I beg to differ, whether I aggregate my announcements does not impact the $50B charge identity theft puts on the US economy.
Perhaps a better start on impacting this would be for the credit card companies to pursue the people that abuse their cards/systems instead of just writing fraudulent purchases off as a loss and not pursuing them any further. I've been through it myself and I know for a fact that at least one major cc company operates in this way. In this model there's nothing to discourage someone from using stolen numbers.

Just my $.02

~M

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Rick Wesson
Sent: Tuesday, October 31, 2006 8:02 PM
To: Barry Greene (bgreene)
Cc: nanog@merit.edu
Subject: Re: advise on network security report

Barry Greene (bgreene) wrote:
Postings like this to NANOG will not have any impact. So if your goal is to instigate action, posting is not going to work. The core data point is the weekly CIDR report. It only works if you have peers using the weekly list to apply peer pressure to the networks listed to act.
I beg to differ, whether I aggregate my announcements does not impact the $50B charge identity theft puts on the US economy. Would it assist if I associated a dollar value for each bot hosted? We can estimate the number of credit cards stolen per bot and extrapolate into something with some zeros on it.
Sharing summaries to communities like dshield, NSP-SEC, DA, SANS and other security mitigation communities along with a subscription web page that would allow an organization to get enough details to take action.
nsp-sec players still won't let us in their sand-box... but we will share to the communities you have enumerated. -rick
On Wed, 01 Nov 2006 15:09:59 EST, Mike Callahan said:
Perhaps a better start on impacting this would be for the credit card companies to pursue the people that abuse their cards/systems instead of just writing fraudulent purchases off as a loss and not pursuing them any further.
Let's take a hypothetical $300 fraudulent charge. If the card company spends more than $300 pursuing it, it's losing money on it and is better off just swallowing it.

Now what does $300 get you? If you're lucky, that gets you 5 hours of a tech's time to chase logs, make phone calls, and get all the evidence together, and 1 hour of a lawyer's time to get the ball rolling if you pursue it as a civil matter. How much pursuit can you get done in 5 hours?

The credit card companies are *acutely* aware of *exactly* how much it costs to swallow any given fraud, and how much it costs to chase a particular miscreant down. And barring some major economic/political/legal changes that alter the price/performance ratio, they're unlikely to change the way they do things.

(Hint - $50B sounds like a lot, but what percent of the total Visa/MasterCard business per year is that, really? Not much compared against the $1,325B done by the top 4 card networks in 2004:

http://www.fdic.gov/bank/analytical/banking/2005nov/Art2table1.html

The whole article is here:

http://www.fdic.gov/bank/analytical/banking/2005nov/article2.html

and discusses in a fair amount of detail what the credit card companies *really* worry about, and why....
Participants (2): Mike Callahan, Valdis.Kletnieks@vt.edu