael D. Weisner wrote:
>>>
>>>> Brad,
>>>>
>>>> Newsflash - maybe the site is not real! What a great way to collect
>>>> credit
>>>> card info and cash! Set up a bogus prez candidate donation site to
>>>> collect
>>>> credit card numbers. Now why didn't I think of that?
>>>>
>>>> Mike
>>>> s/v Shanghaid'd Summer ('81)
>>>> Nissequogue River, NY
>>>>
>>>> From: "Brad Haslett" <flybrad at gmail.com>Sent: Thursday, October 23,
>>>> 2008
>>>> 11:06 PM
>>>>
>>>>
>>>>> Ben,
>>>>>
>>>>> Follow up report-
>>>>>
>>>>> One thing I learned from my old boss at CFS in Little Rock in the late
>>>>> 70's is never, never, ever do anything on credit with a political
>>>>> campaign. Obama is living on the "float".
>>>>>
>>>>> Brad
>>>>>
>>>>> ----------------
>>>>>
>>>>> BarackObama.com's Lax Security Opens Door to Online Donor Fraud
>>>>>
>>>>>
>>>>> by Patrick Ruffini | October 23, 2008 at 2:26 PM
>>>>>
>>>>>
>>>>> I just contributed $5 to Barack Obama.
>>>>>
>>>>> I didn't want to. Ideally, I could have contributed $0.01 and cost
>>>>> them money. But it was the only way to confirm the root cause of the
>>>>> fraudulent micro-donations to the Obama campaign ("Doodad Pro" for
>>>>> $17,300 and "Good Will" for $11,000).
>>>>>
>>>>> The Obama campaign has turned its security settings for accepting
>>>>> online contributions down to the bare minimum -- possibly to juice the
>>>>> numbers, and turning a blind eye towards the potential for fraud not
>>>>> just against the FEC, but against unsuspecting victims of credit card
>>>>> fraud.
>>>>>
>>>>> The issue centers around the Address Verification Service (or AVS)
>>>>> that credit card processors use to sniff out phony transactions. I was
>>>>> able to contribute money using an address other than the one on file
>>>>> with my bank account (I used an address I control, just not the one on
>>>>> my account), showing that the Obama campaign deliberately disabled AVS
>>>>> for its online donors.
>>>>>
>>>>> AVS is generally the first line of defense against credit card fraud
>>>>> online. AVS ensures that not only is your credit card number accurate,
>>>>> but the street address you've submitted with a transaction matches the
>>>>> one on file with your bank.
>>>>>
>>>>> Authorize.net, the largest credit card gateway provider in the
>>>>> country, lists AVS as a "Standard Transaction Security Setting,"
>>>>> recommends merchants use it, and turns it on by default. So, in order
>>>>> for AVS to be turned off, it has to be intentional, at least with
>>>>> Authorize.net.
>>>>>
>>>>> Authorize.net's website describes it this way:
>>>>>
>>>>> Bankcard processors implemented the Address Verification Service
>>>>> (AVS) to aid merchants in the detection of suspicious transaction
>>>>> activity. The payment processing network compares the billing address
>>>>> provided in the transaction with the cardholder's address on file at
>>>>> the credit card issuing bank. The processing network returns an AVS
>>>>> response code that indicates the results of this comparison to the
>>>>> payment gateway. You can configure your account to reject certain
>>>>> transactions based on the AVS code returned. For example, the AVS code
>>>>> "A" indicates that the street address matched, but the first five
>>>>> digits of the ZIP Code did not.
>>>>>
>>>>> The end result? "Donors" like "Doodad Pro" can submit tons of
>>>>> donations totaling well above the $2,300 limit using different bogus
>>>>> addresses (this does clarify how donations from "Palestine", or PA,
>>>>> got through). And the campaign has no way to reliably de-dupe these
>>>>> donations, besides looking at the last four digits of the credit card
>>>>> number, which with 3.1 million donors is an identifier that could be
>>>>> shared by literally hundreds of donors, and is not as easy to eyeball
>>>>> like a common name or address would be. The ability to contribute with
>>>>> a false address, when the technology to prevent it not only exists but
>>>>> comes standard, is a green light for fraud.
>>>>>
>>>>> One could understand the oversight if prior to the bogus donor story
>>>>> breaking. But you'd think they would have taken measures to step up
>>>>> their donor security in the aftermath of the revelations. Having AVS
>>>>> turned on would have stopped or significantly deterred the fraudulent
>>>>> donations (or, at a very minimum, made them easily detectable). By
>>>>> turning this basic setting off, the Obama campaign invited this kind
>>>>> of fraud and has taken no steps to correct it.
>>>>> __________________________________________________
>>>>> To subscribe/unsubscribe or for help with using the mailing list go to
>>>>> http://www.rhodes22.org/list
>>>>> __________________________________________________
>>>>>
>>>>>
>>>>>
>>>>>
>>>> __________________________________________________
>>>> To subscribe/unsubscribe or for help with using the mailing list go to
>>>> http://www.rhodes22.org/list
>>>> __________________________________________________
>>>>
>>>>
>>>>
>>>>
>>> __________________________________________________
>>> To subscribe/unsubscribe or for help with using the mailing list go to
>>> http://www.rhodes22.org/list
>>> __________________________________________________
>>>
>>>
>>>
>>
>> __________________________________________________
>> To subscribe/unsubscribe or for help with using the mailing list go to
>> http://www.rhodes22.org/list
>> __________________________________________________
>>
>>
>>
> __________________________________________________
> To subscribe/unsubscribe or for help with using the mailing list go to
> http://www.rhodes22.org/list
> __________________________________________________
>
>
More information about the Rhodes22-list
mailing list