Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
MageCart Launches Customizable Campaign
Newest First  |  Oldest First  |  Threaded View
OSUJJONES
OSUJJONES,
User Rank: Apprentice
7/2/2019 | 12:20:49 PM
Re: Card Validation
www.SourceDefense.com has come up with a unique way to solve this problem by taking away DOM access to the supply chain.  By doing this you can no longer insert anything on to the browser which elimitates the Magecart attack at the browser level which is the flaw and how these attacks happen.  V.I.C.E. is the name of the technology and is worth looking into if you are concerned about Magecart or really anyone having access to your customers data at the browser both credit card as well as privacy information.   
tdsan
tdsan,
User Rank: Ninja
6/30/2019 | 2:39:56 PM
Re: Card Validation
I do apologize if I was not clear, I was saying from a hypothetical standpoint, if we put together a DB that is populated from the various banks and credit card agencies, we could stop the fraud at the very beginning. The dark we was presented only to provide insight that this can be done, we could even use their model as a way of creating something that spans multiple banking organizations (across the globe).

Todd
RyanSepe
RyanSepe,
User Rank: Ninja
6/30/2019 | 10:31:41 AM
Re: Card Validation
Ah ok so your reference was to the dark web. Makes sense. For this to become more operational a DB to pull directly from the Dark Web stolen credit cards would need to be created. This has its own inherent risks.

Would be a nice lot of information to thave though.
tdsan
tdsan,
User Rank: Ninja
6/30/2019 | 8:17:25 AM
Re: Card Validation
Currently, a legal DB does not exist (most are found illegally), this was more of a hypothetical (this was more a question to the group); if something like this did exist, then we could query this data to help identify fraud before accepting the stolen credit card application (cutting them off at the pass).

However, there are databases on the web with stolen credit cards, this is part of the dark web:

https://miro.medium.com/max/700/1*TGI_cGlmblJk4UemaYFqYA.png

RyanSepe
RyanSepe,
User Rank: Ninja
6/30/2019 | 7:46:45 AM
Re: Card Validation
Database of Stolen cards. Just curious, does this actually exist? I hadn't heard of an agnostic list of confirmed stolen credit cards.

Regardless, if it does exist it would be a race condition from when the card was stolen and when it was added to the database. If the malformed checkout form was sent before the DB add then there would be no checks against it.
tdsan
tdsan,
User Rank: Ninja
6/29/2019 | 9:26:43 AM
Card Validation
One of the campaign's unique qualities, according to Fortinet's report, is that the software injects a fake card payment form on a targeted Web page and skims a victim's entered card information, whether or not the page is a checkout form. This means the skimmer can be brought into the customer experience much earlier.
  • Wouldn't it be prudent to check if the card has been stolen by querying a database of stolen cards submitted by the bank or card processing companies? This would reduce the use of stolen cards and mitigate this fraudulent activity.
  • Also, if a fake card form is submitted, shouldn't that form be held up during the approval process before it goes to the next step or remain external to the organization until the form's information has been verified (text or phone call)?

Just curious.

Todd


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Practical Network Security Approaches for a Multicloud, Hybrid IT World
The report covers areas enterprises should focus on for their multicloud/hybrid cloud security strategy: -increase visibility over the environment -learning cloud-specific skills -relying on established security frameworks -re-architecting the network
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-30333
PUBLISHED: 2022-05-09
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
CVE-2022-23066
PUBLISHED: 2022-05-09
In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to tra...
CVE-2022-28463
PUBLISHED: 2022-05-08
ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
CVE-2022-28470
PUBLISHED: 2022-05-08
marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.
CVE-2022-1620
PUBLISHED: 2022-05-08
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.