After my bad experience trying to notify ASB Bank's Pago GM about a flaw in their mobile payment service, which left them wide open to a simple social engineering hack and a separate client-hardware-based attack, only to be basically ignored, with the GM doing nothing about my initially private warning, I found myself wondering what to do about my latest discovery.
Well, here goes... I decided to just post a notification of the flaw (but not details on how to take advantage of it) on the internet.
If NZ Post want to contact me, they are more than welcome to. Please note that I will require your company contact details, so that I can proactively call you back on a company line (otherwise any fool could ring me...). Drop me an email to tony at tall dot co dot nz.
Tonight, while performing some perfectly legitimate business on the internet, I discovered a way to make two separate purchases with a value of over $30 NZD without having a single cent charged to my prepaid Visa card.
I have replicated this one more time purely for educational purposes, with a much smaller amount.
I am semi-confident that, under the right conditions, a much larger purchase could also be made, but I am not prepared to commit major fraud to prove this. Perhaps I will test it with the blessing of a willing merchant participant at some stage?
Really, NZ Post, someone in authority should contact me soon, because I'm not a super-smart security consultant and didn't set out to do this on purpose, so I'm sure others will discover it fairly soon and distribute the instructions, which will spread like wildfire.
P.S. It's also possible that the problem is partly or fully the fault of the merchant concerned, but either way, I think NZ Post should be concerned, as it dispels any trust people may have in the prepaid card system and makes your company look a little incompetent. VISA probably should take equal blame, although really, it's an NZ Post product, bought from NZ Post.
P.P.S. It should also be noted that I plan to pay for my ill-gotten gains in full. If I wasn't going to, why would I blog about it? (Before anyone accuses me of being some sort of thief or criminal fraudster.)
[Originally posted 9th Jan 2007 22:14, and shamelessly bumped up the front page at 9:55am on the 10th Jan]
## Update: thanks to Juha Saarinen for the Computerworld Story
NZ Post's general manager for payment services, Terese Tunnicliffe, says that this is indeed what will happen: "The retailer is accepting the risk that the purchaser does have sufficient funds for the transaction and is not committing fraud - or making a genuine mistake about the amount of funds available," she says.
So the retailer takes on the risk that a prepaid credit card has not run out, when they probably never get to see the balance on the card. Nice answer, NZ Post.
Comment by chiefie, on 9-Jan-2007 22:33
Geepers! Hope NZ Post looks into this ASAP. With so many people recommending it, and more and more people getting comfy with the prepaid credit card idea, this won't be good if it is being abused or the exploit becomes known. Also, I hope you won't face the same difficulty as the guy that did the NZ Reserve Bank phone exploit. Good luck! Keep us posted with any progress from NZ Post.
Comment by inane, on 9-Jan-2007 22:46
feel free to let me know how you did it so I can further prove your claim...
for purely "educational" purposes only of course!! lol.
Comment by johnr, on 9-Jan-2007 22:53
Tony my best friend I think we should catch up on MSN for a chat I need some new toys to play with and you may be able to help
Comment by alasta, on 10-Jan-2007 08:17
Damn you, why did you have to go and tell them! I want my free money!
Comment by chiefie, on 10-Jan-2007 09:07
Awww... don't be so hard on yourself... if those companies are giving you grief... put it to the public, find a lawyer and see what they suggest? In the end, the public needs to know the flaw to protect themselves.
Comment by inane, on 10-Jan-2007 10:07
Document everything, then send it to them with an invoice for security consultation services;
there are people who do that for a living (like that guy who hacked the Reserve Bank phone system).
Comment by adamj, on 10-Jan-2007 11:29
I have had 2 telephone conversations with Pago GM and several emails, mainly about usability of their site, but it was obvious from the moment I heard of the concept how easily the system could be exploited with a little social engineering.
Comment by juha, on 10-Jan-2007 17:39
OK, can't do trackbacks from the Computerworld website, but here's our Tony featuring in a major story. :)
Been thinking about it, and I don't think it's fair to say that it's NZ Post's fault. They're just repackaging a Visa card, aren't they? Not their problem that retailers don't authenticate purchases straightaway.
That, incidentally, means the hole is available for more than just the Prezzy card...
Comment by sbiddle, on 10-Jan-2007 19:57
Another question for Tony/Juha: how "realtime" are realtime credit card systems? How long does it take for a purchase from an online retailer that is using a realtime credit card authorisation system, or any bricks & mortar retailer using an EFTPOS terminal, to actually be debited from the card?
Comment by johnr, on 10-Jan-2007 21:15
Hey Tony I need pizza and beer here at work can I borrow your Prezzy card again!! LOL
Comment by juha, on 12-Jan-2007 09:16
Should be pretty much instant to authorise payments... I mean, look at EFTPOS: even big outlets use slow 9,600 bps leased lines for multiple terminals, so iTunes should be able to verify transactions over the Internet in a few seconds.
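The mechanism juha describes (retailers that ship before the purchase has been authorised against the card) and the timing question from sbiddle are easier to see in a small simulation. The following is an added example, not code from the original post, NZ Post, Visa or any merchant; the card balance, the order amounts and the `Processor` class are constructed stand-ins for a real authorisation network. It compares a "ship now, charge later" flow with an "authorise first, then ship" flow over the same two orders and shows which one leaves the merchant holding an unpaid shipment.

```python
# Added example (not from the original post): toy model of two merchant
# checkout flows against a prepaid card whose balance the retailer never sees.
# Balances, amounts and the processor are constructed for illustration only.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class PrepaidCard:
    balance: float          # funds loaded on the card
    holds: float = 0.0      # funds reserved by open authorisations

    def available(self) -> float:
        return self.balance - self.holds


class Processor:
    """Stand-in for the issuer/acquirer: authorise, capture or late-settle."""

    def authorize(self, card: PrepaidCard, amount: float) -> bool:
        # Real-time authorisation: place a hold only if funds are available.
        if card.available() >= amount:
            card.holds += amount
            return True
        return False

    def capture(self, card: PrepaidCard, amount: float) -> None:
        # Capture converts an existing hold into a debit.
        card.holds -= amount
        card.balance -= amount

    def settle_without_auth(self, card: PrepaidCard, amount: float) -> bool:
        # Delayed charge with no prior hold: succeeds only if funds are still there.
        if card.balance >= amount:
            card.balance -= amount
            return True
        return False


@dataclass
class Order:
    amount: float
    shipped: bool = False
    paid: bool = False


def checkout_deferred(card: PrepaidCard, amount: float, proc: Processor) -> Order:
    """Retailer ships immediately and tries to charge the card afterwards."""
    order = Order(amount)
    order.shipped = True
    order.paid = proc.settle_without_auth(card, amount)
    return order


def checkout_realtime(card: PrepaidCard, amount: float, proc: Processor) -> Order:
    """Retailer obtains an authorisation hold before anything ships."""
    order = Order(amount)
    if not proc.authorize(card, amount):
        return order            # declined: nothing shipped, nothing owed
    order.shipped = True
    proc.capture(card, amount)
    order.paid = True
    return order


def merchant_loss(orders: List[Order]) -> float:
    """Value of goods that left the warehouse without ever being paid for."""
    return sum(o.amount for o in orders if o.shipped and not o.paid)


def run_scenario(flow: Callable[[PrepaidCard, float, Processor], Order],
                 balance: float = 20.0,
                 amounts: Tuple[float, ...] = (18.0, 15.0)) -> Tuple[List[Order], PrepaidCard]:
    """Place two orders whose total exceeds the card balance using the given flow."""
    card = PrepaidCard(balance)
    proc = Processor()
    orders = [flow(card, a, proc) for a in amounts]
    return orders, card


if __name__ == "__main__":
    for name, flow in (("deferred", checkout_deferred), ("realtime", checkout_realtime)):
        orders, card = run_scenario(flow)
        print(f"{name}: shipped={[o.shipped for o in orders]} paid={[o.paid for o in orders]} "
              f"loss={merchant_loss(orders):.2f} balance_left={card.balance:.2f}")
```

With a $20 balance and orders of $18 and $15, the deferred flow ships both orders but only the first settles, so the retailer is out $15; the real-time flow authorises the first order, holds the funds, captures them, and declines the second before it ships. That is the risk Terese Tunnicliffe's quote places on the retailer, and the mitigation is simply to refuse fulfilment until an authorisation hold has been obtained.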
Comment by Hone, on 6-Oct-2008 21:37
Should have got some Bonus Bonds with your card, Tony.
Comment by cashback, on 11-Mar-2009 10:29
Nice read, thanks. Good insight.
Comment by Lerin, on 29-Jun-2009 22:29
Hi sir, I'm in a big problem. I saw your ad on the net, that's why I write this. Can you give me some money as you like? Even if it is $1 that will be great for me. I live in NZ. Don't think this is a fake message.
Comment by Sui, on 26-Apr-2010 12:25
Hi there, I was hardly looking to find something free online to help me gain some money for my family, especially my kids. I really need your help.
Comment by Guenter Finau, on 28-Feb-2012 13:31
Hello, and how are you, sir/ma'am? I would like to apply for a card. Thank you.