Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth

from [Micheal Espinola Jr] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth
Date: Fri, 20 Apr 2007 16:19:19 -0400 
Its a part of the original transaction that you authorized, so TD has to let
Sear do whatever they want.

It sounds fucked up, but once you authorize a company to make a credit-based
transaction, they can in-turn do whatever the hell they want without
interference from your bank or credit provider.  You have to deal with them
directly if there is a dispute, unless you claim fraudulent activity in
which case your bank or credit provider may choose to interfere with the
transaction on your behalf.



On 4/20/07, Troy <tcregger@kennedyinfo.com> wrote: 

Last month I had an interesting experience with sears and tdbanknorth.
Here's the story:

I purchased appliances at sears... the experience was a nightmare in and
of itself as they screwed up the shipping date several times. Sears
ended up having to throw in almost USD 200 in accessories and credits
just so I wouldn't walk away from the sale, OK... nothing odd so far and
I got some free stuff, all good right?

Well, somehow, sears mistakenly refunded me ~ USD 120. I later confirmed
that this did happen and was a mistake, but I hadn't noticed the credit
to my account at the time since there was heavy activity on the account
that month.

A full 5 weeks later, I'm checking my balance and paying some bills when
I notice that there's this charge for USD 120 (and change) from sears!

What the fuck? I asked myself... I then decided to ask TD and sears the
same question. So, I'm on the phone to TD and sears, trying to figure
this out.

After a bunch of calls and basically getting snubbed by TD I learn that
even though I was not present to authorize the transaction, didn't sign
anything, and never entered a PIN, sears was still able to charge my
account.

That didn't sit well with me so I sent a message to TD explaining that
the transaction was not authorized and that I wanted the funds returned.

Here's what TD said...

>
> "If you were credited with funds in error then Sears has the right to
debit the account to make a correction."


And "if you dispute the charge, talk to sears" e.g. "the hand"
apparently...

So... basically as I understand this, if you're a merchant, or otherwise
have access to transaction records CC#'s, names, etc., then there's
literally nothing stopping you from charging someones card for whatever
and whenever you want?

Or am I reading this situation incorrectly?

If that's true, then what's the deterrent? repercussions from the bank?
honor? how much do you trust the guy behind the counter?

Apparently if you're banking with TD nobody there is going to lift a
finger and it's between you and the merchant...

...or evil anonymous hacker who happened to score access to a CC
authorization account and some card numbers.

I closed my TD account, but I find this rather disturbing all the same.
I also don't expect much better from other banks or CC companies, and as
always the burden of security lies mostly with the individual. In this
case it was an honest error, sears did credit my account in error, and I
would have been happy to return the funds, but being a security minded
person I would have hoped that I'd have to authorize the transaction
regardless... but no, I didn't even have to be notified.

I learned something, so it's a good day...

~.:always use cash:.~

--
'''
0-0-
~
`

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
ME2

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth, Jason Miller
Next by Date:  [Full-disclosure] FLEA-2007-0011-1: lighttpd, Foresight Linux Essential Announcement Service
Previous by Thread:  Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth, James Matthews
Next by Thread:  Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth, Troy Cregger
Indexes:  [Date] [Thread] [Top] [All Lists]