An October 28, 2010 Visa Alert released today says criminals are exploiting weak credentials. They attack the weak credentials in order to breach merchant accounts and issue thousands of dollars of credit to debit cards.

Although no merchandise is sold, credit for a sale transaction will be applied to a foreign debit card. The criminals also sometimes are clever enough to also issue a false sale transaction to balance the amount and obscure the breach.

Visa gives the following recommendations:

To prevent fraudulent credits from entering the payment card system, Visa recommends that acquirers and processors review their credit transaction monitoring rules. Issuers should monitor clients’ credit and debit card accounts for unusual credits without a matching debit transaction.

In addition, these precautions may also be taken:

• Protect online credentials and use strong authentication to access online accounts.
• Alert merchants to phishing, voice phishing (vishing) and other social engineering schemes that target merchant credentials.
• Monitor accounts for unusual credits (particularly those with no original offsetting debit, or with the credit going to a different payment card account).
• Identify exceptions to average sales in real time; decline (or hold for investigation) return transactions that exceed normal thresholds.
• Confirm that incoming transaction data matches existing merchant name, terminal ID, acquirer bank identification number (BIN), and source of communication.
• Match return and credit transactions to corresponding sales by account; decline or investigate mismatches.
• Conduct real-time velocity monitoring of return and credit transactions by account or by single merchant.
• Require merchants to report lost or stolen point-of-sale (POS) terminals; block all transactions from these terminals.
• Allow only trusted IP filtering connections to access online web portals.
• Immediately report suspected fraudulent credit schemes to the issuing bank that is receiving the credit; the issuing bank may agree to hold funds to prevent fraud loss and/or conduct velocity monitoring of return transactions by merchant location in real time.
• Report suspected fraudulent credit schemes to the appropriate law enforcement or regulatory agency and to Visa Fraud Control at USFraudControl@visa.com (from the Visa U.S. or Canada regions) or Visa Payment System Risk at LACRMAC@visa.com (from the Visa Latin America and Caribbean region).

Bruce has a post today titled Airplane Terrorism Twenty Years Ago. He calls a pilot’s article in Salon “Excellent”.

Nothing more, nothing less, just the word excellent and then an excerpt from the article.

Here’s a scenario:

Middle Eastern terrorists hijack a U.S. jetliner bound for Italy. A two-week drama ensues in which the plane’s occupants are split into groups and held hostage in secret locations in Lebanon and Syria.

While this drama is unfolding, another group of terrorists detonates a bomb in the luggage hold of a 747 over the North Atlantic, killing more than 300 people.

Not long afterward, terrorists kill 19 people and wound more than a hundred others in coordinated attacks at European airport ticket counters.

A few months later, a U.S. airliner is bombed over Greece, killing four passengers.

Five months after that, another U.S. airliner is stormed by heavily armed terrorists at the airport in Karachi, Pakistan, killing at least 20 people and wounding 150 more.

Things are quiet for a while, until two years later when a 747 bound for New York is blown up over Europe killing 270 passengers and crew.

Nine months from then, a French airliner en route to Paris is bombed over Africa, killing 170 people from 17 countries.

That’s a pretty macabre fantasy, no? A worst-case war-game scenario for the CIA? A script for the End Times? Except, of course, that everything above actually happened, in a four-year span between 1985 and 1989.

Here’s my comment on why I think the article is less than excellent. I see important differences from then versus now (post 9/11):

1. Need to stop use of a plane as a missile. Armoring the cockpit has solved this threat. If that fails, detection would lead to interceptor jets or other typical anti-aircraft measures, which removes the residual risk. Wost-case is casualties same as past attacks, instead of higher (critical infrastructure)
2. Need to find terrorists. This is harder than 1 because risk is left to the imagination. Anyone, anywhere, etc. could be in danger instead of those on a hijacked plane, or in the Olympics, or stationed at an embassy in Africa, or in the mid-East or Asia…or, well, any place other than “inside” the border. All the examples from the past are “outside” attacks.

Once solution to 2 that has been proposed is increased scanning and vigilance at airports. That really is better suited to solve 1, but even there it is not a good trade-off.

Take body scanners, for example. They are stupid because they are not making planes less likely to be used as a missile (1) or finding terrorists often enough (2) to justify their expense and inconvenience. However, they do bring a few good ideas into use and represent the beginning of technology that could help solve 2. Scanners that are less costly, less invasive and less hassle could make sense if they caught terrorists. That just puts them back into place as a tool for intelligence gathering.

That being said, the real solution to 2 is smarter, smoother and faster intelligence gathering, which actually has been working remarkably well and not just “inside” the borders.

Recent littoral combat operations in Somalia have been quiet yet effective, just like arrests of Somalis in Los Angeles (an extension of last year’s investigation in Minneapolis) that most people probably never heard about. The cases of fringe behavior, incidentally, have been uncovered by examining economics and welfare in cities, rather than looking at shoes in airports.

Investigators say the poverty, grim gang wars and overpacked public housing towers produced one of the largest militant operations in the United States since the Sept. 11 terrorist attacks.

The author misses these differentiation points.