  Reply # 768987 25-Feb-2013 15:59 Send private message

I think the key point here is that by having this system it is not possible to have a cc number registered against your account via phone. This means that as in the scenario freitasm mentioned it is not possible for someone to get a cc number registered against your account that they can then use to "become" you. So yes it does explain why they selectively will allow cc. In one case it is used on the spot and not stored. In the other (debit authority) it is stored against your account and therefore could potentially be used to gain access to that account.







Media centre PC - Case Silverstone LC16M with 2 X 80mm AcoustiFan DustPROOF, MOBO Gigabyte MA785GT-UD3H, CPU AMD X2 240 under volted, RAM 4 Gig DDR3 1033, HDD 120Gig System/512Gig data, Tuners 2 X Hauppauge HVR-3000, 1 X HVR-2200, Video Palit GT 220, Sound Realtek 886A HD (onboard), Optical LiteOn DH-401S Blue-ray using TotalMedia Theatre Power Corsair VX Series, 450W ATX PSU OS Windows 7 x64


  Reply # 769022 25-Feb-2013 17:04 Send private message

The issue here clearly is not security; the CSR was wrong.

The issue is direct debit authority policy of a certain organization. You cannot give direct debit authority verbally, only in writing.




Apologies for poor typing standards when on Samsung S4 [swype's fault]/iPad 2 Wifi[too slow to use!]


  Reply # 769023 25-Feb-2013 17:05 Send private message

freitasm:
Oriphix: First the CSR told you it was a security risk to update the CC information. Then she TOOK the CC number to make a payment? What's the difference, she got the CC details over the phone either way?


Last year there was a high profile case where a guy in the USA had his iPhone, Macbook, iPad all wiped out through iCloud through a bit of social engineering.

The person doing it couldn't directly change the password on iCloud, he needed the last four digits of a credit card number stored with Apple - he used Amazon to get that information:


Getting a credit card number is trickier, but it also relies on taking advantage of a company’s back-end systems. Phobia says that a partner performed this part of the hack, but described the technique to us, which we were able to verify via our own tech support phone calls. It’s remarkably easy — so easy that Wired was able to duplicate the exploit twice in minutes. First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

Each company has different "security" and sometimes they overlap, sometimes don't. When these don't overlap you can exploit it. What one company deems "private information" other companies don't. And that's when things can happen. Read the long version here.

Satch: Monopolies don't need to provide efficient service.


In this case they are probably right in doing the way they are doing. Asking for the credit card information for payment is different than recording a credit card against an account, which can then be used for reset, etc.



Yes, but this is not possible with Sky as they have no Web front end for anyone to see their own credit card details. When you log into the sky portal there is no credit card information visible.




Nexus 5, Galaxy Note 10.1, ASUS UX31e Ultrabook, Mysky HDi, 2talk


  Reply # 770114 25-Feb-2013 21:19 Send private message

freitasm: Correct. A one off payment means that credit card is not associated with your account. A recurring payment means the credit card is recorded against your account, which also means someone could use the same trick used on Amazon to get to reset your account password, change details, etc by claiming "I know my credit card number in the account."

In another side of this there are some security obsessed companies such as Trade Me. It seems they (or their credit card processor) record the credit card information EVEN IF YOU UNCHECK the option to store the number. I know because I once tried to use my Amex to pay my Trade Me balance and their processor complained that I had already used two different credit cards in my account, even though I NEVER check the option to store that data.




They're even worse than that: if you don't choose to save a card, then use it on another account, they will then irrevocably link those 2 trademe accounts together.

It is worse with treat me, they refused to allow one card number to be used on multiple accounts.

IMO the idiotic credit card companies need to sort this crap out. Paypal have it sorted for recurring billing that can be revoked at any time for any supplier with no need to reveal any of my card details to the supplier of the subscription.






Richard rich.ms


  Reply # 770259 26-Feb-2013 08:40 Send private message

nate: Just as bad, WorldxChange make you post/fax your credit card number to them if you want it saved.

No idea why.


Telecom used to do that a couple of years ago but last time  my card changed my CC I just called them at 123..




Regards,

Old3eyes


  Reply # 770422 26-Feb-2013 12:31 Send private message

Nety: I think the key point here is that by having this system it is not possible to have a cc number registered against your account via phone. This means that as in the scenario freitasm mentioned it is not possible for someone to get a cc number registered against your account that they can then use to "become" you. So yes it does explain why they selectively will allow cc. In one case it is used on the spot and not stored. In the other (debit authority) it is stored against your account and therefore could potentially be used to gain access to that account.


What's to stop some cretin from downloading the Sky CC authority form from their website, filling it in, sending it to Sky, then accessing your account via the method freitasm linked to? I fail to see how this is any more secure?



  Reply # 770443 26-Feb-2013 13:12 Send private message

Satch:
Nety: I think the key point here is that by having this system it is not possible to have a cc number registered against your account via phone. This means that as in the scenario freitasm mentioned it is not possible for someone to get a cc number registered against your account that they can then use to "become" you. So yes it does explain why they selectively will allow cc. In one case it is used on the spot and not stored. In the other (debit authority) it is stored against your account and therefore could potentially be used to gain access to that account.


What's to stop some cretin from downloading the Sky CC authority form from their website, filling it in, sending it to Sky, then accessing your account via the method freitasm linked to? I fail to see how this is any more secure?


I think I must be missing something too. So someone phones sky pretending to be me, answers whatever security questions that sky may ask (Address DOB etc.) and can now ask the CSR to do anything to my account close/add stuff/change address/order new card etc. but they can't add a credit card because they might then be able to access the account?



  Reply # 770707 26-Feb-2013 20:03 Send private message

If it's for security of storing the credit number, explain this one.

When my card expires, I have to have them send out a form, I fill it in and post it back as they won't put a recurring payment on the new card. In the meantime I give the new card expiry date on the phone for a one off payment as the recurring won't be set up in time.


Here's the kicker: The only change on the new card is the expiry date, the number is exactly the same, yet to be a recurring payment I have to post in a direct debit form giving them the exact same number, just another 3 years on the expiry date.

Every other company including Telecom, I just give the new expiry date on the phone, and it's all go again.


  Reply # 770714 26-Feb-2013 20:27 Send private message

card expiration is yet another thing that needs to be resolved with cards. Absurd that card revocation or expiration can stop a recurring billing.




Richard rich.ms


  Reply # 770834 27-Feb-2013 06:00 Send private message

I guess if you do a single payment over the phone and later reverse the payment, then it is not much money. But if you set up a recurring payment over the phone and later reverse it, then they stand to lose a lot of money if they do not have your signature as proof of payment authorization. Just a theory.




You can never have enough Volvos!



  Reply # 770876 27-Feb-2013 08:46 Send private message

richms: card expiration is yet another thing that needs to be resolved with cards. Absurd that card revocation or expiration can stop a recurring billing.


Actually... it is possible for a merchant to get the new expiry without asking you - it's quite common in the US for utilities to know your new card expiry even before you do.  And because it's recurring billing, they don't need the CVV either (which also changes every reissue).



  Reply # 772522 1-Mar-2013 23:51 Send private message


State insurance are the same, just wrote my credit card details on a piece of paper and put it in one of those box things down the road. No SSL here. One word. Pathetic.

And they have cheek to tell me "it's for security reasons". "Write it down in clear text" they say, "Put it in the post" they say. Pathetic.

Don't let my angry outburst give you the impression I was rude to the calltaker. I did ask them to provide customer feedback around my dissatisfaction though.


Contact Energy are just as bad. I regret switching to them now. I was promised by the door2door switcher that I would be able to provide my credit card details through the webportal just as I had done with Mercury energy. A few weeks later when my account was activated I found out that I had to fill in a form.


freitasm:

In another side of this there are some security obsessed companies such as Trade Me. It seems they (or their credit card processor) record the credit card information EVEN IF YOU UNCHECK the option to store the number. I know because I once tried to use my Amex to pay my Trade Me balance and their processor complained that I had already used two different credit cards in my account, even though I NEVER check the option to store that data.



How do you know they store the details? Maybe just a one-way hash derived from the details?
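
Added example, not part of any post above and not Trade Me's or any processor's actual code: a sketch of how a merchant could enforce a "two distinct cards per account" limit and link accounts by card while keeping only a keyed one-way fingerprint of each number. The key, the limit constant, the class and function names, and the account names are assumptions; the card numbers are published test numbers, not real cards.

```python
import hashlib
import hmac

# Constructed demo key. A real key would live in an HSM or secrets
# manager, never in source code.
FINGERPRINT_KEY = b"constructed-demo-key-not-for-production"
MAX_CARDS_PER_ACCOUNT = 2  # hypothetical policy matching the limit described


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so the same card always hashes identically."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return digits


def card_fingerprint(pan: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed one-way fingerprint. A plain unkeyed SHA-256 of the number
    would be brute-forceable: the space of valid card numbers is small."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


class CardUsageLedger:
    """Stores only fingerprints, yet can still count and link card use."""

    def __init__(self):
        self._by_account = {}  # account -> set of fingerprints
        self._by_card = {}     # fingerprint -> set of accounts

    def record_payment(self, account: str, pan: str) -> bool:
        """Return False when the account would exceed its distinct-card limit."""
        fp = card_fingerprint(pan)
        seen = self._by_account.setdefault(account, set())
        if fp not in seen and len(seen) >= MAX_CARDS_PER_ACCOUNT:
            return False
        seen.add(fp)
        self._by_card.setdefault(fp, set()).add(account)
        return True

    def linked_accounts(self, account: str) -> set:
        """Other accounts that have paid with any card this account used."""
        linked = set()
        for fp in self._by_account.get(account, ()):
            linked |= self._by_card[fp]
        linked.discard(account)
        return linked
```

The ledger never holds a card number, so the behaviour described in the thread (a third card refused, two accounts linked by a shared card) does not by itself show that the number was stored.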



