
I.P. address Vs location

  • 06-10-2017 8:58pm
    #1
    Registered Users Posts: 2,589 ✭✭✭


    I'm asking this in relation to fraud; something odd popped up on Shopify today.
    Someone abandoned a checkout and I had a nose at their details. His IP was 16000km from his postal address (I had 2 visits to the site from China and Kazakhstan today).
    Now, I know sweet fa about this sort of stuff, but is it normal to have your IP address so far from your location?


Comments

  • Closed Accounts Posts: 242 ✭✭RainMakerToo


    Could be using a VPN for whatever reason? Or a proxy to access geo-restricted content.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    If I was a betting man, it's CC testing.

    1. Somebody steals a card's details (in fact 100s or 1000s of cards)
    2. They sell them
    3. The buyer then tests them to see which work, €1/2 transactions
    4. The buyer uses the working ones once or twice before it gets shut down


    The other thing that can happen with Visa but not MC is that you can brute force a credit card, so if Shopify leaks any info they'll use that too.

    Steve: A squirrely site. Anyway, so now they have the expiration date that matches the credit card as approved by the backend verifier. They cancel the purchase instead of following through with it. Or maybe they buy something for a dollar. But basically that allows them to take that first step. Now they go to a site that checks the credit card number, the expiration date, which they have both of now, and the CVV. Well, that's three digits. So there's only a thousand of those. Lots of ecommerce sites. So they again guess until they get it right.
    Now they're down to the address. And it's a little trickier there. First of all, it should be noted that most sites don't incorporate address. That is, just the three fields - the credit card number, the expiration date, and the CVV - they're regarded as, well, how could a bad guy know that? That's got to be secure enough. So it's very likely that that's all they need, then, in order to essentially reverse-engineer the information. So the weakness comes from the fact that the backend verifier is not smarter, is not as smart as it could be.

    It turns out MasterCard processing is. It will notice 10 global attempts and failures on the same card and lock it down. Visa, the largest processor/credit card network in the world does have no similar protections. So MasterCard will tend to thwart this because, if you've got to guess 60 expirations plus a thousand - oh, I guess expirations, maybe half that on average, so 30 - and maybe 500 CVVs. Still, now you're at 530. And on average guessing a MasterCard locks you out after 10. So you cannot attack MasterCard that way. But you can attack Visa that way. I just thought this was very clever. I mean, it's just been, again, one of these things that's been sitting here in the open that nobody really thought about.

    And, for example, GRC also, as I've mentioned before, puts a strict limit on the number of anything that happens on our ecommerce system. That is, I have a counter, and I count up. And as soon as that thing hits a maximum, I say, I'm sorry, I mean, for any reason at all because you can't have any exceptions. I just say, you know, whatever you're doing is not in compliance with the policies of this site. We'd love to sell you a copy of SpinRite, but apparently that's not going to happen. Many sites do perform a lockout like this, but there are others that don't. And even those that do, that are not testing everything, can still be abused.

    So this proof-of-concept software that these guys developed uses a site until it locks them out, and then they go somewhere else. And again, there's tens of thousands of them on the Internet, no coordination among them except for the central clearinghouse. MasterCard got it right. For whatever reason, Visa decided not to do that. And these guys noted that, once you get enough information, you can then transfer money through Western Union to Russia or wherever, and that money is gone. Now, of course, Visa indemnifies its cardholders for that kind of fraud, so you just say, "Hey, I didn't buy this," and they remove the charge from your statement. At some point, if this continues to escalate, this gets expensive for Visa. And I imagine they'll think about creating a better lockout system. Very cool hack, though. Just I thought that was so clever.
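
The per-card counter and lockout described in the post above, seen from the merchant's side, as an added example that is not part of the original thread. The thresholds, the `CheckoutGuard` and `replay` names, and the sample events are assumptions made for illustration; `card_token` stands for a processor-issued token, never the raw card number.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
MAX_DECLINES_PER_CARD = 10   # assumed; mirrors the 10-failure lockout described in the post
MAX_CARDS_PER_SOURCE = 5     # assumed threshold for distinct cards tried from one IP

class CheckoutGuard:
    """Counts declines per card across all sources, and distinct cards per source."""

    def __init__(self):
        self.declines = defaultdict(deque)   # card token -> decline timestamps
        self.cards_seen = defaultdict(dict)  # source IP -> {card token: last seen}

    def check(self, ts, source_ip, card_token):
        """Return 'allow' or a block reason before the attempt reaches the processor."""
        recent = self.declines[card_token]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()                 # forget declines older than the window
        if len(recent) >= MAX_DECLINES_PER_CARD:
            return "block:card_locked"       # keyed on the card, so rotating IPs does not help
        seen = self.cards_seen[source_ip]
        for token in [t for t, last in seen.items() if ts - last > WINDOW]:
            del seen[token]
        seen[card_token] = ts
        if len(seen) > MAX_CARDS_PER_SOURCE:
            return "block:card_testing_source"
        return "allow"

    def record_result(self, ts, card_token, approved):
        if not approved:
            self.declines[card_token].append(ts)

def replay(events):
    """Run (ts, ip, card_token, approved) events through a fresh guard, in order."""
    guard, decisions = CheckoutGuard(), []
    for ts, ip, card, approved in events:
        decision = guard.check(ts, ip, card)
        if decision == "allow":
            guard.record_result(ts, card, approved)
        decisions.append(decision)
    return decisions

# Constructed sample data: 12 declined attempts on one card token spread over 12 IPs,
# then a single IP trying 7 different card tokens.
T0 = datetime(2017, 10, 6, 12, 0)
SPREAD = [(T0 + timedelta(minutes=i), f"198.51.100.{i}", "tok_A", False) for i in range(12)]
BURST = [(T0 + timedelta(hours=1, minutes=i), "203.0.113.9", f"tok_B{i}", True) for i in range(7)]
```

A counter like this only sees attempts made at one shop; attempts spread across many sites are visible only to the card network, which is the gap the post describes.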

