Credit Card Fraud
Okay, let's lay off the banks for a moment and consider the common, garden variety credit card:
- Each credit card has a 13- to 16-digit number that is constructed in a particular manner governed by a mathematical algorithm called the Luhn Formula. This is designed to ensure that only certain numbers are usable; you can't just make up any old number and have it be considered valid.
- A freely downloadable program can be obtained that will prompt for a real card number as a base, and then generate a bunch of similar Luhn-validated numbers as directed. If the range specified is 500, the program generates 500 credit card numbers from the base entered.
- It is reasonable to assume that such a short range of numbers will have a similar expiry date to that of the base card.
- The hacker visits a merchant and purchases an item for download.
- The hacker enters a fake name and address, a fake security number (from the rear of the card), and a card number from the range delivered, along with the expiry date of the base card.
- If the bank has actually issued the card number to a customer, then depending on the level of diligence of the payments gateway, the payment might go through. How can this be? Simple, because many payment gateways receive security numbers, names and addresses, and store that data upon receipt, but never actually check it for validity. So if the card has been issued, and the card structure and expiry date are fine, then the payment is passed and the download proceeds.
- If the actual card holder doesn't spot the hack, then it will never be detected.
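The two defensive points in the list above are that a Luhn pass is only a format check, never proof that a bank issued the number, and that a burst of Luhn-valid numbers sharing a long prefix and one expiry date is the fingerprint of a generated range. The following is an added example, not code from the original article: a Luhn validator and a simple detector for that burst pattern; the 12-digit prefix heuristic and every card number, expiry and session id are constructed assumptions, not real cards.

```python
"""Luhn format check plus a detector for the 'generated range' pattern.
Added example; all card numbers, dates and session ids are constructed."""
from collections import defaultdict


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check for a 13- to 16-digit card number string."""
    if not pan.isdigit() or not 13 <= len(pan) <= 16:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def suspicious_sessions(attempts, prefix_len=12, threshold=3):
    """Return sessions that submit at least `threshold` distinct Luhn-valid
    numbers sharing the same `prefix_len`-digit prefix and the same expiry.
    A Luhn pass says nothing about whether the number was ever issued, so a
    burst like this is a signal for the gateway to decline and review,
    not a reason to approve. `prefix_len` = 12 is an assumed heuristic."""
    seen = defaultdict(set)  # (session, prefix, expiry) -> distinct PANs
    for a in attempts:
        pan = a["pan"]
        if luhn_valid(pan):
            seen[(a["session"], pan[:prefix_len], a["expiry"])].add(pan)
    return sorted({key[0] for key, pans in seen.items() if len(pans) >= threshold})


# Constructed transaction attempts: session "s1" walks a generated range
# (same 12-digit prefix, same expiry); "s2" is one ordinary purchase;
# "s3" fails the Luhn check outright and never reaches the counter.
ATTEMPTS = [
    {"session": "s1", "pan": "4111111111111111", "expiry": "09/27"},
    {"session": "s1", "pan": "4111111111111129", "expiry": "09/27"},
    {"session": "s1", "pan": "4111111111111137", "expiry": "09/27"},
    {"session": "s1", "pan": "4111111111111145", "expiry": "09/27"},
    {"session": "s2", "pan": "5555555555554444", "expiry": "01/28"},
    {"session": "s3", "pan": "4111111111111112", "expiry": "09/27"},
]

if __name__ == "__main__":
    print(suspicious_sessions(ATTEMPTS))  # ['s1']
```

In a real gateway the same counter would run alongside actual verification of the security code and address rather than merely storing them, which is the gap the list above describes.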
A procedure named 3D Secure is now being instituted by MasterCard and VISA. In its current form, it employs usernames, passwords and PINs as described earlier, so it will be subject to all of the attacks outlined above. Interestingly, it shifts the burden of responsibility onto the card holder and his/her issuing bank. So now, if you get defrauded through online credit card theft, you're going to get stuck with the bill as well! We will take an in-depth look at this later in the series.
To the systems administrator and security systems architects, the Internet is a battlefield. You are always hoping that you will not get hit, and must quickly move into damage control mode if you are. The secret here is to actually realize that you have been hit, detect the intrusion, and close off the breach before word gets out. Once the hacker jungle drums go off, a perpetual swarm of NMAPpers and other trouble arrives on the scene. (NMAP is a very famous 'security' scanner program that allows a hacker to engage a number of very clever techniques to probe a system with a minimum of disturbance.)
To the hacker, the Internet is a chess board. The structure of the game is defined by systems and hardware designers, and the movement of pieces is defined by systematic probing and well-defined attack strategies.
PINs And Passwords - For The Ten Millionth Time, They're One Of The Biggest Holes
Consumer habits are another of the hacker's playgrounds. Where people have a choice, they reuse PINs and passwords for multiple applications. For instance, a PIN for a credit card is often also the PIN for an ATM, the online bank, and potentially even the owner's home alarm system! This means that a PIN or password broken at one site may grant access to many sites and utilities.
There are several important questions to ask here. Into how many sites do users enter password and PIN details? Do users keep separate passwords and PINs for each site? If users do keep separate identity management information for each site, where do they record their connection details?
Administrators and ordinary workers at many sites will have access to connecting users' PINs and passwords that are retained in databases at those sites. Banks, gateways and vendors who hold credit cards on-site, or who give access to user financial accounts, must realize that protecting access to their own site may not be enough if the user's ID is stolen somewhere else.
Login Pages - The Flaw In Challenge/Response
Virtually all username and password vulnerability is predicated on the fact that the vast majority of user-to-site communication follows a distinct pattern:
- Upon requesting entry to a site, a user is challenged for a username and password.
- After verifying a user, the site and user engage in a sequence of navigation and transaction management.
Most online financial institutions use a combination of username, password, and a partially transmitted PIN in a standard HTML form page. This is a very simple solution that is central to the success of online thieves, because it offers no practical resistance to phishing or spyware/trojans.
Once the user has succeeded in logging in, it is assumed that the user is who they say they are for the duration of the session. This is where the man-in-the-middle attack gains an advantage. There is no need for the MITM to read or break the username and password; the user is allowed to log in successfully and the session is piggybacked and/or hijacked.
SSL: Utterly Useless
"But SSL will save us, every place I use to purchase stuff says that I'm using 128-bit encrypted SSL, and that I'm completely safe."
SSL is an acronym for Secure Sockets Layer, a technology created to encrypt data traveling between two points on a network, such as two computers on the Internet. You can see SSL at work when you connect to your bank; a small padlock symbol typically appears in the bottom status line of your browser to show that SSL is in use. You may also see "https:" at the start of the Web address instead of the usual "http:".
SSL does improve security between two network points, but here is the catch: one of those points could be a computer controlled by a MITM. Another vulnerability with SSL is pharming, which redirects you somewhere that you don't expect. So you could connect to the false site and get its SSL icon in your browser; you feel protected, but are still at risk.
Desktop attacks occur on the user's own computer, where SSL has no actual practical application. This is because SSL works between your browser and the Internet site to which you are connected. If a trojan or spyware is working on the desktop, the data will be captured as it is entered into the computer, before it is encrypted.
And as if this weren't bad enough, all the SSL in the world isn't going to defend against rogue employees who have access to personal and sensitive data. It will protect against phishing if the user knows what to do when presented with an unauthorized certificate notification. How many ordinary users do, however?