Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth

from [Troy Cregger] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth
Date: Fri, 20 Apr 2007 18:59:42 -0400 
Indeed, but something I was not aware of until this happened.

It didn't case me any problems or anything, it was just one of those
"They can do that?"

Old news yes, but new to me.

Micheal Espinola Jr wrote:

Its a part of the original transaction that you authorized, so TD has to
let Sear do whatever they want.

It sounds fucked up, but once you authorize a company to make a
credit-based transaction, they can in-turn do whatever the hell they
want without interference from your bank or credit provider.  You have
to deal with them directly if there is a dispute, unless you claim
fraudulent activity in which case your bank or credit provider may
choose to interfere with the transaction on your behalf.



On 4/20/07, *Troy* <tcregger@kennedyinfo.com
<mailto:tcregger@kennedyinfo.com>> wrote:

    Last month I had an interesting experience with sears and tdbanknorth.
    Here's the story:

    I purchased appliances at sears... the experience was a nightmare in and
    of itself as they screwed up the shipping date several times. Sears
    ended up having to throw in almost USD 200 in accessories and credits
    just so I wouldn't walk away from the sale, OK... nothing odd so far and
    I got some free stuff, all good right?

    Well, somehow, sears mistakenly refunded me ~ USD 120. I later
    confirmed
    that this did happen and was a mistake, but I hadn't noticed the credit
    to my account at the time since there was heavy activity on the account
    that month.

    A full 5 weeks later, I'm checking my balance and paying some bills
    when
    I notice that there's this charge for USD 120 (and change) from sears!

    What the fuck? I asked myself... I then decided to ask TD and sears the
    same question. So, I'm on the phone to TD and sears, trying to figure
    this out.

    After a bunch of calls and basically getting snubbed by TD I learn that
    even though I was not present to authorize the transaction, didn't sign
    anything, and never entered a PIN, sears was still able to charge my
    account.

    That didn't sit well with me so I sent a message to TD explaining that
    the transaction was not authorized and that I wanted the funds returned.

    Here's what TD said...

    >
    > "If you were credited with funds in error then Sears has the right
    to debit the account to make a correction."


    And "if you dispute the charge, talk to sears" e.g. "the hand"
    apparently...

    So... basically as I understand this, if you're a merchant, or otherwise
    have access to transaction records CC#'s, names, etc., then there's
    literally nothing stopping you from charging someones card for whatever
    and whenever you want?

    Or am I reading this situation incorrectly?

    If that's true, then what's the deterrent? repercussions from the bank?
    honor? how much do you trust the guy behind the counter?

    Apparently if you're banking with TD nobody there is going to lift a
    finger and it's between you and the merchant...

    ...or evil anonymous hacker who happened to score access to a CC
    authorization account and some card numbers.

    I closed my TD account, but I find this rather disturbing all the same.
    I also don't expect much better from other banks or CC companies, and as
    always the burden of security lies mostly with the individual. In this
    case it was an honest error, sears did credit my account in error, and I
    would have been happy to return the funds, but being a security minded
    person I would have hoped that I'd have to authorize the transaction
    regardless... but no, I didn't even have to be notified.

    I learned something, so it's a good day...

    ~.:always use cash:.~

    --
    '''
    0-0-
    ~
    `

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/




-- 
ME2


------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] OpenSSH - System Account Enumeration if S/Key is used, rembrandt
Next by Date:  Re: [Full-disclosure] eEye Announcement, CEO blog and addiction, Knud Erik Højgaard
Previous by Thread:  Re: [Full-disclosure] OT? - TDBanknorth + merchant's CC auth, Micheal Espinola Jr
Next by Thread:  [Full-disclosure] UseBB Version 1.0.4 Path Disclosure Vulnerability, SecurityResearch
Indexes:  [Date] [Thread] [Top] [All Lists]