Re: [Full-Disclosure] Credit card numbers
On Thu, 2003-07-17 at 10:49, Myers, Marvin wrote:
> Maybe it is only me, but does anyone else notice a big jump in the
> number of merchants that are printing the entire credit card number
> and expiration date on receipts?
>
> Over the past 6 months I have had to educate about a dozen local
> merchants about the possible abuse scenarios that exist with this type
> of information leakage. If there is not already some sort of law
> governing this policy, there should be.

I believe there's a patent on the idea of only listing four digits of a credit card. So yes, there's an actual financial incentive to do the wrong thing.

A local grocery store was doing 8 digits for a while - before they went out of business. Another shows all of them - they seem to be doing well.

Shredders are your friends. But don't let that stop you from complaining to the merchant in question. Don't behead the person behind the counter - but maybe ask them to relay a message to their manager.

On a related note, how do you get web vendors not to store your credit card # on their hard disks longer than absolutely necessary? I trust (ssl data entry * number of orders) a lot more than a merchant's ability to stay up to date on patches until my card expires.

--
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>
RE: [Full-Disclosure] Credit card numbers
This is or will soon be illegal in California. Part of the anti-identity theft legislation movement there. They will also be requiring the ability to attach PINs to credit reports. They will be requiring that all merchants use credit card systems which do NOT print the full credit card number and/or expiration date.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myers, Marvin
Sent: Thursday, July 17, 2003 1:49 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Credit card numbers

Maybe it is only me, but does anyone else notice a big jump in the number of merchants that are printing the entire credit card number and expiration date on receipts?

Over the past 6 months I have had to educate about a dozen local merchants about the possible abuse scenarios that exist with this type of information leakage. If there is not already some sort of law governing this policy, there should be.

Marvin R. Myers
Re: [Full-Disclosure] Credit card numbers
There are many companies that still leave the full numbers on their receipts. I am going to give away a pretty big secret right now. If you have ever eaten at the "99 Restaurant" you will notice that they have the MOST sensitive information out of any company I have ever used my credit card at. Here's a list of what is on the receipt:

1) Full CC# - nothing blanked out
2) Full Name - just as it appears on the card
3) Expiration date
4) Customer signature (if they signed their copy)

Now here's how to easily get them. When I was in high school I used to go there late on Friday and Saturday nights and snag all the receipts out of the "conveniently placed" trash receptacle right outside the front door. Friday and Saturday nights are the best because they usually have the most customers (at the bar, drunk people, etc...)

Anyway, I have kept this pretty much a secret for a long time now and since we are on the topic and I don't exploit this anymore I figured I should make it public. There is even a way to get the CVV2 numbers from the back of the cards, but I will NOT tell you how to do that! If you check out the restaurant, I'm sure you will figure out how I got the CVV2 numbers as well. AND DON'T F**KING EMAIL ASKING HOW TO DO IT!!!

Peace out...

Kris
Re: [Full-Disclosure] Credit card numbers
On Thu, 2003-07-17 at 14:57, Dan Stromberg wrote:
> On Thu, 2003-07-17 at 10:49, Myers, Marvin wrote:
> > Maybe it is only me, but does anyone else notice a big jump in the
> > number of merchants that are printing the entire credit card number
> > and expiration date on receipts?
>
> Shredders are your friends. But don't let that stop you from
> complaining to the merchant in question. Don't behead the person behind
> the counter - but maybe ask them to relay a message to their manager.

I've seen this quite a bit up here in Reno. Yet up here we have no anti-identity theft, let alone other information security legislation.

My solution is to cross out with a pen all but the last 4 digits and the expiry date on BOTH copies of the receipt. This has infuriated a few local vendors, though it seems that most are easily educated on the liability it poses.

chris

--
Christopher Neitzert http://www.neitzert.com/~chris
chris(at)neitzertcom - GPG Key ID: 7DCC491B
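Added example, not part of any poster's message: the software equivalent of the pen fix and of the truncation rule mentioned earlier in the thread, as a filter that a point-of-sale system could run over receipt text before printing. The function names, the expiry label pattern and the sample receipt are assumptions made for illustration; the mask always keeps the same last four digits, so two receipts for one card never reveal different positions.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Expiry such as "EXP: 07/05" or "Expires 07/2005" (label format is an assumption).
EXP_RE = re.compile(
    r"\b(exp(?:iry|ires|iration)?\.?(?:\s+date)?\s*[:#]?\s*)"
    r"(?:0[1-9]|1[0-2])\s*/\s*(?:\d{4}|\d{2})\b",
    re.IGNORECASE,
)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize_receipt(text):
    """Mask all but the last four digits of each card number and blank the expiry.

    Only Luhn-valid digit runs are treated as card numbers, so order
    references and phone numbers are left alone. Returns the cleaned text
    and a count of what was masked.
    """
    masked = []

    def _mask(match):
        raw = match.group(0)
        digits = "".join(c for c in raw if c.isdigit())
        if not luhn_ok(digits):
            return raw
        masked.append(digits[-4:])
        keep_from = len(digits) - 4   # fixed position: always the last four
        out, seen = [], 0
        for c in raw:
            if c.isdigit():
                out.append(c if seen >= keep_from else "X")
                seen += 1
            else:
                out.append(c)         # keep the printed spacing
        return "".join(out)

    text = PAN_RE.sub(_mask, text)
    text, n_exp = EXP_RE.subn(lambda m: m.group(1) + "XX/XX", text)
    return text, {"pan": len(masked), "expiry": n_exp}


# Constructed sample receipt; 4111 1111 1111 1111 is a widely published test number.
SAMPLE_RECEIPT = """\
CORNER GROCERY        ORDER REF 1234567890123456
CARD: 4111 1111 1111 1111   EXP: 07/05
NAME: J. DOE
TOTAL $23.17
"""

if __name__ == "__main__":
    clean, counts = sanitize_receipt(SAMPLE_RECEIPT)
    print(clean)
    print(counts)
```

The same filter can be pointed at log files or database exports to find places where full numbers are still being written.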
Re: [Full-Disclosure] Credit card numbers
Myers, Marvin wrote:
> Maybe it is only me, but does anyone else notice a big jump in the
> number of merchants that are printing the entire credit card number
> and expiration date on receipts?

In Denmark they out 4 ciphers, but sadly the position of them alternate (jeez). No expiry date on the receipt, but VISA has limited lifetime, so <50 tries should do it.

--
kokanin
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Credit card numbers
Perhaps it is just my imagination here, and I do realize this is an unmoderated list, but this seems to be a more than unacceptable email. This is a professional list - would you go up to someone at a computer security conference and tell em "oh yeah, I used to card during highschool all the time"? My favorite phrase is the "I don't exploit this *ANYMORE*" (emphasis added)

Nick Jacobsen
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

-----Original Message-----
From: Kristian Hermansen
Sent: Thu 7/17/2003 12:43 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [Full-Disclosure] Credit card numbers

There are many companies that still leave the full numbers on their receipts. I am going to give away a pretty big secret right now. If you have ever eaten at the "99 Restaurant" you will notice that they have the MOST sensitive information out of any company I have ever used my credit card at. Here's a list of what is on the receipt:

1) Full CC# - nothing blanked out
2) Full Name - just as it appears on the card
3) Expiration date
4) Customer signature (if they signed their copy)

Now here's how to easily get them. When I was in high school I used to go there late on Friday and Saturday nights and snag all the receipts out of the "conveniently placed" trash receptacle right outside the front door. Friday and Saturday nights are the best because they usually have the most customers (at the bar, drunk people, etc...)

Anyway, I have kept this pretty much a secret for a long time now and since we are on the topic and I don't exploit this anymore I figured I should make it public. There is even a way to get the CVV2 numbers from the back of the cards, but I will NOT tell you how to do that! If you check out the restaurant, I'm sure you will figure out how I got the CVV2 numbers as well. AND DON'T F**KING EMAIL ASKING HOW TO DO IT!!!

Peace out...

Kris
Re: [Full-Disclosure] Credit card numbers
Nick Jacobsen wrote:
> Perhaps it is just my imagination here, and I do realize this is an
> unmoderated list, but this seems to be a more than unacceptable email.
> This is a professional list - would you go up to someone at a computer
> security conference and tell em "oh yeah, I used to card during
> highschool all the time"? My favorite phrase is the "I don't exploit
> this *ANYMORE*" (emphasis added)

Bah, I used to shoplift for a living, I don't do it anymore.
I believe god forgives sinners as long as they admit it.
Occasionally I actually break in to other people's computers.
Boo-fucking-hoo.
This list isn't corporate-whores-trying-to-gather-enough-strings-to-get-a-clue.

--
kokanin, speaker of truth, friend of jesus, son of God.
Re: [Full-Disclosure] Credit card numbers
> This is a professional list - would you go up to someone at a computer
> security conference and tell em "oh yeah, I used to card during
> highschool all the time"?

Oh grow up

Don

http://www.7f.no-ip.com/~north_
Re: [Full-Disclosure] Credit card numbers
> Carding is for "hackers" who enjoy prison. If you are considering illegal
> activity that involves theft or the possible involvement of the secret
> service, I suggest you first ask yourself whether or not you enjoyed high
> school cafeteria food and then imagine eating that for the next 20-30 years.

The issue isn't about what people are about to do, but what people have done. Everyone has made mistakes, that's just an inherent part of life. Learning from the problems is the main issue. I've never carded, nor plan to, but I'm not so foolish to think that I couldn't learn something about security from someone who has had experience in that area. So, yes, grow up and realize everyone has something to offer.

Don

http://www.7f.no-ip.com/~north_
RE: [Full-Disclosure] Credit card numbers
Carding is for "hackers" who enjoy prison. If you are considering illegal activity that involves theft or the possible involvement of the secret service, I suggest you first ask yourself whether or not you enjoyed high school cafeteria food and then imagine eating that for the next 20-30 years.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of northern snowfall
Sent: Thursday, July 17, 2003 6:59 PM
To: Nick Jacobsen
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Credit card numbers

>This is a professional list - would you go up to someone at a computer
>security conference and tell em "oh yeah, I used to card during
>highschool all the time"?

Oh grow up

Don

http://www.7f.no-ip.com/~north_
RE: [Full-Disclosure] Credit card numbers
Also I'm really not entirely sure what's so professional about this list. What deems a professional anyway? I mean seriously, you stopped hacking and got a job instead so now you're a professional? You avoided prison until the age of 18 and someone was foolish enough to pay you for your "intellectual property" so now you are a professional? Or maybe you have a CISSP and you know absolutely everything and that makes you a professional. Come on please. Nothing is even remotely as black and white as it's made out to be.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of gml
Sent: Thursday, July 17, 2003 6:18 PM
To: 'northern snowfall'; 'Nick Jacobsen'
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Credit card numbers

Carding is for "hackers" who enjoy prison. If you are considering illegal activity that involves theft or the possible involvement of the secret service, I suggest you first ask yourself whether or not you enjoyed high school cafeteria food and then imagine eating that for the next 20-30 years.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of northern snowfall
Sent: Thursday, July 17, 2003 6:59 PM
To: Nick Jacobsen
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Credit card numbers

>This is a professional list - would you go up to someone at a computer
>security conference and tell em "oh yeah, I used to card during
>highschool all the time"?

Oh grow up

Don

http://www.7f.no-ip.com/~north_
Re: [Full-Disclosure] Credit card numbers
i used to card during high school all the time.

/m

----- Original Message -----
From: "gml" <[EMAIL PROTECTED]>
To: "'northern snowfall'" <[EMAIL PROTECTED]>; "'Nick Jacobsen'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 3:18 PM
Subject: RE: [Full-Disclosure] Credit card numbers

> Carding is for "hackers" who enjoy prison. If you are considering illegal
> activity that involves theft or the possible involvement of the secret
> service, I suggest you first ask yourself whether or not you enjoyed high
> school cafeteria food and then imagine eating that for the next 20-30 years.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of northern snowfall
> Sent: Thursday, July 17, 2003 6:59 PM
> To: Nick Jacobsen
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Credit card numbers
>
> >This is a professional list - would you go up to someone at a computer
> >security conference and tell em "oh yeah, I used to card during
> >highschool all the time"?
> >
> Oh grow up
>
> Don
>
> http://www.7f.no-ip.com/~north_
Re: [Full-Disclosure] Credit card numbers
PRAISE THE LORD!

/m

robertson is a nutjob.

----- Original Message -----
From: "Knud Erik Højgaard" <[EMAIL PROTECTED]>
To: "Nick Jacobsen" <[EMAIL PROTECTED]>; "Kristian Hermansen" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 3:15 PM
Subject: Re: [Full-Disclosure] Credit card numbers

> Nick Jacobsen wrote:
> > Perhaps it is just my imagination here, and I do realize this is an
> > unmoderated list, but this seems to be a more than unacceptable email.
> > This is a professional list - would you go up to someone at a computer
> > security conference and tell em "oh yeah, I used to card during
> > highschool all the time"? My favorite phrase is the "I don't exploit
> > this *ANYMORE*" (emphasis added)
>
> Bah, I used to shoplift for a living, I don't do it anymore.
> I believe god forgives sinners as long as they admit it.
> Occasionally I actually break in to other people's computers.
> Boo-fucking-hoo.
> This list isn't
> corporate-whores-trying-to-gather-enough-strings-to-get-a-clue.
>
> --
> kokanin, speaker of truth, friend of jesus, son of God.
RE: [Full-Disclosure] Credit card numbers
I would have mentioned the butt sex, but I guess the food is pretty bad too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of gml
Sent: Thursday, July 17, 2003 6:18 PM
To: 'northern snowfall'; 'Nick Jacobsen'
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Credit card numbers

Carding is for "hackers" who enjoy prison. If you are considering illegal activity that involves theft or the possible involvement of the secret service, I suggest you first ask yourself whether or not you enjoyed high school cafeteria food and then imagine eating that for the next 20-30 years.
Re: [Full-Disclosure] Credit card numbers
> On a related note, how do you get web vendors not to store your credit
> card # on their hard disks longer than absolutely necessary? I trust
> (ssl data entry * number of orders) a lot more than a merchant's ability
> to stay up to date on patches until my card expires.

Check out http://www.mbna.com and look for their "Shopsafe" service. In short, you can generate temporary CC numbers that are linked to your real CC. You can put limits on the temp numbers like a low limit, one time use and one-vendor use. The last one rocks for "subscriptions" to websites ;)

It's not perfect, but it's better than nothing.

slugbait
(They should be paying me :P)
RE: [Full-Disclosure] credit card numbers
carding is still very much the same as it was 10 years ago, before online shopping kicked off. basically its a ring of losers who dig in the trash cans, use deceptive web pages (ie fake logins for paypal, ebay, etc.), steal numbers from cc vendors databases, and then trade them off because they are too much of pussies to actually try to use any of them... for example if you ever visit an irc carding room or a carding newsgroup its all the same:

Thrash1: i have 10 gazillion ccs w/cvv2 and full info, selling for $25 each
Thrash2: huh, i dont understand. how do u use these credit cards online
Thrash3: newbie, get out, go screw yourself
Thrash2: whats cvv2

Although it can be a serious problem carding remains largely the same deal as before. The best thing online vendors can do is to encrypt cc information as well as any accounts tied to those numbers (ie user/pass) in case another one of those 0day shopping cart sploits come out. Another thing they can do is to delete cc info after "x" days or just not store it at all ... after all, doesn't that eliminate the problem all together?

Also, sorry about the stupid vacation message. I got about 20 million emails that said something along the lines of:

>Its July, dipshit.

:)

--
Justin Shin
RE: [Full-Disclosure] Credit card numbers
Well butt sex is one thing but I mean could you eat high school cafeteria food every day for 20-30 years. I know I can't. Although I would certainly enjoy the time alone in my cell far away from computing, security and infosec mailing lists.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Phelps / Dreamwright Studios
Sent: Thursday, July 17, 2003 7:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Credit card numbers

I would have mentioned the butt sex, but I guess the food is pretty bad too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of gml
Sent: Thursday, July 17, 2003 6:18 PM
To: 'northern snowfall'; 'Nick Jacobsen'
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Credit card numbers

Carding is for "hackers" who enjoy prison. If you are considering illegal activity that involves theft or the possible involvement of the secret service, I suggest you first ask yourself whether or not you enjoyed high school cafeteria food and then imagine eating that for the next 20-30 years.
Re: [Full-Disclosure] Credit card numbers
Good lord. Trashing 101. This is so 30 years ago. Why is this even on the list?

Chris Watson
Bestor G. Brown #433 Wichita, KS USA M.M
AIM: BSDUNIX44
RE: [Full-Disclosure] Credit card numbers
My point being was that at a certain point regardless you realize hopefully as you grow up that carding is REALLY INCREDIBLY STUPID and often results in a serious prison sentence.

-----Original Message-----
From: micah mcnelly [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 6:47 PM
To: gml; 'northern snowfall'; 'Nick Jacobsen'
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Credit card numbers

i used to card during high school all the time.

/m

----- Original Message -----
From: "gml" <[EMAIL PROTECTED]>
To: "'northern snowfall'" <[EMAIL PROTECTED]>; "'Nick Jacobsen'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, July 17, 2003 3:18 PM
Subject: RE: [Full-Disclosure] Credit card numbers

> Carding is for "hackers" who enjoy prison. If you are considering illegal
> activity that involves theft or the possible involvement of the secret
> service, I suggest you first ask yourself whether or not you enjoyed high
> school cafeteria food and then imagine eating that for the next 20-30 years.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of northern snowfall
> Sent: Thursday, July 17, 2003 6:59 PM
> To: Nick Jacobsen
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Credit card numbers
>
> >This is a professional list - would you go up to someone at a computer
> >security conference and tell em "oh yeah, I used to card during
> >highschool all the time"?
> >
> Oh grow up
>
> Don
>
> http://www.7f.no-ip.com/~north_
Re: [Full-Disclosure] Credit card numbers
On Thursday 17 July 2003 03:51 pm, gml wrote:
> My point being was that at a certain point regardless you realize hopefully
> as you grow up that carding is REALLY INCREDIBLY STUPID and often results
> in a serious prison sentence.

Not to mention the fact that it generally causes serious financial damage and distress to innocents.

This isn't page-defacement or software-license evasion. Someone is actually harmed by these actions.

--
Jeremiah Cornelius, CISSP, CCNA, MCSE
Information Security Technology - farm9.com
email: [EMAIL PROTECTED] - mobile: 415.235.7689
"What would be the use of immortality to a person who cannot use well a half hour?" --Ralph Waldo Emerson
Re: [Full-Disclosure] Credit card numbers
On Thu, 17 Jul 2003, northern snowfall wrote:
> >Carding is for "hackers" who enjoy prison. If you are considering illegal
> >activity that involves theft or the possible involvement of the secret
> >service, I suggest you first ask yourself whether or not you enjoyed high
> >school cafeteria food and then imagine eating that for the next 20-30 years.

It's not the food that scares me, (I ate public school food in Brooklyn NY, those aren't raisins in the stuffing kids) it's your new "girlfriend" with the 42" chest and the harelip. He likes you A LOT, you wish you had shoe laces to hang yourself with.
Re: [Full-Disclosure] Credit card numbers
Myers, Marvin wrote:
| Maybe it is only me, but does anyone else notice a big jump in the
| number of merchants that are printing the entire credit card number and
| expiration date on receipts?
| Over the past 6 months I have had to educate about a dozen local
| merchants about the possible abuse scenarios that exist with this type
| of information leakage. If there is not already some sort of law
| governing this policy, there should be.
|
| Marvin R. Myers

This may not be exactly what you're looking for, but the Gramm-Leach-Bliley Act has some protections for consumer credit card information:

http://thomas.loc.gov/cgi-bin/bdquery/z?d106:SN00900:|

Thanks,
Jeff

--
Jeff Bollinger, CISSP
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff @unc dot edu
Re: [Full-Disclosure] Credit card numbers
> > Nick Jacobsen wrote:
> > > Perhaps it is just my imagination here, and I do realize this is an
> > > unmoderated list, but this seems to be a more than unacceptable
> > > email. This is a professional list - would you go up to someone at a

Haha, this a professional list! : ) Too funny!! We'd like it to be...

But we all know running an unmoderated list will NEVER result in a professional list however hard we try. Same as why we have police. A few individuals think they cannot be valuable to society, or some such. Next thing we hire people to keep them in check, and off it goes until we all suffer for the few. Why would this be different?

The idea is right - having a list where all security announcements can be made. However one has to have the time and ability, and be willing, to stop non security related posts. Not too hard, but many think it cannot be done. All you need is the ability to differentiate. (In the end if you're not sure you could just post it. Then if it runs away into some BS stop it.)

It can still be full disclosure as far as security goes. ALL security related mail is posted, simple. Name calling is not security related so it goes to /dev/null.

> > > computer security conference and tell em "oh yeah, I used to card
> > > during highschool all the time"? My favorite phrase is the "I don't
> > > exploit this *ANYMORE*" (emphasis added)
> >
> > Bah, I used to shoplift for a living, I don't do it anymore.
> > I believe god forgives sinners as long as they admit it.
> > Occasionally I actually break in to other people's computers.
> > Boo-fucking-hoo.
> > This list isn't
> > corporate-whores-trying-to-gather-enough-strings-to-get-a-clue.
> >
> > --
> > kokanin, speaker of truth, friend of jesus, son of God.

--
Steve Szmidt
VP Information Technology
Video Group Distributors, Inc.
727-585-7737