Comcast Resets 200k Passwords After Customer List Goes On Sale

HardOCP News

Let's give credit where credit is due. Comcast acted fast on this one and, with any luck, none of its customers will be adversely affected.

Over the weekend, a reader (@flanvel) directed Salted Hash to a post on a Dark Web marketplace selling a number of questionable, if not outright illegal, goods. The post in question offered a list of 590,000 Comcast email addresses and corresponding passwords. As proof, the seller offered a brief list of 112 accounts with a going rate of $300 USD for 100,000 accounts. However, if one wished to purchase the entire list of 590,000 accounts, the final price was $1,000 USD.
 
In a way, it's sad that so many people's lives can be thrown into criminal chaos so cheaply. Over 500,000 accounts for $1000? Leet hacking doesn't seem to pay very well.
 
While I was taking a course on computer security over ten years ago there was a (Russian?) site that was selling hundreds of thousands of credit cards for very very little - or just "small" batches (like 10k). The thing is... they would sell that stuff over and over and over - it's not just sold once and they remove 'em but I'm not positive as to how they would... well... manage that :p - (could even buy driver's licenses and such - state specific in the US of A and licenses for other countries). Site was also heavily watched.
 
Well, back in the day, most websites didn't actually verify the credit card's validity when making online purchases.

And because of this there were quite a few credit card number generators.

And before CC readers were common, most CC and debit card transactions were done with the old card swiper machines where you stick the card in, then stick the transaction record carbon copy paper in and then it would imprint the front of the CC or debit card on the carbon paper.

That was a disaster waiting to happen.

Back then though, you were always required to show a photo ID when making purchases with a card.. not like it would be any more trouble to make a fake ID if you had a fake card, but whatever.

Nowadays, almost nobody requests photo ID when making a purchase with a card. So anybody can steal a card and go make thousands in purchases before the owner even realizes what has happened.

And this is why every single CC transaction should require a PIN. The stupid smart card chips do absolutely nothing as they still don't require a PIN.
 
So, they reset 200k accounts, but 590k accounts were for sale...

Am I the only one who thinks there might be a 390k account gap here?
 
And this is why every single CC transaction should require a PIN. The stupid smart card chips do absolutely nothing as they still don't require a PIN.
Yes they do. They help prevent a very specific type of fraud but they don't prevent all fraud.

EMV Chip cards prevent stealing the card number at the point of sale terminal. Mag strips contain the card number, expiration date, and security code (CVV = card verification value). Using the chip instead of swiping the card generates a 1 time transaction code that is shared to the card reader. That transaction code is then sent to the card processor who looks up the code.

Putting in a PIN number won't help if the card reader itself is compromised. The criminal will get the PIN too. It happens all the time at hacked ATMs.

EMV chip cards will prevent thefts similar to the Target and Home Depot breaches from a couple years ago. With Target they accessed the system through one of their contractors, but then began skimming the card numbers from the cash registers almost in real time. If EMV cards were prevalent back then, all the criminals would have gotten was the 1 time transaction codes. The criminals would have had to find a different avenue of attack such as their website where customers are keying in the full card number.
 
Ok, so it is slightly more secure than the regular mag strips.

As it is now though, the current EMV chipped cards still have the magnetic strip as well, and almost no retailers have the chip reader enabled in their systems... at least here in the US.

That being said, it is still nowhere near as secure as if they required a PIN. That would also pretty much eliminate physical card theft as it would be pointless to steal the card without being able to get the PIN at the same time.

The next round of cards better have the mag strip removed AND require a PIN.
 