top | item 3960034

IAmA a malware coder and botnet operator, AMA

459 points| Devko | 14 years ago |reddit.com

191 comments

[+] citricsquid|14 years ago|reply
Most of what he says is obvious stuff and the emphasis he puts on how much he modifies stuff makes me assume he's someone that just runs programs and doesn't have any unique insight, but he does make one interesting point:

> Try to use "Verified-By-Visa" and "Mastercard-Securecode" as rarely as possible. If only your CVV2 code is getting sniffed, you are not liable for any damage, because the code is physically printed and could have been stolen while you paid with your card at a store. Same applies if someone cloned your CC reading the magnetic stripe or sniffing RFID. Only losing your VBV or MCSC password can cause serious trouble.

Does anyone know if this (using verified-by-visa, mastercard-securecode remove any payment protection if you get key-logged etc) is correct?

[+] mey|14 years ago|reply
As someone in the financial payment industry, let me shed some light on it. 3DSecure (the generic name) when used, generally prevents the user from issuing chargebacks, even in the case of fraud. It's a Terms & Conditions change basically for that purchase. Since your credentials can be hijacked at your web browser level, it is possible to give up your credentials AND give up your ability to remediate the issue later.

If you are purchasing stuff online, I advise using a credit card and CVV. Federal law (in the US) limits your damages to $50 total in the event of Fraud. (Not true of debit cards, or 3DSecure).

http://en.wikipedia.org/wiki/3-D_Secure

[+] jacquesm|14 years ago|reply
VBV (or 3D secure as it is called today) is part of a move by the credit card companies and the banks to push the risk to the most vulnerable party, the consumer.

The idea is that this absolutely crack proof scheme requires you to authenticate yourself to your bank in a fairly complex three way handshake.

In the old (read pre-VBV) days the card companies and issuing banks would saddle the merchants with any charges that were disputed using the chargeback mechanism.

Verified-by-Visa removes this safeguard by adding an additional layer of authentication which supposedly has the same strength as you being on-premise and signing on the dotted line to authorize your purchase. This will effectively remove a lot of the excuses that you might have had such as 'it wasn't me', 'I wasn't there' and 'I never meant to buy this', which were the most common excuses consumers would come up with after using a service for anywhere up to 6 months and then yanking back all 6 months worth of payments and saddling the merchants with the loss of income, pay-outs to affiliates already made and additional charge-back fees on top of that.

So even if the goal was a fairly noble one it looks as though the whole idea is predicated on one tiny little detail, which is that VBV is supposedly hack-proof, but in fact this is highly dependent on both your bank and the security of their implementation. Neither of those are as ironclad as they should be to remove all doubt.

But of course the banks/card companies are not willing to end up holding the bag if there is trouble so it falls to the consumer to prove that they really were not involved in the transaction and that is very hard.

On the positive side in this whole debate: Even if a consumer is defrauded there is always someone who benefits and following the money usually leads to the perp. That's why it is hard to order stuff online with credit cards that were not issued in the country that the person using them is from, that's why it is hard to spend your money on three different continents with the same credit card within a single day and so on.

Lots and lots of money goes in to early warning fraud detection (before the fraud happens) and this nips a very large percentage of potential fraud in the bud.

[+] henrikschroder|14 years ago|reply
> Does anyone know if this (using verified-by-visa, mastercard-securecode remove any payment protection if you get key-logged etc) is correct?

Yes. It's the whole point of the system, to remove even more risk from the CC companies and banks, and put it on you.

[+] leif|14 years ago|reply
When a website asks me to use one of these, and I don't want to, how do I decline but still make the purchase? It always seems like my options are take-it-and-like-it or don't complete the transaction. Is there a third option?
[+] huhtenberg|14 years ago|reply
Verified by Visa is a fucking joke.

In Canada it pops up a browser window that prompts for various personal information and its URL points at ... drumroll ... https://secureserver.net. If that's not by the book appearance of a phishing site, I don't know what is.

[+] njs12345|14 years ago|reply
I really wouldn't be surprised. The security group at my university do a lot of stuff on banking security, and from what I've heard, this was one of the main reasons behind the switch to chip-and-PIN in the UK --- the user is now liable when his card gets stolen and used.
[+] epoxyhockey|14 years ago|reply
My experience with mastercard-securecode is that I can just enter gibberish until it fails the check, then my purchase goes through anyway.
[+] chris24|14 years ago|reply
I've only used VbV once or twice, years ago. Do they still use iframes? I've never understood why they try to make the site more "secure" by using these services, but then use an iframe so the average user can't easily confirm if the login screen is legit or not.
[+] coffeejunk|14 years ago|reply
at least for mastercard this is true: as per my bank's tos i have to take care that nobody gains access to my 'securecode' and i am liable for any unauthorized charges. (because the 'securecode' is supposed to guarantee that it is me who is using the card)
[+] Zarathust|14 years ago|reply
Somewhere in the thread he says that he started coding around operation payback. That is december 2010. I would assume that either he is truly a genius or that his abilities to program properly are limited.
[+] K2h|14 years ago|reply
I very much enjoyed the reading of his comments - I pulled a few of his that others may find interesting.

[polymorphism code - to hide virus signature]

Randomness is your friend, make your own crypter and make it so fucking random on every compile, that AV reverse engineers kill themselves (HINT: randomize the crypter's sourcecode using perl scripts)

[polymorphism code - to hide virus signature]

I started coding about a year ago, hacking old malware sourcecodes and reading russian boards. Most botnet operators are dumb as fuck, who don't even care about their traces, the ones you see on TV, caught by Microsoft and Brian Krebs. If you have more knowledge you can automate nearly everything, like creating scripts that rewrite your sourcecode for your crypters so your malware gets undetected again, saving you hard work.

[finding infections on a computer]

Use GMER (http://www.gmer.net/) every now and then when your spider sense is tingling. Srsly, you can't fool GMER, it scans from the deepest possible point in your system, at ring0 and is impossible to fool, there is nothing deeper than ring0 on a usual PC where malware can hide stuff from. I always wondered why other AV vendors don't do it like GMER, it can detect all rootkits. But when an AV can detect everything, who will pay 30$ a year for signature updates...

[+] rosstafarian|14 years ago|reply
the statement about GMER is not true. I've seen GMER miss MANY rootkits/etc. As far as catching and removing rootkits that most other av's tend to miss i've had by far the most success with combofix (which includes a GMER scan). Nothing will catch 0day rootkits 100% of the time, once a system is compromised it's best to format and start from scratch (or restore from backup if you're positive it's clean, but make sure you replace the mbr too). There's just no other way to be completely certain. I lost track of the times that I thought I got everything on a windows machine, then googled for something like malwarebytes as a test only to be redirected.
[+] jacquesm|14 years ago|reply
Let's play 33 bits on this guy, my guess is that he's German, Austrian or Swiss based on the settings for his IRC client, that should knock about 6 bits off, 27 to go.
[+] nikcub|14 years ago|reply
oh I was doing that while reading the AMA. the giveaway is being the 4th customer of a bank that provides HBCI:

> My bank had around 20,000 customers using smsTAN and 3 (I was the 4th lol) using HBCI.

He is German, of college age and an early customer at one of 2 or 3 banks that provide HBCI. Consider him nailed.

I also bet he has published security related work under his real name at some point, especially since he has been applying for jobs. Most people in the security industry applying for legit work who don't have qualifications pad out their resumes with online research (or speaking at conferences, etc.).

[+] zmj|14 years ago|reply
By '33 bits', I understand that you're referring to the minimum amount of information to identify an arbitrary person on Earth? 2^33 ~= 8.5 billion.

Interesting idiom. I hadn't heard it before, but the usage makes sense.
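
The "33 bits" accounting that jacquesm and nikcub are doing by hand, written out as an added example (not code from the thread or from anyone quoted in it). It treats each clue as a shrink of the current anonymity set and reports how many bits are removed and how many remain; the population figures and the percentages are assumptions chosen for illustration, and the clue list only mirrors the guesses made above:

```python
import math

# Assumed, rounded figures for illustration (not from the thread): world
# population around the time of the post, and the combined population of
# Germany, Austria and Switzerland, the guess drawn from the IRC client settings.
WORLD_POPULATION = 7.0e9
GERMAN_SPEAKING_COUNTRIES = 98e6


def bits(anonymity_set):
    """Bits still needed to single out one person from a set of this size.
    log2(7e9) is about 32.7, hence the '33 bits' idiom."""
    return math.log2(anonymity_set)


def deanonymise(world, clues):
    """Walk a list of (label, clue) pairs against an anonymity set.

    A clue in (0, 1] is the share of the *remaining* set that also has the
    trait, so successive clues must be conditional on the earlier ones (or
    independent of them).  A clue > 1 is an absolute set size ("one of the 4
    HBCI users at his bank") and simply caps the set.  Returns the trace of
    (label, bits_removed, bits_left) and the final set size.
    """
    size = float(world)
    trace = []
    for label, clue in clues:
        if clue <= 0:
            raise ValueError(f"{label}: clue must be positive")
        if clue > 1:
            new_size = min(size, float(clue))
        else:
            new_size = size * clue
        trace.append((label, bits(size) - bits(new_size), bits(new_size)))
        size = new_size
    return trace, size


def identified(size):
    """True once the anonymity set has (on average) at most one person in it."""
    return size <= 1.0


# The clues from the thread, with assumed selectivities where the thread
# gives none.  The last one is nikcub's bet, not a fact, so it is tagged as such.
CLUES = [
    ("IRC client settings point to DE/AT/CH", GERMAN_SPEAKING_COUNTRIES / WORLD_POPULATION),
    ("college age (assumed 8% of that population)", 0.08),
    ("one of the 4 HBCI users at his bank", 4),
    ("published security work under his real name (assumed 1%, speculative)", 0.01),
]

if __name__ == "__main__":
    trace, size = deanonymise(WORLD_POPULATION, CLUES)
    print(f"start: {bits(WORLD_POPULATION):.1f} bits")
    for label, removed, left in trace:
        print(f"- {label}: -{removed:.1f} bits, {left:.1f} left")
    print("identified" if identified(size) else f"still {size:.0f} candidates")
```

The useful caveat the numbers make visible: the nationality guess alone takes roughly six bits, exactly as jacquesm estimates, but a single absolute clue such as "one of four HBCI customers" removes more than twenty bits at once, which is why nikcub calls him nailed.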

[+] andiw|14 years ago|reply
Yep, also he likes to use conditional tense (would) in 'if' clauses, which is a typical language trap for German native speakers.
[+] Nican|14 years ago|reply
He says he is Polish.
[+] reidmain|14 years ago|reply
"Protip against driveby infections (the ones in the browsers): Disable addons in your browser and only activate the ones you need. Chromium and Chrome for example let you disable all additional content like flash, html5, pdf and java in the options, you will see a grey box instead of the content and can manually run it using right-click -> Run. Chrome options -> Content options -> Plug-Ins -> Disable all or Click-to-play. Chrome also allows you to whitelist sites you trust, like youtube. This will make you immune to driveby infections regardless of the version of your java or adobe reader, because you will only be able to click and run content, that is VISIBLE on the site. Malicious content is ALWAYS hidden in a 0pixel iframe! This also stops the nasty flash advertisements implying you can't aim precise enough to win an iPad3."

This is one thing I've been trying to convince people to do for ages but, for some reason, that one extra click turns so many people off. The extra minute or two I probably spend a day clicking on plugins to activate them will pale in comparison to how much time I'll have to spend recovering from being infected.

[+] sage_joch|14 years ago|reply
I've actually stopped using Firefox because it re-enables plugins that I've disabled (maybe it's more accurate to say it allows 3rd-party software updates to re-enable them).
[+] tuananh|14 years ago|reply
* About 20% of the users have good graphic cards, but are not sophisticated enough to install drivers.

* 30% of victims are Americans.

* 80% have an antivirus installed.

* An average income of $40 per day (bitcoin only). May vary up to $1,000.

[+] smsm42|14 years ago|reply
$40 per day is weak. Less than California minimum wage. And the risks are considerable. Reminds me of the work of Sudhir Venkatesh who found that average wage for a drug dealing grunt is about $3.30/hr - not far from what we're seeing here, though at least a bot herder doesn't risk being shot. He is right that this thing has no future for him.
[+] computator|14 years ago|reply
> About 20% of the users have good graphic cards, but are not sophisticated enough to install drivers, so my [Bitcoin] miner can't run.

If he has root-level control of the systems, why doesn't he install the needed drivers himself?

Somebody already asked him this question on reddit, but he didn't answer.

Does anyone have any idea why he wouldn't/couldn't/shouldn't install drivers himself?

[+] rntksi|14 years ago|reply
Thanks for the summary.

People obviously think they're safe when they have an AV solution installed...

[+] elorant|14 years ago|reply
I don't understand how these people sleep at night. The whole notion I didn't make the game I just play the ball is just hilarious.

Furthermore those guys don't understand that eventually they're hurting the web. All that will bring stricter legislation and governments will start enforcing rules like IP identification for just about anyone out there.

I can understand organized crime exploiting the cyberspace. But for individuals its just plain stupid.

[+] Monotoko|14 years ago|reply
They are just like petty criminals in real life, you've seen what surveillance and legislation does in real life... virtually nothing. The smarter ones go into the cracks and the shadows (Tor) which just leaves us folk being monitored for no reason, but we're okay with it because "it's helping to stop crime"

There is also the addition that you are just interacting with a computer, a keyboard, a mouse and a screen. I bet if you asked this guy if he would go out and mug someone he'd say no, because he'd be face to face with the person... he'd see the upset and pain he's caused.

Not saying it's right, but there is certainly a bit of psychology involved here, gaining from the computer doesn't seem like a crime to those not in charge of their own compass.

[+] driverdan|14 years ago|reply
This is a big part of a lot of the talks I give about my criminal past. It's not like you wake up one day and decide to start committing fraud. It's a gradual, slippery slope. Humans can, will, and need to rationalize everything they do. As you slide down the slope the rationalization becomes, well, less rational. But you don't see it that way. If you did you wouldn't be able to do it.
[+] sakai|14 years ago|reply
Well, clearly this guy's moral compass is a bit out of whack, but the IAmA does offer some fascinating insights into this world...
[+] etherael|14 years ago|reply
It was quite interesting to me how he rationalised his behaviour; Yes, it's a bad thing to do, but at the same time the world is full of bad actors, unscrupulous politicians and out of control corrupt financial institutions, so really I'm just acting in accordance with the established order.

I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.

[+] diminish|14 years ago|reply
yea, the world is a weird place. seeing a lot of angry ethical reactions on reddit, i can't help but think: on one side, there are people like this guy in the comments who left marketing a health product due to false claims, or me refusing to code for certain clients based on "personal" ethical judgments and on the other side there are these "crackers" who steal the credit cards of random people and who even hate them.

one thing i want to believe, you can't build a future on crime, or can you?

[+] vibrunazo|14 years ago|reply
I'm pretty sure that just by having done that IAmA alone, that guy has already done greater good to humanity than 99% of all human beings on this planet ever will.

Questioning his subjective opinions on morals sounds a bit of a waste of energy after this.

[+] JWhiteaker|14 years ago|reply
Magnetic stripes are the most hilarious thing ever, but still work almost everywhere on the globe.

I am amazed that magnetic stripes are still the norm for credit cards in the US. Europe has managed to move all but completely to chip-based cards, but the US hasn't.

Does the cost of fraud due to magnetic stripes outweigh the cost to upgrade the entire US system, or is the market just too fragmented to coordinate such a transition?

[+] mikek|14 years ago|reply
Great nugget:

> a US credit card costs 2$ on the black market and a UK starts at 60$, americans are all in debt.

[+] andr3w321|14 years ago|reply
There's so many legal ways this guy could make just as much money with his skills. I never understood why someone is willing to put his freedom at risk when that is the case.

I guess he's just lazy or thinks he's incapable of making as much as easily legally, maybe he likes the thrill and challenge of it all, maybe he thinks he's invincible and there's zero chance of him getting caught. Either way he's very foolish for continuing to do this especially if he has no endgame in sight.

[+] mikemarotti|14 years ago|reply
The fact that this guy even posted an AMA shows that it's either entirely fake (doesn't seem it), or he's way too cocky. I suspect some trouble may be coming his way soon. He seems to think that he's infallible and that he won't catch a charge for running a botnet.
[+] option_greek|14 years ago|reply
It's fascinating to know all this stuff from his perspective but the moral attacks by others in the comments truly suck. What is the point of AMA if all they do is attack the one sharing information.
[+] CoffeeDregs|14 years ago|reply
Great post. I forwarded it on to my family and friends in order to give them some awareness of the people who're looking at them from the other side of the internet. Rather than sending more strident "think before clicking" warnings, this post is a great way to get them to think like an attacker so that they can avoid the attacks better.
[+] slig|14 years ago|reply
He's also been a coder for only one year... if he actually modifies stuff, that sounds very impressive.
[+] 16s|14 years ago|reply
The CVV2 is not recorded in the mag stripe.
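
To make 16s's point concrete, here is an added example (not code from the thread) that parses the two ISO/IEC 7813 tracks a magnetic-stripe reader returns and lists every field they carry. The sample track strings are constructed, using the well-known 4111111111111111 test PAN rather than a real card; the service-code table covers only the first digit. The stripe holds the PAN, cardholder name, expiry, service code and issuer-specific discretionary data; the three-digit CVV2 printed on the card is not among them, which is why a cloned stripe does not give an attacker the code online merchants ask for:

```python
import re

# Constructed sample data: test PAN 4111111111111111, expiry 12/25,
# service code 101, then issuer discretionary data.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^2512101123456789?"
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"

# Track 1 format B: %B PAN ^ NAME ^ YYMM SSS discretionary ?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ; PAN = YYMM SSS discretionary ?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

# First digit of the service code (ISO 7813).
SERVICE_CODE_FIRST_DIGIT = {
    "1": "international interchange",
    "2": "international interchange, IC (chip) card",
    "5": "national interchange",
    "6": "national interchange, IC (chip) card",
    "7": "private / no interchange",
    "9": "test",
}


def luhn_valid(pan):
    """Mod-10 check digit test; catches typos and random junk, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _expiry(yymm):
    """'2512' -> '2025-12' (two-digit years on the stripe are 20xx)."""
    return f"20{yymm[:2]}-{yymm[2:]}"


def _fields(m, name=None):
    pan = m.group("pan")
    fields = {
        "pan": pan,
        "pan_luhn_valid": luhn_valid(pan),
        "expires": _expiry(m.group("exp")),
        "service_code": m.group("svc"),
        "interchange": SERVICE_CODE_FIRST_DIGIT.get(m.group("svc")[0], "reserved"),
        # Issuer-specific: typically PVKI/PVV and the CVV1/CVC1 that verifies
        # the stripe itself.  The CVV2 printed on the card is never here.
        "discretionary": m.group("disc"),
    }
    if name is not None:
        fields["name"] = name
    return fields


def parse_track1(raw):
    m = TRACK1_RE.match(raw)
    if not m:
        raise ValueError("not ISO 7813 track 1 (format B) data")
    return _fields(m, name=m.group("name"))


def parse_track2(raw):
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not ISO 7813 track 2 data")
    return _fields(m)


if __name__ == "__main__":
    for label, parsed in (("track 1", parse_track1(SAMPLE_TRACK1)),
                          ("track 2", parse_track2(SAMPLE_TRACK2))):
        print(label)
        for k, v in parsed.items():
            print(f"  {k}: {v}")
```

Feed it the output of any stripe reader (they usually emit both tracks back to back) and the absence of a CVV2 field is immediate; what a skimmer does capture is enough for a cloned card at a magstripe terminal, which is the fraud mode the quoted operator says the cardholder is not held liable for.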
[+] diminish|14 years ago|reply
Now, what has to be done not to get hacked ends up being answered as; AVs won't help, macs won't help, linux won't help, and use ipad? are we heading towards a world where average users will end up in managed computing behind walls, and only some hackers and crackers will use open computing? is computing doomed to be the black and white world of tyrannic rule vs. mob rule?
[+] pestaa|14 years ago|reply
My favorite bit so far:

    if you know how your computer is beating inside, you are hard to fool
[+] hippo_crete|14 years ago|reply
He says he has no respect for the security industry and AV companies. He makes compelling arguments against them.

Then when asked about his future, he says he plans to work for an AV company!

WTF?!

He can see what's wrong, but he can't do what's right.

And that, my friends, is the problem.

[+] darksaga|14 years ago|reply
The thing that's scary is how easy it is for these people to get away with what they're doing. I wonder how much money is lost every year and how many hackers you never hear about going to jail for this stuff. I'm pretty sure this is the motivation to do a lot of this stuff. The risk/reward level is completely slanted.

I see a LOT of stories on HN and other Tech sites about these kinds of attacks. Unfortunately, I rarely, if ever, hear about hackers getting arrested for this sort of activity.