The only important innovation here on the part of the carders is the use of automated ordering programs.<p>In the same way that cartels use hundreds of drug mules to smuggle drugs across the border knowing that a certain percentage will be caught and a certain percentage will succeed, carders are now using this same pattern. Instead of placing a small number of orders for a high value, place a large number of orders for a medium-to-high value under the assumption that some will go through.<p>Looking at the e-commerce store mentioned in Brian's article, it seems they're simply new to the scene and haven't understood that credit card fraud using physical items follows 3 patterns:<p>1. Billing and shipping address are different.<p>2. IP address is geographically far from the billing address OR its a server/EC2/VPN.
Note: Yes, carders sometimes use proxies near the billing address BUT ask yourself, if they're shipping it to a separate address with (presumably not to attract suspicion) the same "ship to" name as the "bill to" name, why would they ship it elsewhere? I have seen carders that will use the same last name but with a different name, making it appear that its a relative or family member, but those are usually few and far between and still flagged for other reasons.<p>3. Credit card number was pasted instead of typed.
Wow. The story and comments below it make me realize security is a lot more important than my data science background led me to believe.<p>I had no idea people are working so hard to buy stuff with fake or stolen credit card information. Bots running on AWS to sell stuff on eBay, then actually purchase the sold item and have it sent to the buyer. Wow
That begs the question: isn't fraud important enough that we should have more security on credit card?<p>2-factor authentication is now a well known process. How come you can still order things with a card number and nothing else whatsoever?<p>Well, here are my 2 guess, not exclusive:<p>- fraud prevention is actually a lucrative business, and having better security would destroy a cash cow<p>- the added security is deemed too hard for a large part of the population, and would raise support cost too much
This seems pretty easy to mitigate If the merchant enforces a rule like if this is your first N orders, require the shipping and billing to match, or more loosely, an alternative address you've registered with your CC<p>Nowadays it is very easy to register an alternative address with your CC that the merchant can verify so besides that bit of friction I don't see the merchant losing much business.
This can be done even easier. Find popular product on ebay, list same product for 5 bucks less and when you receive order, order from real merchant with stolen paypal account.
Off all of this - the act of placing an ecommerce order from EC2 (or from any hosting VPS/server for that matter) should trigger manual review.<p>This could cut fraud drastically - that is if merchant has any clues about security.
The bottom of this blog post, Brain Krebs mentioned the name a company who specialized in fraud prevent. That sounds like a product placement advertising to me (he does do CPM based ad placement on his blog[0], so I am more suspicious about product placement).<p>Additionally, I lost the respect for him when he questioned the validity of Ashley Madison site data breach, disregarding confirmation of many other sources but solely based on the interview he had with Raja Bhatia, ex-CTO of Avid Life Media, who was proven to be clueless about security in retrospect. Brian Krebs later did retract his original reporting with an update shortly after overwhelming evidences proved he was wrong.[1]<p>Basically, he's neither a security research nor a good investigative journalist IMMO.<p>[0]: <a href="http://krebsonsecurity.com/cpm/" rel="nofollow">http://krebsonsecurity.com/cpm/</a><p>[1]: <a href="http://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/" rel="nofollow">http://krebsonsecurity.com/2015/08/was-the-ashley-madison-da...</a>
this is apaypal issue, not ebay or credit card.<p>ebay do not let you sell or buy without a paypal account. which only allows credit card from a single country.<p>so why can't the police link the two things easily? seems to me people are either hacking paypal to somehow get the money out or paypal is going out of the way to make it disappear.<p>either that or using stolen credit cards for online purchase is completely safe.