[HN Gopher] Detect breaches with Canary credit cards

Author: samwillis
Score: 276 points
Date: 2023-01-22 11:57 UTC (11 hours ago)
Web link: blog.thinkst.com (HTM); w3m dump (TXT)

madsbuch wrote:
Very neat!

I can definitely see that adding a couple of these to one's password manager would be hugely valuable!

jay-barronville wrote:
True, but if your password vault becomes compromised, you have significantly bigger problems than credit cards being compromised.

philsnow wrote:
In that case you're almost completely screwed... but you would want to know sooner rather than later, right?

teilo wrote:
I use Privacy.com, which basically turns every card I use with them into a canary. The first time you charge on one of their virtual cards, they become merchant-locked. No other merchant can charge to that number, and if someone tries, I get an alert.

I have uncovered flaws in online merchants this way, and notified them. They were usually grateful, especially so since the fraudulent charges failed.

worble wrote:
It's also frankly absurd that no such service exists for European customers. I've been looking the past few days for someone who does something like this and it's just not available, for what I can only assume are regulatory reasons.

delusional wrote:
It's my understanding that Visa does offer the service to banks, they just haven't implemented it. There is to my knowledge no regulatory red tape, it's just not seen as profitable.

The banks here in Denmark are just less competitive and more entrenched than in the US.

vlabakje90 wrote:
Revolut has single use credit cards as part of their offering.
You can either choose to create a new one for each transaction (disposable card) or a virtual credit card that you can use more than once but discard if something happens to it.

Because both types are virtual prepaid type cards, some services (e.g. car rental) will not accept such cards.

jddj wrote:
(Transfer)wise offers virtuals too, though not prepaid.

namibj wrote:
Capped to 3 virtuals, though.

sschueller wrote:
What's absurd is that this is something I have to pay for or find a particular issuer of a visa/mastercard. It should be free and included with every visa and mastercard. They should demand that every issuer of their cards needs to offer virtual cards and 3d secure. If they don't then their fees should be significantly higher.

derefr wrote:
My understanding was that privacy.com is just a "detached service" implementation of something that many European banks offer natively as a feature of having a credit card (or even just a chequing account) with them; and that privacy.com was only viable as a business because, for some reason, American banks are (or were at the time) totally unwilling to build anything like this, so people were willing to settle for a (strictly worse from a "privacy" perspective) third-party-MITM-proxy card if it meant having this feature.

I'd suggest, rather than looking for a "detached service" that does this, look at what (probably larger) European banks besides your own offer their customers built-in.

davchana wrote:
My Indian bank, HDFC, offers this since 2008: virtual cards with custom amount, one time use. On creation, the amount equal to limit gets set aside. If merchant charges less than max limit, the excess comes back.

Their at-the-time debit cards were good only for domestic transactions, but this virtual was good for international, & used to come up as Visa Prepaid. I used it for registering domains & amazon international shopping.
LelouBil wrote:
I know my French bank offers a service like this, it is an extra though.

quickthrower2 wrote:
Credit cards shouldn't need to be shared with all and sundry. The concept is very old fashioned. We wouldn't share out side project github keys like this!

notafraudster wrote:
I had heard of this service before and assumed it cost money, but thanks to your comment checked it out, and apparently they have a free tier allowing you to create 10 cards per month. Cool!

davchana wrote:
The only downside which stops me from using privacy.com is that I will lose the chance to earn points or cashback, as privacy charges directly to your checking account (understandably).

NavinF wrote:
Worth mentioning that several banks offer virtual credit card numbers as a built-in feature so you don't need a separate service: https://www.doctorofcredit.com/list-of-banks-which-offer-vir...

I've only used this for the sketchiest of vendors though. Chargebacks are pretty easy for the once-a-decade event where I get billed for something incorrectly.

rich_sasha wrote:
I find it crazy that making a payment requires giving your full details. Using a credit card is less writing a cheque, more handing over a chequebook and saying "help yourself".

I dream of a payment system where payment generates some token, which the intended recipient can redeem, perhaps bearer ones for casual transactions, with support for periodic payments, revoking existing tokens or placing per-token limits.

One day perhaps...

legutierr wrote:
This is part of the reason that a lot of people are excited about stablecoins and blockchain payments.

acdha wrote:
It's a common marketing point but people aren't using blockchains because they cost more, take longer, and have no fraud protection.
If someone steals my credit card, I'll likely lose nothing other than some mild inconvenience updating numbers - and I don't even need to do that with the modern systems like Apple Pay which use unique per-merchant identifiers.

That makes quite the contrast with the large sums routinely and irrecoverably stolen from blockchain users. If you want people to buy your random hashes, spend your time unbreaking the system instead of marketing it.

legutierr wrote:
> If someone steals my credit card, I'll likely lose nothing other than some mild inconvenience updating numbers

You might not lose money when someone steals your credit card, but someone does: either your bank or the merchant will suffer a fraud loss.

Consumer fraud protections with regards to credit cards are necessary because credit cards are fundamentally insecure technology and would be unusable if issuers didn't take on so much of the fraud risk themselves.

> and I don't even need to do that with the modern systems like Apple Pay which use unique per-merchant identifiers.

Apple Pay is a big improvement over standard credit card technology. It's also closed and proprietary, and requires special equipment to use, on both the merchant side and the consumer side.

> spend your time unbreaking the system instead of marketing it.

Are you criticizing me for writing this comment on HN because I am not at this very moment writing code? In your mind, people can't even talk about a project they may be interested in or working on until the project is finished?

> If you want people to buy your random hashes

Are you sure you are not confusing stablecoins and cryptocurrencies? These are very different things. Stablecoins are transferable sovereign currency obligations the balances of which are recorded on a blockchain.
Stablecoin tech can be used to allow consumers and merchants to interact with any type of monetary account as might otherwise be embodied by a debit or credit card, with similar business terms.

> That makes quite the contrast with the large sums routinely and irrecoverably stolen from blockchain users.

No doubt blockchain security needs to be substantially improved. It will happen, though!

europeanguy wrote:
How about this?

https://en.wikipedia.org/wiki/GNU_Taler

adrr wrote:
A check contains your full account number that anyone can go and print a check with.

The new credit cards with chips generate a unique token for each merchant account. This is also how Apple Pay works.

bruce343434 wrote:
iDeal is really nice and everywhere in the Netherlands. Giving out credit card details to websites is crazy to me. (https://www.ideal.nl/en/)

marcosdumay wrote:
Most countries have something like this already.

duckmysick wrote:
Here's a list of some of them in Europe: https://en.wikipedia.org/wiki/European_Mobile_Payment_System...

europeanguy wrote:
Well, that was a rabbit hole. I learned that BME (Bolsa y Mercados Españoles, the Spanish stock market) is owned by a Swiss company. It blows my mind that countries sell off such important infrastructure, even if in this case to a friendly country.

mkinsella wrote:
Use Privacy.com for that!

zenosmosis wrote:
I second this. In a year's worth of using Privacy.com, I've been very pleased with the service.

I like how you can set a budget for a particular card, as well.

[deleted]

welder wrote:
I use Stripe so this isn't much use to me, but looking at their other canary tokens I could see the AWS key canary being useful.

https://docs.canarytokens.org/guide/

europeanguy wrote:
This idea has an obvious problem. It's a lot of hard work. How many people are going to be diligent in planting canaries etc?
And if you are, can you be diligent for the next 1, 2, 3 decades? That's a lot of time spent on this.

You know what would be better? If every bank provided as a service/feature the ability to create single-use (and single-merchant!) debit cards. Revolut can do it, why can't huge banks do it as well? (BTW if you know one that does, let me know.)

b3morales wrote:
Capital One does still have these: https://www.capitalone.com/digital/eno/ though caveat the feature is only available via a browser plugin, I assume because they want to be able to scrape your shopping habits/history in the process.

bentcorner wrote:
Capital One can generate single/repeat use virtual cards, although it's for number-only transactions (online only?). I don't know if there's a way to use them for tap/swipe transactions.

codetrotter wrote:
> Revolut can do it, why can't huge banks do it as well?

FWIW, I use Revolut and am a fan of their service. However, the one time I tried to use the single-use feature it just didn't work for some reason. So I had to enter my "permanent" card details instead in order to proceed with payment.

neilv wrote:
> _Mix it in with your store of saved card data or on payment gateways. An attacker who plans to test the cards (as they normally do when obtaining them) or attackers who try to use them will immediately advertise their presence, and your response team can spring into action._

Spring into action, to shut the barn door after the cows already got out?

Getting alerted is good, but it's unfortunate that infosec practice still has so many band-aids, theatre, and reacting after that doesn't work.

viraptor wrote:
It's not a replacement for any prevention you apply first. It's not a band-aid. It's one more layer of what you can do and it is valuable to know when you were breached.
It's basically an answer to: do you want to know that things went bad shortly after they did, or months later?

neilv wrote:
I didn't like the connotation of "spring into action". That sounded like sitting on butts before.

jameshart wrote:
> Some places we recommend putting these include: Databases where you store customer payment information

_alarm klaxon sounds_

Why do you have a database containing customer payment information?

hn92726819 wrote:
Do you think companies avoid storing this data? There's no reason for them not to*, so they do it. Look at the Target hack for an example of real world credit card info stored.

Also, tons of companies have one-click payment options (ever order something from the Chipotle or Dominos app?)

Edit: * It should be disincentivised, but look at any "punishment" for a data leak and it's cheaper for them to just lose the data.

jameshart wrote:
PCI-DSS compliance auditing is not cheap. There's the incentive right there.

Individual retailers have no need to store actual cardholder information. All the payment platforms provide ways to persist cardholder information, in a way that allows it to be reused but never read.

philsnow wrote:
> All the payment platforms provide ways to persist cardholder information, in a way that allows it to be reused but never read.

This is usually called tokenization, if you want to search for it.

loeg wrote:
Reducing friction in repeated transactions? Someone needs to store it.

jameshart wrote:
Unless you're an actual payment platform, that someone should not be you.

NavinF wrote:
There's a tradeoff. Card numbers in your db are a lot easier to move between payment platforms than tokenized card numbers. So many merchants get screwed by payment platforms that lock them out right in the middle of a large sale because the sudden increase in transactions looks like fraud. You gotta look out for number one.
croes wrote:
Shopping sites?

boramalper wrote:
I wonder if the BIN/IIN (Bank/Issuer Identification Number[0]) of canary cards gives it away. For this to work against sophisticated attackers, I'd expect a canary card to be indistinguishable from a regular one, though I still love the ingenuity of it.

edit: They mention this in the article, I missed it.

[0] https://en.wikipedia.org/wiki/Payment_card_number#Issuer_ide...

veleek wrote:
The blog post specifically calls out BINs and their limitations and some things they are doing to improve it.

boramalper wrote:
I only skimmed the article, you are absolutely right. Sorry!

[deleted]

myself248 wrote:
The fact that the Payment Card Industry association hasn't been pushing this for decades, and it's up to some random infosec nerds to invent it, is yet more evidence that our entire payment infrastructure is fundamentally flawed.

kibwen wrote:
I wouldn't say this is much of a solution to the problem, though. There's no guarantee that anyone will attempt to use your canary card before they use your actual card. For one-time purchases, a better approach is to generate ephemeral cards that can only be used for a short amount of time, where it doesn't matter if the card gets leaked. And plenty of credit cards do offer this service.

acdha wrote:
Think about it at the population level: nobody is impervious to theft but it lowers the window for an attacker to quietly steal money considerably and forces them to slow down their activity trying to avoid canaries.

To use a physical security analogy, real world bank robbery is a fool's game now because of many measures which do not perfectly prevent theft but effectively reduce the profits & odds of avoiding capture. If attackers can't get enough money to be worth the risk & effort far fewer people are going to try even though it's still possible.
kibwen wrote:
I'd say this is still putting the burden on the wrong party, though. For this to serve as a useful deterrent in general, canaries need to be quite common. Rather than hoping that thousands of customers will choose to use a canary and monitor individually, any company that stores credit cards should instead contract with an outside auditor, whereby any time a user stores a real credit card in the system, the auditor generates a canary and stores that in the database as well. This way it happens transparently in the backend, without having to ask users to do it, and immediately turns any credential leak into a minefield where you have a 50% chance of getting only one card before a canary goes off.

acdha wrote:
I don't think those options are mutually exclusive: merchants should definitely be doing it but note also that many of the scenarios are things where you might want to verify your personal data storage or deal with internal business security.

pelasaco wrote:
Well to be honest honey tokens have been used since the beginning of the 2000s, https://en.wikipedia.org/wiki/Honeytoken. I personally implemented them in a bank, 20 years ago, generating some fake credit card numbers (and other information) and having them monitored in AV, IDS, IPS, antifraud solutions like browser extensions, Google search and etc. So maybe we can say that I'm a random infosec nerd, but I guess I'm not the only one, just that people and companies preferred to do it in silence, to actually catch the bad guys out there. We actually were able to catch internal people selling data and we could understand some ways data used to flow and work pretty tight with the police to intercept and bust criminal groups.

411111111111111 wrote:
Yeah, trust self important HN commentators like myself248 to imply incompetence throughout an entire industry while being completely ignorant about said industry.
pelasaco wrote:
People normally imagine that finance, and especially banks, are just COBOL, mainframe and legacy, and even though that is part of their BAU, there is a lot of innovation there, especially in the infosec/antifraud segments.

myself248 wrote:
How would the operator of an ecommerce website have gotten their hands on these things to seed their data with them? Is this something they would've known to ask for?

[deleted]

29athrowaway wrote:
Or canary admin accounts (marked in the db as admin but with exceptions at the app level so that they are effectively not admins).

sneak wrote:
Wouldn't the attacker only charge these after charging dozens/hundreds of legitimate customer cards too?

Seems to me this is the wrong solution to the problem this is trying to solve.

acdha wrote:
It's mitigation, not a perfect prevention, but those are extremely useful for security: if the attacker trips a warning after hundreds of charges are approved that still allows the bank to take action before the number is in the thousands of cards and makes it possible to retroactively revoke the transactions which were just approved. In the common case where someone is making purchases using stolen cards that allows goods never to leave the warehouse, and if the attacker slows their usage rate to avoid that they're getting much less profit.

sergioisidoro wrote:
The responsibilities don't end when the breach happens. And while the cat is out of the bag, knowing it has happened is also important to contact customers, fulfil legal disclosure with regulators (eg. GDPR), and for triggering investigations and forensics.

azeemba wrote:
Usually they test the set of cards with small charges. This allows them to sell pre-tested cards at higher value.

So if you can find out that one of your canary cards has been tested, you can have some confidence that your whole set has been compromised.
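kibwen's proposal above (seed one canary record per real card) and azeemba's observation (stolen cards get "tested" with small charges first) can be put together as a small defender-side model. This is an added example, not code from the article, Thinkst or anyone in the thread; the card numbers are public test numbers plus constructed canaries under an invented placeholder prefix, the log format is constructed, and the hit probability treats an attacker's test batch as draws without replacement from the leaked table.

```python
"""Model of seeded canary cards: how likely a test batch trips one, and how a
merchant would turn an authorization attempt on a canary into an alert that
names the compromised table. Added example; constructed data throughout."""
from __future__ import annotations

from dataclasses import dataclass
from math import comb
from typing import Iterable

CANARY_BIN = "999900"  # placeholder prefix for the constructed canaries, not a real BIN


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; a canary that fails it would be rejected before any
    authorization attempt and so would never fire."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def hit_probability(real: int, canaries: int, tested: int) -> float:
    """P(at least one canary among `tested` cards drawn without replacement).
    With one canary per real card and tested == 1 this is the thread's 50%;
    every additional card tested raises it."""
    if tested > real + canaries:
        raise ValueError("cannot test more cards than were leaked")
    if tested > real:
        return 1.0          # a batch larger than the real set must contain a canary
    return 1.0 - comb(real, tested) / comb(real + canaries, tested)


@dataclass(frozen=True)
class StoredCard:
    pan: str
    seeded_with: str        # table/shard the record lives in (blast radius on alert)
    is_canary: bool


@dataclass(frozen=True)
class Alert:
    pan_last4: str
    amount: str
    merchant: str
    compromised_table: str


def seed_canaries(table: str, real_pans: Iterable[str],
                  canary_pans: Iterable[str]) -> list[StoredCard]:
    """Interleave one canary per real record, as kibwen proposes."""
    rows: list[StoredCard] = []
    for real, canary in zip(real_pans, canary_pans):
        rows.append(StoredCard(real, table, False))
        rows.append(StoredCard(canary, table, True))
    return rows


def scan_authorizations(rows: Iterable[StoredCard],
                        auth_log: Iterable[str]) -> list[Alert]:
    """Match canary PANs against authorization attempts. Constructed log format:
    'ts pan amount merchant'. A $1.00 test charge counts the same as a big one."""
    canaries = {r.pan: r for r in rows if r.is_canary}
    alerts: list[Alert] = []
    for line in auth_log:
        _, pan, amount, merchant = line.split(maxsplit=3)
        if pan in canaries:
            alerts.append(Alert(pan[-4:], amount, merchant, canaries[pan].seeded_with))
    return alerts


def demo() -> tuple[list[Alert], float]:
    """Constructed scenario: two real cards (well-known public test PANs), two
    canaries, and a log in which one canary receives a small test charge."""
    rows = seed_canaries(
        "cards_v1",
        ["4111111111111111", "5555555555554444"],     # public test PANs
        [CANARY_BIN + "0000000004", CANARY_BIN + "0000000012"],  # constructed canaries
    )
    assert all(luhn_ok(r.pan) for r in rows), "canaries must look like valid cards"
    auth_log = [  # constructed authorization log
        "2023-01-22T12:00:00Z 4111111111111111 49.99 shop-a",
        "2023-01-22T12:00:01Z 9999000000000004 1.00 test-merchant",
        "2023-01-22T12:00:02Z 5555555555554444 120.00 shop-b",
    ]
    alerts = scan_authorizations(rows, auth_log)
    # one canary per real card: testing 2 of the 4 leaked rows trips a canary 5 times in 6
    p = hit_probability(real=2, canaries=2, tested=2)
    return alerts, p


if __name__ == "__main__":
    found, p = demo()
    for a in found:
        print(f"CANARY HIT ****{a.pan_last4} {a.amount} at {a.merchant}: "
              f"treat table {a.compromised_table} as breached")
    print(f"P(canary tripped when 2 of 4 leaked cards are tested) = {p:.3f}")
```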
[deleted]

lobstersammich wrote:
Does anyone have a good alternative to Privacy.com where your virtual credit card transaction data isn't sold to Wall Street? If you're unfamiliar with what a "virtual [credit] card" is, here's the page from Privacy.com's website: https://privacy.com/virtual-card I use the Privacy app on my mobile phone to create virtual cards (primarily for work subscriptions). Pro-tip: since each Privacy card can have its own name, put a tag such as `[WORK_RECURRING]` into the card name and then you can search your email inbox for `[WORK_RECURRING]`, quickly and easily finding all of the transactions / charges that you may want to submit to your workplace for reimbursement.

Privacy is owned / created by Lithic, but if you look at Lithic's investors you'll see that the plurality of the company's investors are in the private equity or VC space: Bessemer Ventures, Tusk Partner Ventures, Index Ventures, etc. You can see the Privacy.com / Privacy mobile app's funders here: https://www.crunchbase.com/organization/lithic-pay

Thus, I have no doubt that my transactions on the cleverly-named Privacy app are being gifted or sold to Wall Street so that hedge funds can squeeze out a few additional drops of 'signal' from consumer purchase pattern data that would otherwise remain dark. (I'd imagine that many folks use the Privacy app to buy things that they'd rather not have show up on their regular credit card bills: 'adult websites', marijuana or tobacco products, etc.)

So, two questions:

(1) Does anyone have a privacy-respecting alternative to Privacy.com's virtual credit cards?
(2) Does anyone know of a recent blog post where these virtual credit card services are compared / contrasted by

- the services that they offer,
- the cost: free, paid, etc.,
- the terms of service: how your data is re-sold / who your data is transmitted to

ok_dad wrote:
I would bet that all of your electronic transactions end up in some pool of data, no matter what you try. I believe only cash at a swap meet while wearing dark sunglasses and a hat is _really_ private.

asciimike wrote:
> (1) Does anyone have a privacy-respecting alternative to Privacy.com's virtual credit cards?

Capital One offers virtual cards through Eno (https://www.capitalone.com/digital/eno/virtual-card-numbers/) that are merchant locked. They make it somewhat cumbersome to use, but I've really enjoyed using them.

It doesn't block Wall Street knowing about what you're buying, but at least it's likely got one (or more) fewer middlemen looking at all your transactions.

nubinetwork wrote:
Dupe of https://news.ycombinator.com/item?id=34469471

[deleted]

1970-01-01 wrote:
Very interesting tool. I'm going to write the canary CC onto a physical card and swipe it first when shopping. If I ever see it randomly accessed, I'll know my 2nd card (actual payment card) is burnt.

> Credit Card Rate-Limiting currently in place. Please try again later.

Maybe tomorrow.

[deleted]

rsync wrote:
Hmmm ... I like the idea but my hunch was that disposable card numbers would fail at POS because the network knows that card should never have been issued physically?

If you run this experiment, would you do a Tell HN?

DueDilligence wrote:
.. let's see .. a penny for the peep show [canary token] or a dollar for the lap dance [privacy.com]. No argument here - lap dance it is.

[deleted]

brightball wrote:
I'm really glad to see this project.
I used to do this all the time by hand when I was actively dealing with phishing sites. I'd submit credentials to the site and watch for it on our account login page to identify the perpetrator.

posix_compliant wrote:
I'm dying to know how they implemented this. In order to have Visa or MasterCard process this transaction, they'd need to have a bank partner to issue the credit card with an issuer processor. There's usually a large cost to keeping open credit cards on file, even if there's no line of credit.

jhfdbkofdchk wrote:
Only Amex at the moment.

[deleted]

edarchis wrote:
I've been trying to use this technique to alert banks (in Belgium where I live) of online fraud for a while but failed.

We are getting lots of phishing by text, email and hacked IMs. They use a bunch of redirections to get you to "login to your bank" with our security devices. In reality, they'll MITM it and transfer money to some mules.

If we could have people fill in some canary bank account that would trigger a fraud alert at the banks, we could stop those payments a lot more easily.

The banks don't really seem to care because the payments are signed with the card and PIN of the owner, so they refuse to refund it. No loss to the bank, no action. :(

ipython wrote:
Oooo. This is fantastic. I'll start using this with scam callers. Do they also give you the info on the entity that _made_ the charge?

remram wrote:
Those are free? Wouldn't those cost them something to create or operate?

detaro wrote:
The Canarytokens service is clearly more or less an advertising expense for them. People that know and use it are more likely to buy their commercial offerings.

whstl wrote:
This is a late-2000s story but: I once worked for a small-time credit card emitter and the only money leaving us was the money from the transactions themselves.
It was quite interesting, AFAIK we had a range of CC numbers that we could use, and we had to "answer" to an API call (a "lower-level webhook", it wasn't HTTP) that provided all the user data for verification, and we had to authorize in a maximum amount of time (hard real-time). The verification happened entirely on our side, so it was even possible to reuse numbers by changing the CVV or expiration date, for example. At least that was how it was explained to me, someone could chime in and correct some mistakes here! :)

This feature later enabled some banks to allow the customer to change their "credit limit" as much as they wanted, or to block/unblock the card using a toggle in the app. But "real time confirmation" wasn't possible because of the hard-real-time constraint we had. I remember we had to reply very fast at the time, and could get punished if we had too many timeouts.

This might not be the reality in every country or region, but by giving everyone a dummy credit card in those conditions, the costs would be only of servers + personnel.

Of course, a partnership with zero dollars worth of transactions would make zero sense to the partnering bank, so they would obviously complain. But this here seems to be a special case where there's a previous agreement.

DerekBickerton wrote:
This is tangential, but still related: a few years ago I could buy disposable VISA cards which were these vouchers you bought in a store and were preloaded with a fixed amount. They didn't even have to be in your legal name.

I put the numbers on e-crime forums for people to snap up, and it was funny watching what kinds of transactions were being made. Most people were using it to buy cryptocurrency.
Most of the transactions were vague though and didn't mention the merchant in question, but with a bit of digging I discovered they were so-called 'Discreet Billing' companies which are largely used for adult websites and used to mask the fact you were buying porn to people casually glancing at your CC statement.

[deleted]

voakbasda wrote:
I have wanted something like this to give to scammers, to help aid in their detection and capture. This is part of that puzzle.

Now if only law enforcement would give a shit and do something about all of the rampant fraud. Sadly, I do not believe that will ever happen.

ISL wrote:
I'm also interested in knowing which law-enforcement divisions are actively interested in taking on fraud cases -- if the community finds it, which divisions and prosecutors are fired up about chasing down online fraud?

Seems like a great way for an ambitious team to make a popular difference in the world.

lazide wrote:
Near as I can tell, a lot of the fraud is exploitation of the known and not yet solved 'remote jurisdiction' issue.

When someone is far away, and in a different jurisdiction, it's hard to track them down and do anything to them.

Not likely to get better anytime soon, unfortunately.

myself248 wrote:
I thought bounty hunters were supposed to solve that. They ignore our laws, we ignore theirs.

This leads to a hell of a dystopia, but spammers have left me no choice but to contemplate dystopias.

lazide wrote:
Bounty hunters are not really a thing in the way you're thinking - they can't just go to Japan, investigate someone, arrest them and bring back someone from there for instance. They're for returning someone already arrested who jumped bail somewhere. And they typically don't work internationally, as their legality is dubious even within a specific jurisdiction.
For something major, it's generally already possible to investigate and get someone extradited already, for instance, when the cultural gaps aren't too large and the cultures have a common agreement on what a 'major crime' is and looks like. Murder, for instance.

The issue is the bar for 'major enough' gets higher and higher the more jurisdictions/cultures you cross, and it is super easy now to scam across a large enough gap there that no one is going to arrest or participate in investigating all but the largest and most blatant scams.

Good luck getting someone arrested in Russia, Nigeria, China, etc. for wire fraud, for example.

[deleted]

derefr wrote:
You wouldn't send a bounty hunter to Japan. You'd hire a Japanese bounty hunter who operates in Japan. Or, more specifically, you'd _put up a bounty_ for someone's arrest in Japan, and one or more Japanese bounty hunters would "take on" the bounty.

Also, the goal of hiring a bounty hunter, presumably, wouldn't be to get them arrested for things that are crimes in some other country, but rather to get them arrested for things that are crimes in _their own_ country (or in whatever country they happen to be hiding in.)

lazide wrote:
This isn't Star Wars or the Wild West btw.

Bounties in the US are issued by the court. You can't issue one as a private person.

For it to be legal for a bounty hunter to do anything, they need to comply with some laws while doing it. Otherwise, it's false arrest and/or kidnapping.

Which I'm sure with some work, and a lot of money, some folks would be willing to do for you. However, I doubt it would go well for anyone, and certainly wouldn't result in the person being taken going to jail if all they did was scam someone.

Targeted international kidnapping (human trafficking?) is one of the 'quite serious' things likely to get whoever initiated it tracked down and thrown in jail though.
Near as I can tell, only the Philippines has a similar system.

It gets a lot of press and there are a lot of legends around it, but it isn't what you think.

The formal system for having someone arrested and sent to another country is extradition, and it works rather differently. It's slow, expensive, and rarely used outside of serious crimes.

Having someone arrested, tried, and penalized in another country for committing a crime against you somewhere else is also not easy.

1) often the courts in the attacker's country will say they have no jurisdiction to try them, as the crimes were committed elsewhere. This can also happen if you try it in the victim's country.

2) you run across all sorts of 'meh, don't care' issues when the attacker is bringing in good money locally and the victims are seen as 'not here/not anyone we care about'

3) good luck collecting evidence, making a case, getting them arrested, etc. in a foreign country, speaking a foreign language, with a legal system that you don't understand. It's hard enough doing it when it's local.

4) if the local legal system is known for corruption, good luck figuring out which buttons to push. The attacker almost certainly is already familiar with them.

Not impossible. But the costs can easily be > $100k, sometimes in the millions.

Hence the 'serious enough' bar too.

marcus0x62 wrote:
What would the Japanese bounty hunter arrest the person in Japan for and on whose authority?

derefr wrote:
And even if you can both track them down and hand evidence of wrongdoing on a silver platter to law enforcement in their jurisdiction, often the places these criminals operate out of were selected specifically because their justice system is corrupt and easily bribed.
Often, these fraudsters can even talk local politicians into seeing their (cover) businesses as "important local industries, employing local citizens, generating taxable income, and making charitable donations."

This is the strategy used by the harder-to-kill scam call-centres in India; certain cities in India (I believe Hyderabad?) have been repeatedly handed damning evidence of criminal acts by scammers operating there, but it gets swept under the rug every time. When a big-enough stink is made that it makes their own local news, they just give the criminals a slap on the wrist or less (e.g. an arrest on low bail that they easily afford to pay, with the case then being dropped before it ever goes to trial, as soon as it's out of the news.)

nebula8804 wrote:
The US has the power to really cause damage to India (and well any other country). They can cause a stink on the UN front and if that does not work, escalate financially like they do to countries like Iran. It's just not that important for the extremely old and corrupt leadership at the top to care about though. I suspect once someone from the internet generation takes the presidency, there will be some chance of something changing.

ocal5 wrote:
Looks neat and thanks for sharing the idea. Aren't professionals going to just discard all numbers associated with this "bank", then?

lights0123 wrote:
> Savvy attackers may start looking for patterns in the bank identification numbers (BINs) that we issue, and proactively deleting or excluding them from their dumps. For this reason we are in discussions with a number of banks to onboard their BINs to the system too, further mixing in legitimate cards with tokens.

> It's a compelling argument: "Would you like attackers to first remove your bank's cards from dumps they steal?"
ocal5 wrote:
win - win : )

philsnow wrote:
I've thought about something similar for spam calls: I can play whack-a-mole blocking individual numbers, but it won't scale fast enough and scammers will always get to me. I can rely on iPhone's "scam likely" notification and just not answer those, which helps.

If the latter (and whatever similar feature Android has) were somehow perfect, scammers would have a bad time. But.. if they convinced (paid) some (more-)legitimate companies to have their outgoing calls show up as the same number as the scammers use, people would eventually learn that they have to pick up scam calls or else miss calls from their bank/pharmacy/whatever.

detaro wrote:
Many canaries are avoidable if you pay perfect attention - but people slip up, and even if they don't, paying perfect attention does increase the cost for the attacker. (And e.g. throwing out all Amex corporate credit cards (one example of the "banks" they use) as you suggest does reduce the value of stolen data too.)

lazide wrote:
Also, attackers who are so diligent could often make more money not doing criminal things.

xeromal wrote:
That sounds like a feature rather than a bug.

(page generated 2023-01-22 23:00 UTC)