Credit card and 15C



#2

Just a heads up to those who purchased the 15C LE. I purchased two, one each at two different merchants mentioned here. That's the only time I've used my credit card in the last two or more months. The day after one of the charges went through, I started getting fraudulent charges. Could be a coincidence, might not be. You might want to carefully review your next statements.


#3

It is most likely not a coincidence. I *never* had a fraudulent charge on a card, ever* until the internet. $19000 (yes 3 zeros) a year ago (that happened while using a Mexican computer in a hotel) and also a few thousand in New Jersey, after buying an ANSI standard.

I am convinced that many of these so called "secure" sites are totally hacked. I also fail to understand how there can be useful "encryption" when the key obviously has to travel with the rest of the data--it isn't like there is a password coming by US mail first!

(* years ago, 1992, I had an item, one item, charged in Michigan, on a card which I had just received in the mail and never yet used at all. I think it was an account number screw-up!)


Edited: 21 Sept 2011, 10:55 p.m.


#4

Quote:
I am convinced that many of these so called "secure" sites are totally hacked.

Most likely they are. Likewise for your PC.

I've heard several times that the time until hacked for a Windows machine on the Internet is in the 30 - 45 seconds range. This matches the times we saw reported back when I was doing computer security incident response work.

The crooks have the latest antivirus software. They code around it. If your machine is hacked these days, you won't and quite possibly can't detect it.

Quote:
I also fail to understand how there can be useful "encryption" when the key obviously has to travel with the rest of the data--it isn't like there is a password coming by US mail first!

With some rather clever mathematics there are ways to set up an encrypted session without transferring the key information. This only protects the data in transit between your computer and the vendor's. At either end, the information is unencrypted and that is where it will be stolen.

- Pauli


Edited: 21 Sept 2011, 11:18 p.m.


#5

Quote:
This only protects the data in transit between your computer and the vendor's. At either end, the information is unencrypted and that is where it will be stolen.

Bingo. Most credit card numbers get stolen by malware on a user's PC. This can be as simple as an email directing the user to what looks like a merchant site or a bank. Once you follow the link, it looks very, very similar to what you are used to seeing. You enter your credit card info and *poof* you are toast. (Checking the address bar to verify the site is what it should be is a good defense against this sort of thing. Another is to be very wary when following links from email.)

Another type of credit stealing malware is a "key logger." This logs the keystrokes you type, thus stealing passwords or CC numbers directly. This lovely beast is sometimes the payload of a virus. Regular scans with up-to-date virus definitions can help minimize this, as can software designed to find malware. The antivirus companies can't know about every threat. They do their best, but there's usually a lag between a new threat showing up and deploying an updated scan definition. Never, ever transact business on a shared PC. Those things can be accessed by anyone sitting in front. It's child's play to install malware when you have physical access to the machine.

If you have anything really valuable, none of those precautions will help. Billion dollar inside information and national secrets get subjected to attacks that beggar belief. (You only rarely hear about the existence of such things, let alone the technical details of how they are implemented, but some details of how information warfare is conducted have leaked out in the last couple of years.) So it's good to be ordinary in this regard. The strength of the herd is reasonably good protection. Unless you are targeted, normal precautions and expensive resource stealing software (read: AV) keep you mostly safe.


#6

Quote:
Most credit card numbers get stolen by malware on a user's PC. This can be as simple as an email directing the user to what looks like a merchant site or a bank...

Another type of credit stealing malware is a "key logger."


Don't forget used HDs. A while back I caught a documentary on e-waste. Long-story-short, your HDs end up in Africa where they extract any remaining data for fraud purposes.

All of my old floppies, HDs, CDs, flash memory, and tape are in a large box in the basement waiting for me to take them to the shredders. I've got stuff back to the '80s.

Quote:
The antivirus companies can't know about every threat. They do their best, but there's usually a lag between a new threat showing up and deploying an updated scan definition...

The best antivirus programs kill the user. :-) I've never had a problem with this using OS/X, Linux, or Windows (for 15 years). Commonsense and mistrust is your best defense.

#7

Yipe!

Yet another thing to be paranoid about, after that darned mail carrier. :)

#8

Quote:
Don't forget used HDs. A while back I caught a documentary on e-waste. Long-story-short, your HDs end up in Africa where they extract any remaining data for fraud purposes.

I have a great story along these lines but I won't share it electronically. Ask me at HHC. The bottom line is that corporate security and privacy policies are a joke and nothing more than "security theater" - a show to make you feel secure.

#9

I work in the domain of federally funded research medicine. To achieve federal compliance with data management regulations, we need to destroy our hard disks after using them. For obvious reasons, I recommend adopting this policy with your personal hard drives as well.

W/r/t destruction tools, most people employ a hammer and screwdriver. I personally recommend a 12-gauge shotgun and a pair of safety goggles.

Edited: 23 Sept 2011, 1:36 p.m.


#10

Quote:
W/r/t destruction tools, most people employ a hammer and screwdriver

If you do use a screwdriver (a small Torx - 8 or 9 - is necessary, in my experience), you can get the platters out quite easily - and smash them with your hammer if so inclined. You SHOULD save the very nice platter ball bearing for some home project. If you don't want it, please send it to me! You also get a couple of very strong magnets to play with.

#11

Diffie-Hellman Key Exchange doesn't by itself give you much security, because there could be a man-in-the-middle that is separately negotiating DH with both parties. This is why the SSL and TLS secure session protocols need certificates, which are digitally signed proof of identity of the server.

Of course, there can still be problems. For instance, a certificate authority might be compromised, as recently happened with DigiNotar. That was serious enough that the company was taken over by the Dutch government, and the owners declared the company bankrupt.

Or the SSL/TLS protocol might have flaws, such as some that were just discovered in SSL version 3.0 and TLS version 1.0: Hackers break SSL encryption used by millions of sites (Versions 1.1 and 1.2 of TLS are not affected, but no common browsers or web servers support them.)

Cryptography is hard to get right. Anyone who tells you otherwise is a fool. The actual cipher (e.g., AES) may not seem too complicated, and it might not be too hard to implement it, but the cipher is only the beginning of what is necessary for secure cryptography. Getting the protocols right is incredibly difficult even for the experts, which is why SSL 3.0 and TLS 1.0 have this flaw.

You can't get security just by buying a product that is advertised as being secure. Any salesman that tells you otherwise is a liar and a thief. As Bruce Schneier says, security is a process, not a product.
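
Added example, not part of the thread or any poster's code: a Python sketch of the point made in post #11, that a Diffie-Hellman share is only trustworthy once the client checks a signature over it against a key it already trusts. The group, the toy RSA key (a stand-in for the key a certificate would vouch for) and all function names are assumptions constructed for this illustration.

```python
import hashlib
import secrets

# Toy parameters constructed for this illustration; far too small for real use.
DH_P = 2**127 - 1                                   # Mersenne prime as DH modulus
DH_G = 3
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537   # toy signing key (both prime)
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's private exponent


def dh_keypair():
    """Return (private exponent, public share g^x mod p)."""
    priv = secrets.randbelow(DH_P - 3) + 2
    return priv, pow(DH_G, priv, DH_P)


def session_key(priv, peer_share):
    """Hash the DH shared secret into a hex session key."""
    secret = pow(peer_share, priv, DH_P)
    return hashlib.sha256(str(secret).encode()).hexdigest()


def share_digest(share):
    """SHA-256 of a DH share, reduced into the toy RSA modulus."""
    digest = hashlib.sha256(str(share).encode()).digest()
    return int.from_bytes(digest, "big") % RSA_N


def sign_share(share):
    """Server side: sign its own DH share with the private exponent."""
    return pow(share_digest(share), RSA_D, RSA_N)


def verify_share(share, signature):
    """Client side: check the signature with the trusted public key."""
    return pow(signature, RSA_E, RSA_N) == share_digest(share)


def run_exchange(tampered, require_signature):
    """Simulate one handshake and return (client_key, server_key, middle_key).

    tampered=True models a party on the path that swaps in its own share
    while forwarding the server's original signature unchanged.
    """
    s_priv, s_share = dh_keypair()
    signature = sign_share(s_share)
    m_priv, m_share = dh_keypair()          # the on-path party's own key pair
    delivered = m_share if tampered else s_share

    c_priv, c_share = dh_keypair()
    if require_signature and not verify_share(delivered, signature):
        raise ValueError("DH share is not signed by the expected server key")

    client_key = session_key(c_priv, delivered)
    server_key = session_key(s_priv, c_share)   # what the real server would derive
    middle_key = session_key(m_priv, c_share)   # what the on-path party can derive
    return client_key, server_key, middle_key


if __name__ == "__main__":
    c, s, m = run_exchange(tampered=False, require_signature=True)
    print("honest exchange, keys match:", c == s)
    c, s, m = run_exchange(tampered=True, require_signature=False)
    print("unsigned DH, client shares a key with the middle:", c == m)
    try:
        run_exchange(tampered=True, require_signature=True)
    except ValueError as err:
        print("signed DH rejects the swapped share:", err)
```
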


#12

I definitely agree here. It is possible to circumvent such key exchanges. However, the easiest line of attack is to simply compromise an end point. I don't remember ever seeing a man in the middle attack or even hearing of one taking place. Theoretically possible for sure but not worth the effort.

Even with a perfect cryptographic system in place, a couple of thugs and a wooden stick and you'll divulge your passwords in time. Very well expressed in this web comic: http://xkcd.com/538/.

Attackers will always choose the weakest link. That isn't the key exchange or a man in the middle or the cryptographic algorithms for the kind of transactions we're likely to be doing.


- Pauli


#13

Why do cryptography at all? Obviously, without end-to-end encryption, commerce on the Internet would not exist as we know it. It's a matter of trust. Yes, it's hard to do cryptographic protocols, period. Doing it with untrusted endpoints makes it tougher. Given that, how hard should we try to get transport security right? Hard enough to offer sufficient protection at a bearable cost. What is sufficient protection? Enough protection to ensure that transactions are not subverted to the point that people stop trusting the transport. What is a bearable cost? A low enough cost that those who pay it can afford the transport security, and the trust it brings. What is that trust worth? A lot, so merchants who depend on that trust pay a lot to maintain it. That's the economics of TLS at scale. It's all about trust.

Keeping something absolutely safe is very, very tough. End points are vulnerable. People do things they shouldn't with passwords and the like. If somebody wants a piece of information stored on my laptop badly enough, they can get it for some amount of effort and expense. If they don't mind me knowing about it, they can burglarize my apartment. If they want to keep their interest secret, they can get malware on my machine. (I hope that will cost them a little more than doing the burglary, but I'm probably fooling myself. :)

Do I shop on the Internet? Of course! Why? Because I've never been ripped off, and I'm like almost everybody out there! I maintain some minimum level of client security. I have different passwords for different sites. I'm careful about what I click on. I use a Mac, which helps a little. Given all that, the trust paid for by Internet merchants is enough to convince me it's "good enough." I do this in spite of the knowledge that practically any bad guy anywhere can pwn my Mac if only they care to spend enough time and/or money. I don't have anything worth that much time and effort! So practicality cuts both ways. It is impractically expensive to achieve "perfect" security. But it's also impractical to put out too much effort to get through a prudent set of precautions. There's just too much lower hanging fruit out there. :)


#14

Quote:
Keeping something absolutely safe is very, very tough. End points are vulnerable. People do things they shouldn't with passwords and the like.

As Gene Spafford memorably said, "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."

;)

Best,

--- Les

[http://www.lesbell.com.au]


#15

Quote:
As Gene Spafford memorably said ...

Spaf is one of my heroes. :)

#16

Quote:
I don't remember ever seeing a man in the middle attack or even hearing of one taking place. Theoretically possible for sure but not worth the effort.

Come to one of my classes - I demonstrate them quite often. ;)

The reason they work is that the software concerned usually pops up a warning dialog or message along the lines of "Danger, Will Robinson! This site/server is possibly fake! It doesn't seem to know the correct private key! Danger! Danger! Do you want to proceed [Yes] [No]"

And guess which button the [*&^%$$%^&] user presses?

But I agree - rubber hose cryptography is usually faster, cheaper and less risky for the attacker.

Best,

--- Les

[http://www.lesbell.com.au]

#17

Quote:
the easiest line of attack is to simply compromise an end point.

Sometimes it is, sometimes it isn't. It depends on the specific circumstances.

Quote:
I don't remember ever seeing a man in the middle attack or even hearing of one taking place. Theoretically possible for sure but not worth the effort.

Man-in-the-middle attacks happen all the time. They're not just theoretical. There was a serious problem with MITM attacks against SSL in 2007, and software vendors offered patches/upgrades to protect against it. Part of the problem is that many people do not install such patches/upgrades.

Most likely the motivation for compromising DigiNotar to obtain fraudulent certificates (e.g., for google.com) was to enable criminals to more easily do man-in-the-middle attacks, since fraudulent certificates make that even easier than the recently discovered SSL/TLS vulnerability.

Quote:
Even with a perfect cryptographic system in place, a couple of thugs and a wooden stick and you'll divulge your passwords in time.

The existence of that threat model does not excuse being lax about making systems and networks secure.

#18

Quote:
Very well expressed in this web comic: http://xkcd.com/538/.

That one always cracks me up. And people say brute-force attacks take too long. :-)

#19

Quote:
I am convinced that many of these so called "secure" sites are totally hacked. I also fail to understand how there can be useful "encryption" when the key obviously has to travel with the rest of the data--it isn't like there is a password coming by US mail first!

Most merchants who accept credit card payment online have to comply with the PCI DSS (Payment Card Industry Data Security Standard) requirements. These are fairly prescriptive, rather than talking in general terms - e.g.

Quote:
"3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
* One-way hashes based on strong cryptography (hash must be of the entire PAN)
* Truncation (hashing cannot be used to replace the truncated segment of PAN)
* Index tokens and pads (pads must be securely stored)
* Strong cryptography with associated key-management processes and procedures"

(PAN = Primary Account Number = credit card number)

Most small merchants can self-audit, but would find the compliance requirements too burdensome, while larger merchants have to undergo an audit by a qualified assessor. For these reasons, many merchants prefer not to handle credit card numbers at all, but instead hand off the payment processing to an external provider (their bank, PayPal or some other service provider) whose pages may (or may not) be branded with the merchant's logo & color scheme, etc.

I ordered a 15CLE from Samson Cables, but didn't notice whether they did this; however, I did just check and see that they provide a "secure contact form" via an external provider and expect that they handle CC processing the same way.

As a result, even if a small site is "totally hacked", there are generally no credit card details there to be compromised.

As to what is known as "the key exchange problem" (how does Alice get a key to Bob without Eve [the eavesdropper] getting it?), public key cryptography solves that. When your browser enters SSL/TLS mode, it fetches a certificate from the web site which contains the site's public key, checks out the certificate and extracts the public key. It can then do one of two things:

a) either generate a short-term session key and encrypt it with the web site's public key and send it to the site (where the private key is used to decrypt it), or

b) use the Diffie-Hellman Key Agreement Protocol to arrange for both ends to come up with the same session key, while an observer can't deduce it.

Which technique is used really depends upon what the web server software is and how it is configured. Either way, all subsequent data is transferred using symmetric cryptography (for speed) in both directions. (I've simplified the actual TLS protocol, but this is basically how it works).

(I teach this stuff at the university where I'm doing my PhD).

So, I wouldn't panic, and I wouldn't worry too much about shopping online. It certainly wouldn't stop me ordering another 15CLE if I needed one urgently!

Best,

--- Les

[http://www.lesbell.com.au]
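
Added example, not part of the thread or any poster's code: a Python sketch of two of the approaches in the PCI DSS 3.4 text quoted in post #19, applied to the "in logs" case. It finds Luhn-valid card numbers in log lines and replaces them with a truncated form, and computes a keyed hash of the entire PAN for lookups. The regex, the first-six/last-four truncation, the use of HMAC-SHA256 as the one-way hash, the key and the sample log lines are assumptions constructed for this illustration; the card numbers are the usual published test numbers.

```python
import hashlib
import hmac
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits):
    """Truncation: keep first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_hash(digits, key):
    """Keyed one-way hash of the entire PAN (never of the masked form)."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_line(line):
    """Return (line with PANs truncated, number of PANs found)."""
    found = 0

    def mask(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()        # order refs, phone numbers etc. stay
        found += 1
        return truncate_pan(digits)

    return PAN_RE.sub(mask, line), found


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LOG = [
    "2011-09-21 22:41:07 checkout card=4111111111111111 amount=99.00 approved",
    "2011-09-21 22:41:09 gateway retry pan=5555-5555-5555-4444 cvv=***",
    "2011-09-21 22:42:13 order_ref=1234567890123456 shipped",
]

if __name__ == "__main__":
    key = b"placeholder-key-from-a-key-manager"   # assumption: managed elsewhere
    for entry in SAMPLE_LOG:
        clean, hits = scrub_line(entry)
        print(hits, clean)
    print(pan_hash("4111111111111111", key)[:16], "...")
```
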


#20

Les, your post is impressively knowledgeable and therefore, comforting. It also reinforces my belief that the encryption on these sites is generally acceptable, rendering any transactions, in themselves, safe.

But I agree with other posters who have said that it is the relative insecurity at the other end of the transaction that permits the theft of credit card numbers or passwords, and the like. I have had some circumstantial hints that personnel at commerce sites and banks do not always observe or adhere to secure protocols. Years past, when checks were processed by banks, I suppose, with more people involved, some employee of my bank mailed back to me, in a handwritten envelope with a handwritten note, some checks that had been written by me and found by the unidentified person unattended at an improper location somewhere in their offices. (Complaints to the bank elicited little response.) I have seen in news reports that store and bank employees have been caught and arrested for stealing credit card numbers along with other information.

It is possible that some of the fraudulent charges on the accounts of some here could have arisen in this way, i.e., either by sloppy handling or outright theft at that end, and not during the electronic transaction.


#21

Ed, I agree that most people aren't particularly security-conscious; that's why the processes for dealing with credit-card payments are increasingly designed to keep the CC# away from people. ;) For example, in the scenarios I described, the clerical people at the merchant never see the CC# - they just get an "approved" indication (by email, a web interface, etc.) from their bank or payment gateway. Their systems never see the number, either.

Which leaves the other parties who do actually handle the CC# - the payment processors and the customer themselves. PCI DSS compliance of payment processors is no guarantee - remember Heartland Payment Systems (think I've got the name right - I'm going on memory here) who were breached while having passed audit. However, the publicity - not to mention direct and indirect costs - associated with such breaches means that senior management is getting the message and the situation has been improving. Gradually.

At the customer end, a malware infection on the computer or a hardware keystroke logger can capture all data entered via keyboard. The only defences here are use of good, frequently-updated antivirus or anti-spyware programs, and being alert. However, even that won't always protect you. One example I've been discussing with my students is the "osCommerce willysy mass infection incident" (I can't reveal too much here, as my students are doing an exercise on it, due in 10 days' time (!) but Googling will turn up info). In this case, vulnerabilities in an open-source merchant server product were used by attackers to inject two different malware exploits onto the Windows PC's of any shoppers who visited infected stores. It took a few days before the antivirus vendors caught up with that one, and at its peak a few weeks ago, Google was reporting approximately 8 million web pages infected with the malware. :(

The other mechanism that leads to breaches is credit card skimming, either by devices attached to the front of ATM's, or hand-held devices used by people who physically handle your card - and I think that's what you're alluding to. However, that mechanism probably doesn't apply in the case of these particular purchases.

In summary, for a reasonably switched-on user with a half-way decent antivirus program (and there are some good free ones) the risk of credit card fraud (particularly in this market) remains very low.

Best,

--- Les

[http://www.lesbell.com.au]


#22

Having been the one who implemented the PCI DSS compliance in my previous employer's products, I'd even go as far as saying PCI DSS is way less than a guarantee. It is a set of policies and procedures that have to be followed that really don't achieve all that much.

Better than nothing, definitely. Able to prevent attacks? Not really.


Yes, I'm feeling very cynical at the moment.


- Pauli


#23

Shhhh! Not in front of the children!

(I'm somewhat in agreement - it raised the bar off the floor for the bottom end of the market, but many merchants were already doing the right thing. Ultimately, it's a risk transference exercise for the card brands.)

Best,

--- Les

[http://www.lesbell.com.au]


#24

"... One example I've been discussing with my students is the "osCommerce willysy mass infection incident" (I can't reveal too much here, as my students are doing an exercise on it, due in 10 days' time (!) but Googling will turn up info). In this case, vulnerabilities in an open-source merchant server product were used by attackers to inject two different malware exploits onto the Windows PC's of any shoppers who visited infected stores. It took a few days before the antivirus vendors caught up with that one, and at its peak a few weeks ago, Google was reporting approximately 8 million web pages infected with the malware. :( ... "

Perhaps I am a bit naive, but I would have thought that online merchants would be very vigilant against this type of attack from something deposited on their end, since, as you and Paul mentioned, the publicity is quite negative and may be a huge blow to their business. Of course, such systems vigilance does sound expensive...

#25

Thanks for the heads up. I ordered from buy.com and SC but no fraudulent charges have been posted. I will keep my eye on it in any case.

I had a Chase card several years ago that I got from Amazon and had several fraudulent charges, but that is the only time. Otherwise I've been using a CC on the internet since 1995 with no issues.

