Re: Dear Linkedin,
On 6/8/12 16:05 , Alec Muffett wrote: Does anybody have a good URL explaining that idea? It's been kicking around for many years. I've never seen a convincing writeup.

I've tried to do that in another mail - it's in the realms of philosophy more than strategy; like if you're a really security-aware person and take great care you can probably stretch the useful life of a password out to _years_ - but how typical are *you* in that instance?

I have a slide in a presentation I give about once a year that goes something like:

How good does a password/phrase have to be in order to protect against brute-force or dictionary attacks against the password itself?

● Entropy in language.
  – A typical English sentence has 1.2 bits of entropy per character; you need 107 characters to get a statistically random md5 hash.
  – Using totally random English characters you need 28 characters.
  – Using a random distribution of all 95 printable ASCII characters you need 20 characters.
● Observation: good passwords are hard to come by.

Does your bank request/require that you change the PIN on your ATM card every few months?

ATM cards are not passwords, they are a coarse form of two-factor authentication - You have the card, you have the PIN. You have to possess both in order to transact - at least in theory. Compare that with the secrecy surrounding the CVV - the last three digits on the number on the back of the card which you are not meant to tell anyone and which _will_ be different if your card is lost/stolen and reissued. Now _that_ is a password.

Security is a tradeoff. I think there are two cases for passwords. I'll call them important and junk. I'm willing to store the junk ones in a file or piece of paper that I'm careful with. I have to memorize the important ones.

You know, that's not bad. I am pro-paper for long passwords. I am even-more pro password safes.

I'm only smart enough to memorize a few good passwords. If I change them every few months, they will be less good, or fewer of them. It's harder as we get old.

Use technology to aid with the heavy lifting. :-)

-a
RE: Dear Linkedin,
On 6/10/12, Joel jaeggli joe...@bogus.com wrote:

How good does a password/phrase have to be in order to protect against brute-force or dictionary attacks against the password itself?

● Entropy in language. A typical english sentence has 1.2 bits of entropy per character, you need 107 characters to get a statistically random md5 hash. Using totally random english characters you need 28 characters. Using a random distribution of all 95 printable ascii characters you need 20 characters.
● Observation, good passwords are hard to come by.

I don't disagree, except regarding dictionary attacks. If the attack isn't random then math based on random events doesn't apply. In the case of a purely dictionary attack if you choose a non-dictionary word and you are 100.000% safe. :)

John

John Souvestre - New Orleans LA - (504) 454-0899
Re: CVV numbers
On Jun 9, 2012, at 1:36 PM, Jay Ashworth wrote: - Original Message - From: Owen DeLong o...@delong.com How does having the CVV number prove the card is in my possession? I have memorized the CVV in addition to the 16 digits of the cards I commonly use and routinely enter them into online ordering without retrieving the card. What prevents a fraudster from writing the CVV down along with the other card data? Nothing, but lots of fraud scenarios don't involve a bad actor taking physical possession of your card: magstripe skimmers and charge-slip carbons being only 2 off-hand examples. Clearly, the percentage of fraud it blocks is more than the amount it costs.

The skimmers can use CVV1 and bypass the CVV2 protection in most cases (though that requires them to gen up a fake or fraudulent card and do card present transactions which does add risk for them). I haven't seen a charge slip carbon in so long that I find it hard to believe these would remain a significant factor today.

It costs almost nothing, so a few fraudulent transactions blocked is probably enough.

That doesn't change the fact that I believe there have to be more effective methods that wouldn't cost much more.

Owen
Re: Dear Linkedin,
- Original Message - From: Barry Shein b...@world.std.com A friend would print in block letters in the sig area of his credit cards ASK FOR PHOTO ID. He said that almost always cashiers et al would give a cursory glance like they were checking his signature and say thank you and hand him back his card. This seems like an altogether excellent time to haul out *this* old chestnut: http://www.zug.com/pranks/credit/ FWIW, My cards have always said SEE ID, and I get about a 40% or so hit rate on that. It's been odd recently, cause I sometimes forget, and the privacy reflex kicks in and makes me want to say Why?? :-) If your card is not signed, your card is invalid and should not be accepted by any merchant. http://www.mastercard.com/us/merchant/pdf/MerchantAcceptanceGuide_Manual.pdf Page 8-2; Unsigned Credit Cards. VISA has similar requirements. Writing SEE ID in the signature panel primarily makes your card invalid *unless* your signature is also present. One of the design goals of the V/MC system is that a cardholder is not supposed to need anything other than their card and the ability to sign. The comparison of the signature provided to the card signature is supposed to be one of the primary ways to validate a cardholder, but of course these days, most vendors are lazy and don't. In fact, one of my favorite abusive merchant practices, trying to require ID, is expressly prohibited: http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf Page 5-14, sec. 5.8.4, Additional Cardholder Identification. They're allowed to ask, you're allowed to refuse, and absent a good reason, they're not allowed to refuse your transaction. Now, if your signature doesn't match or something else is particularly fishy, yes, then they should require it, but they cannot require it by default for all transactions they process. That and a minimum charge are among the two most common merchant violations I see. For MasterCard violations, report them! 
http://www.mastercard.us/support/merchant-violations.html ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Our first inbound email via IPv6
Livingood, Jason jason_living...@cable.comcast.com writes: In preparation for the World IPv6 Launch, inbound (SMTP) email to the comcast.net domain was IPv6-enabled today, June 5, 2012, at 9:34 UTC. Roughly one minute later, at 9:35:30 UTC we received our first inbound email over IPv6 from 2001:4ba0:fff4:1c::2. That first bit of mail was spam, and was caught by our Cloudmark messaging anti-abuse platform (the sender attempted a range of standard spam tactics in subsequent connections). ... rim shot: i suggest that the e-mail industry consider a two-level approach to rejecting ipv6 spam based on source address. for more information see: http://www.circleid.com/posts/20110607_two_stage_filtering_for_ipv6_electronic_mail/ paul
Re: Our first inbound email via IPv6
the key question to me is when will my normal dns rbwls support ipv6?

in exim-speak

    !dnslists = list.dnswl.org
    dnslists  = dialups.mail-abuse.org \
              : rbl-plus.mail-abuse.org \
              : dnsbl.sorbs.net \
              : zen.spamhaus.org

and this time let's skip the usual round of telling me the worth of each element of my selection.

randy
Re: Dear Linkedin,
On Sun, 10 Jun 2012, Joe Greco wrote: One of the design goals of the V/MC system is that a cardholder is not supposed to need anything other than their card and the ability to sign.

This seems to be different across the world. Here in Sweden, they don't really look at your signature on the card, they look at the name on the card, name on the ID and the signature of the ID (which is pretty much required if you don't have PIN).

The comparison of the signature provided to the card signature is supposed to be one of the primary ways to validate a cardholder, but of course these days, most vendors are lazy and don't.

I've seen people verify the signature in France and in some Asian countries. I don't travel much these days, so I don't know the situation in other countries.

then they should require it, but they cannot require it by default for all transactions they process. That and a minimum charge are among the two most common merchant violations I see. For MasterCard violations, report them! http://www.mastercard.us/support/merchant-violations.html

Is that policy worldwide or just for the US?

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: Our first inbound email via IPv6
On Sun, 10 Jun 2012, Randy Bush wrote: the key question to me is when will my normal dns rbwls support ipv6? in exim-speak and this time let's skip the usual round of telling me the worth of each element of my selection.

My thoughts on this are that unless ISPs start to announce what one customer is, this is pretty hard. It's a problem in IPv4, but even more so in IPv6.

Wouldn't it help a lot if there was a way to publish that in this /42, there is one customer per /56, and in this other /42, there is one customer per /48? How can that be done via DNS (if that is still a favourable mechanism to distribute information like this)? Whois is not a good way...

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se
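To make the two points in this sub-thread concrete (what a DNSBL lookup over IPv6 actually queries, and what a published per-customer allocation size would let a filter do), here is an added Python example; it is not code from the thread, from Exim, or from any of the listed zones. The reversed-label query form follows RFC 5782; the allocation table is constructed from documentation prefixes (2001:db8::/32) with assumed per-customer sizes, not real ISP data, and it performs no DNS lookups so it runs offline.

```python
import ipaddress

# Constructed table of the kind Mikael wishes ISPs would publish:
# "within this aggregate, every customer holds one /56 (or /48)".
# Documentation prefixes and assumed sizes, not real allocations.
CUSTOMER_PREFIX_LEN = {
    ipaddress.ip_network("2001:db8::/42"): 56,
    ipaddress.ip_network("2001:db8:4000::/42"): 48,
}


def dnsbl_query_name(address: str, zone: str) -> str:
    """Name a mail server looks up in a DNS blocklist/allowlist zone.

    IPv4: the four octets reversed.  IPv6: all 32 hex nibbles of the
    address reversed, one per label (RFC 5782).  A per-address listing
    therefore covers one address out of the 2**64 in a typical /64, which
    is why address-granular lists scale poorly for IPv6.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def customer_prefix(address: str):
    """Map an address to the customer-sized prefix containing it, using the
    published granularity table; None if no aggregate covers it."""
    ip = ipaddress.ip_address(address)
    for aggregate, plen in CUSTOMER_PREFIX_LEN.items():
        if ip in aggregate:
            return ipaddress.ip_network(f"{ip}/{plen}", strict=False)
    return None


def reputation_key(address: str) -> str:
    """Key under which a filter keeps score for a sender: the whole customer
    prefix where the granularity is known, so one customer's block is judged
    as a unit rather than address by address; otherwise the address itself."""
    prefix = customer_prefix(address)
    if prefix is not None:
        return str(prefix)
    return str(ipaddress.ip_address(address))


if __name__ == "__main__":
    # The source address from Jason's report of Comcast's first IPv6 spam.
    print(dnsbl_query_name("2001:4ba0:fff4:1c::2", "zen.spamhaus.org"))
    for a in ("2001:db8:0:1234::1", "2001:db8:4005::9", "2001:db8:8000::1"):
        print(a, "->", reputation_key(a))
```

The query name is what Randy's dnslists entries would resolve for each connecting host; `reputation_key` is the piece that only works once something like Mikael's per-aggregate granularity is published somewhere a filter can read it.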
Re: Our first inbound email via IPv6
the key question to me is when will my normal dns rbwls support ipv6? in exim-speak My thoughts on this is that unless ISPs start to announce what one customer is, this is pretty hard. It's a problem in IPv4, but even more so in IPv6. i have assiduously avoided gaining serious anti-spam fu. but it seems to me that ipv6 does not create/enable significantly more spam-bots. randy
Re: Dear Linkedin,
On 6/10/12 00:25 , John Souvestre wrote: On 6/10/12, Joel jaeggli joe...@bogus.com wrote: How good does a password/phrase have to be in order to protect against brute-force or dictionary attacks against the password itself?

● Entropy in language. A typical english sentence has 1.2 bits of entropy per character, you need 107 characters to get a statistically random md5 hash. Using totally random english characters you need 28 characters. Using a random distribution of all 95 printable ascii characters you need 20 characters.
● Observation, good passwords are hard to come by.

I don't disagree, except regarding dictionary attacks. If the attack isn't random then math based on random events doesn't apply. In the case of a purely dictionary attack if you choose a non-dictionary word and you are 100.000% safe. :)

the search space for 6, 8, 10 character passwords is entirely too small...

John

John Souvestre - New Orleans LA - (504) 454-0899
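The three lengths on Joel's slide and his "search space ... entirely too small" remark both come from one formula: total entropy = length × bits per character. The Python below is an added worked example, not code from the thread; it assumes a 128-bit target (the size of an MD5 digest, which is what "statistically random md5 hash" is taken to mean here), characters drawn uniformly from the alphabet, and a constructed guess rate of 10^9 per second for the time estimate.

```python
import math

# Assumption: "statistically random md5 hash" means 128 bits of entropy,
# the width of an MD5 digest.
MD5_BITS = 128

# Constructed figure for the time estimate, not a measured cracking rate.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one character drawn uniformly from an alphabet."""
    return math.log2(alphabet_size)


def chars_needed(entropy_per_char: float, target_bits: int = MD5_BITS) -> int:
    """Shortest length whose total entropy reaches target_bits."""
    return math.ceil(target_bits / entropy_per_char)


def search_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the candidate count a brute-force attack must cover for a
    fixed-length password over this alphabet."""
    return length * bits_per_char(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def slide_lengths() -> dict:
    """Reproduce the three lengths on the slide from the formula."""
    return {
        "english_text_1.2_bits": chars_needed(1.2),            # 107
        "random_letters_26": chars_needed(bits_per_char(26)),    # 28
        "printable_ascii_95": chars_needed(bits_per_char(95)),   # 20
    }


if __name__ == "__main__":
    print(slide_lengths())
    # Joel's point about 6, 8 and 10 character passwords, carried through.
    for n in (6, 8, 10):
        print(f"{n} printable-ASCII chars: {search_space_bits(95, n):.1f} bits, "
              f"{years_to_exhaust(95, n):.2g} years at {GUESSES_PER_SECOND:.0e}/s")
```

John's dictionary-attack caveat is visible in the model: the 1.2 bits per character figure already assumes the attacker exploits the structure of English, so "non-dictionary" only means the attacker must fall back from a wordlist to the larger, but still structured, search space.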
Re: Dear Linkedin,
On Sun, 10 Jun 2012 08:24:41 -0700, Joel jaeggli said: I don't disagree, except regarding dictionary attacks. If the attack isn't random then math based on random events doesn't apply. In the case of a purely dictionary attack if you choose a non-dictionary word and you are 100.000% safe. :) the search space for 6 8 10 character passwords is entirely too small...

Saw this over on Full-Disclosure. I'd love to know what inspired the HashCat software to *try* those 2 40-character passwords that broke...

Subject: [Full-disclosure] Some stats about broken Linkedin passwds
From: Georgi Guninski gunin...@guninski.com
Date: Sun, 10 Jun 2012 17:55:10 +0300
To: full-disclos...@lists.grok.org.uk

Stumbled upon this: http://pastebin.com/5pjjgbMt

=== LinkedIn Leaked hashes password statistics (@StefanVenken) Based on the leaked 6.5 Million hashes, 1.354.946 were recovered within a few hours time with HashCat / Jtr and publicly found wordlists on a customer grade laptop. This report was created with pipal from @Digininja

Ironically they broke some 40 chars pwd.

Another list that contains seemingly non-dictionary pwds is at: http://pastebin.com/JmtNxcnB
Re: Dear Linkedin,
On 6/10/12, Joe Greco jgr...@ns.sol.net wrote: [snip] That and a minimum charge are among the two most common merchant For MasterCard violations, report them!

In the US, credit card processing networks were forbidden from prohibiting merchants from establishing certain minimum charges to use a CC; merchants may also charge an extra fee to use a CC; see the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010; S 1075 page 693.

(3) LIMITATION ON RESTRICTIONS ON SETTING TRANSACTION MINIMUMS OR MAXIMUMS. (A) IN GENERAL.—A payment card network shall not, directly or through any agent, processor, or licensed member of the network, by contract, requirement, condition, penalty, or otherwise, inhibit the ability (i) of any person to set a minimum dollar value for the acceptance by that person of credit cards, to the extent that (I) such minimum dollar value does not differentiate between issuers or between payment card networks; and (II) such minimum dollar value does not exceed $10.00 …

violations I see. For MasterCard violations, report them! http://www.mastercard.us/support/merchant-violations.html ... JG

-- 
-JH
Re: CVV numbers
On June 9, 2012 at 16:25 mysi...@gmail.com (Jimmy Hess) wrote: I bet there is at least one small retailer out there who takes phone orders and gathers CVV2, and at least one POS software developer out there who is unaware of, has ignored, or has...

Yes, but there are also penalties, including loss of merchant account and, I believe, fines, in the contract.

In other words CVV2 is a weak physical proof mechanism that only works if all parties involved obey the rules perfectly without error,

Not at all, even if someone does store CVV2s in violation of their contract they would ALSO have to be revealed to an evildoer to cause any harm. And even then the evildoer has to leap any other security barriers. Probabilities, all about probabilities, and percentages.

You're making the best the enemy of the good. We aren't dealing with military secrets here where one leak can undo all tactical advantage. We're dealing with fraudulent credit card charges where some amount of loss is considered acceptable and one just tries to minimize those losses. The goal is cost/benefit analysis, minimize losses while allowing the overall system to function as friction-free as possible, and doing that within a reasonable cost framework of around 1%-3% per transaction.

No different than router bugs etc, if one packet in a billion (whatever) is dropped purely due to a software bug that may be acceptable for a $10K router if the other alternative is to hand-verify every line of code making the router cost $100K.

I think this all may be more operationally relevant than some might protest, some here seem to have funny ideas about cost-benefits and security which maybe can at least be shaken loose a bit.

-- 
        -Barry Shein

The World              | b...@theworld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
Re: Dear Linkedin,
I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely discount for cash! but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract.

I remember my father buying a car and pulling out a credit card asking if they accepted them? The dealer said sure no problem so he said fine then take another 3% (whatever) off I'll pay cash/check.

-- 
        -Barry Shein

The World              | b...@theworld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
Re: Dear Linkedin,
A merchant can offer a cash discount. --John On 6/10/2012 11:16 AM, Barry Shein wrote: I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely discount for cash! but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract. I remember my father buying a car and pulling out a credit card asking if they accepted them? The dealer said sure no problem so he said fine then take another 3% (whatever) off I'll pay cash/check.
Re: Dear Linkedin,
On 06/10/2012 11:22 AM, John T. Yocum wrote: A merchant can offer a cash discount. I believe that the law just recently changed on that account. I believe that what Barry says was the old reality. Mike --John On 6/10/2012 11:16 AM, Barry Shein wrote: I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely discount for cash! but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract. I remember my father buying a car and pulling out a credit card asking if they accepted them? The dealer said sure no problem so he said fine then take another 3% (whatever) off I'll pay cash/check.
OT: Credit card policies (was Re: Dear Linkedin,)
- Original Message - From: Michael Thomas m...@mtcc.com On 06/10/2012 11:22 AM, John T. Yocum wrote: A merchant can offer a cash discount. I believe that the law just recently changed on that account. I believe that what Barry says was the old reality. Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981. Even Further Off-Topic, isn't debit supposed to be cash? Why do I pay the Credit price for it? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: OT: Credit card policies (was Re: Dear Linkedin,)
On 06/10/2012 11:33 AM, Jay Ashworth wrote: - Original Message - From: Michael Thomas m...@mtcc.com On 06/10/2012 11:22 AM, John T. Yocum wrote: A merchant can offer a cash discount. I believe that the law just recently changed on that account. I believe that what Barry says was the old reality. Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981. Even Further Off-Topic, isn't debit supposed to be cash? Why do I pay the Credit price for it?

I dunno, maybe they're an exception? Maybe it had something to do with competing with the old oil company credit cards?

Mike
Re: Dear Linkedin,
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Sun Jun 10 13:18:06 2012 From: Barry Shein b...@world.std.com Date: Sun, 10 Jun 2012 14:16:10 -0400 To: Mikael Abrahamsson swm...@swm.pp.se Subject: Re: Dear Linkedin, Cc: NANOG nanog@nanog.org, Joe Greco jgr...@ns.sol.net I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely discount for cash! but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract. The 'true explanation' is even simpler -- your impression is incorrect. grin In the U.S., Visa/Mastercard/Amex/Discover/Diners Club contracts all expressly forbid charging extra for a card transaction. Using language that applies only to a 'premium' or 'surcharge' applied to card transactions. They do *NOT* forbid giving a discount for cash payment. They do not state it =is= acceptable -- they are simply silent on the subject, which means that it is not proscribed. The logic: The card purchaser must be allowed to buy at the 'advertised' price. Prohibiting discounts gets into a 'restraint of trade' issue. Gas stations that offer a 'discount for cash' do not give that discount even for 'house brand' cards -- which do not have any fees that are payable to the issuer.
Re: Dear Linkedin,
- Original Message - From: Robert Bonomi bon...@mail.r-bonomi.com Gas stations that offer a 'discount for cash' do not give that discount even for 'house brand' cards -- which do not have any fees that are payable to the issuer.

In fact, that's not true. Several chains, notably including Shell, have at one time or another advertised that their house card (not a house-branded credit card, but an actual gas charge card) took the cash price.

Cheers
-- jra
-- 
Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: Dear Linkedin,
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Sun Jun 10 13:26:36 2012
Date: Sun, 10 Jun 2012 11:25:35 -0700
From: Michael Thomas m...@mtcc.com
To: John T. Yocum john.yo...@fluidhosting.com
Subject: Re: Dear Linkedin,
Cc: nanog@nanog.org

On 06/10/2012 11:22 AM, John T. Yocum wrote: A merchant can offer a cash discount. I believe that the law just recently changed on that account. I believe that what Barry says was the old reality.

You believe incorrectly. :)

Merchants have NOT, per Visa/Mastercard/Amex/Discover/Diners Club contracts in the U.S., been prohibited from offering discounts for cash transactions for more than 20 years -- based on my direct knowledge of such contracts as a card-processing merchant. TTBOMK, merchants were -never- so prohibited by such a contract. There are 'restraint of trade' issues involved if a contract attempts to place restrictions on transactions that do not involve all the parties to the contract.

Forbidding surcharges on transactions paid for by the issuer's card -is-, on the other hand, fair game for the contract under which the issuer agrees to pay for certain purchases.

Recently-enacted (2010) U.S. law *does* explicitly permit -- overriding any contract terms to the contrary -- setting a 'minimum purchase amount' for credit card transactions, as long as that amount does not exceed US$10.
Re: OT: Credit card policies (was Re: Dear Linkedin,)
On 10-Jun-12 13:33, Jay Ashworth wrote: From: Michael Thomas m...@mtcc.com On 06/10/2012 11:22 AM, John T. Yocum wrote: A merchant can offer a cash discount. I believe that the law just recently changed on that account. I believe that what Barry says was the old reality. Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981.

Merchants have always been allowed to offer a cash discount. The ban is (was?) on surcharges for card purchases. In practical terms, this means that if you post only one price, it must be the card price, not the (possibly lower) cash price.

Even Further Off-Topic, isn't debit supposed to be cash? Why do I pay the Credit price for it?

The credit price is subject to the merchant's discount rate, regardless of the nature of the particular card used. The cash price is the part of the credit price left after the discount rate is applied.

Say gas is $4/gal and the merchant's discount rate is 4%. That means the merchant only gets paid $3.84/gal for card purchases. If the merchant charges cash customers $3.84/gal, which is legal, they get paid the same amount of money. However, it is illegal for the merchant to post /only/ a price of $3.84/gal and then charge card users $4/gal to cover the card discount; that's an illegal surcharge.

S

-- 
Stephen Sprunk  "God does not play dice." --Albert Einstein
CCIE #3723      "God is an inveterate gambler, and He throws the
K5SSS           dice at every possible opportunity." --Stephen Hawking
Re: OT: Credit card policies (was Re: Dear Linkedin,)
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Sun Jun 10 13:34:06 2012
Date: Sun, 10 Jun 2012 14:33:03 -0400 (EDT)
From: Jay Ashworth j...@baylink.com
To: NANOG nanog@nanog.org
Subject: OT: Credit card policies (was Re: Dear Linkedin,)

- Original Message - From: Michael Thomas m...@mtcc.com On 06/10/2012 11:22 AM, John T. Yocum wrote: A merchant can offer a cash discount. I believe that the law just recently changed on that account. I believe that what Barry says was the old reality. Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981. Even Further Off-Topic, isn't debit supposed to be cash? Why do I pay the Credit price for it?

It is, and *ISN'T*, 'cash'. Unlike cash (and like a credit card), it is simply an instruction to a third party to pay the retailer a specified amount. And as such, is subject to the terms of the contract between -those- parties as to how payment is made and what charges are imposed. Unlike a credit card, the money _is_ immediately deducted from your bank account. Like a credit card, it is the third-party clearinghouse that gets the money from you, and passes it on to the retailer. AFTER extracting their charges for the service they provide.

You pay the 'credit' price, because the card issuer, and the clearinghouse operations _charge_ the merchant the same amount for those transactions as for 'credit' ones. Thus the merchant does not receive any of the benefits of a 'cash' transaction, so there is no 'discount' to pass on to the buyer.

At one point, VISA, charged -more- for debit transactions than credit ones. Despite the fact that there was -zero- risk to them on the debit transaction. VISA got sued over the matter, since (at that time) it was impossible to tell whether the card number presented was debit or credit. Thus the merchant could not determine, in advance, what their 'cost' for the transaction was. As a result of the lawsuit, the cost differential between credit and debit transactions was eliminated.
Re: OT: Credit card policies (was Re: Dear Linkedin,)
On 10-Jun-12 14:01, Robert Bonomi wrote: From: Jay Ashworth j...@baylink.com Even Further Off-Topic, isn't debit supposed to be cash? Why do I pay the Credit price for it? It is, and *ISN'T*, 'cash'. Unlike cash (and like a credit card), it is simply an instruction to a third party to pay the retailer a specified amount. And as such, is subject to the terms of the contract between -those- parties as to how payment is made and what charges are imposed. Unlike a credit card, the money _is_ immediately deducted from your bank account.

All of the above is completely irrelevant to the merchant.

Like a credit card, it is the third-party clearinghouse that gets the money from you, and passes it on to the retailer. AFTER extracting their charges for the service they provide.

FWIW, this is known as the discount rate.

You pay the 'credit' price, because the card issuer, and the clearinghouse operations _charge_ the merchant the same amount for those transactions as for 'credit' ones. Thus the merchant does not receive any of the benefits of a 'cash' transaction, so there is no 'discount' to pass on to the buyer.

The merchant's discount rate varies between card types. That's why many merchants don't accept AmEx, DC, CB and Nexus: their discount rates are higher than Visa and MC. For a low-margin business, the difference in rates can make the difference between profit and loss on a given sale.

At one point, VISA, charged -more- for debit transactions than credit ones. Despite the fact that there was -zero- risk to them on the debit transaction.

Wrong. Even debit cards present a risk of chargeback due to fraud. However, the fraud rates are lower due to the use of PINs, so the discount rate is also lower.

VISA got sued over the matter, since (at that time) it was impossible to tell whether the card number presented was debit or credit.

It's still impossible to tell, which is why most card terminals ask whether the card is credit or debit. If you press the credit button, even if the card is a debit card, it is processed as a credit card--with the credit card discount rate. That's why Visa's advertising and contests promote customers using signature (i.e. credit) transactions: Visa gets more money that way (at the cost of their merchants).

As a result of the lawsuit, the cost differential between credit and debit transactions was eliminated.

... except it's still there, though perhaps in the other direction. The discount rate for debit transactions is lower, but a PIN must be used to get that rate. The exact rates vary between card networks, card processors and even merchants, but a few years ago the numbers I heard were 4% for credit (i.e. signature) transactions and 1% for debit (i.e. PIN) transactions. That is why those nifty PIN terminals appeared everywhere virtually overnight: saving 3% on every debit transaction easily paid for all those new terminals.

S

-- 
Stephen Sprunk  "God does not play dice." --Albert Einstein
CCIE #3723      "God is an inveterate gambler, and He throws the
K5SSS           dice at every possible opportunity." --Stephen Hawking
Re: Dear Linkedin,
The credit card companies should pull their heads out of their asses about this. It is much better from an anti-fraud perspective for a stolen card not to contain a specimen signature for the thief to learn to forge. It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer. I've never had my card refused because I wrote SEE ID on the signature panel in lieu of my signature. I have been frequently asked for my ID and make a point of thanking the merchant for their diligence in each of those cases. I've only had one merchant get a little persnickety about the lack of a signature technically invalidating the card. I basically explained why I did it that way and informed them that they could cancel the transaction if they didn't like my methods. They chose not to cancel the transaction. (Which was a rather significant sale in a relatively small shop) Owen Sent from my iPad On Jun 10, 2012, at 3:58 AM, Joe Greco jgr...@ns.sol.net wrote: - Original Message - From: Barry Shein b...@world.std.com A friend would print in block letters in the sig area of his credit cards ASK FOR PHOTO ID. He said that almost always cashiers et al would give a cursory glance like they were checking his signature and say thank you and hand him back his card. This seems like an altogether excellent time to haul out *this* old chestnut: http://www.zug.com/pranks/credit/ FWIW, My cards have always said SEE ID, and I get about a 40% or so hit rate on that. It's been odd recently, cause I sometimes forget, and the privacy reflex kicks in and makes me want to say Why?? :-) If your card is not signed, your card is invalid and should not be accepted by any merchant. http://www.mastercard.com/us/merchant/pdf/MerchantAcceptanceGuide_Manual.pdf Page 8-2; Unsigned Credit Cards. VISA has similar requirements. 
Writing SEE ID in the signature panel primarily makes your card invalid *unless* your signature is also present. One of the design goals of the V/MC system is that a cardholder is not supposed to need anything other than their card and the ability to sign. The comparison of the signature provided to the card signature is supposed to be one of the primary ways to validate a cardholder, but of course these days, most vendors are lazy and don't. In fact, one of my favorite abusive merchant practices, trying to require ID, is expressly prohibited: http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf Page 5-14, sec. 5.8.4, Additional Cardholder Identification. They're allowed to ask, you're allowed to refuse, and absent a good reason, they're not allowed to refuse your transaction. Now, if your signature doesn't match or something else is particularly fishy, yes, then they should require it, but they cannot require it by default for all transactions they process. That and a minimum charge are among the two most common merchant violations I see. For MasterCard violations, report them! http://www.mastercard.us/support/merchant-violations.html ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: OT: Credit card policies (was Re: Dear Linkedin,)
On 6/10/12 12:23 , Stephen Sprunk wrote:
> On 10-Jun-12 14:01, Robert Bonomi wrote:
>> From: Jay Ashworth j...@baylink.com
> All of the above is completely irrelevant to the merchant.

Given that the thread now spans nine conversation threads and at least 122 messages and is buried in the finer details of merchant handling of gas cards, I think it can stop now. Thanks from all of us.

Joel
Re: Dear Linkedin,
The agreements often prohibit minimums and cash discounts/card fees. However, the Dodd-Frank act trumps the agreements as law contract. Owen Sent from my iPad On Jun 10, 2012, at 11:16 AM, Barry Shein b...@world.std.com wrote: I was under the impression (I should dig out my contract) that merchant contracts also forbid charging more for a charge than for cash or conversely discount for cash! but I see so many violations of that particularly at gas stations I wonder if that's negotiable in the contract. I remember my father buying a car and pulling out a credit card asking if they accepted them? The dealer said sure no problem so he said fine then take another 3% (whatever) off I'll pay cash/check. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: Dear Linkedin,
It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer. In the late 1990s I had a Visa card from (I think) Citibank that had my picture embossed on the front of the card. I'm surprised this didn't catch on with more card issuers. I see that Bank of America offers this free of charge to their Visa clients, as do some US based credit unions. That card was never lost or stolen, so I don't know if the photo verification would fail as spectacularly as signatures do. --lyndon
Re: Dear Linkedin,
That and a minimum charge are among the two most common merchant violations I see. For MasterCard violations, report them! http://www.mastercard.us/support/merchant-violations.html Is that policy worldwide or just for the US? http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf Despite the /us/ in the URL, the guide has sections for geographic world regions, so it seems safe to conclude it's worldwide. I have not followed all the geographic subsections to discover what regional variations may exist; I leave that exercise for anyone who finds it of interest. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Dear Linkedin,
> The credit card companies should pull their heads out of their asses about this.
> It is much better from an anti-fraud perspective for a stolen card not to contain a specimen signature for the thief to learn to forge.
> It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.

So, what ID do you consider to be acceptable? Especially when traveling, you've just opened up a can of worms. As a merchant, do you know what a Canadian driver's license is supposed to look like, for example?

The reality is that forging signatures is not particularly easy, and since merchants generally don't check ANYWAYS, the whole issue is kind of nebulous.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Dear Linkedin,
On Sun, 10 Jun 2012, Lyndon Nerenberg wrote: In the late 1990s I had a Visa card from (I think) Citibank that had my picture embossed on the front of the card. I'm surprised this didn't catch on with more card issuers. I see that Bank of America offers this free of charge to their Visa clients, as do some US based credit unions. That card was never lost or stolen, so I don't know if the photo verification would fail as spectacularly as signatures do. That's obviously only going to be of use in cases where the card is physically stolen and used in-person. I don't have the numbers, but I strongly suspect that sort of credit card fraud is a small minority, with the majority being CNP transactions. I've personally had several instances of one of my card numbers being used fraudulently (for everything from online casino gambling to tractor parts to hotel charges in countries I've never been to), but never via the card having physically been stolen. -- Jon Lewis, MCP :) | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: CVV numbers
Something else rarely considered in these discussions is that the cost of handling cash is upwards of 4%, particularly for larger operations like supermarkets. Someone has to be paid to count it, wrap it (or the bank will charge you to do that), often you have a security service pick it up to bring it to the bank which costs money, and of course there's theft of all sorts possible, cash is cash, counterfeit bills, etc.

I guess it's a sunk cost so hard to factor into any single transaction, but it does add up or did back when most sales were cash.

Until the early 90s (or thereabouts) it was illegal by state law to take credit cards at supermarkets in Massachusetts for example tho checks w/ id were ok, pain in the neck, I remember it well.

--
-Barry Shein
The World | b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool Die | Public Access Internet | SINCE 1989 *oo*
Re: OT: Credit card policies (was Re: Dear Linkedin,)
On June 10, 2012 at 14:33 j...@baylink.com (Jay Ashworth) wrote: - Original Message - From: Michael Thomas m...@mtcc.com On 06/10/2012 11:22 AM, John T. Yocum wrote: A merchant can offer a cash discount. I believe that the law just recently changed on that account. I believe that what Barry says was the old reality. Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981. Even Further Off-Topic, isn't debit supposed to be cash? Why do I pay the Credit price for it? I think part of the problem is there's no uniform answer to these observations. I remember news reports with videos of cash/credit signs at gas stations saying these were illegal (well, violated their contracts) but no one was enforcing it, an urge to get attorneys-general in on the act since non-uniform contract enforcement could be a violation of some sort of commercial laws or grounds for a civil suit if an injured party has standing. Or maybe some gas companies had the leverage to get exceptions written into their contracts, etc. They're just contracts, they can say anything as long as it's legal. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: Our first inbound email via IPv6
Randy Bush ra...@psg.com writes: ... i have assiduously avoided gaining serious anti-spam fu. but it seems to me that ipv6 does not create/enable significantly more spam-bots. the malware will generally have complete control over the bottom 64 bits of an ipv6 address. there's no reason to expect to ever receive more than one spam message from any single ipv6 source. so, we'll all be blackholing /64's. moreover, there are going to be more native endpoints in ipv6 than there were in ipv4, since the NAT incentives are very different in the larger address pool. so, we'll all need network operators to whitelist the parts of their address spaces that they plan to send e-mail from, so that we can avoid having to blackhole things one /64 at a time. as before: for more information see: http://www.circleid.com/posts/20110607_two_stage_filtering_for_ipv6_electronic_mail/ paul
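The two-stage idea in the post (blackhole spam sources one /64 at a time, but treat operator-declared mail-sending ranges differently so a whole range is never blackholed wholesale) can be shown in a few lines. This is an added example, not code from the post or the CircleID article; the allowlist prefix and the spam-source addresses are constructed documentation-range values.

```python
"""Added example: IPv6 SMTP sender blocklisting at /64 granularity with an operator allowlist."""
import ipaddress
from collections import Counter

# Constructed: an operator's published "we send mail from here" ranges (documentation
# prefix, not a real network). In the post this is the whitelist operators would publish.
MAIL_ALLOWLIST = ["2001:db8:1:100::/56"]


class V6SenderBlocklist:
    """Reputation store for IPv6 SMTP sources.

    Outside allowlisted ranges the low 64 bits are under the sender's control, so a
    single spam report poisons the whole /64 (we never expect a second message from
    the same /128 anyway). Inside an allowlisted range only the single /128 is blocked,
    so one bad host cannot take a legitimate operator's whole mail range offline.
    """

    def __init__(self, allowlist, block_prefixlen=64):
        self.allow = [ipaddress.IPv6Network(n) for n in allowlist]
        self.block_prefixlen = block_prefixlen
        self.blocked = set()      # ipaddress.IPv6Network objects currently blackholed
        self.reports = Counter()  # spam reports that landed on each blocked prefix

    @staticmethod
    def _v6(addr):
        a = ipaddress.ip_address(addr)
        if a.version != 6:
            raise ValueError("this store only handles IPv6 sources: %s" % addr)
        return a

    def is_allowlisted(self, addr):
        a = self._v6(addr)
        return any(a in n for n in self.allow)

    def bucket(self, addr):
        """Prefix a report for `addr` applies to: /128 if allowlisted, else the /64."""
        a = self._v6(addr)
        plen = 128 if self.is_allowlisted(a) else self.block_prefixlen
        return ipaddress.IPv6Network((int(a), plen), strict=False)

    def report_spam(self, addr):
        """Record a spam report; return the prefix that is now blocked, as a string."""
        net = self.bucket(addr)
        self.blocked.add(net)
        self.reports[net] += 1
        return str(net)

    def should_accept(self, addr):
        """Connection-time decision for an incoming SMTP source address."""
        a = self._v6(addr)
        return not any(a in net for net in self.blocked)

    def blocked_prefixes(self):
        """Sorted blocked prefixes, ready for export to a firewall or MTA access list."""
        return sorted(str(n) for n in self.blocked)


if __name__ == "__main__":
    bl = V6SenderBlocklist(MAIL_ALLOWLIST)
    bl.report_spam("2001:db8:2:3::dead")   # random host outside any allowlist: /64 goes
    bl.report_spam("2001:db8:1:150::5")    # inside the operator's mail range: /128 only
    print(bl.blocked_prefixes())
```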
Re: Dear Linkedin,
A few years ago I had a checkbook stolen. The genius bank branch decided it was sufficient to just print new checks starting at a much higher number and put it in the system rather than cancel the account number. I protested but hey so long as they were responsible for any fraud*. Then thousands of dollars of cashed checks began appearing. What was amusing was they each had info like my driver's license number and date of birth carefully hand-printed on them. EXCEPT, it wasn't *my* driver's license # or date of birth, it was all just kinda random. Which led us to believe (when talking to bank security) that they just have friends who work as cashiers, these were all at places like Wal-Mart, big retail stores, who just accept the bad checks for a cut. I agree it's all a matter of percentages but it says something about putting photos on credit cards etc. I had something similar happen with business checks (a small vendor was burglarized), similar result and conclusion: The crooks were working with bank tellers or other insiders, they even knew the magic amounts at each branch beyond which more security checks kick in, again, according to the bank security people I was clearing this up with. * I sort of regretted that because they managed to burn up quite a few hours of my time when it all went bad. They've got you at that point, show up here, show up now, fill out all these affidavits, etc or we won't cover the fraud. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: ROVER routing security - its not enumeration
Doug Montgomery dougm.tl...@gmail.com writes: ... I think we debate the superficial here, and without sufficient imagination. The enumerations vs query issue is a NOOP as far as I am concerned.With a little imagination, one could envision building a box that takes a feed of prefixes observed, builds an aged cache of prefixes of interest, queries for their SRO records, re queries for those records before their TTLs expire, and maintains a white list of SRO valid prefix/origin pairs that it downloads to the router. this sounds like a steady state system. how would you initially populate it, given for example a newly installed core router having no routing table yet? if the answer is, rsync from somewhere, then i propose, rsync from RPKI. if the answer is, turn off security during bootup, then i claim, bad idea. ... Point being, with a little imagination I think one could build components with either approach with similar black box behavior. i don't think so. and i'm still waiting for a network operator to say what they think the merits of ROVER might be in comparison to the RPKI approach. (noting, arguments from non-operators should and do carry less weight.) -- Paul Vixie KI6YSY
Re: CVV numbers
On Sun, Jun 10, 2012 at 8:02 AM, Owen DeLong o...@delong.com wrote:
> The skimmers can use CVV1 and bypass the CVV2 protection in most cases (though that requires them to gen up a fake or fraudulent card and do card present transactions which does add risk for them).

Not so much for them, but the sacrificial mules that go to the (physical) stores (and the mules, at best, know the location to meet their handler, who is not even the person/group responsible for the acquisition of the numbers, but just another middle person).

It costs almost nothing, so a few fraudulent transactions blocked is probably enough. That doesn't change the fact that I believe there have to be more effective methods that wouldn't cost much more. One of the CC industry think tanks (the think tank part of First Data; to be honest, I am not sure that part still exists) has proposed various alternatives over the years (including a true non-traceable cash type of CC alternative that was sort of appealing), but the priority of the banks continues to be to ensure convenience (with minimal losses for the banks), and almost all of the alternatives involved some sort of additional inconvenience to the customer.

If you can come up with a good alternative, there are many many millions to be made. I am not smart enough to be able to come up with a clearly better alternative (other than a personal optimization to remember all the CC numbers, including the CVV2, as you stated you do).

Gary
Re: Dear Linkedin,
On Sun, Jun 10, 2012 at 04:34:55PM -0400, valdis.kletni...@vt.edu wrote:
> On Sun, 10 Jun 2012 12:29:46 -0700, Owen DeLong said:
>> It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
> Maybe from the anti-fraud standpoint, but not necessarily from the merchant's viewpoint. It's only better if nobody's standing in line. If matching the ID and signature and picture reduces fraud from 4% to 3%, but increases the time to serve the customer by 5%, you're losing money due to fewer sales/hour.

For the most part, fraud in a card present transaction isn't eaten by the merchant. But the same reasoning still applies. The card issuers don't want you to have to show ID, because you might decide it's too much trouble, and just use some other method to pay.

Eliminating fraud isn't an objective of card issuers. Making money is. Fraud reduction is only done when the savings from the reduced fraud exceeds both the cost of the fraud preventing measure and any revenue that is lost because of inconveniencing customers. And, sometimes, they'll choose to accept a higher rate of fraud if it will generate enough revenue to offset it ... consider how many places you can now avoid signing for small dollar purchases. The cost of accepting the additional fraud was considered worth it in comparison to the revenue generated from getting people to use their cards for small transactions.

-- Brett
Re: OT: Credit card policies (was Re: Dear Linkedin,)
Stephen Sprunk step...@sprunk.org opined:
> On 10-Jun-12 14:01, Robert Bonomi wrote:
>> From: Jay Ashworth j...@baylink.com
>>> Even Further Off-Topic, isn't debit supposed to be cash? Why do I pay the Credit price for it?
>> It is, and *ISN'T*, 'cash'. Unlike cash (and like a credit card), it is simply an instruction to a third party to pay the retailer a specified amount. And as such, is subject to the terms of the contract between -those- parties as to how payment is made and what charges are imposed. Unlike a credit card, the money _is_ immediately deducted from your bank account.
> All of the above is completely irrelevant to the merchant.

False to fact. The fact that it is an order for (deferred) third-party payment, vs 'cash in hand', is *very* relevant to the merchant. For starters, the purchase amount becomes a 'debt' owed to the merchant by the third party. There are massive legal ramifications to that distinction alone.

>> Like a credit card, it is the third-party clearinghouse that gets the money from you, and passes it on to the retailer. AFTER extracting their charges for the service they provide.
> FWIW, this is known as the discount rate.

Not exactly. There are typically three components to the total charge that the merchant pays on a given transaction. One is a charge based on a percentage of the transaction amount -- that _percentage_ figure is known as the discount rate, distinct from the dollar-amount deducted for that purpose. Over and above the 'percentage' amount, there are 'per transaction' charges - which are essentially independent of the size of the transaction. On 'small' transactions, the 'per transaction' charges tend to swamp the 'percentage' charge.

>> You pay the 'credit' price, because the card issuer, and the clearinghouse operations _charge_ the merchant the same amount for those transactions as for 'credit' ones. Thus the merchant does not receive any of the benefits of a 'cash' transaction, so there is no 'discount' to pass on to the buyer.
> The merchant's discount rate varies between card types. That's why many merchants don't accept AmEx, DC, CB and Nexus: their discount rates are higher than Visa and MC. For a low-margin business, the difference in rates can make the difference between profit and loss on a given sale.

>> At one point, VISA charged -more- for debit transactions than credit ones. Despite the fact that there was -zero- risk to them on the debit transaction.
> Wrong. Even debit cards present a risk of chargeback due to fraud.

*SNICKER* According to the law, 'debit' cards (processed through the CC network) do -not- have any of the protections with regard to limit-of-liability that credit cards do. The account owner can assert 'fraud', but VISA is _not_ required to refund them any of the monies involved. For the 'debit' type transaction, VISA has the money in hand -before- they pay out to the merchant, the risk of them not getting the money is zero. Legally, the risk of having to return the money after an allegation of fraud is also zero, given that the merchant has followed the letter of the contract in processing the card. And, if the merchant has not done so, then VISA charges back the full amount to the merchant -- with the net risk to VISA being zero.

The other kind of 'debit' items -- ATM transactions -- do not involve VISA at all, only the issuing bank. For these, with the proper PIN presented, 'fraud' charges are (sometimes) eaten by the bank involved as a 'customer relations' measure. Generally, the presentation of the proper PIN is taken as 'proof' that an authorized user did perform the transaction, *until* such time as the bank is notified that the card or PIN has been lost/stolen or otherwise compromised.

> However, the fraud rates are lower due to the use of PINs, so the discount rate is also lower.

Sorry, but that is utter fiction. PIN-based payments are processed as ATM (Automatic Teller Machine) network transactions -- they are *NOT* 'debit' transactions via the credit-card clearinghouse network.

>> VISA got sued over the matter, since (at that time) it was impossible to tell whether the card number presented was debit or credit.
> It's still impossible to tell, which is why most card terminals ask whether the card is credit or debit.

Incorrect. (this is mostly a terminology issue -- what has become 'common usage' is muddy at best and often misunderstood) The terminal has no 'need to know' whether it is a bank-issued credit or bank-issued debit card. It does NOT ask that -- contrary to what the buttons appear to imply. wry grin Terminals ask because many cards today are 'multi-function' -- they can act as a bank-issued credit (or debit, but not both) card _and_ as an ATM card. The _labels_ on the terminals are technically inaccurate, the proper labels should be 'Credit/Debit' and 'ATM'. There are -four- types of cards in existence in the
Re: Dear Linkedin,
On Jun 10, 2012, at 12:25 PM, Joe Greco wrote:
>> The credit card companies should pull their heads out of their asses about this.
>> It is much better from an anti-fraud perspective for a stolen card not to contain a specimen signature for the thief to learn to forge.
>> It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
> So, what ID do you consider to be acceptable? Especially when traveling, you've just opened up a can of worms. As a merchant, do you know what a Canadian driver's license is supposed to look like, for example?

From someone who supplies an out-of-country drivers license, I'd request to see their passport. From someone who supplies an out-of-state drivers license, I'd probably accept it, but the risks there are somewhat reduced at least. Mostly, I'd accept any domestic government issued photo ID and/or any passport. Generally when someone asks for my ID, I use my passport.

> The reality is that forging signatures is not particularly easy, and since merchants generally don't check ANYWAYS, the whole issue is kind of nebulous.

Sure. However, if you provide the forger a specimen of your signature on the card, you're just asking for trouble IMHO. If the merchant is going to go to the trouble of checking the signature, the extra step of matching that against ID that matches the cardholder name instead of just matching it to the back of the card is a negligible additional inconvenience while providing an additional layer of protection.

Owen
Re: Dear Linkedin,
In such a circumstance I use the following: Close this account. Either send me a check for the remaining balance or deposit into my newly created account at your institution. Whichever you prefer. Owen On Jun 10, 2012, at 2:45 PM, Barry Shein wrote: A few years ago I had a checkbook stolen. The genius bank branch decided it was sufficient to just print new checks starting at a much higher number and put it in the system rather than cancel the account number. I protested but hey so long as they were responsible for any fraud*. Then thousands of dollars of cashed checks began appearing. What was amusing was they each had info like my driver's license number and date of birth carefully hand-printed on them. EXCEPT, it wasn't *my* driver's license # or date of birth, it was all just kinda random. Which led us to believe (when talking to bank security) that they just have friends who work as cashiers, these were all at places like Wal-Mart, big retail stores, who just accept the bad checks for a cut. I agree it's all a matter of percentages but it says something about putting photos on credit cards etc. I had something similar happen with business checks (a small vendor was burglarized), similar result and conclusion: The crooks were working with bank tellers or other insiders, they even knew the magic amounts at each branch beyond which more security checks kick in, again, according to the bank security people I was clearing this up with. * I sort of regretted that because they managed to burn up quite a few hours of my time when it all went bad. They've got you at that point, show up here, show up now, fill out all these affidavits, etc or we won't cover the fraud. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: Dear Linkedin,
On Jun 10, 2012, at 3:06 PM, Brett Frankenberger wrote:
> On Sun, Jun 10, 2012 at 04:34:55PM -0400, valdis.kletni...@vt.edu wrote:
>> On Sun, 10 Jun 2012 12:29:46 -0700, Owen DeLong said:
>>> It is far preferable for the merchant to request ID and verify that the signature matches the ID _AND_ the picture in the ID matches the customer.
>> Maybe from the anti-fraud standpoint, but not necessarily from the merchant's viewpoint. It's only better if nobody's standing in line. If matching the ID and signature and picture reduces fraud from 4% to 3%, but increases the time to serve the customer by 5%, you're losing money due to fewer sales/hour.
> For the most part, fraud in a card present transaction isn't eaten by the merchant. But the same reasoning still applies. The card issuers don't want you to have to show ID, because you might decide it's too much trouble, and just use some other method to pay.
> Eliminating fraud isn't an objective of card issuers. Making money is. Fraud reduction is only done when the savings from the reduced fraud exceeds both the cost of the fraud preventing measure and any revenue that is lost because of inconveniencing customers. And, sometimes, they'll choose to accept a higher rate of fraud if it will generate enough revenue to offset it ... consider how many places you can now avoid signing for small dollar purchases. The cost of accepting the additional fraud was considered worth it in comparison to the revenue generated from getting people to use their cards for small transactions.
> -- Brett

Right, but eliminating fraud should be an objective of consumers because ultimately, we are the ones paying for it regardless of who eats it on the actual transaction.

If the merchant eats it, the merchant has to make up for it with increased prices. If the card processing company eats it, they have to use high discount rates or other fees to cover it. If the card issuing company eats it, they have to use fees and/or interest rates to make up for it. If the bank eats it, they have to make up for it in other fees, reduced services, reduced interest on accounts, increased interest rates, etc.

Ultimately, no matter who eats it, it gets passed along to the consumer.

So, any card company that starts getting their merchants to decline transactions based on my anti-fraud efforts will find that I consider their product too risky and will use an alternate form of payment.

Owen
Re: Dear Linkedin,
- Original Message -
From: Brett Frankenberger rbf+na...@panix.com
> But the same reasoning still applies. The card issuers don't want you to have to show ID, because you might decide it's too much trouble, and just use some other method to pay.

Except for Amex, who have always *stringently* required this; I've even seen customer-facing advertising pointing it out. They have to do something to get merchants to take their card with the higher discount rate.

Cheers,
-- jra
--
Jay R. Ashworth Baylink j...@baylink.com
Designer The Things I Think RFC 2100
Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: Dear Linkedin,
On Sun, Jun 10, 2012 at 03:47:20PM -0700, Owen DeLong wrote: On Jun 10, 2012, at 3:06 PM, Brett Frankenberger wrote: Eliminating fraud isn't an objective of card issuers. Making money is. Fraud reduction is only done when the savings from the reduced fraud exceeds both the cost of the fraud preventing measure and any revenue that is lost because of inconveniencing customers. And, sometimes, they'll choose to accept a higher rate of fraud if it will generate enough revenue to offset it ... consider how many places you can now avoid signing for small dollar purchases. The cost of accepting the additional fraud was considered worth it in comparison to the revenue generated from getting people to use their cards for small transactions. Right, but eliminating fraud should be an objective of consumers because ultimately, we are the ones paying for it regardless of who eats it on the actual transaction. That assumes that minimizing cost is an objective of consumers. In general, it's not. Maximizing utility is. For some, minimizing cost is a major part of that. For me, I routinely trade money for convenience. And I'll gladly pay a percentage point or two more in exchange for all my credit transactions being handled more quickly. I'm far from the only one. Credit card companies keep making it easier to use their card, because they've found it more profitable to do so. There doesn't seem to be a market for a card that is harder to use, but saves consumers a little money through reduced fraud. -- Brett
Timeframe for LinkedIn Attack?
Hey, I'm curious if anyone has heard of a possible timeframe for the LinkedIn attack?

I use different email aliases on most websites I sign up for. (So I can identify where a spammer got my email address from and so I can just remove the alias if I get spammed a lot). I've been testing some scripts I wrote to parse through my email logs recently, and noticed a few interesting log entries from back in May.

I have accounts on Last.fm and on LinkedIn (using email aliases). I received a spam message on the email alias I use for LinkedIn on May 10. I also received four spam messages on the email alias I use for Last.fm on May 10. The LinkedIn related message came in at 20:22 UTC. The four Last.fm messages came in between 21:26 and 21:51 UTC. All of these messages were rejected because the IP the connection came from was listed on Spamhaus's XBL (they came from 5 different IP's).

I don't think this necessarily proves anything beyond a shadow of a doubt - but it seems really suspicious to me, given that I've never seen any other spam directed to these address before or after May 10, and that the email addresses for both of these sites that were compromised were spammed for the first time on the same day. (And none of the other 100+ email aliases I have received spam for the first time on that day). This would suggest to me that LinkedIn and Last.fm may have been compromised at least a month ago.

Has anyone else seen anything that would confirm or refute this?

Oliver
-
Oliver Garraux
Check out my blog: www.GetSimpliciti.com/blog
Follow me on Twitter: twitter.com/olivergarraux
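The correlation the post describes, run over MTA reject logs: for each per-site alias, find the first day it ever drew a DNSBL-listed sender, then look for days on which several aliases were hit for the first time. This is an added example, not the poster's scripts; the log line format, alias names and client addresses are constructed.

```python
"""Added example: find aliases whose first-ever spam arrived on the same calendar day."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of MTA reject lines in an assumed format (not the poster's real logs):
#   <ISO timestamp> reject client=<ip> from=<sender> to=<alias> reason=<why rejected>
SAMPLE_LOG = """\
2012-04-02T09:15:00Z reject client=198.51.100.5 from=a@example.net to=shop@example.org reason=xbl
2012-05-10T20:22:40Z reject client=192.0.2.10 from=b@example.net to=linkedin@example.org reason=xbl
2012-05-10T21:26:05Z reject client=192.0.2.11 from=c@example.net to=lastfm@example.org reason=xbl
2012-05-10T21:33:12Z reject client=192.0.2.12 from=d@example.net to=lastfm@example.org reason=xbl
2012-05-10T21:51:48Z reject client=192.0.2.13 from=e@example.net to=lastfm@example.org reason=xbl
2012-05-11T03:00:00Z reject client=192.0.2.14 from=f@example.net to=linkedin@example.org reason=xbl
2012-05-14T08:00:00Z reject client=203.0.113.7 from=g@example.net to=forum@example.org reason=greylist
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) reject "
    r"client=(?P<ip>\S+) from=\S+ to=(?P<alias>\S+) reason=(?P<reason>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_rejects(text):
    """Return one dict per well-formed reject line; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append({
                "ts": datetime.strptime(m["ts"], TS_FMT),
                "ip": m["ip"],
                "alias": m["alias"],
                "reason": m["reason"],
            })
    return out


def first_spam_per_alias(text, reasons=("xbl",)):
    """Map alias -> ISO timestamp of its earliest reject whose reason is a DNSBL hit.

    Only DNSBL-listed senders count as "spam" here; greylisting or other policy
    rejects are ignored so they do not create false first-seen dates.
    """
    first = {}
    for rec in parse_rejects(text):
        if rec["reason"] not in reasons:
            continue
        if rec["alias"] not in first or rec["ts"] < first[rec["alias"]]:
            first[rec["alias"]] = rec["ts"]
    return {alias: ts.strftime(TS_FMT) for alias, ts in first.items()}


def shared_first_spam_days(text, min_aliases=2, reasons=("xbl",)):
    """Map day (YYYY-MM-DD) -> sorted aliases whose first spam fell on that day.

    Days with fewer than `min_aliases` aliases are dropped: a lone alias getting
    its first spam is normal; several unrelated aliases on the same day is the
    signal the post is looking for.
    """
    by_day = defaultdict(set)
    for alias, iso_ts in first_spam_per_alias(text, reasons).items():
        by_day[iso_ts[:10]].add(alias)
    return {day: sorted(aliases) for day, aliases in sorted(by_day.items())
            if len(aliases) >= min_aliases}


def distinct_clients_on_day(text, day, reasons=("xbl",)):
    """Count distinct sending IPs behind DNSBL rejects on a given YYYY-MM-DD day."""
    return len({rec["ip"] for rec in parse_rejects(text)
                if rec["reason"] in reasons and rec["ts"].strftime("%Y-%m-%d") == day})


if __name__ == "__main__":
    for day, aliases in shared_first_spam_days(SAMPLE_LOG).items():
        print(day, aliases, "from", distinct_clients_on_day(SAMPLE_LOG, day), "client IPs")
```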
rate limiting (Re: Open DNS Resolver reflection attack Mitigation)
Joe Maimon jmai...@ttec.com writes:
> Is there any publicly available rate limiting for BIND? How about host-based IDS that can be used to trigger rtbh or iptables? Google and Level3 manage to run open resolvers, why can't I?

rate limiting on recursive servers is complicated by the lack of caching in most stub resolvers and applications. this makes it hard to tell by pure automation when a request flow is a spoof-source attack and when not. for most of us this isn't a problem since we'll put access control lists on our recursive name servers, only allowing queries from on-campus or on-net. for intentionally open resolvers, i expect there's a lot of monitoring and hand tuning, and that many deliberately low-grade attacks get by.

noting that there are at least 15 million open recursive servers (most in low-quality CPE boxes front-ending cable or DSL links), an attacker has a long menu of places to send a small number of queries (to each) so that any rate limiting done by any one of the open recursive servers would not defend any victims against spoofed-source.

spoofed-source is becoming wildly more popular. that's probably where to fix this. also the 15 million open recursives would be good to see fixed. at the moment most attacks are using authority servers, where it's far easier to automatically tell attack flows from non-attack flows.

--
Paul Vixie
KI6YSY
Re: Timeframe for LinkedIn Attack?
From: Oliver Garraux oli...@g.garraux.net
> Hey, I'm curious if anyone has heard of a possible timeframe for the LinkedIn attack?

According to the reports in this group, the attack occurred June 4, and was detected on the 4th or 5th.
Re: Dear Linkedin,
Don't know if someone already posted this, but they're forcing people to reset their passwords, but it lets you reset it to the same password as before... How many people are going to use the same pass? I'd say a good portion. LinkedIn needs some new isec employees.

On Jun 10, 2012, at 6:11 PM, Jay Ashworth j...@baylink.com wrote:
> - Original Message -
> From: Brett Frankenberger rbf+na...@panix.com
>> But the same reasoning still applies. The card issuers don't want you to have to show ID, because you might decide it's too much trouble, and just use some other method to pay.
> Except for Amex, who have always *stringently* required this; I've even seen customer-facing advertising pointing it out. They have to do something to get merchants to take their card with the higher discount rate.
> Cheers,
> -- jra
> --
> Jay R. Ashworth Baylink j...@baylink.com
> Designer The Things I Think RFC 2100
> Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII
> St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: Dear Linkedin,
Eliminating fraud isn't an objective of card issuers. Making money is. Fraud reduction is only done when the savings from the reduced fraud exceeds both the cost of the fraud preventing measure and any revenue that is lost because of inconveniencing customers. Right, but eliminating fraud should be an objective of consumers because ultimately, we are the ones paying for it regardless of who eats it on the actual transaction. This applies just as well to fraud-prevention measures, a cost is a cost is a cost, your perceived morality of the cost makes no difference, money is fungible! Which means, money doesn't care! You'd have to make up the cost of all that fraud-prevention in the same way. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: Dear Linkedin,
----- Original Message -----
From: Barry Shein b...@world.std.com

> This applies just as well to fraud-prevention measures: a cost is a cost is a cost, your perceived morality of the cost makes no difference, money is fungible! Which means, money doesn't care! You'd have to make up the cost of all that fraud-prevention in the same way.

The money doesn't care... but the customers sure the hell do. Alas, getting the corporation in the middle to eat it out of profit -- I'm not clear why we're at a place where no one even considers that possibility, but we very clearly are; I'm sure the corporations are thrilled -- is next to impossible.

Cheers,
-- jra
Re: Dear Linkedin,
On June 10, 2012 at 19:47 apishd...@gmail.com (Ameen Pishdadi) wrote:

> Don't know if someone already posted this, but they're forcing people to reset their passwords, but it lets you reset it to the same password as before... How many people are going to use the same pass? I'd say a good portion. LinkedIn needs some new isec employees.

It's only Linkedin, not bank accounts -- not that most people's bank accounts are much to worry about either :-)

But what's dumb is that what they're asking for with that policy is a big headache for themselves when accounts get messed up, whatever pranksterism or nefarious deed, I dunno, spamming from someone's cracked acct is a good example, and Linkedin's staff has to deal with each and every one. Maybe they lack imagination as to what they might be getting themselves into.

--
-Barry Shein
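The reset behaviour Ameen and Barry complain about (a forced reset that accepts the very password that just leaked) is easy to prevent server-side: before storing the new credential, verify it against the stored hash of the old one. The following is an added example, not LinkedIn's code or anything from this thread; it assumes an in-memory user table and uses PBKDF2 from the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example; a real site would use a database.
USERS: dict = {}
ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; assumption for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "hash": _hash(password, salt), "reset_required": False}


def flag_compromised(name: str) -> None:
    """After a hash leak, force the account through a reset on its next login."""
    USERS[name]["reset_required"] = True


def login(name: str, password: str) -> str:
    """Returns 'denied', 'reset_required' or 'ok'."""
    u = USERS[name]
    if not hmac.compare_digest(_hash(password, u["salt"]), u["hash"]):
        return "denied"
    return "reset_required" if u["reset_required"] else "ok"


def reset_password(name: str, new_password: str, reject_reuse: bool = True) -> bool:
    """Completes a forced reset. With reject_reuse=False this reproduces the weak
    behaviour described in the thread: the leaked password is accepted again."""
    u = USERS[name]
    # Hash the candidate with the OLD salt so it can be compared to the old hash.
    if reject_reuse and hmac.compare_digest(_hash(new_password, u["salt"]), u["hash"]):
        return False  # the new password is the compromised one; refuse it
    # Re-salt on every change so the new hash is unrelated to the leaked one.
    salt = os.urandom(16)
    u["salt"], u["hash"], u["reset_required"] = salt, _hash(new_password, salt), False
    return True
```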
Re: Password Safes
On 08/06/12 2:01 PM, Lyndon Nerenberg wrote:

> the Android client lets me pull up passwords on my phone when I'm on one of the systems that doesn't have a native 1Password client, or when I am on the road.

Does the Android client know how to automagically login to 11 different Android Apps with your 1Password saved passwords? Does the iDevice client know how to automagically login to 1001 different Apple Apps with your 1Password-saved passwords?

Because if it doesn't do this automagically, it's not going to work for most people.

jc
