[Asterisk-biz] RE: VISA - MC - Fraud

[Thierry Wehr]

> -----Message d'origine-----
> De : asterisk-biz-bounces at lists.digium.com 
> [mailto:asterisk-biz-bounces at lists.digium.com] De la part de 
> Michael Welter
> Envoyé : dimanche 19 juin 2005 23:15
> À : Commercial and Business-Oriented Asterisk Discussion
> Objet : Re: [Asterisk-biz] RE: VISA - MC - Fraud
> 
> Danny Froberg wrote:
> 
> Very interested.
> 
> The poster's comment about using the MD5 sum of the CC# is very good. 
> What credit card number, officer?
> 
> The way I would design it would be:
> 
> The vendor, while opening a new account, would send an email 
> to query at blacklist.cc.  The email would contain:

Hello

As we all know, making forged emails is very easy, so how can you guarantee
The identity of the sender

> 
> . MD5 sum of the CC#
> . the first <n> digits of the CC# (unencrypted), enough to 
> identify the bank and country . IP address . callback 
> telephone number . name on card (?) . billing address . city/country.

IP addess cannot be used because the existence of anonymous proxy services
And who about phone numbers provided through VOIP (can change of owner very
often)

> The name on the card might be useful in the case of a 
> lost/stolen wallet.  The name loosely ties together all the 
> cards in the wallet. 
> The billing address would also tie together the cards.
> 
> The email reply would contain the country code of the CC and 
> whether any chargebacks had been received for that CC# or 
> that IP.  Also the country of the IP.  It would also contain 
> the number of queries from other vendors in the past <n> hours.
> 
The IP address is Not cannot be used as an unique key

> When a chargeback was received, the vendor would send an 
> email to chargeback at blacklist.cc with the CC# MD5 sum as the 
> subject.  The system would register the complaint and then 
> send an email to all those who had queried on that CC#.  An 
> email would also be sent to all vendors who had queried on 
> the offenders IP.
> 

Again how can you guarantee the the email is not a fake trying
to create lots of false entries in the database

> But this could go a lot further.  "Friends and Family" is 
> what it would be called :-)  When a chargeback is received, 
> the offenders complete Asterisk cdr would be emailed to 
> cdr at blacklist.cc.  The system would construct a graph (the 
> calling tree) of the offender's calling and called numbers 
> (ranked by frequency of use) and reply to the vendor. 
> Whenever one of those numbers was called in the future, or 
> whenever a caller's CallerID matched, the vendor could have 
> the account flagged for investigation.
>

Great it will be possible to make a DOS on phone numbers (past and future)

> The system could also build a combined (global) calling tree 
> using all submitted cdrs.  Overlapping calling trees would 
> give good insight.
> 
> Another thought is having a bot monitor the IRC channels 
> where CC# are traded.  When a bot identified a CC#, it would 
> be entered into the database.
>

So with a goof bot on irc you can generate thousands of CC numbers
>From real users of any bank and blacklist them

> A legit user who was denied would simply have his bank 
> reissue his credit card (this would happen anyway after he 
> rejects a charge).
>

And the user will go to an other VOIP provider and you'll lose is money and
the business

> I would be very interested in doing this, and I have the 
> bandwidth to support a reasonable number of transactions.  To 
> stay under the lawyer's radar, I'm thinking this would be a 
> subscription only (not public) service.  I don't think a 
> vendor would be obliged to inform the perp why service was 
> being denied.

Why not doing something easier
Just for example making a blacklist-e164.org domain and putting
the offending numbers with a redirection to nowhere for example
As like RBLS's for emails
So anybody can use it

Best Regards
Thierry

>