[Asterisk-biz] RE: VISA - MC - Fraud

David Pollak dpp-asterisk at projectsinmotion.com
Sun Jun 19 16:11:18 MST 2005


Okay... this is turning into a hard, but fun, problem.

No way to store the MD5 of the CC #.  I did some back of the napkin and 
you could figure out the CC # from the MD5 pretty easily (CC # are 16 
digits, but the last digit is a checksum, so they're only 15 digits.  
There are "common" beginning sequences based on issuing bank, so there 
are only 11 digits.  That's about 2,000 GB of data (MD5 is 160 bits)... 
so creating the "give me an MD5 and I'll give you the CC #" database 
would span 10 300GB hard drives (well, I guess if you multiplied by the 
20 common bank prefixes, you'd get 200 hard drives, but still, it's a 
bounded problem.)

In terms of submitting stuff, the system would have to know and trust 
the organization doing the look-up request.  If I were setting things 
up, I'd make sure both parties had SSL certs issued by VeriSign so we 
know who is on each end of the communications pipe (SOAP 
requests/responses).  I'd spend a lot of money running background checks 
on the company, the company's officers, and the IT staff that had access 
to the keys and the raw CC data.  We have to be able to trust the folks 
who are submitting the raw data (both the people and the machines.)  
That way, everybody in the network knows that everyone else in the 
network is vetted and doesn't have a history of running financial scams, 
etc.

Here's the fun problem... How do we exchange data describing the 
transaction without exchanging "identifying" information which may 
violate both CC agreements and various European and other privacy laws?  
I'm noodling on that, but would love to get input from others.

So, what are some of the things to deal with?
- Running through an IP anonymizer -- most of the anonymizers are run by 
the CIA anyway, but it's pretty easy to get the current hot anonymizers 
and the current IP addresses used by the anonymizers and block them.
- CC and PayPal accounts that show up in IRC channels -- Put bots in the 
hacker and underground channels and block CC #'s and PayPal accounts 
that are exchanged.

How much would merchants pay for such a service (even if it was not a 
profit-making venture, it's going to cost something)?  25 cents a 
transaction?  50 cents a transaction?  How much up-front (background 
checks are not free) $5K, $10K?

How could we work to get on the right side of VISA, MasterCard, etc.?  
While they have some incentive to eliminate fraud, they probably don't 
have a ton of incentive to deal with online fraud for smaller vendors 
(they just push the costs back to the vendor in the form of charge-backs 
-- it's tougher for them to push the risk onto Amazon or Target.)  There 
may be an interesting Homeland Security aspect to this as well.  Given 
the dangers of telecommunications fraud or more specifically, the 
dangers of anonymous, untrackable communications, I'd expect they would 
want to have a system that tracked purchases of communications services.

Okay, I'm ranting... but I'd be interested in any thoughts on how to 
package up the identifying information for a CC transaction (CC #, 
purchaser, and address) into a non-identifying, non-reversible hash and 
transmit that with the non-identifying information about the transaction 
(e.g., IP address, city, state, country, postal/zip code, etc.)

On another tangent, has anyone tried shipping out a welcome letter via 
UPS or FedEx as a way of "shipping a physical good", verifying the 
address, and getting a signature?  If anyone has tried it, what were the 
successes or failures of it?

Thanks,

David




snacktime wrote:

>>Why not doing something easier
>>Just for example making a blacklist-e164.org domain and putting
>>the offending numbers with a redirection to nowhere for example
>>As like RBLS's for emails
>>So anybody can use it
>>    
>>
>
>Just so people know.  You can't run a service like that where you
>store cardholder related data (and that includes a hash of the card
>number) without being a registered third party provider with Visa. 
>That entails going through a security audit once a year done by an
>approved auditing company, and of course having a network that meets
>the criteria.  It's not cheap and it takes a considerable amount of
>time.  For us, the biggest thing was all the written policies and
>documentation they require, but if you don't have the network in place
>that will be a considerable cost also.  Two factor authentication is
>required for local and remote admin access, data backups have to be
>made at regular intervals and archived off site, etc..
>
>Chris
>_______________________________________________
>Asterisk-Biz mailing list
>Asterisk-Biz at lists.digium.com
>http://lists.digium.com/mailman/listinfo/asterisk-biz
>  
>
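The two technical threads in the message above, the back-of-the-napkin sizing of a "give me an MD5 and I'll give you the CC #" table and the request for a way to package card data into a non-reversible value, can be illustrated with the following Python. It is an added example, not code from David's post or from anyone on the list, and it assumes nothing beyond the standard library; the test card number 4111111111111111, the 11-digit prefix and the keys are constructed sample values. It computes the Luhn check digit (the "last digit is a checksum" point), sizes the candidate space for one issuer prefix using MD5's 16-byte digest, builds a toy lookup table over a 10,000-entry slice of that space to show why an unsalted hash of a card number is invertible, and then shows a keyed HMAC token that stays consistent for matching between parties that share the key but cannot be precomputed by anyone without it.

```python
import hashlib
import hmac
import secrets


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit that completes `payload` (digits only)."""
    total = 0
    # Walking from the right, the digit nearest the check digit is doubled,
    # then every second one after it; doubled values above 9 have 9 subtracted.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the last digit of `pan` is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def candidate_space(pan_len: int = 16, prefix_len: int = 4) -> int:
    """Number of distinct PANs sharing one issuer prefix: the check digit is
    determined by the others, so only pan_len - prefix_len - 1 digits vary."""
    return 10 ** (pan_len - prefix_len - 1)


def table_size_bytes(pan_len: int = 16, prefix_len: int = 4, digest_bytes: int = 16) -> int:
    """Storage for a digest -> PAN table over that space (an MD5 digest is 16 bytes)."""
    return candidate_space(pan_len, prefix_len) * digest_bytes


def md5_hex(pan: str) -> str:
    """The unsalted hash a naive service would store."""
    return hashlib.md5(pan.encode()).hexdigest()


def build_unsalted_table(prefix: str, free_digits: int) -> dict:
    """Precompute MD5 -> PAN for every Luhn-valid PAN with this prefix.
    Kept to a toy-sized slice here; table_size_bytes() is the number that matters at scale."""
    table = {}
    for n in range(10 ** free_digits):
        payload = prefix + str(n).zfill(free_digits)
        pan = payload + luhn_check_digit(payload)
        table[md5_hex(pan)] = pan
    return table


def recover_pan(digest_hex: str, table: dict):
    """The 'give me an MD5 and I'll give you the CC #' lookup; None when absent."""
    return table.get(digest_hex)


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN. Parties sharing `key` get the same token for the
    same card; without `key` there is nothing to enumerate against."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def transaction_token(key: bytes, pan: str, purchaser: str, postal_code: str) -> str:
    """Bundle the identifying fields into one keyed token after normalizing them,
    so trivial formatting differences between submitters do not break matching."""
    fields = [pan.replace(" ", ""), purchaser.strip().lower(), postal_code.replace(" ", "").upper()]
    return hmac.new(key, "\x1f".join(fields).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    test_pan = "4111111111111111"                     # constructed, Luhn-valid test number
    print("PANs per 4-digit prefix:", candidate_space(16, 4))
    print("MD5 table bytes:", table_size_bytes(16, 4))
    table = build_unsalted_table("41111111111", 4)     # 10,000 candidates, constructed prefix
    print("recovered from MD5:", recover_pan(md5_hex(test_pan), table))
    key = secrets.token_bytes(32)                      # constructed; in practice kept in an HSM
    print("keyed token found in table?", recover_pan(pan_token(test_pan, key), table))
```

The keyed token moves the secret rather than removing it: anyone holding the key can rebuild the table, so the key needs the same protection as raw card data, and, per Chris's note in the quoted reply, a hash of the card number is still cardholder data as far as Visa's third-party provider requirements are concerned.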