- Posts: 1302
- Thank you received: 0
credit card security
17 years 10 months ago #19150
by DaLight
Replied by DaLight on topic Re: credit card security
As Starfire said, the first thing is to ensure the credibility of the website which is accepting your payment. Once you're assured of this and trust that the appropriate SSL encryption standards are being used, then you can be reasonably certain that the communications from your browser to the website over the internet will be secure. Your main problem will be the possibility of key-loggers and similar software which may be present on the computers in the cyber-cafe, as these will trap your credit card details as they are being entered into your browser. I personally do not enter my credit card details on machines I do not own or have total administrative control over. But that's because I have the choice ...
17 years 8 months ago #20323
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: credit card security
Hmmm...
If I *had* to do this... and I mean absolutely *had* to... I would do it this way:
1. Try to get them to connect my laptop (if you have one).
2. Get myself a livecd which has Firefox and Tor. I'm partial to this one: sourceforge.net/projects/anonym-os/ but there are others out there.
3. Check the keyboard connector for hardware keyloggers (they look like small little adaptors attached to the end of the keyboard jack) If you're not sure... don't use it.
4. Boot the Live CD and configure the network connection. Get just the basic details required for configuration. Don't let the admin do this for you, or if he does, watch what he does.
5. Ensure all traffic is being routed through Tor or the proxy of your choice. The most secure is a host that you control running proxy services... maybe an SSH port forward etc. Of course, you may not have this. DON'T use public proxy lists.
6. Newer banks have a facility to generate a temporary card for the amount you want to transact. If you have this facility, try and generate a temporary card before hand. Also, if your bank uses two factor authentication with a token etc, you should use it.
7. Login to the merchant you want to bank with and double check the SSL certificates. You do NOT want to find that you're being fed an ssl proxy cert.
8. If you're super paranoid, verify the ip address that you're connecting to. Visit your merchant directly through this IP that you resolve using some online service. This should stop anyone fooling around with DNS requests.
9. Perform your transaction... run ethereal / tcpdump to ensure that your data is being encrypted.
10. If your Live CD created swap on the remote machine, wipe this swap space (this is too complex for me to explain here, it's also unlikely you will need it).
Well.. that's the most 'easy' way I would think of doing it. Personally though I think it's the worst idea ever and would only advocate this approach in a desperate situation. In these cases it's often better to perform the transaction in some other way.
Oh by the way, the axe grinds both ways, if you're trying to perform this transaction anonymously, you've probably managed that... however there are steps that I've left out to ensure people don't get up to no good with stolen cards etc. If you're paranoid enough to be transacting from an anonymous physical location you will be smart enough to figure these steps out.
Cheers,
If I *had* to do this... and I mean absolutely *had* to... I would do it this way:
1. Try to get them to connect my laptop (if you have one).
2. Get myself a livecd which has Firefox and Tor. I'm partial to this one: sourceforge.net/projects/anonym-os/ but there are others out there.
3. Check the keyboard connector for hardware keyloggers (they look like small little adaptors attached to the end of the keyboard jack) If you're not sure... don't use it.
4. Boot the Live CD and configure the network connection. Get just the basic details required for configuration. Don't let the admin do this for you, or if he does, watch what he does.
5. Ensure all traffic is being routed through Tor or the proxy of your choice. The most secure is a host that you control running proxy services... maybe an SSH port forward etc. Of course, you may not have this. DON'T use public proxy lists.
6. Newer banks have a facility to generate a temporary card for the amount you want to transact. If you have this facility, try and generate a temporary card before hand. Also, if your bank uses two factor authentication with a token etc, you should use it.
7. Login to the merchant you want to bank with and double check the SSL certificates. You do NOT want to find that you're being fed an ssl proxy cert.
8. If you're super paranoid, verify the ip address that you're connecting to. Visit your merchant directly through this IP that you resolve using some online service. This should stop anyone fooling around with DNS requests.
9. Perform your transaction... run ethereal / tcpdump to ensure that your data is being encrypted.
10. If your Live CD created swap on the remote machine, wipe this swap space (this is too complex for me to explain here, it's also unlikely you will need it).
Well.. that's the most 'easy' way I would think of doing it. Personally though I think it's the worst idea ever and would only advocate this approach in a desperate situation. In these cases it's often better to perform the transaction in some other way.
Oh by the way, the axe grinds both ways, if you're trying to perform this transaction anonymously, you've probably managed that... however there are steps that I've left out to ensure people don't get up to no good with stolen cards etc. If you're paranoid enough to be transacting from an anonymous physical location you will be smart enough to figure these steps out.
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.116 seconds