by simondotau 212 days ago
Was it always $1? If I was the attacker, surely you’d pick a random number. My guess is that $1 donations would be an outlier in the distribution and therefore easy to spot.

It’s also interesting that merchants (presumably) don’t have a mechanism to flag transactions as being >0% chance of being suspect. Or that you waive any dispute rights.

As a merchant, it would be nice if you could demand the bank verify certain transactions with their customer. If I was a customer, I would want to know that someone tried to use my card numbers to donate to some death metal training school in the Netherlands.

1 comments

They did try adding variations to the amount (+0.50-1.00) late in the game, but by then it was ineffective, I could still quickly detect them and turn on the randomized data poisoning. I expect that they want to keep the amount small so most cardholders won't bother to look into the unfamiliar charge.

I do wonder whether these people sold their list of "verified" credit card numbers to any criminal enterprises before they realized the data was poisoned. That would be potentially awkward for them.
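The two comments above describe the same signal from both sides: a card-testing run shows up as a burst of unusually small charges across many distinct cards, and a little jitter on the amount does not hide that. The following is an added example, not code from the thread or from either commenter; the transaction sample, card tokens, the 15-minute window, the ten-card threshold and the $2.50 "unusually small" cut-off are all assumptions chosen for illustration, and the randomised approve/decline is a stand-in for whatever the merchant actually did.

```python
from collections import namedtuple
from datetime import datetime, timedelta
import random

# One donation attempt as seen by the merchant: timestamp, card token, amount.
Txn = namedtuple("Txn", "ts card amount")


def build_sample(seed=7):
    """Constructed sample (not real data): 40 genuine donations spread over a
    day, plus a 30-card testing burst packed into ten minutes at 13:00. The
    second half of the burst adds the +0.50..1.00 jitter the thread mentions."""
    rng = random.Random(seed)
    day = datetime(2024, 1, 1)
    txns = [
        Txn(day + timedelta(minutes=rng.randint(0, 1439)), f"donor{i:03d}",
            float(rng.choice([5, 10, 20, 25, 50, 100])))
        for i in range(40)
    ]
    burst = day + timedelta(hours=13)
    for i in range(30):
        jitter = rng.randint(50, 100) / 100 if i >= 15 else 0.0
        txns.append(Txn(burst + timedelta(seconds=rng.randint(0, 600)),
                        f"tested{i:03d}", 1.00 + jitter))
    return sorted(txns, key=lambda t: t.ts)


def flag_card_testing(txns, window=timedelta(minutes=15), min_cards=10,
                      small_amount=2.50):
    """Return (flagged_card_tokens, alerts).

    A card is flagged when it falls inside a `window`-long span in which at
    least `min_cards` distinct cards were each charged under `small_amount`.
    The rule keys on "many distinct cards, all tiny, all at once", so adding
    a few cents of jitter to each amount does not change the outcome; only
    the merchant's own donation history decides what "tiny" means here
    (assumed: smallest suggested donation is $5, so anything under $2.50)."""
    txns = sorted(txns, key=lambda t: t.ts)
    flagged, alerts = set(), []
    start = 0
    for end, t in enumerate(txns):
        # slide the window's left edge forward so it spans at most `window`
        while txns[start].ts < t.ts - window:
            start += 1
        small_cards = {s.card for s in txns[start:end + 1]
                       if s.amount < small_amount}
        if len(small_cards) >= min_cards:
            new = small_cards - flagged
            if new:
                alerts.append((txns[start].ts, t.ts, len(small_cards)))
                flagged |= new
    return flagged, alerts


def respond(txn, flagged, rng):
    """Hypothetical 'data poisoning' response in the sense the thread describes:
    once a burst is recognised, flagged cards get a random approve/decline so
    the tester cannot learn which numbers are live. Unflagged traffic is passed
    through unchanged (represented here by a plain 'approved')."""
    if txn.card in flagged:
        return rng.choice(["approved", "declined"])
    return "approved"


if __name__ == "__main__":
    sample = build_sample()
    flagged, alerts = flag_card_testing(sample)
    print(f"{len(flagged)} cards flagged across {len(alerts)} window alerts")
    rng = random.Random(1)
    for t in sample[:5]:
        print(t.ts.time(), t.card, f"{t.amount:.2f}", respond(t, flagged, rng))
```

With the constructed sample every one of the 30 tested cards lands in the flagged set and none of the genuine donors do, whether or not the jitter is applied, because the window rule looks at how many distinct cards were charged small amounts together rather than at any single amount. Tuning `small_amount` from the merchant's real distribution of donations is the part that has to be done per site.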