Credit card security


Comments

  • Toonces Posts: 919
    nicstt said:
    MDO2010 said:

     

    I am now using a password manager, so I have extremely complicated passwords for every site. I hope this will make a difference. I looked my email address up in the link that ChangelingChick linked to, and it was compromised, so I changed the password.

    The passwords I store in the password manager are protected by a master password and I chose a strong one; now I just need a good hiding place for the master password laugh

    My password manager (I used one called KeePass and I really highly recommend it) lets me use a crazy long main password so I set it to a couple lines from my favorite poem - easy to remember and no one is ever going to guess it since the last time I talked about poetry with anyone was 20+ years ago in college. laugh

    But that makes it open to dictionary attacks; a very effective way of cracking accounts.

    ... And that is two or three useful pieces of information; one you went to college, 20 years ago, and poetry played a part. Do you have a Facebook account? (Don't answer that question.)

    And again, I don't discuss what if any managers I use; if a vulnerability is discovered in a piece of software (really does that happen? cheeky ), 'they' (whoever they are) don't have a head start.

     

    I started typing earlier to offer a suggestion (like the poster I've quoted here), and changed my mind and deleted what I'd typed and wrote something else instead. Am I paranoid? Yes.

    Am I too paranoid? I don't believe so; I believe the majority of people are a long way from being paranoid enough. But that is good for me, it means it is easier to not be a 'low hanging fruit'.

    I think dictionary attacks would only be effective for one, two or perhaps 3 words max. If your password contains multiple words strung together to create a very long password, as in the case of MDO2010, a dictionary attack would be useless, unless the couple of lines from his/her poem are published somewhere.

    Or unless the 20 years ago when she had the poetry discussion with someone, that someone memorized the lines of poetry and decided to make a password attack 20 years later. ;)

  • nonesuch00 Posts: 18,722

    Some of these cracks are coming from keystroke loggers, not many though. Based on the number of people at this forum with attempted theft against them I'd say it's mostly business sites being compromised.

    There was a write-up recently in one of these tech journals about this American security business knowingly selling government-grade cracking tools to criminal organizations. Well, needless to say, criminals with cracking tools that knowledgeable about the SW vulnerabilities and backdoors will find that many businesses are easy to crack into.

    Also there was an article about these big call centers that had bought massive amounts of customer data from these huge and legal data warehouses and proceeded to scam people in that database out of over 350 million dollars claiming they were the American IRS. Think that's new? No, they did a similar bust in 2013. Hardly a week goes by that I don't get 3 or 4 calls from such criminal organizations. It's why I will be changing my number soon and giving businesses a number that goes to a turned-off pre-paid cell phone I keep in my car for breakdowns.

  • MarkIsSleepy Posts: 1,496
    edited April 2017
    nicstt said:
    MDO2010 said:

     

    I am now using a password manager, so I have extremely complicated passwords for every site. I hope this will make a difference. I looked my email address up in the link that ChangelingChick linked to, and it was compromised, so I changed the password.

    The passwords I store in the password manager are protected by a master password and I chose a strong one; now I just need a good hiding place for the master password laugh

    My password manager (I used one called KeePass and I really highly recommend it) lets me use a crazy long main password so I set it to a couple lines from my favorite poem - easy to remember and no one is ever going to guess it since the last time I talked about poetry with anyone was 20+ years ago in college. laugh

    But that makes it open to dictionary attacks; a very effective way of cracking accounts.

    ... And that is two or three useful pieces of information; one you went to college, 20 years ago, and poetry played a part. Do you have a Facebook account? (Don't answer that question.)

    And again, I don't discuss what if any managers I use; if a vulnerability is discovered in a piece of software (really does that happen? cheeky ), 'they' (whoever they are) don't have a head start.

     

    I started typing earlier to offer a suggestion (like the poster I've quoted here), and changed my mind and deleted what I'd typed and wrote something else instead. Am I paranoid? Yes.

    Am I too paranoid? I don't believe so; I believe the majority of people are a long way from being paranoid enough. But that is good for me, it means it is easier to not be a 'low hanging fruit'.

    LOL - If someone has the time and computing power to run a dictionary attack on a password that is more than 50 characters long (a lot more), case-sensitive and which may or may not include odd spellings, rare words and punctuation, they are welcome to whatever is in there.  laugh Everything I have ever heard or read on the subject says that a long password, even one made up of recognizable words, is much more secure than a shorter, more complex password.

    And poetry had nothing to do with my college experience - I only mentioned it to give context to the fact that in my entire life I have only talked about what kind of poetry I like one time, more than 20 years ago, with one person, and neither the poet nor the poem in question came up - there are no references to it anywhere else in my life.  My point was that it's a long, easy to remember password that no one but me could have any idea about - saying publicly that it is part of a poem doesn't really give anything useful away, but does suggest, as intended, that picking something like this is an easy way to come up with a long password that you don't need to write down anywhere. It's just the one master password that has words in it - all my other passwords are randomly generated using the maximum length and complexity any given site will allow. smiley

    Otherwise though, I completely agree with you; more paranoia about this kind of thing is better than less. 

    Post edited by MarkIsSleepy on
  • nonesuch00 Posts: 18,722

    What I find irritating is making up a very long password in which it is easy to change a couple of characters but say the same thing to make it unique, and yet I go to these websites that have these character limits of 12 characters or other such things and I have to go with a comparatively simple password anyway. Of course then I am forced to write them down outside my computer (at home) just to remember them, because should you forget them you can be locked out of your account with no way to log back in. E.g., don't use your credit/debit card at Apple for a very long time, such that it expires and you trashed it and don't remember the number; well then good luck on the very, very, very long wait of weeks and months before Apple support contacts you to unlock your account. And these security questions, I never can remember my answers to. Or the recovery email I deleted because it was being spammed too much.

  • Chohole Posts: 33,604

    For my really important passwords, such as PayPal, I make them quite long and quite complimacated.  And when I can type them reliably every time without looking them up, then I change them for one even longer etc.  I have ended up with an 18, or it may be 19 or 20, character password at the moment.  I never use anything except this PC to purchase online, my phone is dumb and plugs into a socket in the wall, I don't have a tablet unless you mean one of the ones in the bottle in the medicine cabinet. I don't use wireless, it's not very reliable when one lives in a house built in the 1830s, of solid stone, with 18 inch to 2 ft thick walls. I couldn't use one of those fancy Amazon things that let your fridge talk to your computer if I wanted to, as there is even a 2 ft thick wall between the kitchen and the room where I work.  I do have radio controlled clocks, but I have to make sure they are situated where they can look out of a window.

  • Taoz Posts: 10,249
    Toonces said:
    nicstt said:
    MDO2010 said:

     

    I am now using a password manager, so I have extremely complicated passwords for every site. I hope this will make a difference. I looked my email address up in the link that ChangelingChick linked to, and it was compromised, so I changed the password.

    The passwords I store in the password manager are protected by a master password and I chose a strong one; now I just need a good hiding place for the master password laugh

    My password manager (I used one called KeePass and I really highly recommend it) lets me use a crazy long main password so I set it to a couple lines from my favorite poem - easy to remember and no one is ever going to guess it since the last time I talked about poetry with anyone was 20+ years ago in college. laugh

    But that makes it open to dictionary attacks; a very effective way of cracking accounts.

    ... And that is two or three useful pieces of information; one you went to college, 20 years ago, and poetry played a part. Do you have a Facebook account? (Don't answer that question.)

    And again, I don't discuss what if any managers I use; if a vulnerability is discovered in a piece of software (really does that happen? cheeky ), 'they' (whoever they are) don't have a head start.

     

    I started typing earlier to offer a suggestion (like the poster I've quoted here), and changed my mind and deleted what I'd typed and wrote something else instead. Am I paranoid? Yes.

    Am I too paranoid? I don't believe so; I believe the majority of people are a long way from being paranoid enough. But that is good for me, it means it is easier to not be a 'low hanging fruit'.

    I think dictionary attacks would only be effective for one, two or perhaps 3 words max. If your password contains multiple words strung together to create a very long password, as in the case of MDO2010, a dictionary attack would be useless, unless the couple of lines from his/her poem are published somewhere.

    Well you just get one of those password cracking devices you often see in movies which cracks the password one character/digit at a time, until you got them all. cheeky

  • nicstt Posts: 11,715
    MDO2010 said:
    nicstt said:
    MDO2010 said:

     

    I am now using a password manager, so I have extremely complicated passwords for every site. I hope this will make a difference. I looked my email address up in the link that ChangelingChick linked to, and it was compromised, so I changed the password.

    The passwords I store in the password manager are protected by a master password and I chose a strong one; now I just need a good hiding place for the master password laugh

    My password manager (I used one called KeePass and I really highly recommend it) lets me use a crazy long main password so I set it to a couple lines from my favorite poem - easy to remember and no one is ever going to guess it since the last time I talked about poetry with anyone was 20+ years ago in college. laugh

    But that makes it open to dictionary attacks; a very effective way of cracking accounts.

    ... And that is two or three useful pieces of information; one you went to college, 20 years ago, and poetry played a part. Do you have a Facebook account? (Don't answer that question.)

    And again, I don't discuss what if any managers I use; if a vulnerability is discovered in a piece of software (really does that happen? cheeky ), 'they' (whoever they are) don't have a head start.

     

    I started typing earlier to offer a suggestion (like the poster I've quoted here), and changed my mind and deleted what I'd typed and wrote something else instead. Am I paranoid? Yes.

    Am I too paranoid? I don't believe so; I believe the majority of people are a long way from being paranoid enough. But that is good for me, it means it is easier to not be a 'low hanging fruit'.

    LOL - If someone has the time and computing power to run a dictionary attack on a password that is more than 50 characters long (a lot more), case-sensitive and which may or may not include odd spellings, rare words and punctuation, they are welcome to whatever is in there.  laugh Everything I have ever heard or read on the subject says that a long password, even one made up of recognizable words, is much more secure than a shorter, more complex password.

    And poetry had nothing to do with my college experience - I only mentioned it to give context to the fact that in my entire life I have only talked about what kind of poetry I like one time, more than 20 years ago, with one person, and neither the poet nor the poem in question came up - there are no references to it anywhere else in my life.  My point was that it's a long, easy to remember password that no one but me could have any idea about - saying publicly that it is part of a poem doesn't really give anything useful away, but does suggest, as intended, that picking something like this is an easy way to come up with a long password that you don't need to write down anywhere. It's just the one master password that has words in it - all my other passwords are randomly generated using the maximum length and complexity any given site will allow. smiley

    Otherwise though, I completely agree with you; more paranoia about this kind of thing is better than less. 

    The thing is, dictionary attacks are not that massive a resource hog; tbh you're likely correct, I doubt someone would take the trouble.

    My perspective is, why provide that info in the first place; relying on someone else is not my preferred method.

    Taozen said:
    Toonces said:
    nicstt said:
    MDO2010 said:

     

    I am now using a password manager, so I have extremely complicated passwords for every site. I hope this will make a difference. I looked my email address up in the link that ChangelingChick linked to, and it was compromised, so I changed the password.

    The passwords I store in the password manager are protected by a master password and I chose a strong one; now I just need a good hiding place for the master password laugh

    My password manager (I used one called KeePass and I really highly recommend it) lets me use a crazy long main password so I set it to a couple lines from my favorite poem - easy to remember and no one is ever going to guess it since the last time I talked about poetry with anyone was 20+ years ago in college. laugh

    But that makes it open to dictionary attacks; a very effective way of cracking accounts.

    ... And that is two or three useful pieces of information; one you went to college, 20 years ago, and poetry played a part. Do you have a Facebook account? (Don't answer that question.)

    And again, I don't discuss what if any managers I use; if a vulnerability is discovered in a piece of software (really does that happen? cheeky ), 'they' (whoever they are) don't have a head start.

     

    I started typing earlier to offer a suggestion (like the poster I've quoted here), and changed my mind and deleted what I'd typed and wrote something else instead. Am I paranoid? Yes.

    Am I too paranoid? I don't believe so; I believe the majority of people are a long way from being paranoid enough. But that is good for me, it means it is easier to not be a 'low hanging fruit'.

    I think dictionary attacks would only be effective for one, two or perhaps 3 words max. If your password contains multiple words strung together to create a very long password, as in the case of MDO2010, a dictionary attack would be useless, unless the couple of lines from his/her poem are published somewhere.

    Well you just get one of those password cracking devices you often see in movies which cracks the password one character/digit at a time, until you got them all. cheeky

    I find that intensely annoying; it simply can't be done like that.

  • nicstt Posts: 11,715
    Chohole said:

    For my really important passwords, such as PayPal, I make them quite long and quite complimacated.  And when I can type them reliably every time without looking them up, then I change them for one even longer etc.  I have ended up with an 18, or it may be 19 or 20, character password at the moment.  I never use anything except this PC to purchase online, my phone is dumb and plugs into a socket in the wall, I don't have a tablet unless you mean one of the ones in the bottle in the medicine cabinet. I don't use wireless, it's not very reliable when one lives in a house built in the 1830s, of solid stone, with 18 inch to 2 ft thick walls. I couldn't use one of those fancy Amazon things that let your fridge talk to your computer if I wanted to, as there is even a 2 ft thick wall between the kitchen and the room where I work.  I do have radio controlled clocks, but I have to make sure they are situated where they can look out of a window.

    Ha!

    Don't get me started on the security issues of all these 'smart' devices they currently want us to buy.

    ... Sure, I'll do that just as soon as someone starts thawing out hell.

  • Bendinggrass Posts: 1,380

    I have had a few cards very recently be compromised, and my mother has also. I suspected spyware on my computer but found it was secure.

    Now I use paypal for everywhere on the internet. It is much safer, because your cc info is not given to anyone during a transaction. I wish I had started using it long ago. 

    The folks at DAZ have been a fantastic help when I had to cancel my cc also.

    Hope this helps.

  • nonesuch00 Posts: 18,722

    Well, given my clean install of Windows 10, twice, and the other activity in this thread, I've confirmed that my CC information was stolen again (3rd time since December); they are attempting to use it, and there are only 4 online places it could have been stolen from.

    I will definitely start using PayPal, but I won't do any sort of one-click or such things linking PayPal with other sites for easy payments, seeing how easily these sites are being stolen from on multiple occasions.

  • namffuak Posts: 4,405

    I use PayPal occasionally - no account, I pass the CC number at time of transaction.

    As for telephone scammers - I have caller ID and will not answer 'unknown caller', 'out of area' or any unknown number from outside my area code until after I've looked it up. If it was important, they'll call back.

  • Tobor Posts: 2,300

    Well, I just had the Mastercard I use here (among other places) hacked, and I'm extremely careful about passwords and machine security. I do use it at several 3D marketplaces, as well as some other online stores. I will say that I don't have the card "stored" here at Daz, or at any other site, or in my browser. I doubt it's from anything on my computer as I don't even type the card info in. It's stored in an encrypted password safe and copied/pasted.

    In my case, there wasn't enough money in the account for the charge to go through, so nothing happened, but it's a hassle to cancel the card and get a new one. 

  • Tobor Posts: 2,300

    Okay, so I just got a call from for a different card that there was a separate hack attempt. The bank declined it, and then called to confirm. So another card that has to be replaced.

    Both of these cards were used recently (within the last two months) at various digital marketplaces, but I've never used this second card at Daz. There are other common denominators, so I won't mention a specific company, but I have my suspicions which one it is.

  • Cybersox Posts: 9,271

    I've already received an e-mailed warning from Renderosity that they had a data breach a few weeks ago, and fortunately my wife is really on the ball about keeping an eye on those accounts:  we just caught several thousand dollars in fraudulent charges on the card I use for Rendo and Daz.  I haven't had time to read this thread all the way through, but there's a thread running in Rendo's store support forum about people spotting trojans during Rendo's checkout process.

  • Toonces Posts: 919

    I've never used anything but paypal at daz or rendo and I've never had a problem. Curious to know if anyone who just uses paypal has experienced fraud. I'm really not sure how they could accomplish it, since I'm not entering numbers in a website.

  • barbult Posts: 26,193

    How do you log out of Renderosity? I can't find any logout control anyplace I look.

     

  • CypherFOX Posts: 3,401
    edited April 2017

    Greetings,

    Wait, Renderosity is claiming they had a breach _this year_ from March 9th?  Because I literally have an email from LAST year, specifically saying:

    Unfortunately, our investigation found that between February 9th and March 18th of this year, there was an intermittent attack that resulted in the exposure of some payment card information to an unauthorized third party.

    Is it possible that folks are seeing something that is from last year, and thinking it was this year?

    (During that breach last year, I had one card replaced, and then the REPLACEMENT immediately abused.  After that I only pay for 'Rosity items with PayPal, and it's a lot harder to pry money from me there.)  

    ----------------------------------------

    In general one source of weakness can be serving ads. Ads contain snippets of JavaScript in order to do 'pretty things' to attract your attention, like old video games had 'attract mode', to draw gamers in to play.

    That JavaScript can also do things like...monitor the input fields on the page and forward that data to another server by encoding it as a string and requesting a 1x1 transparent gif from their server with that name. It's not a downloadable trojan that goes onto your system, it's one that's injected onto their site via JavaScript, either by the ad provider, or the ad provider gets good JavaScript but the code relies on some OTHER domain that gets compromised, or someone manages to hack the store's own pages and add a nice-looking, but evil JS file in.  It's ugly, and unpleasant, and one of the WORST parts of all of it is that there's no REASON for any store to serve ads on the checkout pages, NOR is there any good reason for any store to ask folks to enter their credit card details into form fields every time.

    When DAZ stores your credit card information, from what I see, I believe it is _not_ stored on DAZ's own site.  It's stored at an intermediary, like Stripe, Authorize.net, or even PayPal Merchant Services.  (It looks like they use one named Batch Pay, probably with VirtualPay, a related service).  All of these (IIRC) offer the ability to store CC info on THEIR site (which is vastly better secured than most internet sites) and provide a 'token' back to the market (DAZ in this case, or any other store that would choose to do it).  That token is used to make purchases (in combination with the CVC of the card), and the credit card number is only exposed ONCE, and saved to that secure intermediary.  This is why your CC# is MUCH more secure if you save it on a site, than if you have to enter it every time.

    Any other store could do that also; it's really easy to set up.  But instead, they've had multiple breaches over multiple years, that leave their customers having to clean up the mess.

    I kinda love that DAZ takes its position as a store seriously.  That said, nobody's perfectly secure, so always keep an eye out.

    --  Morgan

    p.s. You joke about password-guessing in movies that detect one character at a time, but there's actually a bit of truth to that when attacking embedded systems.  If your 'password checker' behaves differently by microseconds when it finds a first-character match vs. when it doesn't, then the attacker can stream guesses at the embedded processor, measure the delay, and determine that it's correctly guessed a series of bits, lock those in place, and continue guessing the rest.  Modern password hashing/testing algorithms have had to take this into account, even though the vagaries of internet delays make it less a viable target on the web.

    Post edited by Richard Haseltine on
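    The timing leak Morgan describes in the p.s., as an added example (not code from any poster): a comparison that returns at the first mismatching byte does an amount of work that depends on how much of the guess is right, while a constant-time comparison does the same work for every guess. The function names (leaky_equal, constant_time_equal, work_profile) and the sample secret are assumptions for the demo; hmac.compare_digest is the real standard-library routine a server should use.

```python
import hashlib
import hmac


def leaky_equal(a: bytes, b: bytes) -> tuple:
    """Naive early-exit comparison (the pattern that leaks).

    Returns (equal, steps): 'steps' counts the byte comparisons that ran
    before the function returned, so the leak is visible without a clock.
    """
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps  # bails out on the first mismatch
    return True, steps


def constant_time_equal(a: bytes, b: bytes) -> tuple:
    """Walks every byte regardless of where the guess diverges.

    The OR-accumulated difference decides the result, so the step count
    (and, on a real CPU, the time) does not depend on the correct prefix.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


def work_profile(compare, secret: bytes, guesses) -> list:
    """Step count each guess costs under the given comparison routine.

    A rising profile is exactly the signal a per-character guesser needs;
    a flat profile gives it nothing.
    """
    return [compare(secret, g)[1] for g in guesses]


def sha256_digest(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()


def verify_password(stored_digest: bytes, candidate: str) -> bool:
    """What a server should do: hash the candidate, then compare digests
    with the standard library's constant-time routine."""
    return hmac.compare_digest(stored_digest, sha256_digest(candidate))


# Constructed sample: guesses that match 0, 1, 2, 3 and all 4 leading bytes.
SECRET = b"poem"
GUESSES = [b"XXXX", b"pXXX", b"poXX", b"poeX", b"poem"]

if __name__ == "__main__":
    print("early-exit compare:", work_profile(leaky_equal, SECRET, GUESSES))
    print("constant-time compare:", work_profile(constant_time_equal, SECRET, GUESSES))
    print("login ok:", verify_password(sha256_digest("poem"), "poem"))
```

    Real deployments hash with a slow, salted KDF rather than plain SHA-256; this block isolates only the comparison step Morgan's p.s. is about.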
  • Ivy Posts: 7,165
    edited April 2017

    Greeting Morgan :)

    That was very informative thank you for sharing that information.

    About the password guessing: there has been something called brute force attackers, where they can do password guessing in less than 6 seconds.

    I just read an article on brute force attackers ( http://www.digitaltrends.com/computing/credit-card-security-hacking-brute-force-tesco-bank/ ) and found it a bit scary. What is your take on brute force attacks & password guessing? And how do you recommend a safeguard against it? I'm guessing probably PayPal or a prepaid credit card is safest, right?

    Post edited by Ivy on
  • Taoz Posts: 10,249
    nicstt said:
    MDO2010 said:
    nicstt said:
    MDO2010 said:

     

    I am now using a password manager, so I have extremely complicated passwords for every site. I hope this will make a difference. I looked my email address up in the link that ChangelingChick linked to, and it was compromised, so I changed the password.

    The passwords I store in the password manager are protected by a master password and I chose a strong one; now I just need a good hiding place for the master password laugh

    My password manager (I used one called KeePass and I really highly recommend it) lets me use a crazy long main password so I set it to a couple lines from my favorite poem - easy to remember and no one is ever going to guess it since the last time I talked about poetry with anyone was 20+ years ago in college. laugh

    But that makes it open to dictionary attacks; a very effective way of cracking accounts.

    ... And that is two or three useful pieces of information; one you went to college, 20 years ago, and poetry played a part. Do you have a Facebook account? (Don't answer that question.)

    And again, I don't discuss what if any managers I use; if a vulnerability is discovered in a piece of software (really does that happen? cheeky ), 'they' (whoever they are) don't have a head start.

     

    I started typing earlier to offer a suggestion (like the poster I've quoted here), and changed my mind and deleted what I'd typed and wrote something else instead. Am I paranoid? Yes.

    Am I too paranoid? I don't believe so; I believe the majority of people are a long way from being paranoid enough. But that is good for me, it means it is easier to not be a 'low hanging fruit'.

    LOL - If someone has the time and computing power to run a dictionary attack on a password that is more than 50 characters long (a lot more), case-sensitive and which may or may not include odd spellings, rare words and punctuation, they are welcome to whatever is in there.  laugh Everything I have ever heard or read on the subject says that a long password, even one made up of recognizable words, is much more secure than a shorter, more complex password.

    And poetry had nothing to do with my college experience - I only mentioned it to give context to the fact that in my entire life I have only talked about what kind of poetry I like one time, more than 20 years ago, with one person, and neither the poet nor the poem in question came up - there are no references to it anywhere else in my life.  My point was that it's a long, easy to remember password that no one but me could have any idea about - saying publicly that it is part of a poem doesn't really give anything useful away, but does suggest, as intended, that picking something like this is an easy way to come up with a long password that you don't need to write down anywhere. It's just the one master password that has words in it - all my other passwords are randomly generated using the maximum length and complexity any given site will allow. smiley

    Otherwise though, I completely agree with you; more paranoia about this kind of thing is better than less. 

    The thing is, dictionary attacks are not that massive a resource hog; tbh you're likely correct, I doubt someone would take the trouble.

    My perspective is, why provide that info in the first place; relying on someone else is not my preferred method.

    Taozen said:
    Toonces said:
    nicstt said:
    MDO2010 said:

     

    I am now using a password manager, so I have extremely complicated passwords for every site. I hope this will make a difference. I looked my email address up in the link that ChangelingChick linked to, and it was compromised, so I changed the password.

    The passwords I store in the password manager are protected by a master password and I chose a strong one; now I just need a good hiding place for the master password laugh

    My password manager (I used one called KeePass and I really highly recommend it) lets me use a crazy long main password so I set it to a couple lines from my favorite poem - easy to remember and no one is ever going to guess it since the last time I talked about poetry with anyone was 20+ years ago in college. laugh

    But that makes it open to dictionary attacks; a very effective way of cracking accounts.

    ... And that is two or three useful pieces of information; one you went to college, 20 years ago, and poetry played a part. Do you have a Facebook account? (Don't answer that question.)

    And again, I don't discuss what if any managers I use; if a vulnerability is discovered in a piece of software (really does that happen? cheeky ), 'they' (whoever they are) don't have a head start.

     

    I started typing earlier to offer a suggestion (like the poster I've quoted here), and changed my mind and deleted what I'd typed and wrote something else instead. Am I paranoid? Yes.

    Am I too paranoid? I don't believe so; I believe the majority of people are a long way from being paranoid enough. But that is good for me, it means it is easier to not be a 'low hanging fruit'.

    I think dictionary attacks would only be effective for one, two or perhaps 3 words max. If your password contains multiple words strung together to create a very long password, as in the case of MDO2010, a dictionary attack would be useless, unless the couple of lines from his/her poem are published somewhere.

    Well you just get one of those password cracking devices you often see in movies which cracks the password one character/digit at a time, until you got them all. cheeky

    I find that intensely annoying; it simply can't be done like that.

    No, but in a movie anything that makes the heroes/villains look cool and smart is allowed.

  • Cybersox Posts: 9,271
    CypherFOX said:

    Greetings,

    Wait, Renderosity is claiming they had a breach _this year_ from March 9th?  Because I literally have an email from LAST year, specifically saying:

    Unfortunately, our investigation found that between February 9th and March 18th of this year, there was an intermittent attack that resulted in the exposure of some payment card information to an unauthorized third party.

    Is it possible that folks are seeing something that is from last year, and thinking it was this year?

    Nope.  I got an email from Rendo directly informing me of the breach.  My guess is that they were legally obligated to contact me as I had made several charges during the timeframe that that particular breach had occurred, as I never saw any general announcement about it.

    I also booked some tickets on United right before Drag-gate, so I'm just having a wonderful week...

  • mtl1mtl1 Posts: 1,508
    edited April 2017
    Ivy said:

    Greeting Morgan :)

    That was very informative thank you for sharing that information.

    About the password guessing: there is something called brute force attacks, where they can do password guessing in less than 6 seconds.

    I just read an article on brute force attacks (http://www.digitaltrends.com/computing/credit-card-security-hacking-brute-force-tesco-bank/) and found it a bit scary. What is your take on brute force attacks & password guessing, and how do you recommend safeguarding against it? I'm guessing probably PayPal or a prepaid credit card is safest, right?

    A brute force attack can be easily detected and blocked if a server is properly protected. The real threat is if the attacker finds a backdoor to grab the hash table -- essentially an 'encoding' of all the passwords stored at the site. Many passwords up to a certain character length can be bypassed simply by looking them up in another table -- or, to put it simply, they generated an 'encoding' of all possible passwords. Many sites now use 'salting', stronger levels of encryption, or token services, but the safest level of protection is to limit your exposure to risk.

    In my personal opinion, you're already doing *better* than most by using a prepaid card online.


    Oh, and running an AdBlocker works wonders too, as ad networks are frequently compromised...

    edit: Oh, I forgot: enabling two-factor authentication works *wonders* in preventing break-ins...

    Post edited by mtl1 on
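    The lookup-table attack and the 'salting' defence that mtl1 mentions, worked through as an added example (this is not code from the thread or from any of the sites discussed). It assumes a small constructed wordlist standing in for a real cracking dictionary, a constructed "leaked" user table, and PBKDF2-HMAC-SHA256 with 200,000 iterations as the slow, salted storage scheme; the iteration count is an illustrative choice, not a recommendation taken from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "iloveyou"]


def unsalted_hash(password: str) -> str:
    """Legacy storage: one fast, unsalted hash per password (the 'encoding' mtl1 describes)."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Attacker precomputes hash -> plaintext once and reuses it against every leaked database."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """Recover every leaked unsalted hash that appears in the precomputed table."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Hardened storage: per-record random salt plus a deliberately slow key derivation.

    A precomputed table is useless because every record would need its own table,
    and each guess now costs `iterations` hash operations instead of one.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    table = build_lookup_table(WORDLIST)

    # Constructed "leaked" user table stored with unsalted SHA-256.
    leaked_unsalted = [unsalted_hash("qwerty"), unsalted_hash("dragon"), unsalted_hash("Tr0ub4dor&3")]
    recovered = crack_unsalted(leaked_unsalted, table)  # two of three fall out instantly

    # Same two users, same password, stored salted: nothing matches the table, and the
    # two records no longer share a digest, so the attacker cannot even see they match.
    stored_a = salted_hash("qwerty")
    stored_b = salted_hash("qwerty")
    digest_a = stored_a.split("$")[-1]
    digest_b = stored_b.split("$")[-1]

    return {
        "recovered": recovered,
        "salted_in_table": [d for d in (digest_a, digest_b) if d in table],
        "same_password_same_hash": digest_a == digest_b,
        "verify_ok": verify_salted("qwerty", stored_a),
        "verify_wrong": verify_salted("qwerty1", stored_a),
    }
```

    The point of the example is the asymmetry: the attacker builds the table once and the cost is amortised over every unsalted database they ever obtain, whereas a per-record salt forces them to start over for each user and the iteration count makes each attempt slow.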
  • CypherFOXCypherFOX Posts: 3,401

    Greetings,

    Ivy said:

    Greeting Morgan :)

    That was very informative thank you for sharing that information.

    About the password guessing: there is something called brute force attacks, where they can do password guessing in less than 6 seconds.

    I just read an article on brute force attacks (http://www.digitaltrends.com/computing/credit-card-security-hacking-brute-force-tesco-bank/) and found it a bit scary. What is your take on brute force attacks & password guessing, and how do you recommend safeguarding against it? I'm guessing probably PayPal or a prepaid credit card is safest, right?

    So...look, when I was a kid, I learned a lot about how systems worked, and in my curiosity I did some things that make me wince in retrospect.  The Internet was in its infancy, if you could even call it that back then, and credit cards were relatively insecure.  At that time, I learned the algorithm for validating a credit card.  It's easy to find now, but in the late 80's, it was a LOT harder to learn this info.  Anyway, if you took a known prefix (you could even use your own if you had one, or your parents if they had one) you could have ~8 digits of 'something I know the bank issues', generate 7 random-ish digits, and a check digit which made the validity check work.  If you start with a known card, you could then use software to auto-dial these slightly altered random CC#'s into (at the time) adult phone service lines.  CVC's didn't exist, so you'd send a guess at the expiration date, and it'd either let you in, or ask you to try again once or twice.  Since the CC services tended to generate these in bulk around the same time, they tended to have similar expiration ranges.

    So it was trivial to generate a credit card number, AND validate the expiration through one of these phone-in services after a few tries.

    The attack they're describing sounds like an updated version of that exact same thing.  I am not trying to fear-monger when I say, _there's nothing you can 'do' to protect against that_.  That kind of attack is _not_ targeting you, and so there's nothing you can do to guard yourself other than not having a card.  Using your card through PayPal doesn't help, and using pre-paid cards doesn't really help, because the attack is against the _card system_, not you personally.  This is something that the card system needs to address, and if you read the article, Mastercard _does_ address it.  They alert when any number of merchants fail against the same underlying card over some period of time.  That raises an alert.  That's where protection from this kind of problem needs to be, at the systemic level.

    The system needs to protect itself against that kind of problem, and they usually do.  There are fallbacks and safety measures that catch abusive behavior, or buggy behavior, and shut it down, and they are _astoundingly_ competent at that.  (I worked for PayPal for a few years, and our fraud team was the best in the business, but I'm sure a lot of the top techniques have dispersed into all the other payment providers.)

    Anyway, that kind of 'brute force' attack is not something to be afraid of, because they gain no additional information from you, and they have to make fraudulent purchases to use what they do have.  They don't know your name, your phone number, your ID number, your PIN, or anything else personal about you.  They have to make purchases on a relatively small number of sites that can be used without a name, address, or any other 'unguessable' aspects of your credit, and those purchases need to be something that they can turn into money.  And they're still going to fail a lot, and the system will get smarter and able to block them.

    Ultimately, and this is the super-duper-ubér-shmooper hard part for folks, you have to trust that the entirety of the system has its own best interests at heart, and they ultimately align with your best interests.  Consumers need to trust the credit card system, or they won't use it, and so there's a huge impetus to fix holes and keep your money (and their money) safe.  This is why CVC's were invented (to fix the problem I found in the 80s), this is why chips were added to the cards, and Mastercard detects multiple failed requests across merchants, and why PCI compliance is a huge aspect of the industry, and..and..and.

    The credit card system takes their responsibilities seriously.  You should exercise caution in day-to-day use where you can, but don't worry about the systemic issues like that one.  That's for them to worry about.

    --  Morgan

    e.g. Paraphrased,

    Grant me the serenity to accept the things I cannot control,

    Strength to make the right choices for the things I can,

    And wisdom to know the difference.
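    Two pieces of Morgan's post, worked through as an added example rather than code from the thread: the check-digit arithmetic that makes a "known prefix + random body + check digit" number pass validation (the standard scheme for card numbers is the Luhn algorithm, ISO/IEC 7812), and the network-side control he describes, where the card network alerts when one card fails authorization at several unrelated merchants in a short window, something no single merchant can see on its own. The merchant names, the 600-second window, the three-merchant threshold, the authorization events and the HMAC key are all constructed for the example; the card numbers are built from a test prefix and are not real accounts.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import List, Optional


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial + digit` pass the Luhn check."""
    total = 0
    # Walk from the right: the digit adjacent to the check digit is doubled, then every other one.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and number[-1] == luhn_check_digit(number[:-1])


def with_check_digit(partial: str) -> str:
    return partial + luhn_check_digit(partial)


def candidates_from_prefix(prefix: str, length: int, count: int) -> List[str]:
    """The enumeration described in the post: fixed issuer prefix, varying body, valid check digit.

    Deterministic (sequential bodies) so the example is reproducible; it shows that validity
    alone carries no secret, which is why the check digit is no defence against guessing.
    """
    body_len = length - len(prefix) - 1
    return [with_check_digit(prefix + str(n).zfill(body_len)) for n in range(count)]


# Constructed key; a real deployment would hold this in an HSM or key service.
MONITOR_KEY = b"example-monitor-key-not-a-real-secret"


class CrossMerchantVelocityMonitor:
    """Network-side detector: alert when one card fails at many distinct merchants in a window.

    A single merchant retrying the same card is not the pattern; the distributed-guessing
    attack only works because each merchant sees a handful of attempts, so the signal
    exists only where all merchants' traffic converges.
    """

    def __init__(self, window_seconds: int = 600, distinct_merchants: int = 3):
        self.window = window_seconds
        self.threshold = distinct_merchants
        self.failures = defaultdict(deque)  # pan_key -> deque of (timestamp, merchant)

    @staticmethod
    def pan_key(pan: str) -> str:
        # Keyed digest so the monitor never stores full card numbers; a plain hash of a
        # 16-digit PAN would be trivially reversible by enumeration.
        return hmac.new(MONITOR_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]

    def observe(self, ts: int, merchant: str, pan: str, approved: bool) -> Optional[str]:
        """Feed one authorization result; returns an alert string or None."""
        if approved:
            return None
        key = self.pan_key(pan)
        q = self.failures[key]
        q.append((ts, merchant))
        while q and ts - q[0][0] > self.window:  # drop failures that aged out of the window
            q.popleft()
        merchants = {m for _, m in q}
        if len(merchants) >= self.threshold:
            return f"ALERT pan={key} distinct_merchants={len(merchants)} window={self.window}s"
        return None


def run_sample() -> List[str]:
    """Constructed authorization stream: one card probed across merchants, one hammered at a single merchant."""
    monitor = CrossMerchantVelocityMonitor(window_seconds=600, distinct_merchants=3)
    probed = with_check_digit("411111000000001")
    hammered = with_check_digit("411111000000002")
    events = [
        (0,   "shop-a", probed,   False),
        (60,  "shop-b", probed,   False),
        (90,  "shop-a", hammered, False),
        (120, "shop-c", probed,   False),  # third distinct merchant -> alert
        (150, "shop-a", hammered, False),
        (200, "shop-a", hammered, False),
        (260, "shop-a", hammered, False),  # same merchant retrying: never alerts
        (400, "shop-d", probed,   False),  # fourth distinct merchant -> alert again
        (500, "shop-e", probed,   True),   # an approval is not a failure and is not counted
    ]
    return [a for a in (monitor.observe(*e) for e in events) if a]
```

    Running `run_sample()` yields two alerts for the probed card and none for the card that one merchant keeps retrying, which is exactly the split Morgan draws: per-merchant retry limits do not see the attack, the network does.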

  • Sensual ArtSensual Art Posts: 645
    CypherFOX said:
    When DAZ stores your credit card information, from what I see, I believe it is _not_ stored on DAZ's own site.  It's stored at an intermediary, like Stripe, Authorize.net, or even PayPal Merchant Services.  (It looks like they use one named Batch Pay, probably with VirtualPay, a related service).  All of these (IIRC) offer the ability to store CC info on THEIR site (which is vastly better secured than most internet sites) and provide a 'token' back to the market (DAZ in this case, or any other store that would choose to do it).  That token is used to make purchases (in combination with the CVC of the card), and the credit card number is only exposed ONCE, and saved to that secure intermediary.  This is why your CC# is MUCH more secure if you save it on a site, than if you have to enter it every time.

    The thing about PCI DSS compliance is that it is ALSO applicable for systems TRANSMITTING credit card data, regardless of whether they are storing it or not. Needless to say, those systems could be vulnerable to a man-in-the-middle attack. Last I checked, the Daz website does collect the credit card details during order processing. So it is imperative that they (along with their hosting infrastructure provider) must follow PCI compliance even if they store it in memory while transmitting it to a third party. Most small scale online retailers rely on a third party to accept the payment on their behalf due to these stringent compliance requirements.

    For your second point, I think Amazon already does it. IIRC, they store the credit card info and ask for only the CVV number during checkout. That way even if someone else steals your Amazon credentials, they have a 'reasonably' slim chance to use your stored card information to make purchases on your behalf.

    On a side note, rendo at least had the professional courtesy to acknowledge that their systems were compromised, unlike many other businesses who would refrain from disclosing/acknowledging such breaches for fear of losing trust. By letting the customers know that their information has been compromised they are allowing their customers to take remedial measures before that information could be misused. And simultaneously, they are setting a standard for themselves to improve their security measures. Unlike other merchants who might just say - your card info got stolen, that's your problem, our systems follow NASA standards.

  • ToborTobor Posts: 2,300
    mrinal said:

    On a side note, rendo at least had the professional courtesy to acknowledge that their systems were compromised, unlike many other businesses who would refrain from disclosing/acknowledging such breaches ...

    Except that that's against the law, at both the federal (because interstate communications are involved) and the state level, Tennessee included. Businesses have no choice but to disclose the breach in a timely manner. They didn't provide a professional courtesy, but simply followed the same regulations all businesses are required to follow.

  • CypherFOXCypherFOX Posts: 3,401
    Tobor said:
    Ivy said:

     About the password guessing . there has been something called brute force attackers where they can do password guessing in less than 6 second.

    You'd need either the attacked server's cooperation to process the requests that quickly (and none will), or a snagged copy of the encrypted password file or database. The latter is far more common, and is completely avoidable. This is where the security of sites falls down. Once the customer database has been sniffed out and extracted from the server, the baddies can do whatever they want.

    Ivy was referring to a specific vulnerability that a set of researchers found, around generating a random (but valid) credit card number and then determining its expiration and CVV/CVC number in a short period of time using a broad set of unrelated online merchants to do rapid-fire guessing of the various values.

    Tobor said:

    For credit card number theft, it's often a man-in-the-middle exploit, as has happened to TJ Maxx, Target, and many other very large retailers. Somewhere along the way the baddies extract the card information either within a hacked terminal at the store (as in the case of Target), or in the infrastructure as it goes through the gateway.

    It is my belief that Rendo is understating the span of time of their breach. I used a different card in February that was also hacked, and it predates the time span in their email (which I also didn't get). While these two cards were also used at a few other sites in the same time period, it's Rendo where I've had the credit card problems in the past, so this is where my suspicion rests.

    I am confident that they understated the span last year, for their February/March breach as well.  I'd give them credit for letting folks know that a breach happened, but that credit only extends so far because they didn't _fix_ the underlying problem between last year and this. :(

    --  Morgan


  • IvyIvy Posts: 7,165
    CypherFOX said:

    Greetings,

    Ivy said:

    Greeting Morgan :)

    That was very informative thank you for sharing that information.

    About the password guessing: there is something called brute force attacks, where they can do password guessing in less than 6 seconds.

    I just read an article on brute force attacks (http://www.digitaltrends.com/computing/credit-card-security-hacking-brute-force-tesco-bank/) and found it a bit scary. What is your take on brute force attacks & password guessing, and how do you recommend safeguarding against it? I'm guessing probably PayPal or a prepaid credit card is safest, right?

    So...look, when I was a kid, I learned a lot about how systems worked, and in my curiosity I did some things that make me wince in retrospect.  The Internet was in its infancy, if you could even call it that back then, and credit cards were relatively insecure.  At that time, I learned the algorithm for validating a credit card.  It's easy to find now, but in the late 80's, it was a LOT harder to learn this info.  Anyway, if you took a known prefix (you could even use your own if you had one, or your parents if they had one) you could have ~8 digits of 'something I know the bank issues', generate 7 random-ish digits, and a check digit which made the validity check work.  If you start with a known card, you could then use software to auto-dial these slightly altered random CC#'s into (at the time) adult phone service lines.  CVC's didn't exist, so you'd send a guess at the expiration date, and it'd either let you in, or ask you to try again once or twice.  Since the CC services tended to generate these in bulk around the same time, they tended to have similar expiration ranges.

    So it was trivial to generate a credit card number, AND validate the expiration through one of these phone-in services after a few tries.

    The attack they're describing sounds like an updated version of that exact same thing.  I am not trying to fear-monger when I say, _there's nothing you can 'do' to protect against that_.  That kind of attack is _not_ targeting you, and so there's nothing you can do to guard yourself other than not having a card.  Using your card through PayPal doesn't help, and using pre-paid cards doesn't really help, because the attack is against the _card system_, not you personally.  This is something that the card system needs to address, and if you read the article, Mastercard _does_ address it.  They alert when any number of merchants fail against the same underlying card over some period of time.  That raises an alert.  That's where protection from this kind of problem needs to be, at the systemic level.

    The system needs to protect itself against that kind of problem, and they usually do.  There are fallbacks and safety measures that catch abusive behavior, or buggy behavior, and shut it down, and they are _astoundingly_ competent at that.  (I worked for PayPal for a few years, and our fraud team was the best in the business, but I'm sure a lot of the top techniques have dispersed into all the other payment providers.)

    Anyway, that kind of 'brute force' attack is not something to be afraid of, because they gain no additional information from you, and they have to make fraudulent purchases to use what they do have.  They don't know your name, your phone number, your ID number, your PIN, or anything else personal about you.  They have to make purchases on a relatively small number of sites that can be used without a name, address, or any other 'unguessable' aspects of your credit, and those purchases need to be something that they can turn into money.  And they're still going to fail a lot, and the system will get smarter and able to block them.

    Ultimately, and this is the super-duper-ubér-shmooper hard part for folks, you have to trust that the entirety of the system has its own best interests at heart, and they ultimately align with your best interests.  Consumers need to trust the credit card system, or they won't use it, and so there's a huge impetus to fix holes and keep your money (and their money) safe.  This is why CVC's were invented (to fix the problem I found in the 80s), this is why chips were added to the cards, and Mastercard detects multiple failed requests across merchants, and why PCI compliance is a huge aspect of the industry, and..and..and.

    The credit card system takes their responsibilities seriously.  You should exercise caution in day-to-day use where you can, but don't worry about the systemic issues like that one.  That's for them to worry about.

    --  Morgan

    e.g. Paraphrased,

    Grant me the serenity to accept the things I cannot control,

    Strength to make the right choices for the things I can,

    And wisdom to know the difference.

    Thank you Morgan for taking the time to write all that out to explain it to me. That was very informative and more in depth than the article was.  I have a little better understanding of brute force attacks now. But it's still scary that every time a new way of blocking these thieves comes out, they can so quickly come up with ways to circumvent the security. I think I'll stick with a prepaid card from now on for online purchases.

  • Richard HaseltineRichard Haseltine Posts: 107,945

    We are locking this thread as, while there has been useful and interesting information posted, there have also been a number, an increasing number, of accusations or near accusations against various sites and entities.

This discussion has been closed.