114 Comments
- rocketrye12, on 10/12/2007, -5/+101
  "would you like a smiley with that?"
- Cglass, on 10/12/2007, -7/+76
  Dude I'm sorry, the boss just told me to send it over aim, chill out, it's so fast there's no way anyone saw it.
- Crossmenjeff, on 10/12/2007, -5/+68
  His first mistake was him buying Magic: The Gathering cards.
- msgyrd, on 10/12/2007, -4/+66
  Ned Flanders, is that you?
- breakaway, on 10/12/2007, -5/+52
  "Then I would possibly have had them charged with fraud."
  Only in the USA.
- gamerzworld, on 10/12/2007, -5/+50
  Here is a copy of the IM session:
  Main HQ: yea lolz, we need to send you a card swiper lolz
  Clerk: yea lolz
  Clerk: we have a customer with a credit card
  Main HQ: ok, just type the info over the chat...
  Clerk: ok here is the information lolz
  Clerk: [Information]
  Main HQ: how much money should we charge?
  Clerk: the price of the product is 10.00 but let's charge a couple of thousand in extra expenses.
  Main HQ: ok lolz
  Main HQ: ok lolz it went through
  Clerk: great! lolz! we're rich! stupid n00b gave us his credit card numbers!
  Main HQ: yea lolz
- osc1882, on 10/12/2007, -0/+38
  As soon as I saw the AOL screen the words would have been "aw hell no!"
  You're using this to send my info? I'm no longer buying here.
- serra, on 10/12/2007, -4/+40
  How would people get the information and how easy would it be to get it? Are there people out there scanning all of these little stores' lines for info like this? It wouldn't personally bother me to have someone do this same thing to me, really. Hell, anyone from anywhere could steal your information, without it even being internet related.
  I work for Amazon.com in customer service and have people give their full credit card info to me all the time to place online orders for them, just to show what people will give to anyone, especially if they aren't "internet savvy". One of our customers called in and let us know that someone had stolen his card info while he was at a restaurant; the waiter that took his card to go take care of the bill also wrote down all of the information and then used it to buy stuff with.
  So when people start screaming "Omgz It's not encrypted!" I start to wonder about their other activities that involve their credit cards. Basically, I think that there is more of a chance of some crooked waiter or online customer service person stealing card info than someone out there doing whatever they have to do to intercept messages on messenger (or anywhere else online).
  You can digg me down all you want, but I think that if you educate people like me on this, and people see the replies, then maybe you can convince some of us otherwise on exactly how dangerous something like this could be.
- Takteek, on 10/12/2007, -8/+42
  What?! No duggmirror link?! Fine, I'll type it myself
  http://duggmirror.com/security/Credit_Card_Information_Sent_Over_AOL_Instant_Messenger_w_pic_of_receipt/
- sabster, on 10/12/2007, -7/+33
  I wouldn't be surprised if AOL secretly saw that information being sent and added you to their spam list.
- daverp, on 10/12/2007, -1/+27
  "I have no remorse for the clerk or the store, which is why I waited to share." ???
  He had "no remorse" and still waited 2 years to post.
- TimDub, on 10/12/2007, -7/+32
  Even if it were encrypted, I would still cancel my card. Right after I told this clerk, and his manager, and everyone else in the store, just how incredibly ***** careless that is. Then I would possibly have had them charged with fraud.
  Can anyone tell me what and where this store is, so that I may avoid it and all affiliates?
- spvaland, on 10/12/2007, -4/+28
  They must have been out of Yu-Gi-Oh! cards.
- epiccollision, on 10/12/2007, -2/+21
  which the article clearly answers...RTFA!!!!
- jonester, on 10/12/2007, -5/+23
  Wow... what advanced technology... my business uses a swiping machine... we better get up with the times.
- eridius, on 10/12/2007, -1/+16
  The difference here is when you give your card to someone, you know you did that. They can be held accountable later. But if you send your information unencrypted over the 'net, persons completely unknown to you could be listening in and take it, at which point you have nobody to hold accountable for stealing your information.
- Dot.Com.CEO, on 10/12/2007, -0/+14
  "It's a word us people who speak the English language correctly use."
  Please allow me to imbibe your comment with much needed flair and, in the meantime, correct its many style and grammar errors:
  It's a word that we, people who correctly use the English language, use.
  And no, it's not.
- NeedleGuy, on 10/12/2007, -0/+14
  "I have no remorse for the clerk or the store, which is why I waited to share."
  huh?
- david76, on 10/12/2007, -1/+12
  This reminds me of when we bought our Christmas tree this year. We paid with a credit card and so the cashier proceeds to call in the credit card information to their central office. Not a big deal. Then, after getting the authorization code from VISA, she proceeds to write down all of the card information on a slip. Then she flips the card over and writes down the CVV number. I looked at her and said "Uh, you're not supposed to write down the CVV number, and certainly never with the card information." She just said "Well, that's what I was told to do." I was going to explain further, but figured she probably wouldn't understand my explanation of how you don't need the address or CVV information after you do a pre-authorization. I just asked her to make a note on the receipt to have it destroyed when they did the final authorization.
- browwiw, on 10/12/2007, -0/+9
  On the flip side, the manager at the comic book store I frequent is always complaining about how the store owner upgrades the credit card machine every few months to stay up with the latest security tech. Every three months he has to learn how to operate a new machine.
- Domza, on 10/12/2007, -1/+10
  he might mean "resentment"
- boberto, on 10/12/2007, -0/+7
  "When I called the bank, the guy on the phone was laughing hilariously."
  This guy has a knack for using the wrong words. (Hysterically)
- mrthebunny, on 10/12/2007, -0/+7
  My guess is that he used the incorrect word in the article. He seems to know the manager. What he really meant, I guess, is that he has no resentment against them...
- zlintux, on 10/12/2007, -2/+8
  Fraud wasn't committed ... how did they defraud?
  Depending on the state, they may have broken laws with regard to requiring payment information to be encrypted and the like. The proper course of action would be to talk to them about it, and, if you felt that to be unproductive, contact your state's attorney general.
- fjc8, on 10/12/2007, -0/+6
  I wonder how much this transaction complies with the credit card companies' merchant guidelines/rules.
  http://usa.visa.com/download/business/accepting_visa/ops_risk_management/rules_for_visa_merchants.pdf
  http://www.mastercard.com/us/wce/PDF/10071_MasterCard_Merchant_Rules.pdf
- mikeod, on 10/12/2007, -0/+6
  Flagging as lame. This guy made it up. Who the hell waits two years to post something like this? I call shenanigans.
- LiquidPenguin, on 10/12/2007, -0/+6
  @david76
  Recording credit card information with address and the CVV is outright illegal. The law also applies to specific combinations of checks and drivers licenses along with your CC. I'm not certain, but I believe it's on a state per state basis. There are some exceptions to this. For instance, some areas of the law allow companies to record only as much information as required to complete the transaction. There's also a stipulation that allows a merchant to record your address _if_ it is already imprinted on your CC (most CCs don't do this anymore, AFAIK). For instance, if I walk into a store and pay with a credit card for merchandise I'm bringing home that minute, the store is not allowed to obtain or record my address. However, if I walk into that same store to buy merchandise and want it delivered to my home, then they are allowed to record my address. The same rules apply to online stores and over the phone transactions.
  In essence, for a basic CC transaction, the CC has all the information required to complete that transaction, nothing more.
  If you wish to read up more on it: http://www.google.com/search?hl=en&lr=&q=California+Civil+Code+1747.8
  That's specific to California, I don't know how the law is applied in other states. So you might want to look into it. If the merchant was here in CA, you can rake their asses over hot coals.
- geowrian, on 10/12/2007, -2/+8
  "If there's no signature, you just have to call the credit card company when you receive your statement and tell them that there are charges that you did not authorize."
  That's only for type 1 (POS) transactions...the ones where you need to physically see or swipe the card. Type 2 transactions, like over-the-phone and Internet transactions, do not require a signature (obviously). If anybody got the guy's CC information, they could easily do any type 2 transactions. You can dispute it with the credit card company or the company that charged it and usually win, but that's no guarantee. Legally, YOU need to prove that you didn't authorize the charge, they don't need to prove that you did. If they deny your dispute, then you're screwed and kiss your good credit rating goodbye.
- awhiteflame, on 10/12/2007, -7/+12
  Not if it's under $50 or something like that. No signature is required for those purchases anymore.
- inactive, on 10/12/2007, -1/+6
  @serra Packet sniffing only requires having a computer on the same network with the NIC configured a specific way to record the contents of all TCP/IP packets that go over it. Save the logs and you can go over them at your leisure.
- hayseed, on 10/12/2007, -2/+7
  Pic of the people involved in this story: http://cbg.nohomers.net/bio.htm
- takeda, on 10/12/2007, -0/+4
  Heh, I was at one company, and I asked for a folder to keep all my papers together. When I got home I noticed there was somebody's credit card number and expiration date written on it :)))
  I guess somebody used it while getting information over the phone.
  People are so careless....
- inactive, on 10/12/2007, -0/+4
  It is worse, because if all the channels are encrypted, if something screws up, you know exactly who to blame.
  If the guy sent it over unencrypted AIM, hundreds of hackers could have _known_ about the store's practice early in advance and be sitting there sniffing for it.
  Unencrypted sniffing is easy. God help them if they were using it over wireless too. I had a friend who set up this box in my dorm that would sniff everything on wireless and display any unencrypted JPEG data that was picked up. Wonderful watching what people were looking at.
- epiccollision, on 10/12/2007, -0/+3
  and can you tell them how different proprietary encryption schemes don't have to show up as HTTPS....
- digitarius, on 10/12/2007, -0/+3
  He didn't "continue" the transaction if you RTFA. The information had already been sent when the clerk let him see the history window.
- xanderjobe, on 10/12/2007, -2/+5
  Jesus H. Christ... I think that I would have raised hell when the clerk showed me the monitor, but then the hand-written receipt.
  scams FTW!
- serra, on 10/12/2007, -1/+4
  @eridius: True, but still, the end effect is the same. You can cancel the card, you won't have to pay the charges. Just because you don't have anyone to hang for it doesn't mean that you will be damaged by it. Yeah, it sucks that you don't know who the guy is so you can stop him, but still, you can get out of the charges incurred and the guy will eventually get caught anyway. But yeah, I agree it would be nice to know who did it so they could go to prison.
  The point is the danger of info going out unencrypted, not what will happen to the person who did it or who the person was.
- fittysix, on 10/12/2007, -0/+3
  It is entirely possible that this was some sort of VPN internal webpage.
- twistymcgee, on 10/12/2007, -0/+3
  What I don't understand is why we have PIN numbers for bank cards but not credit cards. Credit cards should all require a PIN number. The other number on the card doesn't really solve the problem because it's on the card. A PIN number like that of a bank card is something undocumented that only you know (as long as you don't give it out to someone else, that is). Currently, just having the card number is enough to make purchases.
- inactive, on 10/12/2007, -0/+3
  Buying Magic cards, you deserve something like this.
- inactive, on 10/12/2007, -0/+3
  YES, I think they are sniffing next to the shop. Especially if they know the shop does that. If I were a crook, the first time I saw an AIM screen, I wouldn't be saying anything, I'd just quietly leave and then packet sniff.
  It's a ***** common problem these days.
- Foma, on 10/12/2007, -0/+3
  However those things might be accomplished, the haystack would definitely get a lot smaller by someone knowing that this particular store does this for every credit card transaction. Judging by the anecdote, it sounded like it was a common occurrence to show customers the computer screen, which means that the AIM screen names involved are easily visible.
- Kevin108, on 10/12/2007, -0/+2
  A grown man walks into a store and buys Magic: The Gathering cards. What did he do next, go home and watch Pokemon while getting ready for his POGs tournament? This guy is a ***** loser!
- shutupanddie, on 10/12/2007, -2/+4
  It doesn't even have to be used by someone else, they're already in violation of a newish consumer protection act. Can't remember the exact bill though. I think it may be the Bankruptcy and Consumer Protection Act.
  I'm fairly sure it violates their card processor regulations as well. Not that Visa really has the balls to do anything about it.
- GreatBug, on 10/12/2007, -0/+2
  aimencrypt is nearly worthless. Using the files provided by aimencrypt is like locking your door with a key that anybody can pick up for free at the corner store.
  Generating your own encryption keys is not difficult, and will actually provide feasibly uncrackable encryption.
- serra, on 10/12/2007, -0/+2
  @iamshades: Yes, I am aware of the other scams, such as phishing. But I'm talking about how exactly these people know where to look to get the info over instant messenger or something such as that. I know that most real sites like the major online retailers and PayPal are encrypted, but let's just talk about instant messenger and unencrypted email.
  How do the people know where to look? What do they have to do to see that specific information? Basically, out of all the info out there, how would they know to look in that certain spot for that specific info? I don't know how that crap works, since I'm not a scammer, but am curious as to how they would find it. I would say it would be like finding a needle in a haystack... and not in the MythBusters kind of way either!
- sitharmy, on 10/12/2007, -0/+2
  My favorite part was that the receipt wasn't even written on blank paper, it's the back of a tournament flyer (look closely).
- cynicist, on 10/12/2007, -0/+2
  @superpotential
  It's called Driftnet, and yes it's very fun :D
  http://www.ex-parrot.com/~chris/driftnet/
- mspencer712, on 10/12/2007, -0/+2
  I work for a credit card processing company. We help merchants process cards and get paid for their sales -- we don't create cards for customers to use.
  If the merchant is doing this -- sending full card details over an unencrypted TCP connection via the public Internet -- they are in violation of Visa/Mastercard regulations. The merchant could be fined, but at the very least, the merchant's processor should be warned so they can educate their merchant.
  If the cardholder AND the cardholder's issuing bank really want to press the issue, the bank could send a 'secret shopper' to the merchant and confirm they are doing this. They could then file a compliance case against the merchant. That would notify the processor about what the merchant is doing, and probably cause either the processor or the merchant to have to pay a fine and/or have a site security audit done.
  (There are 'levels' of merchants, as defined by a merchant's annual transaction volume. Really huge merchants are 'level 1'; they do a massive volume of sales each year, so if they have a security problem it's a big deal. So they are required to complete regular security audits, and if they are cited for noncompliance the fines are pretty big. Small merchants -- pretty much any mom-and-pop -- are 'level 4'. Their processor decides whether or not we need to make them perform a site security audit and certify that they are compliant. If a merchant is found to be noncompliant, as this one allegedly is, then things change and they have to have a security audit done and must show compliance.)
  For Visa, the regulatory requirements that apply here (Visa CISP, Cardholder Information Security Program) can be found at: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
  For Mastercard, the regulatory requirements that apply in this situation (Mastercard SDP, Site Data Protection) can be found at: http://www.mastercard.com/us/sdp/index.html
  ---OK, now I'm taking my company hat off. This is just me talking now. The following comments are my own opinion, and may or may not be the opinion of my employer.
  Just because we have a hand-written receipt doesn't mean this story really happened. Many merchants use small electronic credit card terminals, and these terminals sometimes break. Many merchants also don't bother to buy one of those manual card imprinters ("knuckle-busters") to use in case their system can't print receipts. So this seems like an understandably sloppy hand-written receipt. It seems plausible to me that this merchant really didn't do this instant-messaging thing, but they did write a hand receipt.
  Also, if the merchant was using something like Trillian's "secure IM" AND if they have chat logging turned off, then there's probably no security risk at all. They would even be PCI-compliant in that case, if Trillian's secure-IM works the way I think it does. Note that this isn't official, and I've never seen any kind of instant messaging, secure or not, mentioned anywhere.
- joshduck, on 10/12/2007, -0/+2
  I visited the brick-and-mortar shop front of an eBay store I'd bought from. They looked to have their stuff together until I noticed the receptionist had a piece of paper next to her desk with CC numbers/expiries etc. written down. It was a big list too, and obviously how they handled all phone payments. I was left alone in the front room for large periods of time while waiting for my order, and it would have been trivial to take or even photograph the list.