Here's a short HOWTO on using CC's securely on the 'net.
First, some statistics:
Number of credit card numbers stolen from badly/not-configured vendor
systems:
a few million and growing.
Number of credit card numbers stolen in transit (by snooping the
'net):
0
SSL & Co are eyewash. Why would anyone waste his time installing
snoopers and go through gigabytes/terabytes of data looking for
potential CC numbers when all he has to do is exploit a few buffer
overflows/javascript exploits in IIS 1/2/3/4/5/all future versions and
then just walk into the vendor's system and pick up the whole lot?
So, if you want your transaction to be secure, do the following:
1. Forget about SSL. It doesn't matter. Really. If the people
sitting on the VSNL routers are smart enough to pick up your CC number
from your data stream, give them a large hand -- they're pretty
low-paid anyway and they deserve it.
2. Run Nmap on the target (vendor) computer. If you find any ports
except 80 and 443 open, don't send your CC number.
3. telnet ip.of.vendor.system 80
HEAD / HTTP/1.0
If the response string contains ``IIS'', don't send your CC number.
4. Go to www.rootshell.com and gather as many exploits for the target
system type as you can find.
5. Keep hitting the target until you r00t it.
6. Go in and pick up as many CC numbers as you can.
7. NOW you can send your CC number to the vendor. If your CC gets
stolen and you get humunguous charges on your next statement, don't
complain. Send a mail to the vendor that you have his CC numbers
hostage and ask for even larger amounts of money (tumhari behan aur
tumhari maa hamare kabze mein hai). Pay off your CC bill with the
ransom amount, cancel your credit card, and retire to a life of luxury
beyond your wildest dreams with the remaining money.
8. Do all this from Atul Chitnis' phone number, dial-up account and
e-mail to ensure that your life of luxury isn't spent in the lap of
the wardens in Tihar Jail.
9. Visit Atul in Tihar from time to time and bring him cigarettes and
pizza to help him tide over his temporary (20 years) inconvenience.
HTH,
Regards,
-- Raju
>>>>> "Zen" == Zen <[EMAIL PROTECTED]> writes:
Zen> The perception that all kinds of people are scanning,snooping
Zen> & sniffing has mainly to do with inaccurate press coverage.If
Zen> one were to believe them , it would seem that CC fraud was
Zen> happening all the time.Fact is, messages being broken into
Zen> packets arrive at the destination via dynamic routes, which
Zen> can't be predicted to pass through a particular router on
Zen> it's way.And in any case the transaction is encrypted.Mostly
Zen> it's a Java Applet handling the stuff at the client end, (so
Zen> there's restricted access to the applets memory area....)
Zen> which passes the result to a server side script, which
Zen> connects to a payment Gateway, to check the CC status &&
Zen> accepts ( or rejects ) the transaction.Which is then again
Zen> passed over to the merchents a/c at the payment Gateway.
Zen> Therefore even the merchant does'nt know your CCN.
Zen> This entire thing is sold as a package (SSL,SET,SSLelay
Zen> etc..), in which the above steps cannot easily be reverse
Zen> engineered to do fraudulant things.
Zen> So the CCN being compromised on the way is out.
Zen> However the risk is genuine if there's some trojan( a
Zen> keylogger for example) sitting on your m/c.It's always
Zen> advisable to check if the site you're buying stuff from has a
Zen> https URL ( as Binad pointed out)& proper security mechanisms
Zen> in place. In short it's much more worthwile to use physical
Zen> means to get the CCN, than electronically.If U care to check
Zen> the stats with ICICI etc.. there isn't any credit card fraud
Zen> to speak of in the Internet compared to what happens at the
Zen> mall everyday.
Zen> bye Kaushik
Zen> Chcek :- www.geocities.com/aseet_in/soft/hck/SSL.HTM
Zen> ----- Original Message ----- From: Binand Raj
Zen> S. <[EMAIL PROTECTED]> Sent: Saturday, March 24,
Zen> 2001 11:11 AM
>> On Sat, Mar 24, 2001 at 10:04:05AM +0530, Mukund wrote: > |Has
>> anybody purchased from India through net. If so how secure is
>> the > Never dared!!, looking at the security of Indian ISP.
>>
>> Oops! I have been purchasing quite a lot of stuff from
>> fabmart.com. I hope they are a bit secure (https auth et
>> al). Anyone ever had any problems with stolen CC numbers in
>> India?
>>
>> Binand
--
Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
----------------------------------------------
LIH is all for free speech. But it was created
for a purpose. Violations of the rules of
this list will result in stern action.
