RANT: Credit card Fraud

rpghost said:
For what it matters here are the IP's I've tracked this guy using:

80.88.146.161
192.116.107.63
192.116.121.165
81.199.83.38
213.255.199.4

Since he always seems to use an amount over $1000 I just changed my checkout system to prevent anything over that amount from completing... he has tried to hack some more- but nothing has gone through in 2 days, so I think I'm "winning". But now I'm off to GenCon and who knows what he'll try or think of while I'm gone. I'm going to have to find internet access...

James

Hey James,

Not sure if this will help or if it is even worth looking at or valid but that 192. IP address you listed is the router gateway IP for Linksys DSL/cable routers. They all start 192.1XX as far as I know.

I hate hackers and thieves!!!! They always have some stupid justification for what they do too which makes me even more angry.
 


James,
Not that it helps much but there are measures you can take with most cvs services to stop this kind of abuse. You could also put trackers in that only allow the same IP to complete a sale x times per day and only every y minutes.

He is using an IP spoofer, you could grab a program that will catch most spoofers and if someone is running one you can stop them from using your store.

You can also track IP v CC# and if two come in flag the order so it needs your approval before being sent to the cvs.

Basically you can catch a lot if instead of going directly to cvs you go order form --> your program (if your program passes) --> cvs.
 

Yeah, I've been building up the security on our checkout system. Since we do our own SSL connection now I can have control over some things. Like I could block repeated IP's ordering too many times. That's a very good idea. But he always uses a different credit card number, which is why I believe it's a program doing the random generation of card numbers and somehow validating them.

For the most part he's been "stopped" but they can be creative and I fully expect he'll find some other way to abuse us/me... so I just hope that's not while I'm at GenCon.

What a load of fun. Not.

James
 

Huh, this is all I could find..

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL



Chris
 

RIPE NCC is an upstream provider to ISPs and large corporations, at least according to their website. All three of the non-internal (192.xxx.xxx.xxx) IP addresses trace back to an unidentified node of their network in Lagos, Nigeria, so I am almost certain they are spoofs. (Not to mention the fact that all three trace back via different, and very circuitous, routes.) ISPs never use 192.xxx.xxx.xxx addresses for their clients.

Unfortunately, this means that you cannot even contact the person's ISP and get him off your back that way (ISPs tend to take hacking and fraud *very* seriously)...

I wish I had a suggestion, but it looks like folks here have already made more than I could think of. Tighten your security, keep logging those IPs and hope he slips up...

[Deletes long rant about the differences in attitude between Europe and the US before posting.] No point in offending anyone. :)
 

Re: Re: Re: RANT: Credit card Fraud

rpghost said:


You don't have a choice. They take it out of your account. Besides, if I prevented it, they'd cancel the merchants account and I'd lose 75% of my business. Not an option.

They have you over a barrel and know it. They are like vampires just leeching away at my life.

Since I have to deal with 100's of orders a day with RPGShop/RPGMall/RPGNow there is no way to manually verify them all. RPGShop in fact does require us to see an ID and the CARD before an order is approved- boy do I get crap from customers about that. RPGNow (since it's electronic product only they can't fence the stuff) doesn't require this and has this and until recently hasn't had much fraud. But the addition of the TSR products and our growth is changing that.

James

Banks are companies too.

Given the steady number of transactions (possibly with money changing for foreign orders), you are a good client.

You should really try to consult other banks (and possibly foreign ones, if it is legal), and try to transfer your account (or just reduce your account to zero in the old bank, and to not use it at all after).
 

rpghost said:
Like I could block repeated IP's ordering too many times. That's a very good idea.

Thank You

But he always uses a different credit card number, which is why I believe it's a program doing the random generation of card numbers and somehow validating them.

This is very possible. Credit card numbers (all of them) are generated with an algorithm, so you can have any program use that algorithm to generate "valid" card numbers. Here is the Perl code to reverse engineer a number and see if it's a valid cc number:
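Code:
# Luhn check: returns 1 if the check digit is consistent, 0 otherwise.
sub ValidCardNumber($)
{
  my($number) = shift(@_);
  my($temp, $i);
  my $total = 0;
  # Walk every digit from the rightmost down to index 0.
  for($i=(length($number)-1);$i>=0;$i--)
  {
    # Counting from the right, the check digit and every second digit after it
    # are added as-is; the digits in between are doubled.
    if(($i%2) != (length($number)%2)) {$total += substr($number,$i,1);}
    else
    {
      $temp = (substr($number,$i,1) * 2);
      # A doubled value of 10 or more contributes the sum of its two digits.
      if($temp >= 10) {$total += ($temp%10) + 1;}
      else {$total += $temp;}
    }
  }

  if(($total%10) == 0) {return 1;}
  else {return 0;}
}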

I wrote that and I was able to do that because the algorithm is freely published. However, it would be just as easy to write a cc# generator that works the other way too.

If you can't tell I have programmed A LOT of web stores. Here are some of the security measures that I take with them.

1) You must register in order to purchase something.
2) You must use a registered card in order to purchase. i.e. a card whose information you have stored in our database outside of ordering program.
3) You can only have three registered cards. Use that up and need another one you've got to call and talk to a person to get the cards taken out of the database.
4) A customer can only place 1 order every 10 minutes.
5) An IP cannot use more than 3 different cards in the same day. (of course this is unnecessary if you use #1 & 2)
6) An IP detectable as spoofed (i.e. 192....) is not allowed to access the store.

I can honestly say that I have never had one of my stores abused in the manner that you are speaking of by using these methods. I use all of them that can be used together on every store. Sure it takes time, but it beats a script kiddie hacking me.

For the most part he's been "stopped" but they can be creative and I fully expect he'll find some other way to abuse us/me... so I just hope that's not while I'm at GenCon.

I would be more than happy to offer my services to you to keep an eye on things while he's away. I know you don't know me but I am a professional web developer. If you're interested contact me off the boards at tomender@ptd.net
 
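The "order form --> your program --> cvs" gate described in this thread, as an added example that is not code from any poster: it applies the one-order-per-10-minutes and three-cards-per-IP-per-day limits and holds a second card from one IP for manual approval. The class, function and result names, the in-memory tables and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

ORDER_GAP_SECONDS = 10 * 60    # one order per customer every 10 minutes
MAX_CARDS_PER_IP_PER_DAY = 3   # at most 3 different cards per IP per day
DAY_SECONDS = 24 * 60 * 60
FINGERPRINT_KEY = b"constructed-demo-key"  # assumption: real key lives in a secret store


def luhn_ok(number: str) -> bool:
    """Check-digit test only: generated numbers pass it, so it is just a typo filter."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class OrderScreen:
    """Sits between the order form and the card processor."""

    def __init__(self):
        self.last_order = {}                    # customer -> time of last screened order
        self.cards_by_ip = defaultdict(deque)   # ip -> (time, card fingerprint) entries

    def check(self, customer, ip, card_number, now):
        if not luhn_ok(card_number):
            return "reject:bad-check-digit"
        last = self.last_order.get(customer)
        if last is not None and now - last < ORDER_GAP_SECONDS:
            return "reject:too-soon"
        # Keyed hash, so the velocity table never holds the card number itself.
        fp = hmac.new(FINGERPRINT_KEY, card_number.encode(), hashlib.sha256).hexdigest()
        seen = self.cards_by_ip[ip]
        while seen and now - seen[0][0] >= DAY_SECONDS:
            seen.popleft()                      # forget entries older than 24 hours
        seen.append((now, fp))
        self.last_order[customer] = now
        distinct = {f for _, f in seen}
        if len(distinct) > MAX_CARDS_PER_IP_PER_DAY:
            return "reject:too-many-cards-from-ip"
        if len(distinct) > 1:
            return "hold:manual-approval"       # second card from one IP: a person decides
        return "forward-to-processor"
```
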

Europe Better?

Don't bet on it.

In my real job at eAbsinthe.com we get burnt every now and again on credit card fraud, and we're just as out of pocket...

I can't see any difference being this side of the pond. The credit card companies just lump the whole matter plus expenses on the shoulders of the merchant, then make a big deal to the public about how they will not lose money on a fraudulent transaction on their card -- damn right they won't!
 

OK, you've had advice from the professionals, let me throw down my 411 on some things.
In this advice, I am not affiliated with anything but me, Timothy Willard, and I doubt anyone else would approve.


Number One: Hire a counter hacker. Some of them will work for D&D swag, others only for cash. That will help. Have him counterstrike with viruses, tear the hacker's precious system down. A favorite is to kill the fans and disable the temperature monitors. Or just delete the bastard son of a misbred donkey's drives.

Number Two: Get in contact with some guys that cruise the net that are available for hire. merc.net is down, so you might have to do some looking. Contract yourself out some muscle nearby the hacker, and have his arm broken. Do this two or three times, to two or six hackers, and your site gets left alone. I'm not talking a crack, I'm talking a greenstick fracture and broken thumbs, with maybe a splitting maul taken to his equipment. Even if it is a student in JR or SR HS, your hacker can adjust things and get him flunked, academic probation, etc.

Number Three: Contact your government representative to change the laws. You're getting screwed, in a quasi-legal manner, get ahold of a lawyer, and your government representative, and find out what sledgehammers you can get ahold of to bring to bear against your corporate opponents.

Number Four: Keep on the FBI/Interpol. Keep bugging them until they move on the case. If you just complain and don't follow it up, they ignore your complaint. Overseas and US Laws are cracking down harder and harder.

Number Five: Beef up security and make "Orders Must Be Validated" code in your online ordering. Let the consumer know that it is to prevent credit card fraud. To increase consumer confidence, have a page that lists the ones that got through, and the ones that were stopped.

Number Six: Some people only understand physical violence, and direct action. They hold the law in contempt, and the rules of society in disregard, and think themselves beyond such petty things as laws and getting touched. They feel that the law cannot touch them, and the internet makes them invulnerable. Have their legs or arms busted. Eventually, hackers would rather try busting into Interpol than hitting your site. Do this through cutouts, intermediates and controls. It might take some tavern talk to understand how to do this, but people out there know how to do it, and how to handle it.
 

