This is pretty neat:

Detect breaches with Canary credit cards!

TL;DR;

Today we’re releasing a new Canarytoken type: actual credit cards!

1. Head over to canarytokens.org;
2. We give you a valid credit card (number, expiration, and CVC);
3. If anyone ever attempts to use that card you’ll be notified.

https://blog.thinkst.com/2023/01/swipe-right-on-our-new-credit-card-tokens.html

@lojikil oh oh yes. Very this. Excellent development.

@lojikil Woot! Although generation did fail for me on Android mobile ;(

If we knew a bank that we would like to participate, have you got an info page/email address we could point them towards?

@rbairwell @lojikil

The email address for this is at the end of the article.

@lojikil @whalecoiner so, you sign up for the service with your identity (email address), then add the card details to all of the e-commerce you use (your behaviours) and, when you add a card, the e-commerce provider checks the card details are valid, causing a callback to the card provider. They now know who you are and all the things you like…

I’m not saying this is why they are doing it but, goodness me, it could be a great data collector

@rachel_norfolk @whalecoiner well, they sell this and other types of tokens as a product to businesses; they may use token sign ups as leadgen, but I doubt they’re doing anything too egregious with the data. They’ve a good reputation in the community as far as I’m aware

Also this is aimed more at organizations rather than individual users, so if it were used that way, it could be used to target orgs with card data, but again, as far as I’m aware, they’re good

@lojikil to what effect though? Most of the banks and businesses in the US don't seem interested in prosecuting.

@lamanche well, at the very least you know your system is compromised and someone has attempted to use the data stored therein; canary tokens are meant to serve like the proverbial “canary in a coal mine,” and alert that someone has access to data they shouldn’t.

So whilst banks won’t prosecute, at least an organization can have a stronger detection signal of compromise

@lamanche @lojikil The driver for banks and others investing in fraud does not appear, in some cases, to be the fraud losses so much as the risk of being fined by regulators if they don't try hard enough.

@lamanche @lojikil this is more aimed at businesses to detect breaches of their customer data. If you run a shop, add a fake customer with a canary credit card. If the card is ever used, you know your customer data has been breached.

@lojikil Let's see if this catches on better than one-shot credit cards.

Maybe it will, since it's aimed at corporations, not individuals.

@lojikil I wonder how long this will be effective - the number ranges for credit cards are pretty well known by leading vendor digits afaik ...

@lojikil Gives me a "Failed to generate credit card. Please contact [email protected]." error.

@lojikil Is this good or bad news, I wonder, for vendors of systems that use AI to detect fraud?

@TimWardCam probably minimally impactful news; generally banks use a range of checks for fraud, AML, &c, so I suspect this will be more used on the security side as a signal rather than an input to fraud systems per se

@lojikil My initial guess is that it would be of greatest value to retailers and the like seeking to avoid fines for failing to detect and respond to data breaches fast enough. The killer application would be if regulators started increasing fines for slow responses to data breaches because "you didn't even use canary cards".

@lojikil

Sometime in the 90's I worked up a proposal for virtual credit cards with all of the features of a credit card but backed by actual credit cards which you could keep private.

That meant you could finance both privately and using combinations of credit cards.

There was an additional wrinkle of creating CC numbers just for a specific purpose.

It didn't fly at the time.

@simon_lucy @lojikil Apple Pay does exactly this today

@Alexbbrown @lojikil

I tend to avoid thinking about that.

@lojikil unfortunately they don't have an auto redirect from http to https so a lot of people will visit the site using http which is unsafe...

@lojikil brilliant, thanks for sharing. Will start the week looking at how to get some of these into our production and dev environments. Also maybe 1Password and some iCloud Excel as suggested.

@lojikil This is such a great idea! Simple concept yet powerful.

@lojikil Nice to see a South African enterprise on the leading edge. Also interesting to see that some of the issues flagged in replies have been foreseen in the post and are in fact being leveraged for greater impact.

@lojikil I can immediately think of a use case that I as an end-user would appreciate. There exist services that absolutely insist you can't delete the last credit card you have on file. Would it be reasonable/permissible to use a canary token as that last card? It serves your original intended purpose of notifying me if my account was breached, but also as a placeholder. As an added bonus a dataset is then tripwired even if the vendor didn't do it.

@lojikil Every major credit card already does this and has years of security experience in the industry. This doesn't seem all that useful.

@peter_weyand I apologize, but I’m not aware of another system that allows users to generate cards that they can place in databases and other locations for the sole purpose of alerting them to misuse; can you share some of those orgs?

@lojikil I am *literally* about to start the massive update cycle for all of our personal service accounts because our primary card was breached over the weekend. I'll definitely be adding a Canarytoken card to each of those sites as I add the new 'real' card too!