bloomberg on supermicro: sky is falling

David Hubbard dhubbard at dino.hostasaurus.com
Wed Oct 10 14:58:08 UTC 2018


They actually profit from fraud; and my theory is that that's why issuers have mostly ceased allowing consumers to generate one time use card numbers via portal or app, even though they claim it's simply because "you're not responsible for fraud."  When a stolen credit card is used, the consumer disputes the resulting fraudulent charges.  The dispute makes it to the merchant account issuer, who then takes back the money their merchant had collected, and generally adds insult to injury by charging the merchant a chargeback fee for having to deal with the issue (Amex is notable for not doing this).  The fee is often as high as $20, so the merchant loses whatever merchandise or service they sold, loses the money, and pays the merchant account bank a fee on top of that.

Regarding CVV; PCI permits it being stored 'temporarily', but with specific conditions on how that are far more restrictive than the card number.  Suffice it to say, it should not be possible for an intrusion to obtain it, and we know how that goes....

These days javascript being inserted on the payment page of a compromised site, to steal the card in real time, is becoming a more common occurrence than actually breaching an application or database.  Websites have so much third party garbage loaded into them now, analytics, social media, PPC ads, etc. that it's nearly impossible to know what should or shouldn't be present, or if a given block of JS is sending the submitted card in parallel to some other entity.  There's technologies like subresource integrity to ensure the correct code is served by a given page, but that doesn't stop someone from replacing the page, etc.



On 10/10/18, 10:41 AM, "NANOG on behalf of Naslund, Steve" <nanog-bounces at nanog.org on behalf of SNaslund at medline.com> wrote:

    Yet this data gets compromised again and again, and I know for a fact that the CVV was compromised in at least four cases I personally am aware of.  As long as the processors are getting the money, do you really think they are going to kick out someone like Macy's or Home Depot?  After all, it is really only an inconvenience to you and neither of them care much about that.
    
    Steve
    
    
    
    >It's been a while since I've had to professionally worry about this,
    >but as I recall, compliance with PCI [Payment Card Industry] Data
    >Security Standards prohibit EVER storing the CVV.  Companies which
    >do may find themselves banned from being able to process card
    >payments if they're found out (which is unlikely).
    >	- Brian
    
    



More information about the NANOG mailing list