Macy’s breach is a game-changing Magecart attack

Discussion in 'malware problems & news' started by ronjor, Dec 20, 2019.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    170,195
    Location:
    Texas
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    Solution: don't pay with creditcards when online shopping. I seriously don't understand why these companies don't adapt other more secure systems. In Holland we use a system called iDEAL, works like a charm and it's much more secure. Basically, when paying you are redirected to your online bank. No need to fill in any creditcard info. I believe this is also the case when you're using PayPal.

    https://en.wikipedia.org/wiki/IDEAL
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    I'll pass on this concept. Attacker via MITM redirects to fake bank site and you're dead meat. Per Wikipedia:

    Also no charge back protection with this service.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    No correct, no charge back. But it's not about that, I was suggesting that creditcard companies could use such a system. And how on earth would hackers perform a MITM attack? They should then have control over the PC or over the webserver. I have been using this system for 14 years, I never had a problem. Just make sure you buy stuff from a reputable webshop.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    Again, thanks but no thanks:
    BTW - both Visa and MasterCard I believe have 2FA options. Also I believe Visa has an option where you don't even use your actual card no./info but where a one time use number is issued. It really doesn't matter with my bank issued card since it has 100% fraud protection.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    I believe you're still missing the point. It's not about the "no charge back" issue! This is something related to online banks in Holland. If creditcard companies switched to such a payment system you would obviously still get 100% fraud protection. I'm talking about protection against website skimming. And if they already have 2FA and virtual account numbers, then why is this still an issue?
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    BTW, I was thinking about this, and MITM wouldn't work with this iDeal system. Because it's secured by a hardware token. You can only pay if you physically own the creditcard. So if you want to pay for stuff and you get redirected to a fake site, the 2FA codes wouldn't work. Because those codes are only known by the 2FA software running on the online bank's webserver and the harware token that you own.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,392
    Location:
    U.S.A. (South)
    Holland keeps their thinking cap on with full reason. Not so USA for us. Because just like Bill Gates sold the US gov. his O/S as the cream of the crop in convenience (wheres the security?) and would digitally automate services etc. Of course our gullible government is like a kid in a candy shop. Oh it's so modern and innovative for us-NOT.
     
  9. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, US credit card "technology" is still pretty much stuck in the 1990s, it seems. That's the previous century. I mean, modernizing and securing these things should be embraced and implemented with both arms and it's not. What extra powers do the large banks have that we don't know about? :cautious:
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    Again, I don't see the issue here with use of major bank issued credit cards in the U.S. As long as the issuing bank offers 100% fraud protection; i.e. $0 liability, the security issue/s are a moot point. I never had an issue with my bank issued Visa card. Once or twice in 10 years, unauthorized charges occurred. They were all reversed although I did have to fill out an affidavit attesting the charges were fraudulent. In recent years, I have had zip fraudulent charges. They were all detected at the bank level prior to posting and the bank issued me a new card automatically.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    This is cool and all, but this doesn't solve the problem with website skimming. Apparently, criminals can still abuse this stuff.

    With iDEAL there is nothing to skim. You just shop via let's say Amazon, Best Buy or Walmart, fill in your name and address and you get redirected to your bank. You put your creditcard in the card-reader (hardware token) fill in the code you get to see on your screen, and the card reader generates another code that you need tot type on the website, and the deal is done. No more website-skimming.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    And to that, I say so what?

    As I see it, this IDEAL system is set up to minimize the financial loss by fraud incurred by merchants and the card issuing bank by requiring the card holder to perform additional validation steps which I consider to be a nuisance. Again, I don't have to worry about this since my bank issued credit card has zero fraud liability protection. Appears this concept is an alien one to European credit card issuing banks.

    -EDIT- I do see merit in this IDEAL validation process if one was using a debit versus a credit card. For starters, many banks do not offer the same consumer protections for debit cards as that offered for credit cards.

    On the other hand, one would have to be insane to use a debit card for an online purchase since the card is directly link to your checking account.
     
    Last edited: Dec 26, 2019
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,392
    Location:
    U.S.A. (South)
    Insane? Not at all. But for the tech savy customer a most definite non starter. However with the tidal wave trend of debits being handled by a fair percentage of card holders constrained maybe perhaps to that payment method, you know as well as I do plenty of peeps will throw the dice!

    Yet still offers a somewhat more reasonable higher degree of protections against such things. Debit cards I agree should also be offered the same coverages that bank issued cards Visa/MC etc provide.

    I feel there's much more territory to be explored and securely implemented, and intelligently, in order to not only stave off attempts but render them all but useless. But that's years down the pipeline with the current pace of card protection technologies.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    It's probably people with the same attitude like you that work at these creditcard companies LOL. It's a matter of at best 2 minutes extra for performing the 2FA stuff! To me it would be a nuisance if I would keep having to making sure that criminals don't shop on my behalf. No matter if I can get the money back, I just don't like the idea! And I don't see how it makes a difference whether debit or creditcards are being used to pay for stuff. Like I said, if you buy stuff at reputable webshops, you won't have any problems, you won't loose any money.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    Here's two links that state the differences. Note that these apply to laws and procedures in the U.S.. One needs to check the same for their resident country:

    https://www.investopedia.com/articles/personal-finance/050214/credit-vs-debit-cards-which-better.asp
    https://www.nerdwallet.com/blog/credit-cards/credit-card-vs-debit-card-safer-online-purchases/

    The NerdWallet article sums it up best:
    Addtionally in the case where debit card fraud has resulted in your linked checking account being cleaned out, expect a major hassle with your bank if the loss is sizable. You might eventually get all your funds replaced by the bank, but it might take months till the matter is resolved. In the meantime, checks are bouncing, direct deposits are failing, etc., etc., since the account is frozen.

    Most financial security experts recommend that if you must use a debit card, open another checking account with the card linked to that account. Transfer funds to this account as needed maintaining the minimum balance possible in the debit card account. Another alternative is a prepaid debit card although many of those charge a one-time usage fee.

    -EDIT- @mood also just posted another article about debit cards: https://www.wilderssecurity.com/thr...the-least-secure-way-to-pay-for-goods.424533/
     
    Last edited: Dec 26, 2019
  16. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    462
    Experienced something like this first hand in Canada. Bought something with Interac Online Payment from a reputable retailer. The site glitched. The payment never went thru and it told me it didn't go thru. I did it a second time but with a credit card this time. No problem. Until I discovered that the Interac Online Payment had been subtracted from my bank account! I had to escalate several levels before they came to their senses. They first wanted me to do all the work with the retailer and be my own investigator without any access to any information. Never again will I buy online with anything EXCEPT credit card.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    I should also add that Visa and I assume MasterCard offer supposedly zero liability debit cards. With these the "devil is in the detail": https://usa.visa.com/support/consumer/debit-cards.html . Additionally and so noted in the linked article, the card issuing bank can modify these terms as they see fit. Visa corporate policy states all misappropriate funds should be replaced with 5 days. Also overall, fraud activity time reporting for debit cards is critical. Most will disallow any reimbursement activity unless reported with 60 days.
     
    Last edited: Dec 27, 2019
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    Yes exactly, I always have a minimum balance. I have never had any problems with my debitcard. But this debit vs creditcard discussion isn't relevant when it comes to solving the website-skimming problem. The point is that creditcard companies can switch to this iDEAL system, while still providing 100% fraud protection. We need to fix this stupid way of online payment processing.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    The web site skimming issue is just that; a web site security issue that needs to be resolved by the web site owner. Use a good security solution that is proactive in detection of web sire malware and/or blocking access to compromised web sites.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    That's another way to solve the problem. But apparently it's either hard to block this stuff, or not all webshops can or want to invest in these security systems. Creditcard companies could easily solve this by using a system like iDEAL. But perhaps there are ulterior motives for not wanting to do this, who knows.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    The biggest reason is cost. Remember that the credit card issuers charge merchants a per transaction fee + authorization fee. Now add to that the cost of using IDEAL:
    https://www.ideal.nl/en/businesses/frequently-asked-questions/

    Now it is possible IDEAL use would eliminate the card issuer authorization fee but the transaction fee would remain.

    Also I suspect that IDEAL's authorization fees are higher than those charged by the card issuers.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    @Rasheed187 , one final comment about this IDEAL system you think so highly of.

    It was created not to protect consumers; i.e. cardholders, but to protect merchants primarily, and card issuing banks secondarily against revenue loss. When an IDEAL transaction is successfully completed, the merchant is protected not only against fraudulent card use charge backs, but all charge backs from the card issuing bank for any reason. All transaction resolution must be performed between the card holder and the merchant with the card issuing bank totally out of the resolution loop.

    In regards to the elaborate security mechanisms IDEAL employs, those are in place to thwart any legal actions that might be initiated over transaction resolution and possibly to satisfy any Dutch legislative concerns.

    Bottom line - use a major credit card w/ zero or minimum liability with full charge back rights for online purchases.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    Yes, but what you fail to understand is that it's about the tech behind it. You keep talking about stuff that's not tech related. I'm sure it's all true what you said, but we're trying to solve the website skimming problem. A system like iDEAL would solve it.

    Like I said, if companies like American Express, Visa and Mastercard adopted such a system, then other rules would apply, so you would still get 100% fraud protection in case you get scammed or something. And if they have already beefed up security with 2FA and virtual account numbers then why are criminals still skimming websites and even brick and mortar stores?
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,634
    Location:
    U.S.A.
    They already have it w/o the hassle involved with the IDEAL implementation:

    https://usa.visa.com/pay-with-visa/featured-technologies/verified-by-visa.html
    https://usa.visa.com/visa-everywhere/security/future-of-digital-payment-security.html
    https://www.mastercard.us/en-us/merchants/safety-security/identity-check.html

    Additionally, my bank offers this for its Visa card holders:
     
    Last edited: Dec 29, 2019
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    I'm sorry but I'm not impressed at first sight. It seems a bit vague to me. And I don't see how this would solve the problem of website skimming. For strong security, you need a system like iDEAL that will always forces you to enter your PIN and/or 2FA code generated by software or hardware token. It depends on whether you're using your PC or smartphone. There is no hassle involved and both consumers and online webshops don't have to worry about website skimming anymore.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.