[Asterisk-biz] RE: VISA - MC - Fraud

[Michael Welter]

Danny Froberg wrote:
> Well maybe time to create such an entity, since none thats
> international / global exists, and it's definitely not cost efficient to
> signup with every local credit information system on the planet ;) 
> 
> Heck if I know, we need some way to protect ourselves.
> 
> And the system wouldn't contain any credit information, only blacklists
> (or similar).
> 
> Shoot some suggestions, regulatory considerations can be overcome in a
> wide variety of nations.
> 
> Some kind of joint effort seems to be needed however. And a system like
> this would only work if quite a few companies joined in to provide data.
> 
> I for one am quite willing to host the systems while it's being built, I
> can even foot the bill. Later if successful (working) we can figure
> something out if it turns into a high traffic/resource hog.
> 
> Let me know if *anyone* would be interested...
> 
Very interested.

The poster's comment about using the MD5 sum of the CC# is very good. 
What credit card number, officer?

The way I would design it would be:

The vendor, while opening a new account, would send an email to 
query at blacklist.cc.  The email would contain:

. MD5 sum of the CC#
. the first <n> digits of the CC# (unencrypted), enough to identify the 
bank and country
. IP address
. callback telephone number
. name on card (?)
. billing address
. city/country.

The name on the card might be useful in the case of a lost/stolen 
wallet.  The name loosely ties together all the cards in the wallet. 
The billing address would also tie together the cards.

The email reply would contain the country code of the CC and whether any 
chargebacks had been received for that CC# or that IP.  Also the country 
of the IP.  It would also contain the number of queries from other 
vendors in the past <n> hours.

When a chargeback was received, the vendor would send an email to 
chargeback at blacklist.cc with the CC# MD5 sum as the subject.  The system 
would register the complaint and then send an email to all those who had 
queried on that CC#.  An email would also be sent to all vendors who had 
queried on the offenders IP.

But this could go a lot further.  "Friends and Family" is what it would 
be called :-)  When a chargeback is received, the offenders complete 
Asterisk cdr would be emailed to cdr at blacklist.cc.  The system would 
construct a graph (the calling tree) of the offender's calling and 
called numbers (ranked by frequency of use) and reply to the vendor. 
Whenever one of those numbers was called in the future, or whenever a 
caller's CallerID matched, the vendor could have the account flagged for 
investigation.

The system could also build a combined (global) calling tree using all 
submitted cdrs.  Overlapping calling trees would give good insight.

Another thought is having a bot monitor the IRC channels where CC# are 
traded.  When a bot identified a CC#, it would be entered into the database.

A legit user who was denied would simply have his bank reissue his 
credit card (this would happen anyway after he rejects a charge).

I would be very interested in doing this, and I have the bandwidth to 
support a reasonable number of transactions.  To stay under the lawyer's 
radar, I'm thinking this would be a subscription only (not public) 
service.  I don't think a vendor would be obliged to inform the perp why 
service was being denied.

Know thine enemy.

Comments?