Doctor Olds (Premium, VIP, join: 2001-04-19) | reply to pcdebb
Re: Authorize.Net should be investigated for being involved
MGD covers this well in the last portion of this topic: »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto
Here are the detailed snippets.
said by MGD: If they were able to process fraud charges against these cards with only those two pieces of data, then there is another huge security hole that needs some focus. We do know for certain that this syndicate mandates that all the fraudulent site merchant accounts are set up using Authorize.net / Cybersource as a gateway provider. It has been assumed from the beginning that the reason was the lack of adequate vetting and minimal standards. However, not considered before was that they may have the ability to bypass or hack (AVS) Address Verification System or CVV2 requirements of card not present transactions.
then
said by MGD: Of course from the earliest days we knew that all the fraud operation sites had one thing in common, they were using Authorize.net as a merchant gateway. Subsequent communication intercepts revealed that the crime syndicate mandated that the recruited cyber-mules only use banks that were affiliated with authorize.net. Using authorize.net was an absolute requirement. It became obvious that the vetting and operational system facilitated the fraud.
I now see cases where the merchant account configuration, though it has (AVS) verification toggled on, has the reject on invalid zip to street address turned OFF. So essentially, though it may be checking it, invalid entries are still processed. Worse yet, CVV2 validation is also turned off. Now I am not even sure what the requirements are for a CNP card not present transaction using that system, besides having a valid card number and expiration date. The criminals have full access to that merchant account control panel, and I assume they can toggle any setting on or off regardless of the original configuration. It has always bothered me, and I have been unable to explain why all fraud charges to Debit cards show up on the line item statements as a POS (Point of Sale) transaction. I do not know if that is generic to all CNP Debit transactions or unique to this criminal enterprise.
-- What's the point of owning a supercar if you can't scare yourself stupid from time to time?
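A defender-side check for the condition quoted above (AVS checked but not enforced, CVV2 validation off), as an added example that is not part of the original posts: it scans a transaction export for charges that were approved without a full AVS match or a CVV2 match and tallies them per merchant account. The CSV column names, merchant ids and sample rows are constructed, and the single-letter AVS/CVV result codes are assumed to be the ones the export carries.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names and merchant ids are hypothetical.
SAMPLE_CSV = """\
txn_id,merchant_id,status,avs_code,cvv_code
1001,M-A,approved,Y,M
1002,M-A,approved,N,P
1003,M-A,declined,N,N
1004,M-B,approved,A,M
1005,M-A,approved,N,
1006,M-A,approved,Z,N
"""

# Assumed result codes: X/Y = street address and postal code both matched,
# M = card code matched. Anything else is a partial match, mismatch or "not checked".
AVS_FULL_MATCH = {"X", "Y"}
CVV_MATCH = "M"

def load(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def weak_approvals(rows):
    """Yield (txn_id, merchant_id, reasons) for approved charges that
    went through without a full AVS match or without a CVV2 match."""
    for row in rows:
        if row["status"] != "approved":
            continue  # a decline means the filter did its job
        reasons = []
        if row["avs_code"] not in AVS_FULL_MATCH:
            reasons.append("avs:" + (row["avs_code"] or "none"))
        if row["cvv_code"] != CVV_MATCH:
            reasons.append("cvv:" + (row["cvv_code"] or "none"))
        if reasons:
            yield row["txn_id"], row["merchant_id"], reasons

def enforcement_gaps(rows):
    """Per merchant account, count approvals showing each check was not enforced."""
    gaps = defaultdict(lambda: {"avs": 0, "cvv": 0})
    for _txn, merchant, reasons in weak_approvals(rows):
        for reason in reasons:
            gaps[merchant][reason.split(":")[0]] += 1
    return dict(gaps)

if __name__ == "__main__":
    for merchant, counts in enforcement_gaps(load(SAMPLE_CSV)).items():
        print(merchant, counts)
```

A merchant account with a non-zero count has a check that runs but does not reject, which is the configuration the quoted post describes.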