April 17, 2009
An Obvious Credit Card Leak, Pt.2
The "wise" stumble over foolish things.
The most comprehensive approach would probably be for the major associations (like VISA, MC, and Discover) to handle it. Each has assignments for their own "eight-digit prefixes" and they could simply run routine searches themselves. It's a big world out there and credit cards can be exposed on the Internet for any number of reasons. Notice here that Amex is not included in the mix. For whatever reason, design or providence, their credit card PAN formats are largely immune from yielding any cache of "treasure-trove" proportions. That doesn't get them "off-the-hook", however. Once a "trove" of other credit card types is located by thieves, Amex tends to be guilty by "associations" (other card associations, that is). Once a site is found by thieves, they can zero in on what else is on the "trove server" and shazam! Goodness sakes, there are Amex cards also in the bunch.
Even a mediocre Perl programmer could script and parse search results in half a day and populate a spreadsheet full of gold for immediate sale. Or... the credit card associations themselves could do the same but protect the accounts instead. Constant vigilance and monitoring could shorten exposure of credit card vitals down to minutes, instead of years. Track down the URLs and, who knows... might catch some thieves "red-handed" (or "read-handed"), as in the case of the "Aussie find" last month.
The reality, however, has been disappointing at best. Numerous times, noted security experts have tried to approach the major credit card associations with actual exposed accounts but have only received a "No comment" reply. So, alas, they finally tried a different approach by publicizing the weakness (which the thieves, no doubt, were already aware of). Once the news came out on C-Net back in 2004, there were others to follow who had been holding their tongues all that time. The hope was that the increased pressure would prompt some resolve.
