Isn't this kind of thing eBay's inherent problem.. I believe the current version is to sell new unopened boxes of things like Lego for 75% retail and then when the auction ends just order the goods on a stolen card direct from the manufacturer at 100% retail for direct delivery to the buyer. The eBay seller does a runner with the cash and the buyer gets the 'new' goods direct from the manufacturer, which should set alarm bells ringing. However most leave good feedback for the 'new' goods, and a short while later plod knocks on the 'buyers' door and they get a free 'new' set of bracelets for using stolen cards...
The sooner the banks integrate card usage with a separate authorisation process the better. Perhaps via email or a mobile app. [your card has been used here, click to authorise.]
If not authorised by the end of the day any dispatched parcels are stopped.
just too many typos...
I have realigned keyboard.
That's too much to ask for
I still ask my bank from time to time if they have a "security token" option for their personal Internet banking, and they keep saying that no, they only have such a thing for business Internet banking. I don't want to pay the business Internet banking fees, and their business token is also a bit dumb: you press a button and get a code, no PIN to protect the token, no means to use the token to authenticate a transaction. Barclays have what I want, but they turned me down for a basic account on grounds of not having any credit score whatsoever (what does credit have to do with a basic account without overdraft or cheque facilities, I don't know).
On the other hand, people would find the system too complicated and/or would resent carrying "yet another security token" with them.
I hear some banks in Europe send a text message with a code that you have to put in their website. PayPal does this for the UK (I use this feature). I also hear that people buy Nokia 1100 mobile phones with dodgy firmware to intercept such messages, but as of today no one verified this claim (yet the prices did skyrocket).
If I ever had a vote in banking security issues, I would vote for a "paranoid" option like the one suggested by the parent, where I confirm every debit card transaction using my mobile phone in some way. Lock my screen with a code or custom gesture, PIN-protect my SIM, and even if you steal both my card and my phone you can't steal my money.
Shame that if they have enough details to get your card to work it's quite likely they've also hacked your email (most people have stupid passwords) or stolen your phone (many people are too lazy to get them blocked and don't use PIN codes)... very few of these systems are flawless sadly. "Verified By Visa" etc could be good, if they made it less easy to change the password (mother's maiden name, DOB and post code or something basic is often all that is needed). Making it a 12 digit or more alphanumeric code or something... or requiring a Barclays style code from the card/PIN readers, that's more feasible for online shopping when you're at home, it works for iBanking after all.
Photos on the card or biometrics such as fingerprints, retinal scans or voice print may be helpful... but they are not very practical for card-holder-not-present transactions such as online shopping.
Overall though it seems less costly just to take the hit of fraud than it does to make it more than mildly tricky to perform.
Verified by visa
is a complete waste of time.. and too easy to scam. After all, the verified box only appears after you have keyed in your card number... so it offers no protection of the number at all. And I never remember the stupid codes for it, so have to reset it every time... which is far too easy!
And if the scammer is operating a man in the middle style scam then you don't see vbyv, you see an identical passthrough so they can take your vbyv password too.
The authentication process must be independent of whichever website you might be using, and email or mobile app as suggested above is the best way to do that.
Re: If Only
Do you work for the banks? Can't be arsed today?
Saying it won't work because people have stupid passwords is just the kind of excuse for not bothering that the banks would use. Fact is, for anyone who does not have a compromised email account this would actually work! So even in a very pessimistic case that's a 50% improvement. What's more, it would actually be reassuring for the customers, providing a useful record of transactions (I know I'd like that), and alerting them more quickly when a fraud occurs, which by providing a useful alert to the card company, could prevent the fraud before the card company has to pay for it, and hence reducing costs and saving us all some cash.
As for the compromised email accounts, well yes fraud will still occur, but greatly reduced on what it is now, so what's so bad about that?
DHS now helping to promote file sharing. Do the RIAA and MPAA know about this?
I too thought of the file sharing program first. I was a little nervous that I would have to find another way to ste...er.. download...my movies.
It's operation Ebay...
that is watchin what you download...
so be careful... IPFilter.dat.. cough.
If they had done this at Cambridge U they could have claimed it was for their thesis
Messrs VO and VAN might have been just doing studies for thesis work, just as their counterpart at Cambridge was studying weaknesses in card payment security.
Funny how an affidavit is released - part of a larger investigation, Operation eMule, which is presumably continuing - when ordinarily this sort of publicity occurs AFTER charges are laid.
Something fishy here.
Why the DHS?
I get that the students are crooks. That I understand, but what I don't understand is the scope of the DHS to be the people going after this kind of crime. WTF has this got to do with Homeland Security? Sounds like feature creep in the DHS allowing them to extend their remit into becoming some kind of global policing?!
For example, in the past departments such as the FBI would have liaised with their colleagues in Interpol to pursue these kinds of international crimes, but now it seems the DHS looks like it's become some kind of global version of the FBI?! ... I hadn't realised the scope of the DHS had become so wide.
DHS was cobbled together out of I don't know how many other existing departments with no real authority to rationalize their structure to their purported function. They're sort of a Consolidated Amalgamated Conglomerated mega-LLC, Inc. beastie.
What exactly is the global angle here?
DHS are in the US, the FBI is in the US. How does this have anything to do with any other country?
The Department of Homeland Security is kind of like the umbrella organization.
The other orgs still exist, but they are supposed to make sure the dots are connected and that the various pieces talk to each other.
The global angle.
Presumably that has to do with organized crime based in other countries.
The crime is committed in one country and the proceeds end up in another.
Think the Nigerian scams for a good example.
20 years should help
20 years in prison should help their education.
PinSentry fundamental flaw
A poster recommended: "Barclays style code from the card/PIN readers". Unfortunately there is a fundamental flaw (not technical) with the use of these. I can't say more publicly.