Did Credit Card Scammer War Drive?

from the evidence-please? dept

There’s a story making the rounds this morning about a teenager being charged with credit card fraud. He apparently got credit card numbers somehow, made up fake cards, and gave them to people to buy stuff. What’s unclear, however, is how he got the card numbers. The article claims: “They believed that he was gathering credit card numbers online or parking in residential neighborhoods and capturing wireless transmissions of financial information on his laptop.” Gathering credit card numbers online is fairly common, but the claim that he was getting them via wireless networks deserves more scrutiny. It is certainly possible, but it’s pretty difficult. Even if your WiFi network is unprotected, most websites that require a credit card entry will use encryption, meaning he should not have been able to get the card numbers that way. Because the press seems to really like writing up stories about war drivers stealing credit cards, it’s only a matter of time until this aspect of the story gets more attention — but there should be a little more evidence to show that he actually obtained credit card numbers this way, and an explanation of how that happened if people were using sites that used encryption.


Comments on “Did Credit Card Scammer War Drive?”

Anonymous Coward says:

Probably easier than you think.

While it’s true that most credit card-accepting sites will use SSL encryption, it’s not always clear how weak the ‘human’ aspect of that security chain is. It’s actually fairly easy to associate with a wireless network and spoof clients into forwarding all outbound traffic to you instead of the router. Once that is done, it’s possible to set up a website proxy which uses a fake SSL certificate on the client side and establishes a real SSL connection with the server.
When this happens, the client does get a warning box from their browser saying that it couldn’t verify the SSL certificate of the server, but how often do you think people are willing to click “Ok” to a warning box that they don’t understand? Probably more often than anybody would like to admit. Once the user clicks ok, the “encrypted” session goes on unhindered with the eavesdropper listening in to everything being said.
People don’t understand the gravity of certificate-verification warning boxes. If your browser isn’t able to verify an SSL certificate with a central authority, then the chain of trust is broken and any claims to security are null and void.

Chomper says:

No Subject Given

There are much easier ways to get CC #’s that people are totally oblivious about.

I won’t name the restaurant, but while there and waiting for a table, they had that night’s receipts on the table where the hostess sits and in plain sight were receipts with full credit card numbers along with expiration dates. One shot with a camera phone and those people would have been screwed.

Unfortunately, a lot of the press are brain dead in terms of technology and have no right to be talking about it, but this stuff does happen.

Another scenario is when people hold out their credit cards while in line waiting to pay, a simple, indiscreet capture of that, again with a camera phone or other type of device and gone.

Mike (profile) says:

Re: Re: Camera Phone theory

How about links right here at Techdirt:


Yeah, that cameraphone story isn’t true. So far, there aren’t many cameraphones out there good enough to snap a photo of credit card numbers. However, it could be an issue at some point, though you hope, by then, people are smart enough to notice someone fiddling with their phone nearby.

saleh says:

Possible, and relatively easy

While the wifi attack may or may not have been used in this case, it would be trivial to accomplish.

Rather than a fancy SSL man-in-the-middle attack, just connect to the (likely unsecured) wifi and install a browser helper (on the likely insecure PC) that keylogs whenever an interesting site is accessed. Come back a month or two later, get the logs, and wipe out the keylogger.

For the finishing touch, use the victim’s own wifi network to connect to the bank and drain his account. The logged IP (that of the router/firewall) would belong to the victim.

Mike (profile) says:

Re: Possible, and relatively easy

Rather than a fancy SSL man-in-the-middle attack, just connect to the (likely unsecured) wifi and install a browser helper (on the likely insecure PC) that keylogs whenever an interesting site is accessed. Come back a month or two later, get the logs, and wipe out the keylogger.

Er… what are you installing a keylogger on? Even if you can get on an average WiFi network, it’s much less likely you’ll get access to someone’s computer.

saleh says:

Re: Re: Possible, and relatively easy

From my condo (not wardriving) I can get to two completely open access points. Both are fully browsable from Windows; the PCs on those networks advertise their names.

If we assume those users took a minimal set of baseline steps to secure their PCs (e.g. rename administrator account, use non-dictionary passwords, enable account lockout on invalid passwords, configure the event log to audit logon failures…) then you are correct. But, if someone’s access point is blinking 12:00, how sophisticated is that end-user?
