
Takeaways from the $566M BriansClub Breach

77 points | QuitterStrip | 6 years ago | krebsonsecurity.com

25 comments

sekasi | 6 years ago
Open question; What's the long game on securing the way credit cards work? Who's working on something interesting that could thwart the whole 'name+number+ccv' leak thing that's been perpetuating in this industry for decades?

I'm just reaching out for anyone who knows about any grand plans, initiatives or rehabs of how credit cards currently work. Keen to read more.

chx | 6 years ago
This is a solved problem, really; some banks are less keen on implementing it: generate single-use / single-purpose credit card numbers in your ebank / mobile app. Leaks are totally useless. Also, more than a decade ago already many European banks were sending a text SMS above a threshold and only approved on a positive reply. Today you'd likely offer sending a push notification.

You have 16 digits on a Visa/MasterCard; the first six are the bank identifier and the last is a checksum digit, thus you have 9 digits to "waste" -- and you can recycle them.

cantrevealname | 6 years ago
> KrebsOnSecurity [has] a link to 26 million credit and debit cards. So far the banking sector is [not in a hurry for] re-issuing cards.

Krebs should publish those card numbers to light a fire under the feet of the bankers to re-issue the cards and get them to demand better security on merchant terminals or servers or wherever the info came from. Of course he should publish only the numbers, without the associated names, CVVs, expiry dates, PINs, or other security info.

I don't think there is a risk in publishing just numbers, is there? The search space for valid card numbers is so tiny that I find it hard to believe that anyone could generate a false transaction with just the number and no other associated info.

Krebs could go a step further and provide a verification site à la haveibeenpwned.com where you enter your card number, or the last ten digits or something, and it tells you whether you've been pwned.

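The two technical points above, chx's "six-digit issuer prefix, nine account digits, one checksum digit" structure and cantrevealname's haveibeenpwned-style lookup, as an added example that is not part of the thread. It validates the Luhn check digit, splits a 16-digit PAN into its parts, and models a range query in which the client sends only a short hash prefix and compares suffixes locally. The "leaked" set is built from publicly known test card numbers, not from any real breach.

```python
import hashlib

def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right, check digit excluded
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def split_pan(pan: str):
    """Split a 16-digit PAN into issuer identifier, account identifier and check digit."""
    if len(pan) != 16 or not luhn_valid(pan):
        raise ValueError("not a well-formed 16-digit PAN")
    return pan[:6], pan[6:15], pan[15]

def pan_hash(pan: str) -> str:
    return hashlib.sha256(pan.encode()).hexdigest().upper()

# Constructed "leak": hashes of well-known test card numbers standing in for breached PANs.
LEAKED_HASHES = {pan_hash(p) for p in ["4111111111111111", "4012888888881881"]}

def range_query(prefix: str) -> list:
    """Server side: return every known hash suffix under a 5-hex-char prefix."""
    return [h[5:] for h in LEAKED_HASHES if h.startswith(prefix)]

def is_pwned(pan: str) -> bool:
    """Client side: only the prefix leaves the client; the match happens locally."""
    if not luhn_valid(pan):
        raise ValueError("refusing to look up a malformed number")
    h = pan_hash(pan)
    return h[5:] in range_query(h[:5])
```

Note that a PAN has far less entropy than an e-mail address (nine free digits once the issuer prefix is known), so a deployed service would need a keyed or deliberately slow hash rather than the plain SHA-256 used here for illustration.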
solotronics | 6 years ago
Why don't credit/debit cards use elliptic curve cryptography?
miohtama | 6 years ago
Chip cards (EMV) use crypto - the signing of the transaction happens in the chip, with an embedded private key.
piracy1 | 6 years ago
They're getting there. We have PKE in the form of chips.
rajacombinator | 6 years ago
I find this kind of black hat cybercrime stuff fascinating. If I wanted to learn more about it (just for learning's sake) what would be some good resources?
newguy1234 | 6 years ago
Honestly, join these groups and read what they talk about on the forum. Look up what the bigger fraud marketplaces are. Go on tor and read stuff in the dark net markets. All of them more or less talk about methods they're using and they help each other out. This type of stuff ranges from low level script kiddie (copy cat) people to high-level hackers that develop their own methods, search out vulnerabilities and so on.

A good podcast I would recommend is called Darknet Diaries. They have lots of episodes on cybercrime. Episode 32 specifically talks about carding and how the Secret Service took down a guy who acquires the credit card numbers. Most of it involves putting malware on point of sale machines or hacking companies.

https://darknetdiaries.com/

rwmurrayVT | 6 years ago
Learn Russian and read their forums. Otherwise it'll be a bit more difficult. If you don't know anyone involved in fraud it can be difficult to get inside. You really won't get anywhere if you don't have much to offer.
newguy1234 | 6 years ago
Are these idiots really still using bitcoin for doing shady stuff lol? Bitcoin can totally be traced. Most people using it are so weak in terms of their security.
abstractbarista | 6 years ago
This is not looking at the whole picture. The key is, you do not allow your BTC usage to commingle with your real identity. This means you both buy and sell stuff solely with BTC. If you want to buy stuff in the "real world" then you can trade some for Monero or maybe ZCash, and then convert to USD. (Optionally mix it further in other ways..)

BTC is really "pseudo-anonymous" because while you can certainly trace my transactions if you know a wallet address, you still have no idea who or where I am as long as I do not reveal that wallet to be connected to any "real world" identity.

This is still not easy though. For example, if you're serious then you must only transmit transactions within Tor, otherwise the originating IP may single you out. Ideally you should use different wallets for each transaction, and only pool them together after they have each been converted to XMR or similar.

There's lots of gotchas but frankly it's a decent system.
