Credit Card Fraud

By Pat McKenna, published on March 21, 2006
Source: Tom's Guide US

5. Credit Card Fraud

Okay, let's lay off the banks for a moment and consider the common, garden variety credit card:

Each credit card has a 13- to 16-digit number that is constructed in a particular manner governed by a mathematical algorithm called the Luhn formula. This is designed to ensure that only certain numbers are usable; you can't just make up any old number and have it be considered valid. A freely downloadable program can be obtained that will prompt for a real card number as a base, and then generate a bunch of similar Luhn-validated numbers as directed. If the range specified is 500, the program generates 500 credit card numbers from the base entered. It is reasonable to assume that such a short range of numbers will have a similar expiry date to that of the base card.

The hacker visits a merchant and purchases an item for download, entering a fake name and address, a fake security number (the one printed on the rear of the card), and a card number from the generated range, along with the expiry date of the base card. If the bank has actually issued that card number to a customer, then, depending on the level of diligence of the payment gateway, the payment might go through. How can this be? Simple: many payment gateways receive security numbers, names and addresses, and store that data upon receipt, but never actually check it for validity. So if the card has been issued, and the card structure and expiry date are fine, then the payment is passed and the download proceeds. If the actual card holder doesn't spot the fraudulent charge, it will never be detected.
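The Luhn check the paragraph refers to, written out as a merchant-side input validator. This is an added example, not code from the original article; the function names are my own. Note what it does and does not do: it confirms the check digit and the 13- to 16-digit length, which is why a fabricated number that fails it can be rejected before it ever reaches the gateway, but a number that passes tells you nothing about whether a bank issued it, whether the expiry date is right, or whether the security number matches. Those are the checks the article says gateways skip.

```python
def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum modulo 10 for a string of ASCII digits.

    Walking from the rightmost digit, every second digit (the second from
    the right, the fourth, ...) is doubled; a doubled value of 10 or more
    has 9 subtracted. A well-formed number sums to a multiple of 10.
    """
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def is_luhn_valid(pan: str) -> bool:
    """Structural check only: 13 to 16 digits (spaces and dashes tolerated,
    as customers often type them) whose Luhn checksum is zero.

    A True result means the number is well-formed, not that it exists or
    belongs to the person presenting it. Issuance, expiry and the card
    security number must be verified with the issuer through the gateway.
    """
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit():
        return False
    if not 13 <= len(digits) <= 16:
        return False
    return luhn_checksum(digits) == 0


if __name__ == "__main__":
    # Constructed sample inputs: widely published test numbers, not real cards.
    for sample in ("4111 1111 1111 1111", "4111-1111-1111-1112", "378282246310005"):
        print(sample, "well-formed" if is_luhn_valid(sample) else "rejected")
```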

A procedure named 3D Secure is now being instituted by MasterCard and VISA. In its current form, it employs usernames, passwords and PINs as described earlier, so it will be subject to all of the attacks outlined above. Interestingly, it shifts the burden of responsibility onto the card holder and his/her issuing bank. So now, if you get defrauded through online credit card theft, you're going to get stuck with the bill as well! We will take an in-depth look at this later in the series.

To the systems administrator and security systems architects, the Internet is a battlefield. You are always hoping that you will not get hit, and must quickly move into damage control mode if you are. The secret here is to actually realize that you have been hit, detect the intrusion, and close off the breach before word gets out. Once the hacker jungle drums go off, a perpetual swarm of NMAPpers and other trouble arrives on the scene. (NMAP is a very famous 'security' scanner program that allows a hacker to engage a number of very clever techniques to probe a system with a minimum of disturbance.)

To the hacker, the Internet is a chess board. The structure of the game is defined by systems and hardware designers, and the movement of pieces is defined by systematic probing and well-defined attack strategies.

PINs And Passwords - For The Ten Millionth Time, They're One Of The Biggest Holes

Consumer habits are another playground for hackers. Where people have a choice, they reuse PINs and passwords for multiple applications. For instance, the PIN for a credit card is often also the PIN for an ATM, the online bank, and potentially even the owner's home alarm system! This means that a PIN or password broken at one site may grant access to many sites and utilities.

There are several important questions to ask here. Into how many sites do users enter password and PIN details? Do users keep separate passwords and PINs for each site? If users do keep separate identity management information for each site, where do they record their connection details?

Administrators and ordinary workers at many sites will have access to connecting users' PINs and passwords that are retained in databases at those sites. Banks, gateways and vendors who hold credit cards on-site, or who give access to user financial accounts, must realize that protecting access to their own site may not be enough if the user's ID is stolen somewhere else.
