TechSpot

Web Security? Impossible now. Refute this please!

By TonyGuitar
Mar 28, 2006
  1. Recent stealth spyware is so secretive, everyone*s personal and credit info is at risk.

    A parallel problem to the proposed fee levy on Emails [some backbencher will try it], is<b> the question of a secure payment method on the internet.</b>

    Using a credit card used to be convenient but now with new auto server-bot stealth ware that sends all your credit card details and pin numbers to a server-bot with no hint to you of what is happening, credit cards on line may become impossible.

    This will also tend to enforce the two computer household. I have one computer on line with no personal info and the second computer that is never exposed to the net.

    So the challenge is to come up with a method of on line payment that is as convenient as credit cards but does not require sensitive data to sit on your HD and thus be exposed to the net and stealth Trojan bots to bot servers.

    Credit card companies are suffering huge losses due to these new hidden data gleaner Trojans and they are trying to keep it quiet. This attitude of secrecy on their part will allow many people to lose their credit card information and possibly their identity, while the card companies try to come up with a secure payment system. A system where no information is recorded or stored on your computer..

    If your credit card is compromised, one company, Visa, promptly offers to open a new account for you with a new card and number. Foolish, when you consider that the new card details will be promptly reported to the server-bot by the resident Rootkit hidden Trojan on your machine.

    For one person’s encounter with theft of $450 and all Credit data and a list of only 5 security firms who, [as of March 27th], can detect some of this new threat, check:

    http:// BendGovernment.blogspot.com

    Firms worldwide, but primarily in Europe and the UK are losing sensitive information and all this seems attributed to Michael Haephrati and his wife Ruth. Who own homes in both London and Germany.
    Their arrest followed an international investigation by the Computer crime unit of the Tel Aviv fraud squad, Interpol and various police forces. Michael and Ruth sold custom designed Trojan spy ware to business for spying on their competition and also sold to detective agencies. Links at BendGovernment.[Top on Google]

    Michael honed his computer skills during a three year stint in the Israeli military. TG
     
  2. Spike

    Spike TS Evangelist Posts: 2,168

    Well, first of all, in terms of a secure way of taking payments online, If biometrics are to become widespread, the credit card company could hold a fingerprint on line to be referenced whenever an online payment is made. this would render the credit card number on its own completely useless. Of course, not everybody has a fingerprint scanner on their machines, but it could be done in time no doubt.

    As for the risk in the first place, there isn't any *significant* risk if you are able to keep your machine clean and scanned, but unfortunately this probably means not taking your web browser to random pron sites and the likes, which it seems many people want to do regardless of the cost to their security.

    In essence, the first line of defence in internet security is common sense, the second is the software/hardware setup, and the third is experience. (something like that order anyway). Unfortunately, many people wish to rely purely on their software, and throw common sense to the wind in pursuit of pron and free stuff, and never learn from the experience.

    The chances of encountering a new problem before anybody knows what it is, how it works, and how to defend against it, are remote at best. Of course, there's always going to be someone who's hit first, but you can almost guarentee that most such people aren't likely to be taking even basic precautions anyway. Consider the number of people likely to get hit by a "first strike" from something malicious before it's highly publicised, vs the number of people using the web.
     
  3. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    That thing is BS.. Really. You shouldn't even read through such crap..

    That is if I actually keep my credit card info in plain text files in my computer (that would make me a very stupid person) and if I actually use my computer wrong (don't use Internet Explorer, don't open iles you don't hav complete trust in, don't use any password/form remembering features).

    PIN numbers? You should never, ever, be asked for your credit card PIN number anywhere on the internet. If someone asks you for this, then they are fraudsters and you should not give it to them.

    OK, so what is the use of storing your credit card info on a non-networked computer? :p Or, what is the use of a computer at all if it is not connected to the internet (this is the 21st century after all)?

    No information is stored on your computer already (unless you choose to do so yourself - and that's your loss). The only way a trojan could capture your credit card info is using a keylogger and the only way to take out the keyboard factor would be to use smartcards and/or one-time passwords.

    Is that guy claiming that VISA would send me my new credit card details via e-mail or something? LOL!

    No, I didn't go there. Wow, a blog! That's rock solid proof right there! [/sarcasm] I don't think one *****'s rant about their own stupidity and/or lies about what really happened is worth anything.

    OK, and what has industrial espionage got to do with peoples credit cards? General Motors, instead of looking at the latest designs from Toyota, steals the credit card info of one of their engineers and buys a new leather chair for the CEO? Please!
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    For your info: PayPal has over 96 million members by now (at last count) and they are steadily growing.
    I've been with them since last century (ow, that sounds GOOD!) and never had a problem.
     
  5. m0nty

    m0nty TS Rookie

    whilst some of this may have it's place, i agree, it's possible if you don't follow common sense.. but common sense does indeed go out the window with unknowing internet users.. just because a website has logos and images that syas etrust or trusted server certification doesn't make them trustworthy.. approach all credit card transactions in the same way as you would approach some1 on a car boot or garage sale. follow the links, do some reading and then decide.. if those sites have genuine certificates, then the company will be listed on the certificate issuers website itself.. if it's not listed, then it isn't certificated..

    never use credit card sales unless the transaction is done from a SSL page.. you'll see the padlock in the bottom of the browser and the address will be a https:// addy, instead of http.

    and it is still easy to be ripped off when using paypal!!

    a lot of major credit cards are now refusing to compensate customers for transactions made from paypal.

    but banks and credit card companies lose more money each year through hackers directly hacking the banking computers, stolen cards and card cloning (card readers placed into ATM machines or untrustworthy shop employees than trojans on computers.
     
  6. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    ebay & Paypal scams

    yeah, there's a price for paypal's efficiency and monopoly- it's called high fees and very poor customer service. I use them only because it is a necessary evil.
    I tried advertising with billpay- but not once did a buyer ever use it.

    I use the buyer credit with paypal also -since it is a credit card as well. I learned very quickly to always use a credit card with ebay. There are too many dishonest sellers. At least you can always chargeback when you have a dishonest seller. The last run in I had was with a seller who sold me a broken Atari 8bit computer and advertised it as in working condition.
    Good thing I used a credit card. The only thing I lost was a few bucks in fees.
     
  7. TonyGuitar

    TonyGuitar TS Rookie Topic Starter Posts: 90

    Nodsu suggested this topic should not be responded to, yet did post a 6 point reply.

    I refute all 6 points.

    [1] I did not have any credit info on the cpu at all. Only submitted to a certificate https site. The site is known as legit, but data compromised anyway.

    [2] No pin number used. That was my typo. Should have said typo. There is never a need for pin no. on line, just 3 digit no. on reverse.

    [3] Credit info and pin on an off-line cpu is never exposed.

    [4] Visa et all always send account info by mail... never by Email.

    [5] You contemtuously did not go to the website with the $450 similsr rip-off story. In your view, all blogsites are garbage?? [why did I bother??]

    [6] Industrial espionage has everything to do with credit data theft. Same hardware. Organized crime has become corporate in nature. Very sophisticated.

    I was never as smug as you seem to be. May real life experience moderate your smugness as it has done mine. If a smart and cautious hombre like yours truly can have data logged, then it is only a matter of time until it*s your turn. TG
     
  8. TonyGuitar

    TonyGuitar TS Rookie Topic Starter Posts: 90

    Monty,
    I tend to agree with you.

    Following Trojan and data mining alerts for the last few months, there have been mentions of some huge security credt data losses.

    One example: More than [4] four million accounts were lifted from an Arizona server where the operators allowed sensitive data to collect instead of promptly cleaning the sensitive items. Sloppy operators, huge losses.

    I grouped 7 items of the latest alerts on this stuff at:

    http://BendGovernment.blogspot.com

    The details of the couple where the husband sharpened his computer skills in the Israeli military and then used his skills and stolen software to make big bucks is very interesting. TG
     
  9. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Spyware on a corporate server used to hold the credit card info of thousands of people? The kind of spyware that can actually understand customer databases and lift credit card info from these? Or are you just mixing up a tool used on client computers and a server compromise?

    "Same hardware" as in that computers are used? :p
    The organised crime people may be performing both industrial espionage and credit ard frauds yes. This does not mean that the very same people are working in both branches or that the same methods are used. You can't really take an espionage story and link it to credit card crimes only because computers were involved.
    Organised crime also sells drugs and does slave trade. Should we now deduce that the best way to keep your children off drugs is to perform a daily virus scan in ones computer?

    Your first post here was far from moderate, filled with sweeping claims and technical inaccuracies. You will have my sincere apologies in written form the day I get hit by some cybercriminals of course :) We'll see about Linux keyloggers and trojans that can crack smart cards..
     
  10. TonyGuitar

    TonyGuitar TS Rookie Topic Starter Posts: 90

    Calm down... you are right.. mostly.

    Nodsu,

    You are mostly correct of course. I do not profess to be very well informed in the technical area.

    There are accounts of senior IT people losing their credit and personal data however.

    Authors, Jesse M Torres & Peter Sederis put out a pretty good book.
    entitled; Surviving PC Disaters and blunders.

    They outline an account of an IT pro losing personal data, but of course the person*s name is not mentioned for obvious reasons.

    Sorry if I made the veins on your neck stand out a little. You can have a last laugh when I come asking for help. Techspot is an Excellent site... Picked up Mozilla stuff here, and I realize you must have to handle a lot of novice problems.. Thanks. I*m sure most users appreciate it. TG
     
  11. TonyGuitar

    TonyGuitar TS Rookie Topic Starter Posts: 90

    Security creed for cards on line.

    Credit cards on line
    This has been my creed, yet data was still lifted / logged.

    Full safety = avoid using the card on line.

    But if you must use a card on line:=

    [1] Lower the card ceiling to $500..lower if possible.

    [2] Avoid free screen saver sites and offers.

    [3] Avoid free virus scans unless, Telus or a site you know.

    [4] Avoid Porn Sites. Most dangerous for Trojans & worms.

    [5] Avoid music share sites like *Limewire*.

    [6] Avoid Teen P2P chat sites.

    [7] Never fill in app. Forms sent to you in Email. Phishing.

    [8] Always red X zap Email selling drugs, Rolexes, software.

    [9] Zap means do not click on *stop these Emails*, just on X.

    [10] Zap lottery win notices. Otherwise they win, you lose.

    [11] Zap offers to help bank 2, 3, 5, 10 million for others.


    A credit card was hi-jacked recently.

    The card invoice listed a paysite $35.99 charge and the 1-800 number.

    The charge was fraudulent. Phoning the 800 number, the paysite informs of a charge to an *Adult* site membership. Never heard of it..[B….. On B…..]. Victims will know.

    Not able to spell it out. Some young reader may go there and lose the family savings. Avoiding lawsuits here.

    Two charges to the card… $400 - UK. Server and $380 Isreali server, were refused . Card had $300 open window.

    To check the card validity, the crooks charged $35.99 to the
    B….. on B….. web site. That did pay.

    Theory: Crooks always prefer cash. Crooks paid themselves the $35.99. Ergo, they own the adult website the money was paid to.

    Ok, Interpol… go get *em. You know where they hang out.

    TG
    Got the website name using 1-800 number to *PayCom.Net. *Direc Tech*, who I never had any dealings with, but their info was on the monthly Card account. That*s how I learned the name PayCom.Net *Direc Tech*
    Ring any bells?
     
  12. CrossFire851

    CrossFire851 TS Rookie Posts: 766



    I have to tell you this the cpu is the central processor unit not the harddrive and certainly not an abbreviation for computer. You could have just said HDD, and that right there proves you don't know **** and you're info is false.

    Example

    A P4 is cpu or AMD Athlon.
     
  13. N3051M

    N3051M TS Evangelist Posts: 2,115

    yes, and apart from the mistakes on the hardware, your last post (tonyguitar) can be summerised to common sense (although i dont know if it still exist in the present........... rehetorical question). As far as spam mail goes, dont even touch em.. if you do, it will send a red flag (or sorts) to its server telling it to spam the **** out of you.

    only the user/"customer" can do so much on their end of the line (in terms of security), where if its the recieving server side, its up to the operators and the company to handle the information, wheather good or bad. One will need to stop and analyse if such company is worth trusting or not before clicking "Ok".

    and if you are paranoid enough/seeking better security, go for a Mac pc or a Linux pc... at least 50% less chance of being keylogged/hacked/cracked/other bad stuff happen. the other 50% is for user faults.

    As far as knowing who they are.. google. i dont have a clue and i'm not gonna try.. although i would advice the credit card holder to contact their respective bank and tell them to stop payments and change whatever account details if needed, and report them as well.. also sweeping their pc with various nastie scanners..
     
  14. Spike

    Spike TS Evangelist Posts: 2,168

    I have to tell you that the harddrive is the little black thing with spinning platters and an IDE/SATA/SCSI cable that stores your data, not the computer itself.

    The computer is the combination of all of these parts - often all placed in a case for protection and tidiness. ;)
     
  15. TonyGuitar

    TonyGuitar TS Rookie Topic Starter Posts: 90

    Amusing twist RE: CPU,HDD point is I am Correct=Proof!

    Until Smart Cards come into use in North America, as they are in Europe, Credit Card dealings are not fully secure on the web!

    E-Commerce in Crisis: When SSL Isn't Safe
    ================================
    http://www.sci-tech-today.com/story.xhtml?story_id=12100DICXAH7

    May 25, 2006 11:31AM 

    *It's not a problem of authentication but one of transactional authorization,* says Bruce Schneier, leading security expert and CTO of Counterpane Internet Security. *No matter how hard you make the initial authentication for the end-user or hacker, the malware can just wait until the authentication is done and then manipulate the transaction.*

    Robbing a brick-and-mortar bank seems like petty theft compared with a new breed of cybercrime that, according to a growing number of security experts, is siphoning untold millions of dollars from banks and their customers using SSL-evading Trojans and ever more refined phishing techniques.

    Yet as phishing gets slicker, users are getting smarter. As the average Joe becomes less likely to type in authentication information in response to an e-mail, more and more cybercriminals are turning to SSL-evading Trojans.

    These Trojans install themselves on unsuspecting users' PCs and either capture user log-on credentials or manipulate transactions after a successful log-on. In both cases, the SSL connection between PC and bank remains intact. The user may think the confidential online transaction is protected against mischief -- but it is not. (continued...) TG [Now you must argue the pros... Oops, sorry, no one likes a smart a...]

    http://www.sci-tech-today.com/story.xhtml?story_id=12100DICXAH7
     
  16. Spike

    Spike TS Evangelist Posts: 2,168

    That'll be because the the user was "unsuspecting" and thus off-guard. It would also mean that the user doesn't know what SSL is actually all about, and what can make it insecure. That doesn't mean however that the whole thing is inherantly insecure. It means that if there were a test everyone had to take before using the web, there'd be far fewer problems for the rest of us, and far fewer problems with them.

    Furthermore, and experienced IT user knows that while individual tools provide the level of security they are created to provide, when put together into a complete and working system, NO system is 100% secure. In real terms, this will always be true, but are online payments particularly insecure or dangerous? Well, no. That argument has now been refuted at every corner consistantly.

    The only serious insecurity in the whole thing is the naivity, inexperience, and often times, the simple stupidity of the end user.
     
  17. TonyGuitar

    TonyGuitar TS Rookie Topic Starter Posts: 90

    Spike wins debate..[conditionally, that is]

    You do make good points there Spike, yet since IT pros get caught, it probably boils down to a momentary laps of attention while surfing through several sites to find something and tripping on a very clean looking page that happens to be tricky.

    I*ll admit that you don*t go down easy. We*ll have to arm wrestle sometime. I*ll spot you 4 beer first. 73s TG
     
  18. Spike

    Spike TS Evangelist Posts: 2,168

    There was a debate? lol :)

    I've "won" nothing though, and it certainly wasn't just me providing solid counterpoints.
     
  19. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    That's a good article (took you a while to come up with it). Far from "Web security - impossible" though. You are talking about a highly specialised trojan that can transparently replace a browser or some of the routines and that has intimate knowledge of the exact online service the user is visiting.

    So we need all of the following to be true:
    - a dumbuser who actually gets a trojan on her computer and doesn't notice
    - a standard browser and OS (Internet Explorer/Windows)
    - a well-known online service that doesn't change any of its web content and/or routines
    - the user actually using this online service in a predictable way

    Unless the trojan-writer has infinte knowledge, this thing can only be targeted to a very limited number of people and only a fraction of these people can be successfully exploited. You are more likely to get mugged at your local ATM really..
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...