
merchant911.org -- helping Merchants

Welcome to the Press Room!


SoftCard Vendor Exposing Card Numbers --- Monday, May 5, 2008

When a company that claims to be selling credit card security products does it with an insecure web form, I just have to wonder what they are really doing. SoftCard.biz just has me wondering.

I blogged about Softcard back in early March, but I'm going to do it again. Yes, it's THAT serious! The company uses PinPay to process transactions, and both companies are a part of ACAP Security, Inc. Note that these folks use the word "security" in their corporate identity.

I reviewed their site for possible inclusion in our website's resource pages, but promptly rejected them. My main objection, and there were several, was that their insecure sign-up form was requesting "Identity Card Numbers" and issue dates. "Identity cards" are selectable from a drop-down menu and include such ID information as Passport, Driver's license, SSN, and Credit Card. The form also requires a full name and DOB. I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don't want to fill out this form.



Disposable Credit Card Numbers - Not All Bad --- Thursday, April 24, 2008


According to this company, e-commerce merchants can still do full manual fraud screening for on-line transactions made with virtual cards. We'll have to see if it works that way.


"It's worse than we thought" --- Wednesday, April 23, 2008

Yes, dear readers, the so-called experts are finally waking up and the UK press is jumping on it. Credit card fraud is worse than everyone thought! That's the case in the U.S. too, but the experts haven't quantified it yet.


More Terrorist Funding by Credit Card Fraud --- Monday, April 21, 2008

According to an article in Scotland's Herald, another string of card skimming devices has been discovered, this time in Scotland.

Blog entry: http://www.merchant911.org/blog/


Credit Card Fraud Funds Terrorist Activity --- Wednesday, April 16, 2008


The Australian press is currently reporting the ongoing trial of numerous terrorist suspects in a credit card fraud ring. According to the testimony of one of the suspects, Izzydeen Atik, the stolen credit card information was used to fund terrorist activities, primarily cell phone SIM cards and airline tickets.

Read the full blog post at http://www.merchant911.org/blog/index.php/2008/04/16/credit-card-fraud-funds-terrorist-activity/


Merchant911 member finds hole in WaMu security --- Monday, April 14, 2008
A Merchant911 member filed the following report this afternoon. The report shows that there is a big hole in WaMu's security. Once they have a card number, anyone can change the billing address on the card and have merchandise shipped to their door - and AVS passes!

***

Last Thursday I got 2 credit card orders from different names and states, both expensive items, both early am next day delivery, both gmail addresses, both using different cards from the same bank (WaMu in Pleasanton CA). Each order had shipping address corresponding to billing address.

Upon examination I found that the orders had passed the Address Verification System, but the IP and phone numbers were in slightly different locations than the billing/shipping address (this could happen if the order was placed from their office). Neither name was in the white pages for that location, and a reverse search did not turn up any result.

I called the phone numbers on the order and left messages. The accents on the answering machine did not correspond to the origin of the names (Anglo name, Russian accent etc). This is what tipped me off.

I called the issuing bank and they verified that the customer address was what they had on file but the phone number was not. I insisted that they call the customer on their correct phone number to verify that they placed the order.

The bank spoke with the card holders and neither customer had in fact placed the order I was calling about, and the addresses were also incorrect. But, I said, they passed the AVS??? The bank employee said that those addresses were indeed in the cardholder account when the order was placed but THE ADDRESSES WERE INCORRECT AND HAD BEEN PUT THERE BY SOMEONE OTHER THAN THE CARD HOLDER!!!

So the latest scam is, someone changes the billing address of a stolen credit card, and then proceeds to place orders on it. The card holder doesn't even know because they no longer receive their statements in the mail. It also means that some banks are being rather nonchalant about customer change of address procedures.

***

Kudos to the member for doing manual fraud screening, getting suspicious of the order, and following up with the bank!

For my comments on this, check the blog - http://www.merchant11.org/blog


Internet Crime Complaint Center Report is a Joke --- Monday, April 14, 2008
Latest blog post -

The 2007 IC3 report has been released. It amounts to nothing more than an attempt to justify the existence of a Government agency.

http://www.merchant911.org/blog/index.php/2008/04/06/internet-crime-complaint-center-report-is-a-joke/


Internet Crime Complaint Center Report is a Joke --- Sunday, April 6, 2008
Latest blog post -

The 2007 IC3 report has been released. It amounts to nothing more than an attempt to justify the existence of a Government agency.

http://www.merchant911.org/blog/index.php/2008/04/06/internet-crime-complaint-center-report-is-a-joke/
