Re: Detecting CC numbers
Ram0502 wrote:
> I think this idea has many benefits:

https://bugzilla.mozilla.org/show_bug.cgi?id=287092 filed.

Gerv
___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
Re: Detecting CC numbers
I think this idea has many benefits:

1 helps the user do the right thing
2 drives better behavior in the market (CC#s are sensitive and should be protected)
3 user experience friendly, I don't think a Pentium2 user would notice any latency change
4 cost effective, relatively small amount of relatively simple software
Re: Detecting CC numbers
Gervase Markham wrote:
> HJ wrote:
>> You will notice a shift towards e-mail phishing soon, because there's a lot of chatter about it already. Again, people use Mozilla features on their bank sites, like the password manager, and that makes your inbox even more interesting.
>
> Mining useful data from email accounts is harder, and probably involves a human step, so is harder to automate. If phishers are reduced to trying to break into your email, we'll have won a significant victory.
>
> Gerv

Please keep in mind that phishing attacks are also used for identity theft, something far more serious than a 'one time' credit card fraud. I myself have been victim of such fraud; someone bought a brand new car in my name, but I got the invoice, but I was lucky because I was far far away for months, so it couldn't be me.

Neil, my best friend ever, was also victim of this; he bought a house in Germany (nearby Ramstein), which is not true, and he died in a car crash (as did his fiancee and their unborn child) on their way in to defend him.

So what exactly did we do wrong? Well, nothing. In fact I was fighting to stay alive and so was Neil. We didn't even log into some site, but they got a handle on our e-mail address and that's what made it possible.

Yeah, I've learned a lot of phishing since, but I'd rather have my best friend back, but that's impossible :(

/HJ
Re: Detecting CC numbers
HJ wrote:
> You will notice a shift towards e-mail phishing soon, because there's a lot of chatter about it already. Again, people use Mozilla features on their bank sites, like the password manager, and that makes your inbox even more interesting.

Mining useful data from email accounts is harder, and probably involves a human step, so is harder to automate. If phishers are reduced to trying to break into your email, we'll have won a significant victory.

Gerv
Re: Detecting CC numbers
Gervase Markham wrote:
> Idea off the top of my head - please tell me why it won't work.
>
> Could we parse all form submissions over unencrypted channels and put up an alert ("You _really_ don't want to do this!") if any of the fields was a sixteen-digit number which passed the credit-card-number checksum algorithm?
>
> OK, so some places have four boxes for four digits each, but with clever coding, we might be able to catch that version too.
>
> Gerv

for details on what goes into each company's card numbers, just contact the companies.

most e-commerce, from the business end, is through third party site. the banks have a contract with at least one company that handles all online transactions for their business customers. transactions such as processing your credit card data when you buy something from the company.

you could go through the banks to get their online group, then talk to them about what they want as input, so that the browser can be secured to make the risks lower for both sides of the transaction. ( Canadian system different than US system, different from European system )

each payment agency has different layouts, so that is where layouts are controlled, not the site end. e-commerce sites have to use the processing company's format, which really has nothing to do with the card type, or length of card number
Re: Detecting CC numbers
HJ wrote:
> HJ wrote:
>> Gervase Markham wrote:
>>> Ian G wrote:
>>>> Much of phishing isn't about credit card details so much as *any* information.
>>>
>>> Well, I'm sure a phisher isn't really interested in my laundry list. CC numbers are one very quick way to get access to cash, and one people are used to typing into web browsers.
>>>
>>>> And, as attackers are able to adjust their policies to suit what's out there, they could also make their sites foil the checks.
>>>
>>> Possibly. At the moment, phishers copy-and-paste pages from legit sites. This would at least make them modify them.
>>>
>>> Gerv
>>
>> You will notice a shift towards e-mail phishing soon, because there's a lot of chatter about it already. Again, people use Mozilla features on their bank sites, like the password manager, and that makes your inbox even more interesting.
>>
>> /HJ
>
> ...thing lost password buttons/links!

Darn, make that "think..." I shouldn't edit and press Send without reading my comments first :(
Re: Detecting CC numbers
HJ wrote:
> Gervase Markham wrote:
>> Ian G wrote:
>>> Much of phishing isn't about credit card details so much as *any* information.
>>
>> Well, I'm sure a phisher isn't really interested in my laundry list. CC numbers are one very quick way to get access to cash, and one people are used to typing into web browsers.
>>
>>> And, as attackers are able to adjust their policies to suit what's out there, they could also make their sites foil the checks.
>>
>> Possibly. At the moment, phishers copy-and-paste pages from legit sites. This would at least make them modify them.
>>
>> Gerv
>
> You will notice a shift towards e-mail phishing soon, because there's a lot of chatter about it already. Again, people use Mozilla features on their bank sites, like the password manager, and that makes your inbox even more interesting.
>
> /HJ

...thing lost password buttons/links!

/HJ
Re: Detecting CC numbers
Gervase Markham wrote:
> Ian G wrote:
>> Much of phishing isn't about credit card details so much as *any* information.
>
> Well, I'm sure a phisher isn't really interested in my laundry list. CC numbers are one very quick way to get access to cash, and one people are used to typing into web browsers.
>
>> And, as attackers are able to adjust their policies to suit what's out there, they could also make their sites foil the checks.
>
> Possibly. At the moment, phishers copy-and-paste pages from legit sites. This would at least make them modify them.
>
> Gerv

You will notice a shift towards e-mail phishing soon, because there's a lot of chatter about it already. Again, people use Mozilla features on their bank sites, like the password manager, and that makes your inbox even more interesting.

/HJ
Re: Detecting CC numbers
Gervase Markham wrote:
> HJ wrote:
>> A credit card number can be as long as 19, 6 for the issuer, 12 for the account number and 1 for the checksum.
>
> Ah, OK. Do you have a reference to a document describing the format and the checking algorithm? I assume there is one, as sites do check for valid numbers.
>
> Gerv

Just do a search for: ANSI X4.13 and/or ISO/IEC 7812-1:1993

/HJ
Re: Detecting CC numbers
Ian G wrote:
> Much of phishing isn't about credit card details so much as *any* information.

Well, I'm sure a phisher isn't really interested in my laundry list. CC numbers are one very quick way to get access to cash, and one people are used to typing into web browsers.

> And, as attackers are able to adjust their policies to suit what's out there, they could also make their sites foil the checks.

Possibly. At the moment, phishers copy-and-paste pages from legit sites. This would at least make them modify them.

Gerv
Re: Detecting CC numbers
HJ wrote:
> A credit card number can be as long as 19, 6 for the issuer, 12 for the account number and 1 for the checksum.

Ah, OK. Do you have a reference to a document describing the format and the checking algorithm? I assume there is one, as sites do check for valid numbers.

Gerv
Re: Detecting CC numbers
Ian G wrote:
> Gervase Markham wrote:
>> Idea off the top of my head - please tell me why it won't work.
>>
>> Could we parse all form submissions over unencrypted channels and put up an alert ("You _really_ don't want to do this!") if any of the fields was a sixteen-digit number which passed the credit-card-number checksum algorithm?
>
> Much of phishing isn't about credit card details so much as *any* information. And, as attackers are able to adjust their policies to suit what's out there, they could also make their sites foil the checks. (Phisher programmers almost certainly haunt these maillists...)

Yeah, *if* I was such a programmer, which I am obviously not, I would rather have access to your inbox, because that will give me the ultimate power trip.

/HJ
Re: Detecting CC numbers
Gervase Markham wrote:
> Idea off the top of my head - please tell me why it won't work.
>
> Could we parse all form submissions over unencrypted channels and put up an alert ("You _really_ don't want to do this!") if any of the fields was a sixteen-digit number which passed the credit-card-number checksum algorithm?

Much of phishing isn't about credit card details so much as *any* information. And, as attackers are able to adjust their policies to suit what's out there, they could also make their sites foil the checks. (Phisher programmers almost certainly haunt these maillists...)

Also, I'm not sure whether the drain on CPU would be worth the benefit?

Which isn't to say that I don't think it will work, that's just a couple of reasons why it might not be as efficacious as first thought.

> OK, so some places have four boxes for four digits each, but with clever coding, we might be able to catch that version too.

Sounds like an arms race... It's for this reason that most people think about a crypto-inspired solution, as strong keys can't be arms-raced, only bypassed.

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
Re: Detecting CC numbers
Gervase Markham wrote:
> Idea off the top of my head - please tell me why it won't work.
>
> Could we parse all form submissions over unencrypted channels and put up an alert ("You _really_ don't want to do this!") if any of the fields was a sixteen-digit number which passed the credit-card-number checksum algorithm?

A credit card number can be as long as 19, 6 for the issuer, 12 for the account number and 1 for the checksum.

> OK, so some places have four boxes for four digits each, but with clever coding, we might be able to catch that version too.
>
> Gerv
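
The check proposed at the start of this thread, sketched in JavaScript as an added example: a Luhn test over form fields bound for a non-HTTPS URL, covering numbers up to 19 digits and entry split across several boxes. This is not code from any poster or from Mozilla; the function names, the 13-digit lower bound and the sample form are assumptions.

```javascript
// Added illustration: names and limits are hypothetical, not Mozilla code.
const MIN_LEN = 13; // assumption: shortest number worth checking
const MAX_LEN = 19; // upper bound quoted in the thread

// Luhn check: from the right, double every second digit, sum, test mod 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum % 10 === 0;
}

// True when the text, minus spaces and hyphens, is a plausible card number.
function looksLikeCard(text) {
  const digits = text.replace(/[ -]/g, "");
  return /^\d+$/.test(digits) && digits.length >= MIN_LEN &&
    digits.length <= MAX_LEN && luhnValid(digits);
}

// fields: [{name, value}] in document order. Returns one array of field
// names per detected number, including numbers split over adjacent boxes.
function findCardFields(fields) {
  const hits = [];
  for (let i = 0; i < fields.length; i++) {
    if (looksLikeCard(fields[i].value)) { hits.push([fields[i].name]); continue; }
    let joined = "";
    const names = [];
    for (let j = i; j < fields.length && /^\d{1,6}$/.test(fields[j].value); j++) {
      joined += fields[j].value;
      names.push(fields[j].name);
      if (names.length > 1 && looksLikeCard(joined)) {
        hits.push(names);
        i = j; // skip the boxes already accounted for
        break;
      }
    }
  }
  return hits;
}

// Warn only when the form target is not HTTPS and a number was found.
function shouldWarn(actionUrl, fields) {
  return new URL(actionUrl).protocol !== "https:" && findCardFields(fields).length > 0;
}

// Constructed sample: a well-known test number typed into four boxes.
const SAMPLE = ["4111", "1111", "1111", "1111"].map((value, n) => ({ name: "cc" + (n + 1), value }));
```

A Luhn pass only shows the digits are self-consistent, so harmless values such as sixteen zeros also trigger the warning.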