[Asterisk-biz] RE: VISA - MC - Fraud
Thierry Wehr
wehr at japet.com
Sun Jun 19 14:49:03 MST 2005
> -----Original Message-----
> From: asterisk-biz-bounces at lists.digium.com
> [mailto:asterisk-biz-bounces at lists.digium.com] On behalf of
> Michael Welter
> Sent: Sunday, June 19, 2005 23:15
> To: Commercial and Business-Oriented Asterisk Discussion
> Subject: Re: [Asterisk-biz] RE: VISA - MC - Fraud
>
> Danny Froberg wrote:
>
> Very interested.
>
> The poster's comment about using the MD5 sum of the CC# is very good.
> What credit card number, officer?
>
> The way I would design it would be:
>
> The vendor, while opening a new account, would send an email
> to query at blacklist.cc. The email would contain:
Hello,
As we all know, making forged emails is very easy, so how can you guarantee
the identity of the sender?
>
> . MD5 sum of the CC#
> . the first <n> digits of the CC# (unencrypted), enough to
>   identify the bank and country
> . IP address
> . callback telephone number
> . name on card (?)
> . billing address
> . city/country
IP addresses cannot be used because of the existence of anonymous proxy services.
And what about phone numbers provided through VoIP (they can change owner very
often)?
> The name on the card might be useful in the case of a
> lost/stolen wallet. The name loosely ties together all the
> cards in the wallet.
> The billing address would also tie together the cards.
>
> The email reply would contain the country code of the CC and
> whether any chargebacks had been received for that CC# or
> that IP. Also the country of the IP. It would also contain
> the number of queries from other vendors in the past <n> hours.
>
The IP address cannot be used as a unique key.
> When a chargeback was received, the vendor would send an
> email to chargeback at blacklist.cc with the CC# MD5 sum as the
> subject. The system would register the complaint and then
> send an email to all those who had queried on that CC#. An
> email would also be sent to all vendors who had queried on
> the offenders IP.
>
Again, how can you guarantee that the email is not a fake trying
to create lots of false entries in the database?
> But this could go a lot further. "Friends and Family" is
> what it would be called :-) When a chargeback is received,
> the offenders complete Asterisk cdr would be emailed to
> cdr at blacklist.cc. The system would construct a graph (the
> calling tree) of the offender's calling and called numbers
> (ranked by frequency of use) and reply to the vendor.
> Whenever one of those numbers was called in the future, or
> whenever a caller's CallerID matched, the vendor could have
> the account flagged for investigation.
>
Great, it will be possible to make a DoS on phone numbers (past and future).
> The system could also build a combined (global) calling tree
> using all submitted cdrs. Overlapping calling trees would
> give good insight.
>
> Another thought is having a bot monitor the IRC channels
> where CC# are traded. When a bot identified a CC#, it would
> be entered into the database.
>
So with a good bot on IRC you can generate thousands of CC numbers
from real users of any bank and blacklist them.
> A legit user who was denied would simply have his bank
> reissue his credit card (this would happen anyway after he
> rejects a charge).
>
And the user will go to another VoIP provider and you'll lose his money and
the business.
> I would be very interested in doing this, and I have the
> bandwidth to support a reasonable number of transactions. To
> stay under the lawyer's radar, I'm thinking this would be a
> subscription only (not public) service. I don't think a
> vendor would be obliged to inform the perp why service was
> being denied.
Why not do something easier?
Just for example, make a blacklist-e164.org domain and put
the offending numbers in it with a redirection to nowhere,
like RBLs for email,
so anybody can use it.
Best Regards
Thierry
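An added illustration, not part of this thread and not code from either poster: the proposal quoted above sends MD5(CC#) as the lookup key together with the first <n> digits of the card in clear, on the assumption that the hash hides the number ("What credit card number, officer?"). Because a card number has a fixed length and a Luhn check digit, the digits that remain unknown form a small search space, so anyone who obtains the database can recover the card numbers by brute force. The card number used below is the well-known Visa test number 4111 1111 1111 1111 (a constructed input, not a real account), and the function and parameter names are my own.

```python
import hashlib
from itertools import product

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812) as used on payment card numbers.

    Walking from the rightmost digit, every second digit is doubled and
    digits above 9 have 9 subtracted; the sum must be a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def query_key(pan: str) -> str:
    """The lookup key the proposal would put in the query email: MD5 of the full PAN."""
    return hashlib.md5(pan.encode("ascii")).hexdigest()


def search_space(length: int = 16, known: int = 6) -> int:
    """Number of Luhn-valid candidates left when `known` digits are disclosed.

    One of the unknown digits is forced by the check digit, hence the -1.
    With only a 6-digit BIN in clear this is 10**9 MD5 operations, which is
    an offline job of minutes on commodity hardware, not a secret.
    """
    return 10 ** (length - known - 1)


def recover_pan(digest: str, known_prefix: str, known_suffix: str = "",
                length: int = 16):
    """Brute-force the PAN behind `digest` given the digits sent in clear.

    `known_prefix` is the BIN the query email discloses; `known_suffix` is
    optional extra knowledge (e.g. the last four digits printed on a receipt).
    Returns the recovered PAN, or None if nothing matches.
    """
    unknown = length - len(known_prefix) - len(known_suffix)
    for middle in product(DIGITS, repeat=unknown):
        candidate = known_prefix + "".join(middle) + known_suffix
        if not luhn_valid(candidate):
            continue  # skip numbers that could never be issued
        if query_key(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed input: the standard Visa test number, not a real account.
    pan = "4111111111111111"
    key = query_key(pan)
    print("query key sent to the service:", key)

    # Attacker knows the 8-digit prefix from the query plus the last four
    # digits from a receipt: 10**3 Luhn-valid candidates remain.
    recovered = recover_pan(key, known_prefix=pan[:8], known_suffix=pan[-4:])
    print("recovered PAN:", recovered, "| matches:", recovered == pan)
    print("candidates with only a 6-digit BIN known:", search_space(16, 6))
```

The point for the design being discussed is that hashing does not turn a card number into a pseudonym: the input space is too small and too structured. A keyed hash (HMAC with a secret held by the service) would stop outsiders who obtain the database from reversing the keys, but every subscriber who can form queries holds that key and can still run the same enumeration.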