• (cs) in reply to frits
    frits:
    Remy:
    All of it was protected using the doubly safe ROT26 encryption.

    The narrator in my head said this without a hint of sarcasm.

    You do know that it works fine with the Chinese symbols on the CC, don't you? After all CC is an acronym for Chinese-Characters

  • edthered (unregistered) in reply to whiskeyjack
    whiskeyjack:
    fennec:
    It's true; an internship always looks good on a resume.

    Except if it's with the White House, during the Clinton administration.

    Or any male republican congressman...

  • edthered (unregistered) in reply to Anonymous
    Anonymous:
    Buffled:
    Anonymous:
    Sometimes it's not enough to simply highlight the security flaw - it requires a practical lesson to reinforce the point. Several thousand customer CC numbers turning up on P2P should do the trick, for example. Let's see how long the flaw remains unpatched after that.

    But cover your tracks kids, us software developer types are too fragile for prison.

    And who cares about the customers whose lives you just made hell, right? There's this thing that us adults have awareness of - it's called "consequences". And it extends far beyond "will I get caught?"
    You have an interesting definition of "hell":

    Customer: "Oh hello there, is this Visa? My card details have been compromised and I now have a fraudulent charge on my bill."

    Visa: "I'm sorry to hear that sir but don't worry, we will cancel your current card and issue you a new one immediately. It should take 3-5 working days to arrive. As soon as our fraud investigation department has cleared up the details, you will be credited for the fraudulent transaction."

    Customer: "Sweet, cheers dude."

    Visa: "Only too happy to help sir!"

    This has happened to me before and the above transcript is pretty much the exact conversation I had with my card issuer. It was HELL!!! Oh wait, no it wasn't, it was a trivial inconvenience.

    Except when that credit card number is actually for a debit card... then you enter the 'you can't get to your money, if you have any left' hell. Been through that too many times...

  • ÃÆâ€â„ (unregistered) in reply to edthered
    edthered:
    whiskeyjack:
    fennec:
    It's true; an internship always looks good on a resume.

    Except if it's with the White House, during the Clinton administration.

    Or any male republican congressman...

    Or your mother...

  • (cs) in reply to Rogier
    Rogier:
    Is Jeff in the database?

    Send him a cake with the text: "The database needs encryption", paid for with his own credit card.

    Congratulations! You win the thread!

  • Ed Von Emacs, VI (unregistered) in reply to xtremezone
    xtremezone:
    Rogier:
    Is Jeff in the database?

    Send him a cake with the text: "The database needs encryption", paid for with his own credit card.

    Congratulations! You win the thread!

    Rogier is correct in identifying cake as the proper course of action. And the cake shall be good cake. Also: I would like some of this cake.

  • Rob (unregistered)

    It still boggles my mind that my $15 a month WoW subscription has vastly superior security than my debit or credit cards.

    I can't go through the drive-through at McDonalds without handing over all of the information Joe McBurger guy needs to buy anything he wants off the internet, with my account.

  • JGM (unregistered) in reply to whiskeyjack
    whiskeyjack:
    fennec:
    It's true; an internship always looks good on a resume.

    Except if it's with the White House, during the Clinton administration.

    No, it still looks good on the resume, just not so much on the blue dress.

  • Anonymouse (unregistered) in reply to Rob
    Rob:
    It still boggles my mind that my $15 a month WoW subscription has vastly superior security than my debit or credit cards.

    I can't go through the drive-through at McDonalds without handing over all of the information Joe McBurger guy needs to buy anything he wants off the internet, with my account.

    This.

    If a video game company that is willing to shell out for multi-factor authentication, why the hell won't my bank do it?

  • Anon-y-mouse (unregistered) in reply to Ed Von Emacs, VI
    Ed Von Emacs:
    xtremezone:
    Rogier:
    Is Jeff in the database?

    Send him a cake with the text: "The database needs encryption", paid for with his own credit card.

    Congratulations! You win the thread!

    Rogier is correct in identifying cake as the proper course of action. And the cake shall be good cake. Also: I would like some of this cake.

    But, the cake is a lie!

  • publiclurker (unregistered) in reply to your name

    Don't laugh. Many years ago, I had a customer who wanted his data files obfuscated in order to prevent his competitors from using them. since they had a lot of numbers in them, I simple rot-5's the numerical parts of the files. turns out his competitors were as technically unskilled as they were unethical, and as far as I know they are still using the program fifteen years later.

  • Otto (unregistered) in reply to Eaten by a Grue
    Eaten by a Grue:
    They also aren't allows to store CC numbers in the clear. Someone should be sued into the ground for this, as this is the kind of thing that PCI standards were created to prevent.

    Yep. Report 'em to Visa. That'll get them in some trouble real quick.

    Also, sometimes this sort of thing can violate key requirements of the Sarbanes–Oxley Act as well. That's no fun.

  • Beta (unregistered) in reply to your name
    your name:
    Warmasta:
    Credit card have NUMBERS so ROT26 jokes are just plain stupid.
    Fine we'll use ROT10 instead. ;-)
    That's all right for you amateurs. An expert like me knows how to create a universal solution-- I call it ROT260, but I'm not telling you how it works.
  • (cs) in reply to whiskeyjack
    whiskeyjack:
    fennec:
    It's true; an internship always looks good on a resume.

    Except if it's with the White House, during the Clinton administration.

    That would depend on what job you are applying for.

  • ÃÆâ€â„ (unregistered) in reply to Beta
    Beta:
    your name:
    Warmasta:
    Credit card have NUMBERS so ROT26 jokes are just plain stupid.
    Fine we'll use ROT10 instead. ;-)
    That's all right for you amateurs. An expert like me knows how to create a universal solution-- I call it ROT260, but I'm not telling you how it works.
    I see you tried to encrypt your sentence there with ROT260.
  • by (unregistered) in reply to Beta
    Beta:
    your name:
    Warmasta:
    Credit card have NUMBERS so ROT26 jokes are just plain stupid.
    Fine we'll use ROT10 instead. ;-)
    That's all right for you amateurs. An expert like me knows how to create a universal solution-- I call it ROT260, but I'm not telling you how it works.
    Why not use ROT215 instead? That's better since 215 is both "random" and "prime".
  • Monica Lewinsky (unregistered) in reply to whiskeyjack
    whiskeyjack:
    fennec:
    It's true; an internship always looks good on a resume.

    Except if it's with the White House, during the Clinton administration.

    You kidding? It did wonders for my career as a professional whore / handbag designer.

  • Bert Glanstron (unregistered) in reply to frits
    frits:
    Remy:
    All of it was protected using the doubly safe ROT26 encryption.

    The narrator in my head said this without a hint of sarcasm.

    You are an idiot and should be banned from using your mommy and daddy's modem.
  • (cs) in reply to by
    by:
    David:
    This sentence was originally encrypted using ROT26. If you can read it, you have successfully decrypted it.
    Next time you should use Triple-ROT26, it's three times as secure. 'Oppeto'
    The technical term for that is ROT78.
  • iToad (unregistered)

    Companies that do this kind of thing need to be taught a lesson. A very hard, expensive lesson.

    Like they said in the olden days, "Those who will not learn from the Word, shall learn by the sword".

  • boog (unregistered) in reply to Anonymous
    Anonymous:
    You have an interesting definition of "hell":

    Customer: "Oh hello there, is this Visa? My card details have been compromised and I now have a fraudulent charge on my bill."

    Visa: "I'm sorry to hear that sir but don't worry, we will cancel your current card and issue you a new one immediately. It should take 3-5 working days to arrive. As soon as our fraud investigation department has cleared up the details, you will be credited for the fraudulent transaction."

    Customer: "Sweet, cheers dude."

    Visa: "Only too happy to help sir!"

    This has happened to me before and the above transcript is pretty much the exact conversation I had with my card issuer. It was HELL!!!

    You think that's bad, get this:

    When my card number was stolen without my knowing (the card itself was still in my wallet), my card company called me up.

    Visa: "Are you aware there is a $3000 charge on your card in Greece?" (I live in the U.S.) Me: "Uh, no ma'am. That sounds suspicious." Visa: "We thought so. We just canceled your card, credited the suspicious charge, and issued you a new card number. Your new card has already been sent, and you should receive it in 3-4 days. Please review your history and let us know if there are any other recent fraudulent charges." Me: "Oh, ok. Thanks!"

    The CC company handled everything and all I had to do was print a form, sign it, and send it back to them at my leisure. What a pain in the ass!

    <disclaimer> In all seriousness, no matter how easy the fraud resolution process has become, it doesn't excuse a lack of proper security. </disclaimer>
  • Ed Von Emacs, VI (unregistered) in reply to iToad
    iToad:
    Companies that do this kind of thing need to be taught a lesson. A very hard, expensive lesson.

    Like they said in the olden days, "Those who will not learn from the Word, shall learn by the sword".

    You seem to be suggesting that we do not give them knives to cut their cake with. But how far are you willing to take it: regular or ice cream?

  • Wyrd (unregistered) in reply to Otto
    Otto:
    Eaten by a Grue:
    They also aren't allows to store CC numbers in the clear. Someone should be sued into the ground for this, as this is the kind of thing that PCI standards were created to prevent.

    Yep. Report 'em to Visa. That'll get them in some trouble real quick.

    Also, sometimes this sort of thing can violate key requirements of the Sarbanes–Oxley Act as well. That's no fun.

    Yeah, man. My org is going crazy to be PCI compliant. IMHO, "Bonnie" should anonymously blow the whistle on her employer--or at the very least seek another work place. I mean it's irritating to see my org spending a lot of time and money to be compliant with something that another org is flagrantly violating.

    IIRC, the fines issued to the violating company are substantial and they can be issued on a per transaction basis--so like each transaction that you process where you save the credit card data in a non-compliant fashion can get you another fine. Ouchie.

    -- Furry cows moo and decompress.

  • Sectoid Dev (unregistered)

    It doesn't surprise me that they removed her encryption code. Unapproved changes (read not requested by mgmt), especially in large companies, usually get your hands smacked no matter how useful or appropriate they are.

  • (cs) in reply to Anonymous
    Anonymous:
    Henryk Plötz:
    "… containing the name, address, credit-card number, verification code and expiration date …"

    Correct me if I'm wrong, but isn't storing the verification code a breach of contract with your credit card clearing center and should lead to the company losing the ability to process card payments?

    You're absolutely correct. Merchants are not allowed to store the CCV (verification code), even if they store the CC number itself. The CCV must be requested from the customer for every transaction and discarded after authorisation. God knows how many merchants are currently breaking this rule though, it's pretty much unenforceable unless you audit every merchant on a regular basis.

    Amazon.com does not ask me for my CVV on every transaction, even though I have a credit card number stored there, which I use to buy stuff. I know that many online companies do this (including Paypal).

    On the other hand, I have read some of the Visa and MasterCard merchant agreements and their data protection requirements. A local restaurant was using a software program to send credit card information to their clearinghouse, and the software was actually storing the entire card number (perhaps without the CCV) and expiration date in a database. ("Card Present" rules are different than "Card not present" rules.) Retail places that swipe credit cards are NOT supposed to store the entire card number.

    The newer version of this particular software only stored the last 4 digits of the card number, which is acceptable IIRC. They finally upgraded, then they went out of business. I tried to contact them to offer to securely erase the hard drives containing their database, but I was not successful. Ugh.

  • notaware (unregistered) in reply to Anonymous

    newegg does this.

    capcha: saepius

  • (cs) in reply to Beta
    Warmasta:
    Credit card have NUMBERS so ROT26 jokes are just plain stupid.

    Maybe you are kidding, but credit cards have numbers that can (and generally are) stored as characters. You realize that the digits from 0-9 do exist in the ASCII (and even EBCDIC) code tables, right?

    ROT26 and ROT215 would work perfectly well on these characters that happen to be digits.

    I like the ROT215 comment! Random, and a prime...

  • Smegzor (unregistered) in reply to GW
    GW:
    Personally, I'd use triple ROT26 encoding.

    What a load of ROT.

  • (cs)

    I also had some money taken from my checking account, when my debit card had been used IN POLAND at a physical ATM to withdraw about $700.

    Turns out that a major company (I think it was Ross or Marshall's or OfficeMax) had been hacked. If they had followed the https://www.pcisecuritystandards.org/index.shtml standards for "card present" transactions, this would not have happened to me.

    The bank was quick to believe that I had never been to Poland; several dozen local people had been victimized in the same way, and it was a national data breach. (Although they seemed to think at first that the data was hacked from Wal-Mart, but I never, ever go there.)

    They refunded slightly more than what I lost. When I pointed out that they had double-refunded some "foreign transaction fees", and so I came out ahead by about $8 or $12 (I forget exactly how much), the bank said "don't worry about it. It would cost us more to fix that than it's worth". I said OK.

  • (cs) in reply to Icelander
    Icelander:
    I had a similar experience. An application I was working on was storing passwords in the clear. Now, it's not credit card data but storing passwords in the clear is just bad practice. So I wrote an encryption function and a decryption function and a function to encrypt the passwords already in the database. I tested it, checked it in, and moved onto another task.

    Of course, even storing encrypted passwords is usually bad practice, because in most cases you don't need to be able to decrypt them. (There are a few exceptions to this.)

    SecTech:
    Buffled:
    And who cares about the customers whose lives you just made hell, right? There's this thing that us adults have awareness of - it's called "consequences". And it extends far beyond "will I get caught?"
    With all due respect this is a bullshit argument. As a security researcher, if we find an exploit in a piece of commercial software we give the vendor 14 days to respond to our findings. If we don't have a satisfactory response after 14 days we will publish the exploit. We understand full well that customers of said vendor may suffer as a result - some may even fall foul of the exploit that we designed and published - but what is the alternative? We keep our mouths shut and hope that security through obscurity does the job? I don't think so. If a vendor is not willing to accept responsibility for the faults in their software then we cannot be held responsible for the fallout.

    There's a huge difference between saying "this company stores their data in plain-text, be wary" and saying "here's a bunch of credit card numbers we got because this company stores their data in plain-text."

    And if you think the latter is acceptable, then... well, I have no respect for you or your ethics. Talk about bullshit...

    edthered:
    Anonymous:
    You have an interesting definition of "hell":

    Customer: "Oh hello there, is this Visa? My card details have been compromised and I now have a fraudulent charge on my bill."

    Visa: "I'm sorry to hear that sir but don't worry, we will cancel your current card and issue you a new one immediately. It should take 3-5 working days to arrive. As soon as our fraud investigation department has cleared up the details, you will be credited for the fraudulent transaction."

    Customer: "Sweet, cheers dude."

    Visa: "Only too happy to help sir!"

    This has happened to me before and the above transcript is pretty much the exact conversation I had with my card issuer. It was HELL!!! Oh wait, no it wasn't, it was a trivial inconvenience.

    Except when that credit card number is actually for a debit card... then you enter the 'you can't get to your money, if you have any left' hell. Been through that too many times...

    Or what about when that CC was being used for some automatic payments that are now bouncing, and now all of a sudden they have a couple hundred dollars in late charges?

  • Dan Neely (unregistered) in reply to Beta
    Beta:
    your name:
    Warmasta:
    Credit card have NUMBERS so ROT26 jokes are just plain stupid.
    Fine we'll use ROT10 instead. ;-)
    That's all right for you amateurs. An expert like me knows how to create a universal solution-- I call it ROT260, but I'm not telling you how it works.

    You're making it too hard. My ROT130 implementation does the same thing with half the work.

  • Matt (unregistered)

    This is common at far too many corporations, they never heard of PCI DSS. They'll have plenty of time to read it in jail though when someone liberates a few thousand records and the investigators find out about this.

  • (cs) in reply to Anonymous
    Anonymous:
    Buffled:
    Anonymous:
    Sometimes it's not enough to simply highlight the security flaw - it requires a practical lesson to reinforce the point. Several thousand customer CC numbers turning up on P2P should do the trick, for example. Let's see how long the flaw remains unpatched after that.

    But cover your tracks kids, us software developer types are too fragile for prison.

    And who cares about the customers whose lives you just made hell, right? There's this thing that us adults have awareness of - it's called "consequences". And it extends far beyond "will I get caught?"
    You have an interesting definition of "hell":

    Customer: "Oh hello there, is this Visa? My card details have been compromised and I now have a fraudulent charge on my bill."

    Visa: "I'm sorry to hear that sir but don't worry, we will cancel your current card and issue you a new one immediately. It should take 3-5 working days to arrive. As soon as our fraud investigation department has cleared up the details, you will be credited for the fraudulent transaction."

    Customer: "Sweet, cheers dude."

    Visa: "Only too happy to help sir!"

    This has happened to me before and the above transcript is pretty much the exact conversation I had with my card issuer. It was HELL!!! Oh wait, no it wasn't, it was a trivial inconvenience.

    If you're so confident of that, try posting your CC details on /b/ and see what happens.
  • (cs) in reply to Warmasta
    Warmasta:
    Credit card have NUMBERS so ROT26 jokes are just plain stupid.
    But ROT26 works *exactly* as well on numbers as it does on letters!
  • (cs) in reply to Anonymouse

    With Big Businesses corporates inability to think about securing sensitive data like credit card information, then why do we need hackers to show these security flaws, when any pimple faced teenager can do it for free.

  • George Nacht (unregistered)

    At least now I know what Fortune 500 stands for. Clearly they built 500 temples to goddess Fortuna, so out of pure luck no one will every try to abuse their data.

    Geez...

  • db (unregistered) in reply to whiskeyjack
    whiskeyjack:
    fennec:
    It's true; an internship always looks good on a resume.

    Except if it's with the White House, during the Clinton administration.

    You win. Give this man a cigar!

  • Matt Westwood (unregistered) in reply to Icelander
    Icelander:
    I had a similar experience. An application I was working on was storing passwords in the clear. Now, it's not credit card data but storing passwords in the clear is just bad practice. So I wrote an encryption function and a decryption function and a function to encrypt the passwords already in the database. I tested it, checked it in, and moved onto another task.

    A month later I hear from my coworker that our boss logged into the production database (why he has access to it I'll never know) and FREAKED OUT because the passwords were all garbled. He then restored the database from his own backup copy (why he has this I'll never know) and then freaked out because he couldn't log in.

    Moral of the story: Don't bother encrypting anything when your boss doesn't know what encryption means.

    We store all our clients' login data in clear. Otherwise how would we know how to log into their data to debug it?

    I am sorry, I am not being ironic, I am not being facetious, I am being honest about our working practices.

  • (cs) in reply to SecTech
    SecTech:
    Buffled:
    Anonymous:
    Sometimes it's not enough to simply highlight the security flaw - it requires a practical lesson to reinforce the point. Several thousand customer CC numbers turning up on P2P should do the trick, for example. Let's see how long the flaw remains unpatched after that.

    But cover your tracks kids, us software developer types are too fragile for prison.

    And who cares about the customers whose lives you just made hell, right? There's this thing that us adults have awareness of - it's called "consequences". And it extends far beyond "will I get caught?"
    With all due respect this is a bullshit argument. As a security researcher, if we find an exploit in a piece of commercial software we give the vendor 14 days to respond to our findings. If we don't have a satisfactory response after 14 days we will publish the exploit. We understand full well that customers of said vendor may suffer as a result - some may even fall foul of the exploit that we designed and published - but what is the alternative? We keep our mouths shut and hope that security through obscurity does the job? I don't think so. If a vendor is not willing to accept responsibility for the faults in their software then we cannot be held responsible for the fallout.

    The situation in today's WTF is no different - if the company knows the problem exists but refuses to fix it, the only way to force their hand is to expose the problem. A small number of people may be inconvenienced as a result but the long term benefits far outweigh the inconvenience of a few customers.

    Fourteen days? Fourteen days? Nowhere I've ever worked could answer the phone in fourteen days.

  • Anonymoose (unregistered)

    Well, AOL (ICQ) stores all passwords simply XOR'd in their database. ROT26 almost seems useful from that point of view.

  • Ben (unregistered) in reply to Anonymous
    Anonymous:
    Henryk Plötz:
    "… containing the name, address, credit-card number, verification code and expiration date …"

    Correct me if I'm wrong, but isn't storing the verification code a breach of contract with your credit card clearing center and should lead to the company losing the ability to process card payments?

    You're absolutely correct. Merchants are not allowed to store the CCV (verification code), even if they store the CC number itself. The CCV must be requested from the customer for every transaction and discarded after authorisation. God knows how many merchants are currently breaking this rule though, it's pretty much unenforceable unless you audit every merchant on a regular basis.

    Or customers dime them out, which I'm going to start doing. (If you can show me a link to the actual agreement, I'd appreciate that.)

    Visa doesn't have a central website, but 1-800-VISA-911 or 1-410-581-9994 internationally.

    And Mastercard:

    http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html

  • Ben (unregistered) in reply to Ilya Ehrenburg
    Ilya Ehrenburg:
    luis.espinal:
    Ouch!:
    Oh well, I guess it works, and by the "If it ain't broke, don't fix it" rule, they did the right thing.

    But it was broken. You simply do not store credit card information in the clear. And that's just for starters since IIRC, they aren't supposed to store credit card verifications codes at all.

    running code != working code

    Luis, I think you should train your ability to detect when others are facetious. Especially on this site, that is something you have to expect.

    Actually, on this site, you have to watch out for people who are ironically pretending not to recognize facetiousness when they really do.

  • Ben (unregistered) in reply to Peter
    Peter:
    Jay Jay:
    I know I had the ethics not to copy the personal information of 250K people; I can't vouch for some of the other guys who worked there, especially the foreign nationals...
    And naturally, foreign nationals are likely to have lower ethical standards than you do.

    Assuming they're are ethically distributed with the same mean and variance as we are, the ones who are somewhat crooked must realize that they can beat feet to their foreign nation and get away clean.

  • PITA (unregistered)

    They could have at least used the little orphan Annie decoder ring - no one could crack that code.

  • TheKoz (unregistered) in reply to Piedone

    If you only double click, you will miss out on some of the 80's Van paintings.

    Since triple ROT26 is better than normal ROT26, Clicking ROT26 100 times must be better than double clicking

    CAPTCHA: inhibeo = a CEO that inhibits the success of a company?

  • Liz (unregistered)

    I worked on a production database that our company hosted for an investment bank. It contained about 1000 users who had signed up for the bank's investment program. The passwords were in clear text. Not only was it an obvious security risk (anyone with access to the data could go online and trade using the customers' details), but some of the passwords were hilarious. One password stands out in my mind. It was "f***ingslut" (without the stars).

  • Jeremy (unregistered) in reply to boog
    boog:

    Visa: "Are you aware there is a $3000 charge on your card in Greece?" (I live in the U.S.)

    Me: "Uh, yes, I've recently been there buying antiques."

    Visa: "We thought s... Oh. Well, er... We just canceled your card, credited the suspicious charge, and issued you a new card number. Your new card has already been sent, and you should receive it in 3-4 days. So, um... Please destroy it immediately, because we will now have to re-debit the original transaction and re-issue your card. That should take another 2-3 weeks, and there will be some charges. Sorry for the inconvenience."

    Me: "Oh, ok. Thanks!"

    The CC company handled everything and all I had to do was print a form, sign it, send it back to them at my leisure, and get by without my credit card for 3 weeks. What a pain in the ass!

    <disclaimer> In all seriousness, no matter how easy the fraud resolution process has become, it doesn't excuse not checking with the customer first. </disclaimer>
  • (cs) in reply to DWalker59
    DWalker59:
    Anonymous:
    Henryk Plötz:
    "… containing the name, address, credit-card number, verification code and expiration date …"

    Correct me if I'm wrong, but isn't storing the verification code a breach of contract with your credit card clearing center and should lead to the company losing the ability to process card payments?

    You're absolutely correct. Merchants are not allowed to store the CCV (verification code), even if they store the CC number itself. The CCV must be requested from the customer for every transaction and discarded after authorisation. God knows how many merchants are currently breaking this rule though, it's pretty much unenforceable unless you audit every merchant on a regular basis.

    Amazon.com does not ask me for my CVV on every transaction, even though I have a credit card number stored there, which I use to buy stuff. I know that many online companies do this (including Paypal).

    On the other hand, I have read some of the Visa and MasterCard merchant agreements and their data protection requirements. A local restaurant was using a software program to send credit card information to their clearinghouse, and the software was actually storing the entire card number (perhaps without the CCV) and expiration date in a database. ("Card Present" rules are different than "Card not present" rules.) Retail places that swipe credit cards are NOT supposed to store the entire card number.

    The newer version of this particular software only stored the last 4 digits of the card number, which is acceptable IIRC. They finally upgraded, then they went out of business. I tried to contact them to offer to securely erase the hard drives containing their database, but I was not successful. Ugh.

    Our software does card-not-present transactions, we never ask for CVV. Perhaps Amazon simply doesn't submit it on subsequent transactions. Just because they don't ask for it isn't a guarantee that they store it. The rules for these things are a bit weird. For example, if a credit card processor sends back a fail for address verification, it's your responsibility to decide whether or not to proceed with the transaction. You are reponsible for all fraud for card-not-present transactions. So, if you screw it up, it's your problem, not the bank's.

  • MasterCrypt (unregistered) in reply to Skippy

    Because of the increased security it Triple-ROT26 is also called "ROT-FL" (Financial Level)

  • boog (unregistered) in reply to Jeremy
    Jeremy:
    boog:

    Visa: "Are you aware there is a $3000 charge on your card in Greece?" (I live in the U.S.)

    Me: "Uh, yes, I've recently been there buying antiques."

    Visa: "We thought s... Oh. Well, er...

    Strange, that doesn't sound like what really happened.

    Jeremy:
    <disclaimer> In all seriousness, no matter how easy the fraud resolution process has become, it doesn't excuse not checking with the customer first. </disclaimer>
    1) Just what do you think the phone discussion was? I'd be surprised if they didn't have everything ready, just waiting for me to confirm it.
    1. In all fairness, the previous charge was that same morning at a coffee shop next to my office. It was pretty safe for them to assume the charge was fraudulent.

    2. If you want to complain about CC companies, just complain about one of the many evil things they actually do. It's not necessary to rewrite a story about a good experience with them in order to make them look evil.

    Wonderful rewrite of my story though, M. Night Shyamalan; what a twist!

Leave a comment on “Internal Standards”

Log In or post as a guest

Replying to comment #:

« Return to Article