> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of
> Michael Welter
> Sent: Sunday, 19 June 2005 23:15
> To: Commercial and Business-Oriented Asterisk Discussion
> Subject: Re: [Asterisk-biz] RE: VISA - MC - Fraud
>
> Danny Froberg wrote:
> > Very interested.
>
> The poster's comment about using the MD5 sum of the CC# is very good.
> What credit card number, officer?
>
> The way I would design it would be:
>
> The vendor, while opening a new account, would send an email
> to [EMAIL PROTECTED] The email would contain:

Hello

As we all know, making forged emails is very easy, so how can you guarantee
the identity of the sender?

>
> . MD5 sum of the CC#
> . the first <n> digits of the CC# (unencrypted), enough to
>   identify the bank and country
> . IP address
> . callback telephone number
> . name on card (?)
> . billing address
> . city/country.

IP address cannot be used because of the existence of anonymous proxy services.
And what about phone numbers provided through VOIP (they can change owner very often)?

> The name on the card might be useful in the case of a
> lost/stolen wallet. The name loosely ties together all the
> cards in the wallet.
> The billing address would also tie together the cards.
>
> The email reply would contain the country code of the CC and
> whether any chargebacks had been received for that CC# or
> that IP. Also the country of the IP. It would also contain
> the number of queries from other vendors in the past <n> hours.
>

The IP address cannot be used as a unique key.

> When a chargeback was received, the vendor would send an
> email to [EMAIL PROTECTED] with the CC# MD5 sum as the
> subject. The system would register the complaint and then
> send an email to all those who had queried on that CC#. An
> email would also be sent to all vendors who had queried on
> the offender's IP.
>

Again, how can you guarantee that the email is not a fake trying to create
lots of false entries in the database?

> But this could go a lot further. "Friends and Family" is
> what it would be called :-) When a chargeback is received,
> the offender's complete Asterisk cdr would be emailed to
> [EMAIL PROTECTED] The system would construct a graph (the
> calling tree) of the offender's calling and called numbers
> (ranked by frequency of use) and reply to the vendor.
> Whenever one of those numbers was called in the future, or
> whenever a caller's CallerID matched, the vendor could have
> the account flagged for investigation.
>

Great, it will be possible to make a DoS on phone numbers (past and future).

> The system could also build a combined (global) calling tree
> using all submitted cdrs. Overlapping calling trees would
> give good insight.
>
> Another thought is having a bot monitor the IRC channels
> where CC# are traded. When a bot identified a CC#, it would
> be entered into the database.
>

So with a good bot on IRC you can generate thousands of CC numbers
from real users of any bank and blacklist them.

> A legit user who was denied would simply have his bank
> reissue his credit card (this would happen anyway after he
> rejects a charge).
>

And the user will go to another VOIP provider and you'll lose his money
and the business.

> I would be very interested in doing this, and I have the
> bandwidth to support a reasonable number of transactions. To
> stay under the lawyer's radar, I'm thinking this would be a
> subscription only (not public) service. I don't think a
> vendor would be obliged to inform the perp why service was
> being denied.

Why not do something easier?
Just, for example, making a blacklist-e164.org domain and putting the
offending numbers in it with a redirection to nowhere, for example,
like RBLs for emails,
so anybody can use it.

Best Regards
Thierry

_______________________________________________
Asterisk-Biz mailing list
Asterisk-Biz@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-biz
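
The RBL-style number lookup proposed at the end of the message, sketched as an added example that is not part of the original post or of any existing service. The zone name `blacklist-e164.example`, the ENUM-style reversed-digit query names and the 127.0.0.0/8 "listed" answer (borrowed from e-mail DNSBLs) are assumptions; the zone data in `demo()` is constructed.

```python
import re
import socket

# Hypothetical zone name (assumption); the post only suggests such a domain.
ZONE = "blacklist-e164.example"

def e164_to_qname(number, zone=ZONE):
    """'+33 1 23 45 67 89' -> '9.8.7.6.5.4.3.2.1.3.3.<zone>' (digits reversed, as in ENUM)."""
    digits = re.sub(r"[\s().-]", "", number)
    if not re.fullmatch(r"\+[1-9]\d{1,14}", digits):
        raise ValueError(f"not an E.164 number: {number!r}")
    return ".".join(reversed(digits[1:])) + "." + zone

def check_number(number, resolve=socket.gethostbyname, zone=ZONE):
    """Return 'listed', 'clear' or 'unknown' for one number.

    Follows the e-mail DNSBL convention: an A record inside 127.0.0.0/8
    means listed, NXDOMAIN means not listed.
    """
    try:
        answer = resolve(e164_to_qname(number, zone))
    except socket.gaierror as exc:
        # Only a definite "no such name" clears the number; a resolver
        # failure must not be read as a clean result.
        return "clear" if exc.errno == socket.EAI_NONAME else "unknown"
    # Answers outside 127/8 (wildcards, NXDOMAIN-rewriting resolvers) are not listings.
    return "listed" if answer.startswith("127.") else "unknown"

def demo():
    """Run the check against a constructed in-memory zone instead of real DNS."""
    zone_data = {e164_to_qname("+33 1 23 45 67 89"): "127.0.0.2"}  # constructed entry
    def resolve(name):
        if name in zone_data:
            return zone_data[name]
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return {n: check_number(n, resolve) for n in ("+33123456789", "+14155550100")}

if __name__ == "__main__":
    print(demo())
```

A lookup like this only answers whether a number is listed; it does nothing about who is allowed to add entries, which is the forged-submission problem raised earlier in the message.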