[HN Gopher] Detect breaches with Canary credit cards
___________________________________________________________________
Detect breaches with Canary credit cards
Author : samwillis
Score : 276 points
Date : 2023-01-22 11:57 UTC (11 hours ago)
(HTM) web link (blog.thinkst.com)
(TXT) w3m dump (blog.thinkst.com)
| madsbuch wrote:
| Very neat!
|
| I can definitely see that adding a couple of these to one's
| password manager would be hugely valuable!
| jay-barronville wrote:
| True, but if your password vault becomes compromised, you have
| significantly bigger problems than credit cards being
| compromised.
| philsnow wrote:
| In that case you're almost completely screwed... but you
| would want to know sooner rather than later, right?
| teilo wrote:
| I use Privacy.com, which basically turns every card I use with
| them into a canary. The first time you charge on one of their
| virtual cards, they become merchant-locked. No other merchant can
| charge to that number, and if someone tries, I get an alert.
|
| I have uncovered flaws in online merchants this way, and notified
| them. They were usually grateful, especially so since the
| fraudulent charges failed.
| worble wrote:
| It's also frankly absurd that no such service exists for
| European customers. I've been looking the past few days for
| someone who does something like this and it's just not
| available, for what I can only assume are regulatory reasons.
| delusional wrote:
| It's my understanding that Visa does offer the service to
| banks, they just haven't implemented it. There is to my
| knowledge no regulatory red tape, it's just not seen as
| profitable.
|
| The banks here in Denmark are just less competitive and more
| entrenched than in the US
| vlabakje90 wrote:
| Revolut has single use credit cards as part of their
| offering. You can either choose to create a new one for each
| transaction (disposable card) or a virtual credit card that
| you can use more than once but discard if something happens
| to it.
|
| Because both types are virtual prepaid type cards, some
| services (e.g. car rental) will not accept such cards.
| jddj wrote:
| (Transfer)wise offers virtuals too, though not prepaid
| namibj wrote:
| Capped to 3 virtuals, though.
| sschueller wrote:
| What's absurd is that this is something I have to pay for or
| find a particular issuer of a visa/mastercard. It should be
| free and included with every visa and mastercard. They should
| demand that every issuer of their cards needs to offer
| virtual cards and 3d secure. If they don't then their fees
| should be significantly higher.
| derefr wrote:
| My understanding was that privacy.com is just a "detached
| service" implementation of something that many European banks
| offer natively as a feature of having a credit card (or even
| just a chequing account) with them; and that privacy.com was
| only viable as a business because, for some reason, American
| banks are (or were at the time) totally unwilling to build
| anything like this, so people were willing to settle for a
| (strictly worse from a "privacy" perspective) third-party-
| MITM-proxy card if it meant having this feature.
|
| I'd suggest, rather than looking for a "detached service"
| that does this, look at what (probably larger) European banks
| besides your own offer their customers built-in.
| davchana wrote:
| My Indian Bank, HDFC offers this since 2008, virtual cards
| with custom amount, one time use. On creation, the amount
| equal to limit gets set aside. If merchant charges less
| than max limit, the excess comes back.
|
| Their debit cards at the time were good only for domestic
| transactions, but this virtual was good for international,
| & used to come up as Visa Prepaid. I used it for
| registering domains & amazon international shopping.
| LelouBil wrote:
| I know my french bank offers a service like this, it is an
| extra though.
| quickthrower2 wrote:
| Credit card shouldn't need to be shared with all and sundry.
| The concept is very old fashioned. We wouldn't share out side
| project github keys like this!
| notafraudster wrote:
| I had heard of this service before and assumed it cost money,
| but thanks to your comment checked it out, and apparently they
| have a free tier allowing you to create 10 cards per month.
| Cool!
| davchana wrote:
| The only downside which stops me from using privacy.com is
| that I will lose the chance to earn points or Cashback, as
| privacy charges directly to your checking account
| (understandably).
| NavinF wrote:
| Worth mentioning that several banks offer virtual credit card
| numbers as a built-in feature so you don't need a separate
| service: https://www.doctorofcredit.com/list-of-banks-which-
| offer-vir...
|
| I've only used this for the sketchiest of vendors though.
| Chargebacks are pretty easy for the once-a-decade event where I
| get billed for something incorrectly.
| rich_sasha wrote:
| I find it crazy that making a payment requires giving your full
| details. Using a credit card is less writing a cheque, more
| handing over a chequebook and saying "help yourself".
|
| I dream of a payment system where payment generates some token,
| which the intended recipient can redeem, perhaps bearer ones for
| casual transactions, with support for periodic payments, revoking
| existing tokens or placing per-token limits.
|
| One day perhaps...
| legutierr wrote:
| This is part of the reason that a lot of people are excited
| about stablecoins and blockchain payments.
| acdha wrote:
| It's a common marketing point but people aren't using
| blockchains because they cost more, take longer, and have no
| fraud protection. If someone steals my credit card, I'll
| likely lose nothing other than some mild inconvenience
| updating numbers - and I don't even need to do that with the
| modern systems like Apple Pay which use unique per-merchant
| identifiers.
|
| That makes quite the contrast with the large sums routinely
| and irrecoverably stolen from blockchain users. If you want
| people to buy your random hashes, spend your time unbreaking
| the system instead of marketing it.
| legutierr wrote:
| > If someone steals my credit card, I'll likely lose
| nothing other than some mild inconvenience updating numbers
|
| You might not lose money when someone steals your credit
| card, but someone does: either your bank or the merchant
| will suffer a fraud loss.
|
| Consumer fraud protections with regards to credit cards are
| necessary because credit cards are fundamentally insecure
| technology and would be unusable if issuers didn't take on
| so much of the fraud risk themselves.
|
| > and I don't even need to do that with the modern systems
| like Apple Pay which use unique per-merchant identifiers.
|
| Apple Pay is a big improvement over standard credit card
| technology. It's also closed and proprietary, and requires
| special equipment to use, on both the merchant side and the
| consumer side.
|
| > spend your time unbreaking the system instead of
| marketing it.
|
| Are you criticizing me for writing this comment on HN
| because I am not at this very moment writing code? In your
| mind, people can't even talk about a project they may be
| interested in or working on until the project is finished?
|
| > If you want people to buy your random hashes
|
| Are you sure you are not confusing stablecoins and
| cryptocurrencies? These are very different things.
| Stablecoins are transferrable sovereign currency
| obligations the balances of which are recorded on a
| blockchain. Stablecoin tech can be used to allow consumers
| and merchants to interact with any type of monetary account
| as might otherwise be embodied by a debit or credit card,
| with similar business terms.
|
| > That makes quite the contrast with the large sums
| routinely and irrecoverably stolen from blockchain users.
|
| No doubt blockchain security needs to be substantially
| improved. It will happen, though!
| europeanguy wrote:
| How about this?
|
| https://en.wikipedia.org/wiki/GNU_Taler
| adrr wrote:
| A check contains your full account number that anyone can go
| and print a check with.
|
| The new credit cards with chips generate a unique token for
| each merchant account. This is also how Apple Pay works.
| bruce343434 wrote:
| iDeal is really nice and everywhere in the Netherlands. Giving
| out credit card details to websites is crazy to me.
| (https://www.ideal.nl/en/)
| marcosdumay wrote:
| Most countries have something like this already.
| duckmysick wrote:
| Here's a list of some of them in Europe:
| https://en.wikipedia.org/wiki/European_Mobile_Payment_System...
| europeanguy wrote:
| Well, that was a rabbithole. I learned that (BME - Bolsa y
| Mercados Espanoles - Spanish stock market) is owned by a
| Swiss company. It blows my mind that countries sell off
| such important infrastructure, even if in this case to a
| friendly country.
| mkinsella wrote:
| Use Privacy.com for that!
| zenosmosis wrote:
| I second this. In a year's worth of using Privacy.com, I've
| been very pleased with the service.
|
| I like how you can set a budget for a particular card, as
| well.
| [deleted]
| welder wrote:
| I use Stripe so this isn't much use to me, but looking at their
| other canary tokens I could see the AWS key canary being useful.
|
| https://docs.canarytokens.org/guide/
| europeanguy wrote:
| This idea has an obvious problem. It's a lot of hard work. How
| many people are going to be diligent in planting canaries etc?
| And if you are, can you be diligent for the next 1, 2, 3 decades?
| That's a lot of time spent on this.
|
| You know what would be better? If every bank provided as a
| service/feature the ability to create single-use (and single-
| merchant!) debit cards. Revolut can do it, why can't huge banks
| do it as well? (BTW if you know one that does, let me know.)
| b3morales wrote:
| Capital One does still have these:
| https://www.capitalone.com/digital/eno/ though caveat the
| feature is only available via a browser plugin, I assume
| because they want to be able to scrape your shopping
| habits/history in the process.
| bentcorner wrote:
| Capital One can generate single/repeat use virtual cards,
| although it's for number-only transactions (online only?). I
| don't know if there's way to use them for tap/swipe
| transactions.
| codetrotter wrote:
| > Revolut can do it, why can't huge banks do it as well?
|
| FWIW, I use Revolut and am a fan of their service. However, the
| one time I tried to use the single-use feature it just didn't
| work for some reason. So I had to enter my "permanent" card
| details instead in order to proceed with payment.
| neilv wrote:
| > _Mix it in with your store of saved card data or on payment
| gateways. An attacker who plans to test the cards (as they
| normally do when obtaining them) or attackers who try to use them
| will immediately advertise their presence, and your response team
| can spring into action._
|
| Spring into action, to shut the barn door after the cows already
| got out?
|
| Getting alerted is good, but it's unfortunate that infosec
| practice still has so many band-aids, theatre, and reacting after
| that doesn't work.
| viraptor wrote:
| It's not a replacement for any prevention you apply first. It's
| not a band-aid. It's one more layer of what you can do and it
| is valuable to know when you were breached.
|
| It's basically an answer to: do you want to know that things
| went bad shortly after they did, or months later?
| neilv wrote:
| I didn't like the connotation of "spring into action". That
| sounded like sitting on butts before.
| jameshart wrote:
| > Some places we recommend putting these include: Databases where
| you store customer payment information
|
| _alarm klaxon sounds_
|
| Why do you have a database containing customer payment
| information?
| hn92726819 wrote:
| Do you think companies avoid storing this data? There's no
| reason for them not to _, so they do it. Look at the Target
| hack for an example of real-world credit card info stored.
|
| Also, tons of companies have one-click payment options (ever
| order something from the Chipotle or Dominos app?)
|
| Edit: _ It should be disincentivised, but look at any
| "punishment" for a data leak and it's cheaper for them to just
| lose the data
| jameshart wrote:
| PCI-DSS compliance auditing is not cheap. There's the
| incentive right there.
|
| Individual retailers have no need to store actual cardholder
| information. All the payment platforms provide ways to
| persist cardholder information, in a way that allows it to be
| reused but never read.
| philsnow wrote:
| > All the payment platforms provide ways to persist
| cardholder information, in a way that allows it to be
| reused but never read.
|
| This is usually called tokenization, if you want to search
| for it.
| loeg wrote:
| Reducing friction in repeated transactions? Someone needs to
| store it.
| jameshart wrote:
| Unless you're an actual payment platform, that someone should
| not be you.
| NavinF wrote:
| There's a tradeoff. Card numbers in your db are a lot
| easier to move between payment platforms than tokenized
| card numbers. So many merchants get screwed by payment
| platforms that lock them out right in the middle of a large
| sale because the sudden increase in transactions looks like
| fraud. You gotta look out for number one.
| croes wrote:
| Shopping sites?
| boramalper wrote:
| I wonder if the BIN/IIN (Bank/Issuer Identification Number[0]) of
| canary cards give it away. For this to work against sophisticated
| attackers, I'd expect a canary card to be indistinguishable from
| a regular one, though I still love the ingenuity of it.
|
| edit: They mention this in the article, I missed it.
|
| [0]
| https://en.wikipedia.org/wiki/Payment_card_number#Issuer_ide...
| veleek wrote:
| The blog post specifically calls out BINs and their limitations
| and some things they are doing to improve it.
| boramalper wrote:
| I only skimmed the article, you are absolutely right. Sorry!
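On the BIN point raised in this subthread: a canary that lives under a prefix only honeytokens use is one grep away from being dropped from a dump, which is why the article talks about onboarding real banks' BINs. The block below is an added example, not code from the article or from Canarytokens. It generates Luhn-valid account numbers under a chosen prefix, applies the filter a careful dump buyer would apply, and shows that canaries issued under the same BIN as the real cardholder population survive that filter while canaries under a canary-only BIN do not. The two prefixes (`REAL_BIN`, `CANARY_ONLY_BIN`) and every PAN produced are constructed for the demo and are not any issuer's real ranges.

```python
import random

# Constructed issuer prefixes for the demo (not any real issuer's ranges and
# not the BINs Canarytokens actually uses): REAL_BIN stands in for the BIN of
# the merchant's real cardholder population, CANARY_ONLY_BIN for a prefix
# that only ever carries honeytokens.
REAL_BIN = "411111"
CANARY_ONLY_BIN = "999999"


def luhn_checksum(digits: str) -> int:
    """Mod-10 Luhn sum over a digit string; a valid PAN sums to 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True for a plausible PAN: all digits, sane length, Luhn sum of 0."""
    return pan.isdigit() and len(pan) >= 12 and luhn_checksum(pan) == 0


def issue_pan(bin_prefix: str, rng: random.Random, length: int = 16) -> str:
    """Random account number under the given BIN with a correct Luhn check digit.

    Used here both for the fake "real" population and for canaries: a canary
    issued under the real population's BIN has nothing on the wire that
    separates it from its neighbours in the dump.
    """
    body = bin_prefix + "".join(rng.choice("0123456789")
                                for _ in range(length - len(bin_prefix) - 1))
    # The check digit sits at an undoubled position, so it simply adds to the sum.
    check = (10 - luhn_checksum(body + "0")) % 10
    return body + str(check)


def iin(pan: str, width: int = 6) -> str:
    """Issuer identification number: the leading 6 (or 8) digits of the PAN."""
    return pan[:width]


def attacker_filter(dump, known_canary_bins):
    """What a careful buyer does to a dump: drop Luhn failures and any PAN
    whose BIN is on a list of suspected honeytoken issuers."""
    return [pan for pan in dump
            if luhn_valid(pan) and iin(pan) not in known_canary_bins]


def build_demo_dump(seed: int = 7):
    """Constructed dump: 20 real cards, 2 canaries under the canary-only BIN,
    and 2 canaries blended in under the real population's BIN."""
    rng = random.Random(seed)
    real = [issue_pan(REAL_BIN, rng) for _ in range(20)]
    obvious = [issue_pan(CANARY_ONLY_BIN, rng) for _ in range(2)]
    blended = [issue_pan(REAL_BIN, rng) for _ in range(2)]
    return real, obvious, blended


def canaries_surviving_filter(seed: int = 7):
    """Returns (obvious_survivors, blended_survivors) after the attacker's
    BIN filter has run over the whole constructed dump."""
    real, obvious, blended = build_demo_dump(seed)
    kept = set(attacker_filter(real + obvious + blended, {CANARY_ONLY_BIN}))
    return (sum(p in kept for p in obvious), sum(p in kept for p in blended))


if __name__ == "__main__":
    print(canaries_surviving_filter())
```

The filter only needs a BIN list to be effective, which is the attacker's cheapest possible move; the defender's counter is not cleverer canary numbers but canaries that share the prefix of real traffic, so the filter has nothing to key on.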
| [deleted]
| myself248 wrote:
| The fact that the Payment Card Industry association hasn't been
| pushing this for decades, and it's up to some random infosec
| nerds to invent it, is yet more evidence that our entire payment
| infrastructure is fundamentally flawed.
| kibwen wrote:
| I wouldn't say this is much of a solution to the problem,
| though. There's no guarantee that anyone will attempt to use
| your canary card before they use your actual card. For one-time
| purchases, a better approach is to generate ephemeral cards
| that can only be used for a short amount of time, where it
| doesn't matter if the card gets leaked. And plenty of credit
| cards do offer this service.
| acdha wrote:
| Think about it at the population level: nobody is impervious
| to theft but it lowers the window for an attacker to quietly
| steal money considerably and forces them to slow down their
| activity trying to avoid canaries.
|
| To use a physical security analogy, real world bank robbery
| is a fool's game now because of many measures which do not
| perfectly prevent theft but effectively reduce the profits &
| odds of avoiding capture. If attackers can't get enough money
| to be worth the risk & effort far fewer people are going to
| try even though it's still possible.
| kibwen wrote:
| I'd say this is still putting the burden on the wrong
| party, though. For this to serve as a useful deterrent in
| general, canaries need to be quite common. Rather than
| hoping that thousands of customers will choose to use a
| canary and monitor individually, any company that stores
| credit cards should instead contract with an outside
| auditor, whereby any time a user stores a real credit card
| in the system, the auditor generates a canary and stores
| that in the database as well. This way it happens
| transparently in the backend, without having to ask users
| to do it, and immediately turns any credential leak into a
| minefield where you have a 50% chance of getting only one
| card before a canary goes off.
| acdha wrote:
| I don't think those options are mutually exclusive:
| merchants should definitely be doing it but note also
| that many of the scenarios are things where you might
| want to verify your personal data storage or deal with
| internal business security.
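The population-level argument in this subthread (seed canaries next to real cards so that an attacker who tests the dump trips one early) can be put in numbers. The block below is an added example, not code from the post or from Thinkst's Canarytokens: it computes how many real cards an attacker who tests a uniformly shuffled dump one card at a time gets through before the first canary fires, checks the closed form by simulation, and shows the defender-side tripwire over a constructed authorization log. The PAN strings and the log are made up for the demo.

```python
import random
from fractions import Fraction


def expected_real_cards_before_first_canary(n_real: int, n_canary: int) -> Fraction:
    """Exact expectation for an attacker who tests a uniformly shuffled dump
    one card at a time and is noticed the moment a canary is charged.

    The n_canary canaries cut the shuffled list into n_canary + 1 gaps and each
    real card is equally likely to land in any of them, so the gap before the
    first canary holds n_real / (n_canary + 1) real cards on average.
    """
    if n_canary < 1:
        raise ValueError("no canaries: the tripwire can never fire")
    return Fraction(n_real, n_canary + 1)


def simulate_real_cards_before_first_canary(n_real: int, n_canary: int,
                                            trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of the formula above with a fixed seed (deterministic)."""
    if n_canary < 1:
        raise ValueError("no canaries: the tripwire can never fire")
    rng = random.Random(seed)
    dump = ["real"] * n_real + ["canary"] * n_canary
    total = 0
    for _ in range(trials):
        rng.shuffle(dump)
        # index of the first canary == number of real cards tested before it
        total += dump.index("canary")
    return total / trials


def first_canary_hit(authorizations, canary_pans):
    """Defender-side tripwire over an authorization stream.

    `authorizations` is an iterable of (sequence_no, pan, amount) tuples as an
    issuer-side or gateway-side log might yield them; returns the first record
    whose PAN is a seeded canary, or None if the stream is clean. Everything
    approved before that record is the set to review and revoke.
    """
    canary_pans = set(canary_pans)
    for record in authorizations:
        _, pan, _ = record
        if pan in canary_pans:
            return record
    return None


# Constructed sample data (not real card numbers): a gateway log in which the
# attacker "tests" cards with small charges and hits a canary on the 4th try.
SAMPLE_CANARIES = {"4000000000000101", "4000000000000218"}
SAMPLE_AUTH_LOG = [
    (1, "4000000000000028", 1.00),
    (2, "4000000000000036", 1.00),
    (3, "4000000000000044", 0.50),
    (4, "4000000000000218", 1.00),   # canary: alert, then revoke the approvals above
    (5, "4000000000000051", 1.00),
]

if __name__ == "__main__":
    for n_canary in (1000, 100, 10):
        print(n_canary, "canaries per 1000 real cards ->",
              float(expected_real_cards_before_first_canary(1000, n_canary)),
              simulate_real_cards_before_first_canary(1000, n_canary))
    print("tripwire:", first_canary_hit(SAMPLE_AUTH_LOG, SAMPLE_CANARIES))
```

With a 1:1 ratio the attacker gets through about one real card before the alarm; with one canary per hundred real cards it is about ten, still far short of the whole table, which is the "narrower quiet window" point rather than a promise that nothing leaks.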
| pelasaco wrote:
| Well to be honest, honeytokens have been in use since the
| beginning of the 2000s, https://en.wikipedia.org/wiki/Honeytoken. I
| personally implemented them in a bank, 20 years ago, generating
| some fake credit card numbers (and other information) and
| having them monitored in AV, IDS, IPS, and antifraud
| solutions like browser extensions, Google search, etc. So
| maybe we can say that I'm a random infosec nerd, but I guess
| I'm not the only one, just that people and companies preferred
| to do it in silence, to actually catch the bad guys out
| there. We actually were able to catch internal people selling
| data, and we could understand some ways data used to flow and
| work pretty tightly with the police to intercept and bust
| criminal groups.
| 411111111111111 wrote:
| Yeah, trust self important HN commentators like myself248 to
| imply incompetence throughout an entire industry while being
| completely ignorant about said industry.
| pelasaco wrote:
| People normally imagine that finance, and especially banks,
| are just COBOL, mainframe and legacy, and even though that is
| part of their BAU, there is a lot of innovation there,
| especially in the infosec/antifraud segments.
| myself248 wrote:
| How would the operator of an ecommerce website have gotten
| their hands on these things to seed their data with them? Is
| this something they would've known to ask for?
| [deleted]
| 29athrowaway wrote:
| Or canary admin accounts (marked in the db as admin but with
| exceptions at the app level so that they are effectively not
| admins).
| sneak wrote:
| Wouldn't the attacker only charge these after charging
| dozens/hundreds of legitimate customer cards too?
|
| Seems to me this is the wrong solution to the problem this is
| trying to solve.
| acdha wrote:
| It's mitigation, not a perfect prevention, but those are
| extremely useful for security: if the attacker trips a warning
| after hundreds of charges are approved that still allows the
| bank to take action before the number is in the thousands of
| cards and makes it possible to retroactively revoke the
| transactions which were just approved. In the common case where
| someone is making purchases using stolen cards that allows
| goods never to leave the warehouse, and if the attacker slows
| their usage rate to avoid that they're getting much less
| profit.
| sergioisidoro wrote:
| The responsibilities don't end when the breach happens. And
| while the cat is out of the bag, knowing it has happened is
| also important to contact customers, fulfil legal disclosure
| with regulators (eg. GDPR), and for triggering investigations
| and forensics.
| azeemba wrote:
| Usually they test the set of cards with small charges. This
| allows them to sell pre-tested cards at higher value.
|
| So if you can find out that one of your canary cards has been
| tested, you can have some confidence that your whole set has
| been compromised.
| [deleted]
| lobstersammich wrote:
| Does anyone have a good alternative to Privacy.com where your
| virtual credit card transaction data isn't sold to Wall Street?
| If you're unfamiliar with what a "virtual [credit] card" is
| here's the page from Privacy.com's website:
| https://privacy.com/virtual-card I use the Privacy app on my
| mobile phone to create virtual cards (primarily for work
| subscriptions). Pro-tip: since each Privacy card can have its own
| name put a tag such as `[WORK_RECURRING]` into the card name and
| then you can search your email inbox for `[WORK_RECURRING]`,
| quickly and easily finding all of the transactions / charges that
| you may want to submit to your workplace for reimbursement.
|
| Privacy is owned / created by Lithic, but if you look at Lithic's
| investors you'll see that the plurality of the company's
| investors are in the private equity or VC space: Bessemer
| Ventures, Tusk Partner Ventures, Index Ventures, etc. You can see
| the Privacy.com / Privacy mobile app's funders here:
| https://www.crunchbase.com/organization/lithic-pay
|
| Thus, I have no doubt that my transactions on the cleverly-named
| Privacy app are being gifted or sold to Wall Street so that hedge
| funds can squeeze out a few additional drops of 'signal' from
| consumer purchase pattern data that would otherwise remain dark.
| (I'd imagine that many folks use the Privacy app to buy things
| that they'd rather not have show up on their regular credit card
| bills: 'adult websites', marijuana or tobacco products, etc.)
|
| So, two questions:
|
| (1) Does anyone have a privacy-respecting alternative to
| Privacy.com's virtual credit cards?
|
| (2) Does anyone know of a recent blog post where these virtual
| credit card services are compared / contrasted by
|
| - the services that they offer,
| - the cost: free, paid, etc.,
| - the terms of service: how your data is re-sold / who your data is
| transmitted to
| ok_dad wrote:
| I would bet that all of your electronic transactions end up in
| some pool of data, no matter what you try. I believe only cash
| at a swap meet while wearing dark sunglasses and a hat is
| _really_ private.
| asciimike wrote:
| > (1) Does anyone have a privacy-respecting alternative to
| Privacy.com's virtual credit cards?
|
| Capital One offers virtual cards through Eno
| (https://www.capitalone.com/digital/eno/virtual-card-numbers/)
| that are merchant locked. They make it somewhat cumbersome to
| use, but I've really enjoyed using them.
|
| It doesn't block wall street knowing about what you're buying,
| but at least it's likely got one (or more) fewer middlemen
| looking at all your transactions.
| nubinetwork wrote:
| Dupe of https://news.ycombinator.com/item?id=34469471
| [deleted]
| 1970-01-01 wrote:
| Very interesting tool. I'm going to write the canary CC onto a
| physical card and swipe it first when shopping. If I ever see it
| randomly accessed, I'll know my 2nd card (actual payment card) is
| burnt.
|
| >Credit Card Rate-Limiting currently in place. Please try again
| later.
|
| Maybe tomorrow.
| [deleted]
| rsync wrote:
| Hmmm ... I like the idea but my hunch was that disposable card
| numbers would fail at POS because the network knows that card
| should never have been issued physically?
|
| If you run this experiment, would you do a tell HN ?
| DueDilligence wrote:
| .. lets see .. a penny for the peep show [canary token] or a
| dollar for the lap dance [privacy.com]. No argument here - lap
| dance it is.
| [deleted]
| brightball wrote:
| I'm really glad to see this project.
|
| I used to do this all the time by hand when I was actively
| dealing with phishing sites. I'd submit credentials to the site
| and watch for it on our account login page to identify the
| perpetrator.
| posix_compliant wrote:
| I'm dying to know how they implemented this. In order to have
| Visa or MasterCard process this transaction, they'd need to have
| a bank partner to issue the credit card with an issuer
| processor. There's usually a large cost to keeping open credit
| cards on file, even if there's no line of credit.
| jhfdbkofdchk wrote:
| Only Amex at the moment.
| [deleted]
| edarchis wrote:
| I've been trying to use this technique to alert banks (in Belgium
| where I live) of online fraud for a while but failed.
|
| We are getting lots of phishing by text, email and hacked IMs.
| They use a bunch of redirections to get you to "login to your
| bank" with our security devices. In reality, they'll MITM it
| and transfer money to some mules.
|
| If we could have people fill in some canary bank account that
| would trigger a fraud alert at the banks, we could stop those
| payments a lot more easily.
|
| The banks don't really seem to care because the payments are
| signed with the card and PIN of the owner, so they refuse to
| refund it. No loss to the bank, no action. :(
| ipython wrote:
| Oooo. This is fantastic. I'll start using this with scam callers.
| Do they also give you the info on the entity that _made_ the
| charge?
| remram wrote:
| Those are free? Wouldn't those cost them something to create or
| operate?
| detaro wrote:
| The Canarytokens service is clearly more or less an advertising
| expense for them. People that know and use it are more likely
| to buy their commercial offerings.
| whstl wrote:
| This is a late-2000s story but: I once worked for a small-time
| credit card emitter and the only money leaving us was the money
| from the transactions themselves.
|
| It was quite interesting, AFAIK we had a range of CC numbers
| that we could use, and we had to "answer" to an API call (a
| "lower-level webhook", it wasn't HTTP) that provided all the
| user data for verification, and we had to authorize in a
| maximum amount of time (hard real-time). The verification
| happened entirely on our side, so it was even possible to reuse
| numbers by changing the CVV or expiration date, for example. At
| least that was how it was explained to me, someone could chime
| in and correct some mistakes here! :)
|
| This feature later enabled some banks to allow the customer to
| change their "credit limit" as much as they wanted, or to
| block/unblock the card using a toggle in the app. But "real
| time confirmation" wasn't possible because of the hard-real-
| time constraint we had. I remember we had to reply very fast at
| the time, and could get punished if we had too many timeouts.
|
| This might not be the reality in every country or region, but
| by giving everyone a dummy credit card in those conditions, the
| costs would be only of servers + personnel.
|
| Of course, a partnership with zero dollars worth of
| transactions would make zero sense to the partnering bank, so
| they would obviously complain. But this here seems to be a
| special case where there's a previous agreement.
| DerekBickerton wrote:
| This is tangential, but still related: a few years ago I could
| buy disposable VISA cards which were these vouchers you bought in
| a store and were preloaded with a fixed amount. They didn't even
| have to be in your legal name.
|
| I put the numbers on e-crime forums for people to snap up, and it
| was funny watching what kinds of transactions were being made.
| Most people were using it to buy cryptocurrency.
|
| Most of the transactions were vague though and didn't mention the
| merchant in question, but with a bit of digging I discovered they
| were so called 'Discreet Billing' companies which are largely
| used for adult websites and used to mask the fact you were buying
| porn to people casually glancing at your CC statement.
| [deleted]
| voakbasda wrote:
| I have wanted something like this to give to scammers, to help
| aid in their detection and capture. This is part of that puzzle.
|
| Now if only law enforcement would give a shit and do something
| about all of the rampant fraud. Sadly, I do not believe that will
| ever happen.
| ISL wrote:
| I'm also interested in knowing which law-enforcement divisions
| are actively interested in taking on fraud cases -- if the
| community finds it, which divisions and prosecutors are fired
| up about chasing down online fraud?
|
| Seems like a great way for an ambitious team to make a popular
| difference in the world.
| lazide wrote:
| Near as I can tell, a lot of the fraud is exploitation of the
| known and not yet solved 'remote jurisdiction' issue.
|
| When someone is far away, and in a different jurisdiction, it's
| hard to track them down and do anything to them.
|
| Not likely to get better anytime soon, unfortunately.
| myself248 wrote:
| I thought bounty hunters were supposed to solve that. They
| ignore our laws, we ignore theirs.
|
| This leads to a hell of a dystopia, but spammers have left me
| no choice but to contemplate dystopias.
| lazide wrote:
| Bounty hunters are not really a thing in the way you're
| thinking - they can't just go to Japan, investigate
| someone, arrest them and bring back someone from there for
| instance. They're for returning someone already arrested
| who jumped bail somewhere. And they typically don't work
| internationally, as their legality is dubious even within a
| specific jurisdiction.
|
| For something major, it's generally already possible to
| investigate and get someone extradited already, for
| instance, when the cultural gaps aren't too large and the
| cultures have a common agreement on what a 'major crime' is
| and looks like. Murder, for instance.
|
| The issue is the bar for 'major enough' gets higher and
| higher the more jurisdictions/cultures you cross, and it is
| super easy now to scam across a large enough gap there that
| no one is going to arrest or participate in investigating
| all but the largest and most blatant scams.
|
| Good luck getting someone arrested in Russia, Nigeria,
| China, etc. for wire fraud, for example.
| [deleted]
| derefr wrote:
| You wouldn't send a bounty hunter to Japan. You'd hire a
| Japanese bounty hunter who operates in Japan. Or, more
| specifically, you'd _put up a bounty_ for someone's
| arrest in Japan, and one or more Japanese bounty hunters
| would "take on" the bounty.
|
| Also, the goal of hiring a bounty hunter, presumably,
| wouldn't be to get them arrested for things that are
| crimes in some other country, but rather to get them
| arrested for things that are crimes in _their own_
| country (or in whatever country they happen to be hiding
| it.)
| lazide wrote:
| This isn't Star Wars or the Wild West btw.
|
| Bounties in the US are issued by the court. You can't
| issue one as a private person.
|
| For it to be legal for a bounty hunter to do anything,
| they need to comply with some laws while doing it.
| Otherwise, it's false arrest and/or kidnapping.
|
| Which I'm sure with some work, and a lot of money, some
| folks would be willing to do for you. However, I doubt it
| would go well for anyone, and certainly wouldn't result
| in the person being taken going to jail if all they did
| was scam someone.
|
| Targeted international kidnapping (human trafficking?) is
| one of the 'quite serious' things likely to get whoever
| initiated it tracked down and thrown in jail though.
|
| Near as I can tell, only the Philippines has a similar
| system.
|
| It gets a lot of press and there are a lot of legends
| around it, but it isn't what you think.
|
| The formal system for having someone arrested and sent to
| another country is extradition, and it works rather
| differently. It's slow, expensive, and rarely used
| outside of serious crimes.
|
| Having someone arrested, tried, and penalized in another
| country for committing a crime against you somewhere else
| is also not easy.
|
| 1) often the courts in the attacker's country will say
| they have no jurisdiction to try them, as the crimes were
| committed elsewhere. This can also happen if you try it
| in the victim's country.
|
| 2) you run across all sorts of 'meh, don't care' issues
| when the attacker is bringing in good money locally and
| the victims are seen as 'not here/not anyone we care
| about'
|
| 3) good luck collecting evidence, making a case, getting
| them arrested, etc. in a foreign country, speaking a
| foreign language, with a legal system that you don't
| understand. It's hard enough doing it when it's local.
|
| 4) if the local legal system is known for corruption,
| good luck figuring out which buttons to push. The
| attacker almost certainly is already familiar with them.
|
| Not impossible. But the costs can easily be > $100k,
| sometimes in the millions.
|
| Hence the 'serious enough' bar too.
| marcus0x62 wrote:
| What would the Japanese bounty hunter arrest the person
| in Japan for and on who's authority?
| derefr wrote:
| And even if you can both track them down and hand evidence of
| wrongdoing on a silver platter to law enforcement in their
| jurisdiction, often the places these criminals operate out of
| were selected specifically because their justice system is
| corrupt and easily bribed. Often, these fraudsters can even
| talk local politicians into seeing their (cover) businesses
| as "important local industries, employing local citizens,
| generating taxable income, and making charitable donations."
|
| This is the strategy used by the harder-to-kill scam call-
| centres in India; certain cities in India (I believe
| Hyderabad?) have been repeatedly handed damning evidence of
| criminal acts by scammers operating there, but it gets swept
| under the rug every time. When a big-enough stink is made
| that it makes their own local news, they just give the
| criminals a slap on the wrist or less (e.g. an arrest on low
| bail that they easily afford to pay, with the case then being
| dropped before it ever goes to trial, as soon as it's out of
| the news.)
| nebula8804 wrote:
| The US has the power to really cause damage to India (and
| well any other country). They can cause a stink on the UN
| front and if that does not work, escalate financially like
| they do to countries like Iran. Its just not that important
| for the extremely old and corrupt leadership at the top to
| care about though. I suspect once someone from the internet
| generation takes the presidency, there will be some chance
| of something changing.
| ocal5 wrote:
| Looks neat and thanks for sharing the idea. Aren't professionals
| going to just discard all numbers associated with this "bank",
| then?
| lights0123 wrote:
| > Savvy attackers may start looking for patterns in the bank
| identification numbers (BINs) that we issue, and proactively
| deleting or excluding them from their dumps. For this reason we
| are in discussions with a number of banks to onboard their BINs
| to the system too, further mixing in legitimate cards with
| tokens.
|
| > It's a compelling argument: "Would you like attackers to
| first remove your bank's cards from dumps they steal?"
| ocal5 wrote:
| win - win : )
| philsnow wrote:
| I've thought about something similar for spam calls: I can
| play whack-a-mole blocking individual numbers, but it won't
| scale fast enough and scammers will always get to me. I can
| rely on iphone's "scam likely" notification and just not
| answer those, which helps.
|
| If the latter (and whatever similar feature android has) were
| somehow perfect, scammers would have a bad time. But.. if
| they convinced (paid) some (more-)legitimate companies to
| have their outgoing calls show up as the same number as the
| scammers use, people would eventually learn that they have to
| pick up scam calls or else miss calls from their
| bank/pharmacy/whatever.
| detaro wrote:
| Many canaries are avoidable if you pay perfect attention - but
| people slip up, and even if they don't, paying perfect
| attention does increase the cost for the attacker. (And e.g.
| throwing out all Amex corporate credit cards (one example of
| the "banks" they use) as you suggest does reduce the value of
| stolen data too)
| lazide wrote:
| Also, attackers who are so diligent could often make more
| money not doing criminal things.
| xeromal wrote:
| That sounds like a feature rather than a bug.
___________________________________________________________________
(page generated 2023-01-22 23:00 UTC)