other postings and recent info from comp.risks:

http://www.garlic.com/~lynn/aadsm9.htm#carnivore3 Shades of FV's Nathaniel Borenstein: Carnivore's "Magic Lantern"
http://www.garlic.com/~lynn/2002.html#19 Buffer overflow
http://www.garlic.com/~lynn/2002.html#20 Younger recruits versus experienced veterans ( was Re: The demise of compa
http://www.garlic.com/~lynn/2002.html#35 Buffer overflow
http://www.garlic.com/~lynn/2002.html#37 Buffer overflow
http://www.garlic.com/~lynn/2002.html#39 Buffer overflow
========================================================

Date: Mon, 07 Jan 2002 20:07:25 -0500
From: David Farber <[EMAIL PROTECTED]>
Subject: Credit-card cloners' $1B scam

Homemade machines costing about $50 are being used to read credit-card mag-stripes, without having to steal the cards. The information is then e-mailed abroad, where cloned cards are fabricated. This has become a billion-dollar-a-year enterprise.

[PGN-ed from Monty Solomon's e-mail to Dave's IP, subtitled Terrorists, mobsters in on hacking racket, by William Sherman, *NY Daily News*
http://www.nydailynews.com/today/News_and_Views/City_Beat/a-137421.asp]

[The gadget was first demonstrated in maybe 1960s at Caltech as part of a demo on how poor the mag-striped credit cards were. In spite of that, they won. Dave]

------------------------------

Date: Sat, 29 Dec 2001 09:59:00 -0600
From: Tim Christman <[EMAIL PROTECTED]>
Subject: Mag-stripes on retail gift cards

Here's a link to an article on MSNBC that I found interesting --
http://www.msnbc.com/news/598102.asp?0dm=C216T&cp1=1

Many retailers are replacing paper gift certificates with small plastic cards containing magnetic stripes, similar to credit cards. Ideally, the purchase of a gift card would result in a database being updated to reflect the balance associated with the card's unique account number. Some retailers are using sequential account numbers and have no provisions to protect against a thief using a mag-stripe reader/writer to re-program a stolen card or small denomination card so that it matches the account number of a larger valued card purchased by someone else. Many retailers even provide a convenient 1-800 number so that the thief, knowing many valid account numbers, can "shop" for a card of significantly greater value.

The RISK: A form of fraud, difficult to trace, involving a minimal investment in equipment by the thief.
Also note that the thief only requires the ability to query the back-end database (through the toll-free number), not the ability to manipulate the records. Perhaps more ominously, the risk is angry family members who find a zero balance on their gift cards!

Solutions: One retailer, mentioned in the article, uses optical bar-coding which can't be re-encoded without defacing the card. Another follows a technique used by many credit card companies -- extra check digits are included in the mag-stripe that are not visible on the face of the card. It seems astounding that this isn't being done by all.

------------------------------
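
The second mitigation in the gift-card posting above (check digits on the stripe that are not printed on the card), sketched as an added example that is not part of the original postings. It assumes the check value is an HMAC-SHA256 of the account number under an issuer-held key, which is a stand-in and not the card networks' actual algorithm; the key, the "=" field separator, the four-digit length and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real issuer would hold this in an HSM.
ISSUER_KEY = b"constructed-demo-key-not-for-production"
CHECK_DIGITS = 4  # hypothetical length of the unprinted stripe value


def stripe_check_value(account: str, key: bytes = ISSUER_KEY) -> str:
    """Derive the hidden check digits for an account number."""
    mac = hmac.new(key, account.encode("ascii"), hashlib.sha256).digest()
    # Reduce the first 8 MAC bytes to a fixed number of decimal digits.
    value = int.from_bytes(mac[:8], "big") % 10**CHECK_DIGITS
    return str(value).zfill(CHECK_DIGITS)


def encode_stripe(account: str) -> str:
    """Stripe contents: printed account number plus the unprinted check value."""
    return f"{account}={stripe_check_value(account)}"


def verify_stripe(stripe: str) -> bool:
    """Back-end check run before any balance lookup or redemption."""
    account, sep, check = stripe.partition("=")
    if not (sep and stripe.isascii() and account.isdigit() and check.isdigit()):
        return False
    if len(check) != CHECK_DIGITS:
        return False
    return hmac.compare_digest(check, stripe_check_value(account))


def forged_acceptance_rate(accounts, guess: str = "0000") -> float:
    """Fraction of stripes accepted when only the account number is known."""
    hits = sum(verify_stripe(f"{a}={guess}") for a in accounts)
    return hits / len(accounts)


if __name__ == "__main__":
    # Constructed sequential account numbers, as in the weak scheme described.
    issued = [str(6000000000 + i) for i in range(20000)]
    print("genuine card accepted:", verify_stripe(encode_stripe(issued[0])))
    print("account number alone accepted:", verify_stripe(issued[1]))
    print("acceptance rate with a guessed check value:",
          forged_acceptance_rate(issued))
```

With four digits a single guess still succeeds about once in 10,000 tries, so the back end also has to count and limit failed verifications per account and per caller, including on the telephone balance line.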