Internet Security

Factual Questions
1

Now I know very little about hacking and encryption and what not, so pardon me if this purely hypothetical question seems obvious.

Let’s say I’m on amazon.com about to order… oh I don’t know… say, the book Alyssa Milano: She’s the Boss by Grace Catalano. I’m on a secure page that’s showing me my shipping address and my credit card number.

Now, I open up a new browser window while the secure one is still open and go to www.alyssa.com, which is not secure.

Am I making it easier for someone to get my credit card information? That is, am I somehow allowing non-secure access to my secure information?

Back off, man. I’m a scientist.

2

Heck, man, you’ve already told us too much.

3

No. Their secure which means no one is hacking into their system. when you’re sittin’ idle at your computer, it isn’t transmitting your card number back and forth, only when you hit enter. again, goes into their secure area.

Now if someone is hacking into your computer, then their secure server isn’t going to help much. and you’re probably already screwed.

at least this is how i see it. feel free to correct me.

I treated Art as the supreme reality, and life as a mere mode of fiction–Oscar Wilde

4

I don’t get it. Just cause you completed those little boxes on your screen how can anyone anywhere see what you put in unless you hit ‘submit?’

5

That’s it. they can’t. It’s only claiming to be secure when you hit enter and transmit your card over the line.

It’s like the cones of silence. You could get from maxwell smart, or you could get it from the chief. but you can’t get it when max is telling the chief.

We live in an age that reads to much to be wise, and thinks too much to be beautiful–Oscar Wilde

6

So then, generally speaking, what is the mechanism by which hackers intercept internet information transmissions to steal credit card numbers?

Of course, I am not endorsing such behavior. Just say no.

Back off, man. I’m a scientist.

7

I have never heard of a case of a credit card number stolen by interception over the internet; likewise, I’ve never heard of a case of a credit card number obtained by tapping a phone line. It’s just too hard for someone.

This is my semi-knowledgable take on it (semi because I worked at an ISP and know generally about it, but I’m not a security expert).

When you have a secure connection on a web page, it means that your browser is not dealing with a regular web server, to which requests are sent and responses received. Your browser has received a web page that’s been routed through a security layer that encrypts the page, to be decrypted by your browser. Likewise, when you hit submit, your browser encrypts the form data and sends it back through the layer, which decrypts it. The protocol is called SSL, for Secure Socket Layer.

Intercepting anything in transmission over the Internet is, from what I understand, nearly impossible. Anything sent is broken up into packets (or datagrams) that are measured in bytes. Each packet is addressed; routers send each packet on its way to the next stop. It’s like mailing someone a book, a page at a time. Every letter has the same address, but they’ll all take slightly different routes through the mail system, and collecting all of them in midstream would be difficult. On the Internet, where delivery can take as little as milliseconds, it’s impossible.

It would be possible for someone to listen in at several points along the line, though, and intercept your submission: at your ISP, where your data has been sent in a large gulp along one line; alternately, at the receiving end, where it’s all arriving. In that case, it’s encrypted, and someone would need some serious equipment and knowhow to decrypt it to get your card number.

That you have a secure connection does not mean that no one is hacking into their system. It means your browser will send whatever you submit (and whatever is returned to you) through a layer of encryption while it’s “in the open” on the Internet. Opening a second, nonsecure browser window is irrelevent: your secure ordering page is still targeting the secured recipient. Keep in mind that ‘connection’ is a misnomer. You don’t have a connection the way you have a connection for a phone call, where a line is set aside for your use for the duration of your chat. ‘Connection’ is the metaphor in use to indicate the mutual, programmed agreement between your browser and the secure server to use the security protocol that they’re both programmed to handle.

Amazon.com was a poor choice of example: they were hacked several months ago, and someone made off with credit card numbers that got used. In that case, people found otu what a bad idea it is to use debit cards for Internet purchases: on a credit card, a charge can be reversed; with a debit card, the money is simply gone from your account.

I wouldn’t worry about secure or insecure connections. Just like reading your credit card number to a customer service representative over the phone, you have more to worry about with the company taking the information, than with how it gets to them.

8

Mad props to hansel! Thanks for the info. :slight_smile:

9

There are other ways CC #'s could theoretically be stolen over the internet.
The simplest is a trojan horse program like Back Orifice or NetBus. The trick is to get someone to run this executable file, and the person’s computer becomes your own personal server. You can do pretty much anything to their computer, including taking screen shots. So if someone took a screen shot right when you entered your CC #, well you’d be screwed! Granted, this is unlikely to happen, but it could.

If that doesn’t scare you, read up on Tempest Monitoring.

Quote from http://www.eskimo.com/~joelm/tempest.html

“The general principle is that computer monitors and other devices give off electromagnetic radiation. With the right antenna and receiver, these emanations can be intercepted from a remote location, and then be redisplayed (in the case of a monitor screen) or recorded and replayed (such as with a printer or keyboard).”

These are not really things you should be worried about unless you’re ultra-paranoid, but they CAN happen.

Like hansel says, when CC theft does happen online, it’s not because of your data being intercepted and decrypted en route, it’s from someone breaking into the computers of whoever you gave your number to and getting the list that way. Still, I guess your money is gone either way.

10

Like puffington said Netbus and BO are the easiest ways. Not matter how secure the connection between you and the receiver, if your computer has been hacked it’s as if someone was standing over your shoulder and reading what you type in.

The moral: Get a virus scanner, and use the latest version of your browser and you should be OK.

Hansel: Without encryption it’s very easy to intercept data. This is especially true if you’re using a computer at the office and getting internet access through the LAN.

11

Encryption shouldn’t matter at all when it comes to interception. But am I right in thinking that interception can only be accomplished at chokepoints? Your ISP, the receiver, the office LAN’s connection to the internet: put a packet sniffer on any one point where all the packets pass, and you have them. Or is there another way?

12

Well encryption won’t make it any harder to intercept but the intercepted data will be useless. (Unless you can decipher it)

Yes, the interception would have to be done somewhere where the packets actually pass through. That doesn’t mean you have to work for an ISP. If you manage to gain access to any of the computers along the line you can do it. These computers are usually important servers and pretty secure, but you know the saying how the chain is only as strong as its weakest link.