On Sun, 2005-06-19 at 07:29, R P Herrold wrote:
> On Sat, 18 Jun 2005, Major.Mikey wrote:
>
> > Well, I'm sure you all have heard by now that a company in
> > Tucson that handles credit card information had a
> > cyber-breakin.
> >
> > 1- What operating system does this company use?
>
> - The compromise vector sems to be a tailored Windows
> harvesting tool. Shame on them for using a consumer grade
> operating system for their workstation desktops handling
> restricted data.
>
> > I am having all my credit card numbers changed! What do all
> > of those who are wiser than me think about that?
I doubt it would help, because it'll just happen again. In the past few
years, my outgoing mail has been stolen (stopped putting bills in my
mailbox after that), my tax accountant had her computers stolen, and my
mortgage company had their computers stolen also. Recently our Amex
card was compromised so we cancelled it and probably won't reapply. No
idea how it happened, but we only used it at Costco, because that's the
card Costco requires you to use. This may have been related to the
Tucson break-in but none of our other cards (fingers crossed) have been
attacked yet. A friend of mine says that "pimply faced clerks are using
their camera phones to capture people's credit card numbers." One thing
I've noticed since he said that is that Amex is the ONLY card that has
its "validation number" on the front of the card, rather than the back.
(In other words, you just need one photo of the card, not two.) The
fraudsters who got our number were trying to use it on the Internet,
where the merchants always make you enter that 3-or-4-digit validation
number. An interesting coincidence? I think not!!
Vaughn
>
> - I have been working in this part of the ISO (independent
> servicing organization) credit card capture and clearance
> business for several years. This scenario has been in my
> nightmares for the last 5 years.
>
> Clearly the company in question failed to meet its VISA CISP
> and related Associations obligations, and some heads should
> roll. The compromised business (CSI) may be part of the
> walking dead already, although they are a moderately big
> player.
>
> As a practical matter, there is no way for an lay user to know
> which ISO is handling their CC swipe data on behalf of the
> merchant. As such seeking a changed credit card number is
> like applying putting on bug repellant before going golfing.
> i.e., a harmless 'feel good' measure, but not one directly not
> addressing the true issues.
>
> Taking ownership of one's own infosec, as in following a
> sustained program of reviewing monthly card settlement
> statements is much more likely to catch the occasional fraud.
>
> - Russ Herrold
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)