Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
MageCart Launches Customizable Campaign
Newest First  |  Oldest First  |  Threaded View
OSUJJONES
100%
0%
OSUJJONES,
User Rank: Apprentice
7/2/2019 | 12:20:49 PM
Re: Card Validation
www.SourceDefense.com has come up with a unique way to solve this problem by taking away DOM access to the supply chain.  By doing this you can no longer insert anything on to the browser which elimitates the Magecart attack at the browser level which is the flaw and how these attacks happen.  V.I.C.E. is the name of the technology and is worth looking into if you are concerned about Magecart or really anyone having access to your customers data at the browser both credit card as well as privacy information.   
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 2:39:56 PM
Re: Card Validation
I do apologize if I was not clear, I was saying from a hypothetical standpoint, if we put together a DB that is populated from the various banks and credit card agencies, we could stop the fraud at the very beginning. The dark we was presented only to provide insight that this can be done, we could even use their model as a way of creating something that spans multiple banking organizations (across the globe).

Todd
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2019 | 10:31:41 AM
Re: Card Validation
Ah ok so your reference was to the dark web. Makes sense. For this to become more operational a DB to pull directly from the Dark Web stolen credit cards would need to be created. This has its own inherent risks.

Would be a nice lot of information to thave though.
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 8:17:25 AM
Re: Card Validation
Currently, a legal DB does not exist (most are found illegally), this was more of a hypothetical (this was more a question to the group); if something like this did exist, then we could query this data to help identify fraud before accepting the stolen credit card application (cutting them off at the pass).

However, there are databases on the web with stolen credit cards, this is part of the dark web:

https://miro.medium.com/max/700/1*TGI_cGlmblJk4UemaYFqYA.png

RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2019 | 7:46:45 AM
Re: Card Validation
Database of Stolen cards. Just curious, does this actually exist? I hadn't heard of an agnostic list of confirmed stolen credit cards.

Regardless, if it does exist it would be a race condition from when the card was stolen and when it was added to the database. If the malformed checkout form was sent before the DB add then there would be no checks against it.
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/29/2019 | 9:26:43 AM
Card Validation
One of the campaign's unique qualities, according to Fortinet's report, is that the software injects a fake card payment form on a targeted Web page and skims a victim's entered card information, whether or not the page is a checkout form. This means the skimmer can be brought into the customer experience much earlier.
  • Wouldn't it be prudent to check if the card has been stolen by querying a database of stolen cards submitted by the bank or card processing companies? This would reduce the use of stolen cards and mitigate this fraudulent activity.
  • Also, if a fake card form is submitted, shouldn't that form be held up during the approval process before it goes to the next step or remain external to the organization until the form's information has been verified (text or phone call)?

Just curious.

Todd


COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13757
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
CVE-2020-13758
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
CVE-2020-9291
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
CVE-2019-15709
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
CVE-2020-13695
PUBLISHED: 2020-06-01
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.