» Carding

Safer ebanking

carrumba — Sun, 25 Jul 2010 09:22:09 +0000

Recently I read an article in the newspaper about a new product incorporated in a Swiss bank where they use a security token with fingerprint check and visual data transmission interpreted by the token. Check this site if you want to know more about it and you understand German : http://www.axsionics.ch/ .
The point where many attacks will fail is the transaction combined with account information. If the Go or No Go of the transaction is controlled by the token, outside of the attackers reach, all of the known transaction attacks are useless. An attack is detected easily and the transaction won’t be conducted.
Good job. One step ahead. Now it’s the attackers turn to react to this.

How online card security fails

carrumba — Wed, 27 Jan 2010 13:14:57 +0000

Yesterday on www.lightbluetouchpaper.org.

Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.

In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?

Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem.

Pizza delivery man cops to life in DarkMarket

carrumba — Sat, 16 Jan 2010 22:03:28 +0000

A former London pizza delivery man faces a 10-year prison sentence after admitting he helped found the notorious DarkMarket forum for computer crime, several news sites reported.

Renukanth Subramaniam, a 33-year-old Sri Lanka-born man from North London, pleaded guilty at Blackfriars Crown Court in London to conspiracy to defraud and furnishing false information. Authorities say he joined DarkMarket on its first day of operation in late 2005 and helped build it into an online resource for payment card fraud, with a thriving exchange for buying and selling stolen data and its own secure payment system.

DarkMarket operated for three years and had about 2,500 members at its peak. To be accepted, candidates had to provide details of 100 compromised cards to reviewers, who would then verify their validity. Members were required to adhere to a strict code of conduct that forbid foul language and pornography and demanded a kind of honor among thieves.