Most of what he says is obvious stuff and the emphasis he puts on how much he modifies stuff makes me assume he's someone that just runs programs and doesn't have any unique insight, but he does make one interesting point:
> Try to use "Verified-By-Visa" and "Mastercard-Securecode" as rarely as possible. If only your CVV2 code is getting sniffed, you are not liable for any damage, because the code is physically printed and could have been stolen while you paid with your card at a store. Same applies if someone cloned your CC reading the magnetic stripe or sniffing RFID. Only losing your VBV or MCSC password can cause serious trouble.
Does anyone know if this (using Verified-by-Visa or Mastercard-Securecode removes any payment protection if you get key-logged etc.) is correct?
As someone in the financial payment industry, let me shed some light on it. 3DSecure (the generic name) when used, generally prevents the user from issuing chargebacks, even in the case of fraud. It's a Terms & Conditions change basically for that purchase. Since your credentials can be hijacked at your web browser level, it is possible to give up your credentials AND give up your ability to remediate the issue later.
If you are purchasing stuff online, I advise using a credit card and CVV. Federal law (in the US) limits your damages to $50 total in the event of Fraud. (Not true of debit cards, or 3DSecure).
Although the mandatory sign-up for VBV on Newegg is old news (~3 years ago now?), any time you get a "you are now being redirected to your credit card's website for a mandatory additional agreement," that should be a huge red flag.
You can cancel the "mandatory" VBV page by pressing the back button. At first, the VBV page did have a tiny link that let you opt-out, but it disappeared some time in 2009.
I was quite surprised when I had finally given up and was ready to empty the Newegg shopping cart, only to find the order was accepted when I used the back button to escape VBV.
Does this mean I have more than $50 fraud liability if something goes south with my Newegg purchase? If so, this is a real reason not to risk doing business with them.
Kind of sad, the last time I built a PC I had to have the hardware within 2 days. Newegg said the order went through and then the next day I got an e-mail to call and verify my order. I cancelled the order, found everything on Amazon for the same price and had it shipped overnight.
I don't know how many times now I've gone to an e-commerce site and the stupid Mastercard-Securecode has popped up, or my order has been frozen for verification -- and I immediately go straight to Amazon. Perhaps the real beneficiary here is Amazon. They know my order history and they know when I order a $4000 TV to an address I've been shipping $X amount of stuff to without incident.
I've also shifted all my business from newegg to amazon for that reason and also this one: newegg's packing is horrible. What am I supposed to do with an enormous pile of packing peanuts from the box that's three times larger than it needs to be? If you want to collapse the box, good luck pouring all those peanuts into a garbage bag without getting them everywhere. And if you don't have access to a dumpster, you get to waste a ton of space in your garbage can.
With amazon, you get to stab the air bubbles with a knife and wad them up.
Same thing happened to me. On a whim, I wanted a very specific poster. I went to order it from the first place I found it and then had trouble on the order entry. After 10 minutes of frustration I decided to check Amazon, and found it cheaper and with free shipping, as I'm on Prime. Amazon really is the Walmart of the web. My last Newegg purchase was split as many of the pieces were cheaper on Amazon, and I have more trust in them.
Nothing. This 'feature' is entirely designed to reduce the banks' liability. It shifts the onus of security onto you (from the banks and the merchants).
It sounds like in principle it might also reduce fraud overall. Thus, maybe 80% of the fraud goes away and 20% remains, but that liability is shifted to the consumer rather than the bank (who otherwise passes it to the merchant anyway). If the merchant has reduced fraud liability, they may be able to offer lower prices. So, in principle there might be a long-term win for the consumer. In practice, who knows.
I think the idea of a PIN at checkout is a good one to reduce fraud. However, this is more work for the consumer, and reduces the bank's liability. Most consumers would probably prefer this, as it makes their card more secure and reduces the possibility of fraud hassles, which are annoying regardless of liability. Having something that is more work for the consumer, and could save the bank money, switch the liability to the consumer is just obnoxious.
There is now Chip and pin fraud. With chip and pin the liability is now on the consumer to prove it wasn't their transaction. Customers have had to take the banks to court in the UK to get fraud losses removed. In these cases it has been proven that Chip and pin is infallible. Same applies online with 3-D secure.
> I think the idea of a pin at checkout is a good one to reduce fraud.
For in-person transactions, merchants can check your signature against the one on the card or alternatively ask to see a photo ID. The process is there, though it's hardly ever done.
Given the fact that your signature is on the card, this seems rather ineffective. Approximate signatures are easy to forge and no merchant will deny a transaction based on a different signature.
In fact, that is not the purpose of your signature. The purpose is that you are signing a contract and agreeing to pay. It has nothing to do with security or fraud and merchants are not supposed to check signature matches - only that you signed.
A smiley face is a valid signature, as long as it is you and you agree to the credit card contract.
Actually, signing the receipt has everything to do with fraud. If you use a credit card in a transaction you are required to pay regardless of whether you sign an agreement saying so. The difference is, if the merchant does not collect your signature, they are liable for any chargebacks AKA reports of fraud whereas the bank would be if the merchant did collect the signature. [1][2]
My point in bringing up the signature line on the back of the card is that, while it might not meet your personal standard of effectiveness, it is an example of "a pin at checkout is a good one to reduce fraud. However it is more work for the consumer, and reduces the bank's liability."
Signature verification is an old-fashioned, and perhaps imperfect, but nonetheless established method of security.
If you have ever used traveler's checks, you will know that they also use signature-matching as the method of security/verification.
Because if you did not sign, there is no written contract for that transaction, so there is far less of a case that the charge is valid. Regardless of what the signature looks like, you are liable if it was you (or someone you authorized) who signed and you are not liable otherwise. You are even liable if you charged for the transaction but did not sign - there is just no written, signed contract, so you are presumed not to have agreed to the charge.
None of the above is legal advice as IANAL, however I do believe it is correct.
Do you really think a merchant can verify those electronic scribbles on a tiny, crappy pen input device? No. Any mark made by you with the intent to sign is a legal signature.
None really. A) Fraud liability effectively shifts to you, versus the often waived $50 limit, and B) it interjects an authorisation from your issuing bank into the checkout process oftentimes screwing it up.
VBV (or 3D secure as it is called today) is part of a move by the credit card companies and the banks to push the risk to the most vulnerable party, the consumer.
The idea is that this absolutely crack proof scheme requires you to authenticate yourself to your bank in a fairly complex three way handshake.
In the old (read pre-VBV) days the card companies and issuing banks would saddle the merchants with any charges that were disputed using the chargeback mechanism.
Verified-by-Visa removes this safeguard by adding an additional layer of authentication which supposedly has the same strength as you being on-premise and signing on the dotted line to authorize your purchase. This will effectively remove a lot of the excuses that you might have had such as 'it wasn't me', 'I wasn't there' and 'I never meant to buy this', which were the most common excuses consumers would come up with after using a service for anywhere up to 6 months and then yanking back all 6 months worth of payments and saddling the merchants with the loss of income, pay-outs to affiliates already made and additional charge-back fees on top of that.
So even if the goal was a fairly noble one it looks as though the whole idea is predicated on one tiny little detail, which is that VBV is supposedly hack-proof, but in fact this is highly dependent on both your bank and the security of their implementation. Neither of those are as ironclad as they should be to remove all doubt.
But of course the banks/card companies are not willing to end up holding the bag if there is trouble so it falls to the consumer to prove that they really were not involved in the transaction and that is very hard.
On the positive side in this whole debate: Even if a consumer is defrauded there is always someone who benefits and following the money usually leads to the perp. That's why it is hard to order stuff online with credit cards that were not issued in the country that the person using them is from, that's why it is hard to spend your money on three different continents with the same credit card within a single day and so on.
Lots and lots of money goes into early warning fraud detection (before the fraud happens) and this nips a very large percentage of potential fraud in the bud.
Something very strange I noticed with Verified by Visa and with Mastercard Secure Code is that both sometimes forget that you have already enrolled and make you re-enroll (i.e., answer their weak "security questions", like date of birth, and then choose a password).
It happened once with Verified by Visa and twice with Mastercard Secure Code so far. (No, my card numbers had not changed.)
These systems can't be trusted to even reliably remember my previous password.
When a website asks me to use one of these, and I don't want to, how do I decline but still make the purchase? It always seems like my options are take-it-and-like-it or don't complete the transaction. Is there a third option?
I've had certain websites require VbV for purchases. I can only assume the transaction fees are lower for such transactions, or they got some kind of other deal from their merchant bank.
The worst part is the information required for the "I forgot my password" process is often not terribly hard to get hold of (date of birth, that kind of thing).
The best option at this stage is probably to have a "normal" credit card for everyday use which is specifically NOT VbV enabled, and a special VbV credit card that you keep at home for internet purchases from companies that require it. Or just don't buy from those companies.
> I've had certain websites require VbV for purchases. I can only assume the transaction fees are lower for such transactions, or they got some kind of other deal from their merchant bank.
Transaction fees are not the problem; putting a stop to consumer fraud and charge-backs is the net win for the merchant.
In Canada it pops up a browser window that prompts for various personal information and its URL points at ... drumroll ... https://secureserver.net. If that's not by the book appearance of a phishing site, I don't know what is.
I was very suspicious of that the first time I was subjected to Verified by Visa.
The other thing that infuriated me about Verified by Visa is that when you are forced to sign up for it, it thanks you for choosing to sign up. The only choice I had was to sign up or not make the transaction!
I really wouldn't be surprised. The security group at my university do a lot of stuff on banking security, and from what I've heard, this was one of the main reasons behind the switch to chip-and-PIN in the UK --- the user is now liable when his card gets stolen and used.
And, from many years of personal experience, quite a lot of people don't treat their card and PIN securely. This might be in the form of (and these are genuine examples):
1. Writing the PIN on a post-it note and sticking it to the back of the card.
2. Writing the PIN on some paper and keeping it in the same place the card is kept.
3. Giving the card to someone else (partner, kids, relatives, etc.), along with the PIN, to run an errand for them.
4. Saying the PIN out loud as they type it in.
5. Asking the customer assistant/whoever is dealing with the transaction to enter the PIN for them.
Chip&Pin, while claiming to be more secure, enabled and made convenient basic forms of fraud, such as that in points 3 and 5.
I'd actually argue that the shifting of liability from the card issuer/merchant to the card holder/customer in the UK is a direct consequence of C&P allowing careless people to be more lax with the security of their card.
The worst thing is the chip+pin machines that do not have any shield to hide you punching the pin in, and then to just add insult to injury, they're the kind of buttons that you have to forcefully press with all your might to get them to register. So it's blatantly obvious to anyone taking notice which buttons you pressed.
Richard Clayton (etc) have lots of interesting stuff about bank security (and the lack of) - they've attacked chip and pin, which means that if someone does manage to defraud the card the owner might have some chance of getting the cash back.
I've only used VbV once or twice, years ago. Do they still use iframes? I've never understood why they try to make the site more "secure" by using these services, but then use an iframe so the average user can't easily confirm if the login screen is legit or not.
In the UK I see it occasionally. Oddly enough it's mainly when I order food online.
It really peeves me that they are training people to accept entering sensitive information into something it would be so very easy to fake. There's nothing to prove that it is actually what it says it is.
On top of that, if you forget your phrase, the security question (the usual researchable ones) and answer sequence happens within the iframe without recourse to any external site or emails.
As other comments have said, none of this is for the customers' benefit.
At least for Mastercard this is true: as per my bank's ToS I have to take care that nobody gains access to my 'securecode' and I am liable for any unauthorized charges. (Because the 'securecode' is supposed to guarantee that it is me who is using the card.)
Somewhere in the thread he says that he started coding around Operation Payback. That is December 2010. I would assume that either he is truly a genius or that his abilities to program properly are limited.
I very much enjoyed the reading of his comments - I pulled a few of his that others may find interesting.
[polymorphism code - to hide virus signature]
Randomness is your friend, make your own crypter and make it so fucking random on every compile, that AV reverse engineers kill themselves (HINT: randomize the crypter's sourcecode using perl scripts)
[polymorphism code - to hide virus signature]
I started coding about a year ago, hacking old malware sourcecodes and reading russian boards. Most botnet operators are dumb as fuck, who don't even care about their traces, the ones you see on TV, caught by Microsoft and Brian Krebs. If you have more knowledge you can automate nearly everything, like creating scripts that rewrite your sourcecode for your crypters so your malware gets undetected again, saving you hard work.
[finding infections on a computer]
Use GMER (http://www.gmer.net/) every now and then when your spider sense is tingling. Seriously, you can't fool GMER, it scans from the deepest possible point in your system, at ring0 and is impossible to fool, there is nothing deeper than ring0 on a usual PC where malware can hide stuff from. I always wondered why other AV vendors don't do it like GMER, it can detect all rootkits. But when an AV can detect everything, who will pay $30 a year for signature updates...
The statement about GMER is not true. I've seen GMER miss MANY rootkits/etc. As far as catching and removing rootkits that most other AVs tend to miss, I've had by far the most success with ComboFix (which includes a GMER scan). Nothing will catch 0day rootkits 100% of the time; once a system is compromised it's best to format and start from scratch (or restore from backup if you're positive it's clean, but make sure you replace the MBR too). There's just no other way to be completely certain. I lost track of the times that I thought I got everything on a Windows machine, then googled for something like Malwarebytes as a test only to be redirected.
He seems to think of himself as very skilled because most other people in his field can't program. While he certainly is pretty good at what he does, it is scary to think what somebody with real knowledge could do.
Let's play 33 bits on this guy, my guess is that he's German, Austrian or Swiss based on the settings for his IRC client, that should knock about 6 bits off, 27 to go.
Oh, I was doing that while reading the AMA. The giveaway is being the 4th customer of a bank that provides HBCI:
> My bank had around 20,000 customers using smsTAN and 3 (I was the 4th lol) using HBCI.
He is German, of college age and an early customer at one of 2 or 3 banks that provide HBCI. Consider him nailed.
I also bet he has published security related work under his real name at some point, especially since he has been applying for jobs. Most people in the security industry applying for legit work who don't have qualifications pad out their resumes with online research (or speaking at conferences, etc.).
This is fallacious. Anyone can register for an account. Knowing someone is on HN only gives enough information that said person is in the 'HN demographic'. Just because he happened to register for an account, vs someone similar who didn't, does not give us the amount of entropy removal you implied.
> Even if 90% of those 7,200 were mined by botnets, and 100% of those mined were sold, that would represent well under 10% of the daily trading volume.
Polish nationals studying engineering in Germany should narrow it down quite a bit.
Edit: definitely not a Pole. Likely in former Eastern Germany though (lots of people there have a working knowledge of Russian / Polish, people from the Western parts not so much).
Universities in former Eastern Germany with an engineering department?
He is very familiar with the differences between C, C++ and C#. Are there any Germans that can comment on what kind of student would have that knowledge? I thought that advanced engineering degrees in Germany are too academic for students to be familiar with the intimate details of programming, but I might be wrong.
User: rawrr69, on Reddit: "His writing style, long and nested sentences and use of commas are another hint. Plus he likes to laugh about and feel superior to other people and rectify their "mistakes" - 100% definitely German."
> Plus he likes to laugh about and feel superior to other people and rectify their "mistakes" - 100% definitely German.
Well, as a German, I'd like to point out that this might have something to do with the fact that he is kind of an asshole. There are nice and well-mannered people here too.
"Protip against driveby infections (the ones in the browsers): Disable addons in your browser and only activate the ones you need. Chromium and Chrome for example let you disable all additional content like flash, html5, pdf and java in the options, you will see a grey box instead of the content and can manually run it using right-click -> Run. Chrome options -> Content options -> Plug-Ins -> Disable all or Click-to-play. Chrome also allows you to whitelist sites you trust, like youtube. This will make you immune to driveby infections regardless of the version of your java or adobe reader, because you will only be able to click and run content that is VISIBLE on the site. Malicious content is ALWAYS hidden in a 0pixel iframe! This also stops the nasty flash advertisements implying you can't aim precisely enough to win an iPad3."
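A defender-side check for the pattern the quoted protip describes (iframes a page hides from the user, zero-pixel or otherwise), as an added example that is not from the thread or the AMA. It scans raw HTML text with regular expressions rather than a live DOM, and the sample page and its URLs are constructed for the example.

```javascript
// Heuristic: an <iframe> the visitor cannot see (0x0, display:none,
// visibility:hidden, opacity:0) deserves a closer look in page audits.
// Assumption: this is a string scan of fetched HTML, not a DOM walk, so
// sizes set by external stylesheets or scripts are not seen.

// Constructed sample: two visible frames, three hidden in different ways.
const SAMPLE_HTML = `
<html><body>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://example.invalid/hidden.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://example.invalid/h2.html" style="width:0px; height:0px; display:none"></iframe>
<iframe src='http://example.invalid/h3.html' style="visibility:hidden"></iframe>
<iframe src="https://www.example.com/chat" style="width: 300px; height:200px"></iframe>
</body></html>`;

// Parse the attribute list of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// "0", "0px" and "0%" all count as a zero dimension; undefined does not.
function isZeroSize(value) {
  if (value === undefined) return false;
  const n = parseFloat(value);
  return !Number.isNaN(n) && n <= 0;
}

// Reasons from an inline style declaration list, e.g. "width:0px; display:none".
function styleReasons(style) {
  const reasons = [];
  if (!style) return reasons;
  for (const decl of style.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim().toLowerCase();
    if (prop === 'display' && val === 'none') reasons.push('style display:none');
    else if (prop === 'visibility' && val === 'hidden') reasons.push('style visibility:hidden');
    else if (prop === 'opacity' && parseFloat(val) === 0) reasons.push('style opacity:0');
    else if ((prop === 'width' || prop === 'height') && isZeroSize(val)) {
      reasons.push(`style ${prop}:${val}`);
    }
  }
  return reasons;
}

// Return every iframe in the HTML that is hidden, with the reasons why.
function findHiddenIframes(html) {
  const iframeRe = /<iframe\b([^>]*)>/gi;
  const hits = [];
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const reasons = [];
    for (const dim of ['width', 'height']) {
      if (isZeroSize(attrs[dim])) reasons.push(`attribute ${dim}="${attrs[dim]}"`);
    }
    reasons.push(...styleReasons(attrs.style));
    if (reasons.length > 0) hits.push({ src: attrs.src ?? '(no src)', reasons });
  }
  return hits;
}

// Stand-alone run: list the hidden frames found in the constructed sample.
for (const hit of findHiddenIframes(SAMPLE_HTML)) {
  console.log(`${hit.src}: ${hit.reasons.join(', ')}`);
}
```

A hit is a prompt for review, not proof of malice: legitimate pages use invisible frames too, so the check belongs in an audit or alerting pipeline rather than a blocker.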
This is one thing I've been trying to convince people to do for ages but, for some reason, that one extra click turns so many people off. The extra minute or two I probably spend a day clicking on plugins to activate them will pale in comparison to how much time I'll have to spend recovering from being infected.
I've actually stopped using Firefox because it re-enables plugins that I've disabled (maybe it's more accurate to say it allows 3rd-party software updates to re-enable them).
$40 per day is weak. Less than California minimum wage. And the risks are considerable. Reminds me of the work of Sudhir Venkatesh, who found that the average wage for a drug dealing grunt is about $3.30/hr - not far from what we're seeing here, though at least a bot herder doesn't risk being shot. He is right that this thing has no future for him.
Also, why not mine litecoins (CPUs are good at doing that, so no drivers needed and he can mine bitcoins at the same time) and sell them for bitcoins? They are worth enough that his profits would go up noticeably.
I don't understand how these people sleep at night. The whole notion "I didn't make the game, I just play the ball" is just hilarious.
Furthermore those guys don't understand that eventually they're hurting the web. All that will bring stricter legislation and governments will start enforcing rules like IP identification for just about anyone out there.
I can understand organized crime exploiting cyberspace. But for individuals it's just plain stupid.
They are just like petty criminals in real life; you've seen what surveillance and legislation do in real life... virtually nothing. The smarter ones go into the cracks and the shadows (Tor), which just leaves us folk being monitored for no reason, but we're okay with it because "it's helping to stop crime".
There is also the addition that you are just interacting with a computer, a keyboard, a mouse and a screen. I bet if you asked this guy if he would go out and mug someone he'd say no, because he'd be face to face with the person... he'd see the upset and pain he's caused.
Not saying it's right, but there is certainly a bit of psychology involved here, gaining from the computer doesn't seem like a crime to those not in charge of their own compass.
This is a big part of a lot of the talks I give about my criminal past. It's not like you wake up one day and decide to start committing fraud. It's a gradual, slippery slope. Humans can, will, and need to rationalize everything they do. As you slide down the slope the rationalization becomes, well, less rational. But you don't see it that way. If you did you wouldn't be able to do it.
It was quite interesting to me how he rationalised his behaviour; Yes, it's a bad thing to do, but at the same time the world is full of bad actors, unscrupulous politicians and out of control corrupt financial institutions, so really I'm just acting in accordance with the established order.
I think people don't consider how the blatant and endemic corruption in society affects the moral codes of ordinary people very often, but this is a good case in point.
Yea, the world is a weird place. Seeing a lot of angry ethical reactions on Reddit, I can't help but think: on one side, there are people like this guy in the comments who left marketing a health product due to false claims, or me refusing to code for certain clients based on "personal" ethical judgments, and on the other side there are these "crackers" who steal the credit cards of random people and who even hate them.
One thing I want to believe: you can't build a future on crime. Or can you?
It sounds like you're considering a life of crime. Probably thinking about how you could be like that botnet guy on Reddit. Getting money without working is a nice thought, after all.
You know, the "ethical reactions" stem from that guy doing evil things. He knows he's being evil but doesn't care. Some people find that appalling.
For him, it's just an easy way to make money, and the fact that he produces no value to society at large is irrelevant. He even gets to work on challenging problems!
In fact, what he's doing is quite similar to working for the financial industry, doing HFT or whatever. It's clearly wrong, and clearly harmful to mankind, but it's easy money, so ethics are thrown out the window.
It is generally easier to make money by scamming/abusing people than by doing something valuable. That doesn't mean you should.
The thing that most people don't realize is that it isn't as easy as most people think or how he makes it sound. It's very similar to building a passive income product. You invest a lot of work up front for an "easy" payout later.
It may only take him an hour or two a day to manage the network but I doubt that's all the time he spends on it. From reading the AMA and my own personal experience I bet this guy spends much of his time researching tools, improving his code, testing AV software, and browsing / contributing to "industry" forums. This isn't even taking into account the time he spent upfront before it made him any money.
It may be something he enjoys but it's not as easy as clicking a few buttons every day and watching the money pile up. It's sad to think that all this time could be spent building a legitimate product instead of something like this.
Do you think anyone in a governmental capacity will take this Reddit and start an investigation? I'd like to think so, but sadly doubt it. There might be a couple of vigilante efforts though.
Your point is well served without the analogy of HFT and the financial industry being added. Matter of fact, I assume that it will likely be met with discussion that shifts the focus onto those examples, which are irrelevant to the greater topic at hand.
There have been several in depth discussions and posts on both hacker news and reddit which comprehensively make the case for both.
I work in the financial industry and I'm very convinced that my work is not harmful by any stretch of the imagination.
In the past I've left well paid positions out of moral issues, in different industries. For instance, when my algorithms were getting patented, or I was increasingly made to work in .NET.
People have different views. However, stealing CCs and massively screwing over random people... you cannot possibly put that in the same breath.
> I work in the financial industry and I'm very convinced that my work is not harmful by any stretch of the imagination.
Well duh? Of course you are. It's you working for the financial industry, after all.
We could debate this all day without getting anywhere. It's easy for you to blow smoke up everyone's ass, pretending your work is beneficial because it provides "liquidity" or whatever. You can confuse us laymen with fancy terms we don't understand.
I know these sites. They're rather juvenile but sometimes there's stuff of real value there. There are crooks in finance, and everywhere else, which doesn't mean "finance is bad" by definition.
> You work for an industry whose raison d'être is making money with money. This is vastly different from producing something of value.
There is nothing bad about making money from financial services. If you stretch it a bit, you can call it "making money with money" the same as you can argue that the sole reason for any imaginable job is making money. It's not.
We're already well on our way to getting nowhere with this.
> Not-so-obviously, if I had qualms about my job I wouldn't be doing it. Some people are for sale, I'm not.
So participating in the financial industry driving the Western world's economy off a cliff is fine, but having to work with .NET is where you draw the line?
> I know these sites. They're rather juvenile
These sites discuss (the economic) Reality, and what's going on in it. Trying to discredit them is logical, of course, for someone working for the financial industry.
Here's someone with a more somber take on things, in case it helps: http://globaleconomicanalysis.blogspot.com/ - he's on the same page with the aforementioned two, though.
> There is nothing bad about making money from financial services.
No? Well, what good is there about it? How does it benefit the real economy, where people use their time and skills to produce something of value, which they then exchange for goods and services as necessary?
What is it that grounds the financial industry into the real economy? In other words, in what ways is it not about making money with money?
> If you stretch it a bit, you can call it "making money with money" the same as you can argue that the sole reason for any imaginable job is making money. It's not.
Huh? A job is an arrangement where an employer pays someone a salary in exchange for using his time/skills in a way that benefits the employer (in a monetary sense, ultimately).
For both parties involved, it is about making money. Otherwise we're talking about some kind of charitable operation.
I consider my job not only not to be bad, but GOOD for society. My job helps make a level playing field and removes the need for extra people working on trying to scalp away from market fluctuations.
I consider my job to be good in the sense that the alternative would be worse. Quite like a free market, I consider it to be good because it's the MUCH better alternative to a CAPTIVE market. Because that's in fact the only alternative. Some manipulative politicians trying to justify their job would tell you the alternative is a "regulated market" - it honestly is not about more or less regulation, it's about better or worse regulation. The freest market is not the least nor the most regulated, it's the best regulated.
> These sites discuss (the economic) Reality, and what's going on in it. Trying to discredit them is logical, of course, for someone working for the financial industry.
You've very conveniently cherry-picked my criticism about them. I like these sites and they're rather good. However, their style is indeed juvenile. That's the way they're redacted, the public they cater to the most and very likely the personality of the main contributors.
They also seem to be quite libertarian-leaning. Like myself. Which is totally besides the point, anyway.
> For both parties involved, it is about making money. Otherwise we're talking about some kind of charitable operation.
But you're missing the point that it's not ONLY about that. Thankfully, most of us don't work just for mere subsistence and are in the position to choose one job over another based on more than pay.
This point is related to the post because I'd actually take this job over most other jobs taking a significant pay cut. I've worked in telecom, microchip design, even videogames, and this is my favourite job so far. I'd take it over any of my previous jobs on equal pay and they weren't bad jobs for the most part. I'd even take a pay cut. That's how much I like my job and how positive for society I think it is. My sister is a doctor, I think my job is more positive for society than even that, it affects way more people.
Funny fact. A lot of people in finance seem to believe that they are making things more efficient and removing people. And yet the finance industry as a whole continues to grow rapidly relative to the rest of the economy. Also their share of profits relative to companies in the "real" economy is at historic highs.
I submit that you're doing the exact opposite of what you think you are. When you make financial manipulation require fewer highly paid people, you increase profit margins. The primary effect of this is to increase the volume of such activity.
Oh, absolutely. However what the software industry enables more of is often stuff that I think is good.
For instance I have 2 contracts right now. One will help people find a college program that they want, and the other will help people find a job that they want. These are causes whose value proposition is pretty clear to me. I don't need to justify my work on the basis of, "I'm getting rid of people who do what I do." Rather I can say, "I'm helping good things happen for people."
Thus I don't see a problem in the fact that my successes create more demand for people like me.
On the one hand, I'm helping people preserve their pension funds by detecting risky situations early. These people don't want highly speculative markets or high profits, they don't want their savings protected from the money printing machine among other things.
I'm also helping producers decide what they should be doing next, to meet demand and so people don't suffer shortages. I don't work for a bucket shop or a commodity hoarding fund. I help supply meet demand and more people have their needs met and better met than otherwise thanks to people like me. There would be a lot more poverty in the world without this industry. In fact, there was a lot more poverty in the world as a direct result of the lack of this level of commerce in the past. It's not our duty to stop the poorest regions of the world from over-breeding, though, which is the main reason for poverty nowadays (including pockets of poverty in wealthy nations).
> I consider my job not only not to be bad, but GOOD for society.
Really now? Wow. Wasn't expecting that. Tell me, again, how exactly is it good for society?
> My job helps making a level field and removes the need of extra people working in trying to scalp away from market fluctuations.
This smells like a rationalization of HFT. Is that what you do? It is quite popular among the HN folks after all.
> I consider my job to be good in the sense that the alternative to be worse.
That's quite an achievement in the art of Rationalization. In a similar vein, I guess shooting someone in the head is better than torturing them to death.
> Quite like a free market I consider it to be good, because it's the MUCH better alternative to a CAPTIVE market.
Umm.. so your job's goodness is comparable to a free market being good by way of being better than a captive one? Care to elaborate?
> Because that's in fact the only alternative.
A captive market is the only alternative to a free market.. or your job? What's the point here?
> The freest market is not the least nor the most regulated, it's the best regulated.
This seems to make sense, but how is it related to what you do?
> You've very conveniently cherry-picked my criticism about them.
Well, your only criticism of those sites was that they're "rather juvenile", which didn't leave much room for cherry-picking. But of course, "cherry-picking" is a common accusation on HN.
> That's the way they're redacted, the public they cater to the most and very likely the personality of the main contributors.
Redacted how?
> But you're missing the point that it's not ONLY about that.
Actually, I didn't miss that detail in what you said. I just wanted to see if you'd "go there". You didn't disappoint.
You see, a job not being only about money is just as blindingly obvious as the fact that not every single goddamn black guy is a better dancer than your average white guy.
> This point is related to the post because I'd actually take this job over most other jobs taking a significant pay cut.
Glad you cleared that up, I was starting to wonder. But what else would you say, especially at this point? Of course you're going to make that claim, because for you, this has been all about rationalizing what you do right from the start.
> My sister is a doctor, I think my job is more positive for society than even that, it affects way more people.
That's quite an audacious load of bullshit right there.
Yes, your job has far-reaching potential consequences, including - but not limited to - collapsing economies and countries along with them, causing massive loss of wealth for us little folks, social unrest, chaos on the streets, people killing each other for food, power-grabs by totalitarian forces, and so on.
Before you start foaming at the mouth, note the word "potential" there.
I'm pretty sure that just by having done that IAmA alone, that guy has already done greater good to humanity than 99% of all human beings on this planet ever will.
Questioning his subjective opinions on morals sounds a bit of a waste of energy after this.
> I'm pretty sure that just by having done that IAmA alone, that guy has already done greater good to humanity than 99% of all human beings on this planet ever will.
Can you explain? I really don't understand. Because it's making people more security-conscious or something?
Magnetic stripes are the most hilarious thing ever, but still work almost everywhere on the globe.
I am amazed that magnetic stripes are still the norm for credit cards in the US. Europe has managed to move all but completely to chip-based cards, but the US hasn't.
Does the cost of fraud due to magnetic stripes outweigh the cost to upgrade the entire US system, or is the market just too fragmented to coordinate such a transition?
Credit card fraud is actually a fairly small problem in the US. Wikipedia tells me that the total cost of fraud is 0.07% of the transaction value. And I suspect (without evidence) that the bulk of this is made up of remote purchases, not swiped activity.
Really, the chip things are an example of security theater. Yes, they're more "secure" in the sense of being harder to defeat. No, they're probably not actually worth it in terms of the cost of upgrading all the infrastructure.
A serious upgrade would need to look at things like two factor authentication, c.f. Google Wallet, etc...
You're missing the point entirely. I'm not saying that chip & pin has no value. I'm saying that the value it has is finite (i.e. it saves money equal to the amount of fraud it eliminates) and needs to be weighed against the cost of replacing all the card reader infrastructure. And I argue that the fact the US has not upgraded is an existence proof that the upgrade cost[1] outweighs the savings.
[1] Really the amortized upgrade cost. Remember that chips are dinosaur technology already, and have known problems. What's the point of doing an upgrade if you need to dump it all and start over in 6 years anyway?
The fact that the US has not upgraded is not an existence proof, it's simply one piece of supporting evidence. There are other possible reasons why the upgrade hasn't happened even if it makes overall economic sense - perhaps the cost of fraud and the cost of upgrades aren't borne by the same actors; perhaps there's some kind of game theoretic problem like a first mover disadvantage; perhaps the actors aren't acting entirely rationally.
It seems like the upgrade of terminal equipment could be done quite cheaply if it was done as part of the regular cycle of equipment refresh, for example.
"cost of replacing all the card reader infrastructure"
I'm not sure how many PoS are already equipped to deal with chip cards. In the USA/Canada it's hit or miss (most misses), and in Europe it was the standard 10 years ago (but most readers take swipe cards).
Replacing cards is cheap and they can be replaced as they expire.
What would be the upgrade cost for each PoS? $100? Some systems are more integrated than others (like card reader integrated with the register as one device) so this may cost more.
Or maybe it's just a matter of issuing the cards to justify the stores to upgrade.
My previous U.S. card had a chip. The very recent replacement came without one.
So they aren't really moving in the direction of issuing cards with chips. I never actually encountered a situation where I was aware I could use the chip, over 5 years or whatever it was.
It's not fair to just look at it in terms of the cost of fraud vs. profit. Consumers whose CC info is stolen aren't liable for fraudulent charges but it can still be very expensive and time-consuming for them to correct everything, not to mention the effect it can have on a credit score. And obviously, the consumers don't get any say in whether the costs to upgrade the infrastructure are worth it.
> Consumers whose CC info is stolen aren't liable for fraudulent charges
That's only if the credit card company believes or accepts your story.
I once reserved a flight by telephone using a credit card, but at the airport I paid for the flight with cash. Later I found that my credit card was charged for the flight. The airline said that they couldn't find any evidence that I had paid in cash, and even though their policy was to get a signature when paying by credit card, they could not produce my signature. But they still insisted that I had paid by credit card.
I complained to the credit card issuer, but they took the airline's word (United Airlines, by the way) over mine.
It's not enough that charges are fraudulent -- if the merchant is mistaken in their belief (or lying), you are on the hook!
Try to find the value of all swiped CC transactions. Then take 0.07% of that number. I'm guessing you'll be hard pressed to call the result "fairly small".
The whole chip and pin thing is pointless though, my company credit card gets used by plenty of people who don't know the PIN thanks to online/phone purchases, and in the past when I've forgotten a PIN, or just got a new card which I haven't yet received a PIN for, I've had no problem persuading shops to let me swipe them (magnetic strip) and sign for it instead.
Yeah, this has got to be it. Non-US CC info seems much more difficult to acquire, and thus more valuable. And just because Americans are in debt (obviously not all) doesn't mean their credit cards are maxed out.
Unless charge-back means something different to what I think it does, of course you can with a UK card. The terms and conditions may be different, but the usual fraud etc. is covered.
If you have a problem with a purchase made by credit card or via a credit agreement offered by a retailer, you may be protected under section 75 of the Consumer Credit Act. This makes the credit provider jointly liable with the retailer for anything you buy, provided the item costs between £100 and £30,000. ... Purchases made on debit or prepaid cards or chargecards are not covered by section 75. Neither are purchases on credit cards that are worth less than £100 or more than £30,000. However, your card provider may offer chargeback. http://www.guardian.co.uk/money/2012/jan/20/section-75-charg...
Anything under £100 and you might be out of luck.
Take Mastercard's scheme
• The cover applies to Mastercard debit cards, prepaid cards and Maestro cards, and to purchases made on a Mastercard credit card which don't qualify for section 75 cover
• There is a minimum spend of £10 but no upper limit on spending
PS: Subsection (1) does not apply to a claim—
(a) under a non-commercial agreement, ...
(b) so far as the claim relates to any single item to which the supplier has attached a cash price not exceeding £100 or more than £30,000, or
I've had to do it twice so far, never had a problem, and all for purchases (actually, things like London congestion charge fine payments, as well as pizza deliveries etc.) under 100 GBP. The way I see it, the law describes minimums; banks, on the other hand, may want to keep customers.
There's so many legal ways this guy could make just as much money with his skills. I never understood why someone is willing to put his freedom at risk when that is the case.
I guess he's just lazy or thinks he's incapable of making as much as easily legally, maybe he likes the thrill and challenge of it all, maybe he thinks he's invincible and there's zero chance of him getting caught. Either way he's very foolish for continuing to do this especially if he has no endgame in sight.
I have read that in many criminal enterprises it is much like business, where grunts at the bottom have lower income and lots of hours, and most of the risk (exposure). I think this guy is a grunt, probably at the same level of structure as a 2-employee business. When I read through his comments I am struck with the impression that he has passively attempted legit employment that uses the skills he has learned but has not been successful yet. He probably has his initial goals set too high. If he starts at the bottom somewhere, given his supposed skill level he should be promoted quickly. Just need to put in the time. If not patient enough, put that effort into consulting.
Given the real return on his enterprise, I agree with your assessment that he can probably make much more with a real legitimate job and just avoid that risk altogether.
The fact that this guy even posted an AMA shows that it's either entirely fake (doesn't seem it), or he's way too cocky. I suspect some trouble may be coming his way soon. He seems to think that he's infallible and that he won't catch a charge for running a botnet.
From what he says I agree that he seems either stupid or a liar, but I'm not sure about your premise, it's not hard to post an AMA that can't be linked to you.
Every bit of bragging about himself makes it easier to find him. He has disclosed this information so far:
* He tried to apply for a job at Kaspersky during last year. Didn't have enough credentials and still whines about it.
* He hangs out on Anonymous IRC.
* Uses Liberty Reserve.
* Exchanges bitcoins to dollars (periodically I guess).
* May be German-speaking. Understands Russian.
Well, we can suppose all that is transmitted through Tor and he never used any personal emails/old passwords/etc. when signing up there, so that won't help us.
For the average cyber-stalker, that's true. But I'd wager if some government agency actually wanted to track him down (he's probably too low-value of a target), he's revealed more than enough bits of information about his personal life for them to do so.
He is using Tor, which gets a lot of criticism for not being secure but actually defeats Syrian or Chinese governments. If the US can track a hidden service in Tor, they will probably not waste this trump by catching such a small fish.
You don't need to crack Tor for that. Get the list of Germans hanging out on Anonymous IRC. Choose only college students. Remove ones that don't have time to do this stuff due to actually working somewhere. Intersect with HBCI users in banks where there aren't many of those. Remove Mac users and Linux users (he mentions he only uses Windows). Remove families that use credit cards (he mentions his family does not). This would already probably end up in reasonably short list. Now amending this list with various other bits of info he left - such as which sites he frequents, which drinks he prefers, which software he uses, etc. I don't believe it should pose any major challenge for a law enforcement agency, even if part of the info is lies - they are used to legwork and assembling small pieces. But probably with his size nobody would bother unless he does something major (i.e. catching him generates a big press-release) or he just hands himself to law enforcement by doing something stupid like drinking too much and bragging about being elite haxor criminal to a female undercover officer. If he just does it for a year and then stops, he has good chances to get away with it, but not because of mighty Tor, but because the law enforcement would never notice him.
Is something like a reddit thread enough to arrest someone then? Even if the person behind the AMA is tracked down, is that evidence enough to get him in jail?
As evidence - of course not. But as a means to find out who that is - sure, why not. Once the person is identified, it is a question of good old surveillance, and they are professionals at that, so chances are the guy will make a mistake, and sooner rather than later, and the hard evidence will be there. Look what happened to LulzSec - once the person is known, if he continues to do what he does, he will lose. Even professional spies cannot pull it off if identified, what to say about some college students?
It is more of an attitude that he has. He either gets out soon or he will get caught sooner or later, the longer you go with attitude like that the more proud you become, the more shortcuts you take and then one day you make one mistake too many
It's fascinating to know all this stuff from his perspective but the moral attacks by others in the comments truly suck. What is the point of AMA if all they do is attack the one sharing information.
Especially downvoting his comments. Like he cares about karma points. All it does is push all his responses to the bottom or hide them. Then what's the point of an AMA?
Great post. I forwarded it on to my family and friends in order to give them some awareness of the people who're looking at them from the other side of the internet. Rather than sending more strident "think before clicking" warnings, this post is a great way to get them to think like an attacker so that they can avoid the attacks better.
So, if you don't care about violating the terms of PCI-DSS, you can store the CVV2/CVC/whatever. I bet lots of places do. In fact, I worked for a Visa Level-1 merchant that had a card processing system that used an Oracle DB table as a queue for outgoing authorization requests. The table held the CVV2/CVC/whatever for as long as it took to get an authorization or a timeout, whichever came first. We passed the PCI audit, even though the auditors knew about it.
Given that there's only 1,000 CVV2 values (10,000 for Amex) isn't putting so much into CVV2 value a bit ridiculous? Someone who really wanted to could get a CVV2 value in only 500 auth attempts on average.
The point is that even if someone steals your order database with credit card numbers and expiration dates, they need to try every number 1000 times. That's a decent speedbump.
If you store CVV2 in your database against your merchant agreement, and someone steals it, I'm sure the credit card company will come after you for the losses.
If you're a "Carder", and you've got 1,000 cards, you just try them once a day. You'll get 2 CVV2's a day, average. And a bet that a once-a-day wrong CVV2 doesn't trip very many, if any, fraud checks. How much more is a card worth to a carder with CVV2/CVC than one without? Another niche service to provide in the cybercriminal underground, I guess.
As far as being non-PCI compliant, you as a merchant are only compliant right at the time of the audit. And maybe not even then, given Heartland's experience. The whole PCI thing is to give Visa and MasterCard a way to do some CYA.
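The guessing pattern discussed in the comments above (a stolen card database without CVV2, one CVV2 guess per card per day so that no single day looks unusual) can be simulated, and the issuer-side checks that do and do not notice it can be run over the resulting authorization attempts. The following is an added example, not code from the thread or from any processor: the card tokens, the 1,000-value CVV2 space, the log layout and the two detection rules are assumptions made for the example, and nothing here talks to a real authorization system.

```python
"""Low-and-slow CVV2 guessing, simulated, plus two issuer-side checks.

Added example for this thread; all card data below is constructed.
"""
import random
from collections import defaultdict
from dataclasses import dataclass

CVV2_SPACE = 1000  # three-digit CVV2; a four-digit Amex CID would be 10_000


@dataclass(frozen=True)
class AuthAttempt:
    """One authorization attempt as an issuer's fraud engine might see it."""
    day: int
    pan_token: str   # hypothetical tokenised card number, stands in for the PAN
    cvv_match: bool  # did the CVV2 presented match the card's real CVV2


def simulate_low_and_slow(n_cards: int, n_days: int, seed: int = 7):
    """Attacker model from the thread: one fresh guess per card per day.

    Returns (attempt log, {pan_token: day the CVV2 was recovered}).
    Guess orders are shuffled per card, so a value is never tried twice.
    """
    rng = random.Random(seed)
    true_cvv = {f"tok{i:04d}": rng.randrange(CVV2_SPACE) for i in range(n_cards)}
    guess_order = {}
    for tok in true_cvv:
        order = list(range(CVV2_SPACE))
        rng.shuffle(order)
        guess_order[tok] = order
    log, recovered = [], {}
    for day in range(n_days):
        for tok, cvv in true_cvv.items():
            if tok in recovered:
                continue  # attacker stops once the card is "complete"
            hit = guess_order[tok][day] == cvv
            log.append(AuthAttempt(day, tok, hit))
            if hit:
                recovered[tok] = day
    return log, recovered


def flag_daily_velocity(log, max_mismatches_per_day: int = 2):
    """Naive rule: flag a card only when it collects several CVV2 mismatches
    within a single day.  One guess per day never reaches the threshold."""
    per_day = defaultdict(int)
    for a in log:
        if not a.cvv_match:
            per_day[(a.pan_token, a.day)] += 1
    return {tok for (tok, _), n in per_day.items() if n >= max_mismatches_per_day}


def flag_windowed_mismatches(log, window_days: int = 30, threshold: int = 5):
    """Better rule: count CVV2 mismatches per card over a sliding window of
    window_days, regardless of how they are spread across days."""
    days_by_card = defaultdict(list)
    for a in log:
        if not a.cvv_match:
            days_by_card[a.pan_token].append(a.day)
    flagged = set()
    for tok, days in days_by_card.items():
        days.sort()
        lo = 0
        for hi, d in enumerate(days):
            while d - days[lo] >= window_days:
                lo += 1  # drop mismatches that fell out of the window
            if hi - lo + 1 >= threshold:
                flagged.add(tok)
                break
    return flagged


if __name__ == "__main__":
    log, recovered = simulate_low_and_slow(n_cards=1000, n_days=30)
    print(f"{len(log)} auth attempts, {len(recovered)} CVV2 values recovered")
    print("daily-velocity rule flagged:", len(flag_daily_velocity(log)))
    print("30-day window rule flagged:", len(flag_windowed_mismatches(log)))
```

Each card has a 30/1000 chance of being recovered within the 30-day run, so the simulation recovers a few dozen CVV2 values out of 1,000 cards while the per-day velocity rule flags nothing at all; the windowed rule flags every card that has accumulated five mismatches, which is the whole stolen set minus the handful cracked in the first few days. The point for a fraud engine is that mismatch counting has to be keyed on the card and span days, not just minutes.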
Not only will they be sued, but they'll no longer be able to accept credit cards. They'll most likely go out of business. It's a serious matter to be non-PCI compliant.
You'd be surprised how many vendors and merchants simply do not care. I was employed with an e-commerce vendor that indefinitely stored CVV2 in plaintext (among other numbers).
Now, what has to be done not to get hacked ends up being answered as: AVs won't help, Macs won't help, Linux won't help, and use an iPad? Are we heading towards a world where average users will end up in managed computing behind walls, and only some hackers and crackers will use open computing? Is computing doomed to be the black-and-white world of tyrannic rule vs. mob rule?
I don't see the relevance. Linux is not a good target, because there are not many Linux boxes compared to Windows/Mac and because 100 Linux boxes might require 10 different ways to attack them, while 100 Windows boxes might require 1 or 2. There is nothing obscure here, just diversity.
Diversity is always a good tactic in defeating pests.
Learn from nature / biology. Monocultures are unstable and have to be superficially stabilized with great effort.
But how do you get the malware on the servers? Most malware spreads by tricking unsophisticated users into installing it. It is much harder to trick a system administrator into doing so. Exploiting a vulnerable public-facing service is the alternative. However, that option is out of reach for all but the most dedicated attackers, assuming you keep the system updated.
The thing that's scary is how easy it is for these people to get away with what they're doing. I wonder how much money is lost every year and how many hackers you never hear about going to jail for this stuff. I'm pretty sure this is the motivation to do a lot of this stuff. The risk/reward level is completely slanted.
I see a LOT of stories on HN and other Tech sites about these kinds of attacks. Unfortunately, I rarely, if ever, hear about hackers getting arrested for this sort of activity.