So how safe is online shopping?

I read the following webpage http://www.theregister.co.uk/000110-000013.html?&_ref=1531068205

It puzzles me. ALL the online traders swear the SSL encryption is un-hackable (except in degenerate cases). So how is this happening?

I know that the hacker used a flaw in ICVerify, but if I sent all my data through SSL encryption he needs to have access to all the random paths that my server chooses, right?
Did I make sense?


  • Message NOT scanned for typos…

Nothing is “unhackable”.

But using online transactions, in general, is more secure than handing a slip with your account number to the person behind the register.

Also, if you are worried about this, use a credit card rather than a debit. With most CC’s, if stolen, you are liable for only about $50. With a debit you’d lose all your cash until you can prove to the bank otherwise… which can take a long time.


The greater your dreams, the more terrible your nightmares.

I don’t have anywhere near the technical knowledge necessary to answer your question, but I’ll second what BurnMeUp said about security: even the lowest level of internet security is likely better than what you’ll encounter the rest of the time you use your credit card.

I couldn’t count the number of times I’ve read off my CC number for a catalogue order, or given it to the waiter at a restaurant, or used it as collateral when renting something. Yet somehow I’m supposed to be concerned when using it over the Internet?!

If someone uses my number to make illicit charges, then I simply inform the bank and I’m off the hook. Piece o’ cake.


~ Complacency is far more dangerous than outrage ~

Actually, the big risk with Internet shopping isn’t the credit card getting stolen on the 'Net, but rather, the guy getting paid $5.00/hr in Iowa processing your order.

He is ALSO writing your card number and information on to a little yellow Post-It, and sticking it in his pocket. A few months later when he quits that job or is feeling a little disgruntled, he whips out that Post-It, and surprise… You just ‘ordered’ him a bunch of CDs, jewelry, electronics, that he had sent to a vacant house, and picked up under the cover of night. He pawns the stuff, or just keeps it for himself, and you get screwed.

A previous friend of mine (who I have since stopped hanging out with for obvious reasons) used to work at a dry cleaner, and kept a list of credit cards for his own personal use. He always waited several months (i.e. so numerous credit card billing cycles could pass) after any given transaction took place, however, so they’d never track it back to the dry cleaner… or him.

This is exactly why it is safer to use the internet. In many ecommerce solutions, it is completely unnecessary for any actual human to ever see your credit card number. Usually the only thing a human has to do is enclose the merchandise with a packing slip and label that is printed for them - and it does not have to include your CC # (and in my experience, usually does not…)

So, everyone agrees,
On-line shopping is pretty safe and I shouldn’t worry about it.

But I am still curious how this Russian guy got credit card numbers from so many customers. Did he hack the seller’s database?


  • Message NOT scanned for typos…

Probably what some guy in SF did once. They found him with 100,000 CC numbers. He used a nifty little program to find the numbers from the pattern of the numbers on the net.
You know: xxxx-xxxx etc.

Best way to get a CC nbr is just fish it out of the trash, then you have the nbr, the date & the name.

Look, American Express’s Optima card automatically waives the $50 customer liability for transactions over the Internet. If your credit card number is stolen, they eat all the cost.

Do you really think they’d make this offer if credit card transactions were being ripped off all the time?


“East is east and west is west and if you take cranberries and stew them like applesauce they taste much more like prunes than rhubarb does.” – Marx

Read “Sundials” in the new issue of Aboriginal Science Fiction. www.sff.net/people/rothman

Amazon (and most others, I assume) will even reimburse you the $50.
I think where you need to be most careful is who you do business with.
Peace,
mangeorge


Wow, 00, I made it! :slight_smile:

Ramesh:

The hacker used a flaw in that software where a debugging log was written even when the option was turned off, and the log was set to be readable by everyone, so with a little work on the webserver he was able to read the log, which contained all their transactions.

Supposedly the bug has been known for quite a while and the ICVerify software hasn’t been patched and a lot of businesses are vulnerable to the same bug, though maybe in slightly different ways (depending if the log can be reached through the web server or not.)

Scarier than that is the ‘rumor’ (I think it’s true, but it’s impossible to prove) that the company was talking to him about paying, but was afraid of having to justify the payment during an audit. (“And you transferred this money to a numbered account… why?”) There’ve been a lot of cases where banks/etc have paid off hackers, or hushed up cases to avoid the bad press.
Now, on to the how…

The encryption, once properly set up, is nigh-invulnerable. It’d take years for a non-megacorp/government level hacker to find one key, and that’d only decipher one transaction.

But, if the software which generated the keys doesn’t use a proper pseudo random number generator (which, because computers are deterministic is hard to do), or if the key is accidentally weakened, by a programming error, or the user hitting ‘aaaaaaaaaaaaaa’ when asked for random text, etc, then this falls apart.

But, even with that, most transactions aren’t at risk because except in the worst cases, the encryption is just weaker, not broken. So this sort of thing is usually attempted on either end of the connection.

Users are easily targeted. I mean, everyone I know ran the Frog in a Blender after (at most) a virus scan, but it could have been doctored to contain a back door letting the attacker later monitor all your actions, including typing in your passwords and CC#.

The stores are often harder to attack, though unfortunately, not as much so as you’d hope. The main benefit is that usually the admins don’t run silly shockwave applets on the secure servers.

But, even a perfectly set up and secured machine is still vulnerable to bugs. I mean, even if CD U. used ICVerify properly it’d still make the log, even if they didn’t let people read it. Then there are a bunch of other bugs in the webservers, the operating systems, and all other software running.

This assumes the admin knows how to set the system up securely, which should mean turning everything off, and turning only some things back on. Many secure transaction servers are also running mail servers, or other non-essential services, which complicate the process. Then there’s the settings for the needed software. Some parts of the files ICVerify uses need to be readable by anyone because they’re the parts users interact with, other parts (this log) shouldn’t be, etc. You have to know the software in and out to know how to properly run it.

What makes this sort of thing worse is the tendency for companies to store all data about people, often using ‘secret’ information as the key, like indexing people by SSN, or storing the credit card number of the customer, etc. This way when a hacker gets in, aside from just a list of customers, they get everything, perfect for ordering a new physical card, or calling in a change of address, etc.

Some countries (I think NZ or AU) forbid the storing of credit card numbers (and other things?) after a purchase. As soon as it comes back approved or denied, that card number has to be wiped from the logs. This is a smart thing. Perhaps the company could keep the first two digits and the last one, so if a customer called, they could verify that the same number was used, without actually storing enough information to cause problems.

But, online transactions, if handled properly, are incredibly secure. I mean, to the point where it’s near impossible for anyone, the admin for the store, or anyone in between, to get information they should have. Contrast this with giving the waiter your credit card… The problem with online transactions is that this desire to store information, and the volume of transactions, make ripe targets. A waiter could get 10-20 card numbers per shift, and would quickly be caught if they were all used, because the common purchase would lead to the restaurant and the waiter. A hacker could monitor Amazon.com or a big store and get 10k cards per day, and if there was a log, perhaps many more.

So, I’d do it. As people say, you are only liable for $50, and most banks waive that, if you show you didn’t do anything dumb, like not calling them after your wallet was stolen. There is less direct risk (per transaction) and maybe a bit more (stolen logs) in total, but it’s still fairly secure, and the stakes are fairly small (for the end user… I wouldn’t doubt CD U. goes out of business over this and the inevitable lawsuits.)

Regarding the $50 – even if the card issuer doesn’t waive it – and most will – it’s often covered as a miscellaneous item in your homeowner or renter’s insurance policy (you DO have a renter’s insurance policy, right??).

-Melin
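An added example, not from this thread or from ICVerify: a small Python audit, written from the defender's side, for the failure Melin describes (a debugging log that keeps full card numbers and is readable by everyone). It scans a constructed sample log for card-number patterns, keeps only Luhn-valid hits (which is what separates real numbers from the bare "xxxx-xxxx" pattern mentioned earlier in the thread), reports whether the file is world-readable, and masks hits the way the post suggests, keeping only the first two digits and the last one. The log lines, the log format and the masking rule are constructed assumptions, not anything from the real software.

```python
import os
import re
import stat
import tempfile

# Constructed sample of a debugging trace that records full card data.
# The second card number fails the Luhn check and must NOT be reported.
SAMPLE_LOG = """\
2000-01-10 12:01:07 AUTH req merchant=example-store card=4111111111111111 exp=03/01 amt=29.95
2000-01-10 12:01:09 AUTH resp approved code=123456
2000-01-10 12:03:44 AUTH req merchant=example-store card=4111 1111 1111 1112 exp=05/02 amt=12.00
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the first two digits and the last one, as the post suggests."""
    return digits[:2] + "*" * (len(digits) - 3) + digits[-1]


def audit_log(path: str) -> dict:
    """Report world-readability and any full card numbers stored in the log."""
    with open(path) as f:
        pans = find_pans(f.read())
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    return {"world_readable": world_readable, "pan_count": len(pans),
            "masked": [mask_pan(p) for p in pans]}


def demo(mode: int) -> dict:
    """Write the constructed sample log with the given mode, then audit it."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_LOG)
    os.chmod(path, mode)   # 0o644 reproduces the "readable by everyone" finding
    return audit_log(path)
```

Running `demo(0o644)` flags the log as world-readable with one full card number present; the same log at `0o600` still fails the data-retention check, which is the point of the post's advice to wipe the number once the authorization comes back.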

Yep, that’s basically what he did, once he got past ICVerify where the weak programming actually was.

There’s already been a report of someone whose credit card number was taken from the site where he posted CDUniverse’s client list, and $1,000.00 was charged on it.

Some people are really sick.


“How wonderful it is that nobody need wait a single moment before starting to improve the world.” - Anne Frank

Shayna:

I’m curious, what makes this guy sick?

He obviously doesn’t find laws to be the highest guiding principle in his life, but then I don’t think many people do.

I would reserve sick for a rapist/molester, not someone into a little credit fraud.

WhiteNight, I was referring to the slime-o that actually took advantage of the posted credit card numbers and used them to their own benefit, not the original hacker. However, upon consideration, I think the hacker is sick too. It is twisted and evil to maliciously infiltrate an encoded computer program for the purpose of extorting money and then making threats to the company whose files have been hacked into.

I agree, rapists and molesters are sick. But I also feel that thieves are sick too. If you’ve never been robbed or burgled, you might not understand the intense feeling of invasion one feels when it happens to them. I’ve had my home burgled 3 times (2 different places), and there is no way to describe how physically violated I felt after having discovered someone had been inside my home, touching my personal belongings and then taking what they wanted.


“How wonderful it is that nobody need wait a single moment before starting to improve the world.” - Anne Frank

I used to be a supervisor at an inbound telemarketing company (we used to take calls for Ginsu knives!) and one CSR decided to copy credit card numbers down and have stuff delivered to her. Seems the feds take this sort of thing very seriously because we got a visit by the Secret Service. She was terminated immediately, and prosecuted, but I’m not sure what her sentence was.