PC Services

 

PC Services (Electronics)

Credit Card Insecurity for Online Transactions

Tel: 0118 946 3634
Email

linked-in profile facebook profile

   The Company 
   Resources / Examples 
   Commentaries           
   Online Credit Cards 
   Personal 

Online Credit Card Security

How the supposed security method by credit card companies (like Mastercard Secure and Visa 3D Secure) is NOT secure, and breaks the golden rules of safe online purchasing. Financial institutes (banks, insurance, credit card, etc.) all run on the wrong security model.

Just because lots of people do it does not mean it is the right way to do it. The vast majority of the driving public will break driving speed limits (even unintentionally), many will have had or bought alcohol or pornography before the legal age, but that still does not make those right either.

Golden rules of online payments

The three golden rules of online payments are -

  1. Don't enter personal details on an unknown site or popup or frame

  2. Check for 'padlock' symbol, (basically SSL or similar active)

  3. Check website address starts 'https://' and hopefully starts with a recognisable real domain name.

So what do Visa and Mastercard (also used for other types of cards) do?

  • Don't inform card holders of this method and what website(s) to expect to be asked for this information on. They have not WRITTEN to the cardholders, beforehand.

  • Let merchants allow this verification in a popup window or iframe or frame with no address bar or any other indication of which website they are getting the verification pages from.

  • No way to see if this scheme is using a secure connection.

  • Initial (usually pop-up window or frame) asks for all sorts of personal details, from card verification numbers, date of birth and other details. The cardholder has no way of knowing where the frame or popup window has come from, even if it is a valid site and not some phishing website, malware or spyware program.

    This is the same as somebody approaching you in the street and asking for your identity details.

    Plenty of sites get hacked and could redirect to different sites pop-up window, or even to a duplicate one of these from a phishing email, asking you to re-enter detasils after a supposed 'security update' to re-establish your identity.

  • Any good security method would involve cardholders being instructed by letter to go to a particular site with a security code to enter their details like date of birth, card verification numbers, to create a password, they can remember. A lot of people have trouble remember the many 4 digit PIN codes, so any autogenerated (minimum characters, number and letters) non-rememberable password WILL BE WRITTEN DOWN as the cardholders already have so many other passwords to remember and not supposedly write down.

Secure connections

Some of the Mastercard Secure methods I have seen on a few sites have broken server security chain, on the FIRST frame that is seen. This comes from the fact that they make the basic assumption that ALL users will have the absolute latest computer and browser, which cannot be guaranteed. In 2009 the last of my customers (two different retired home users), upgraded their systems from Windows ME.

In other words their SSL keys are broken, as they assume they can force everybody to change computers to suit them.

Security Model

All banks and other financial institutes use the WRONG security model, that assumes any transactions internet/phone/email are the same as a person physically visiting a branch of that institute. This also is true for lots of these financial institutes ringing you out of the blue and asking security questions and not offering ways of proving who they are first.

They also assume that all cardholders will have the same brand new computers a their developers have.

Armed forces in conflict and security

When you consider past conflicts and secure communications, two main methods of radio communications in the Second World War, used were very difficult to break. These were the British Army using procedures for books of 'one time' codes, that were hand delivered to units and not used until a confirmation in code using procedures were received from the remote unit. The other method was the use by American forces who used Navajo natives, for voice communications as the Navajo language was spoken by only a small group of people.

The main point of these secure methods is both parties were working in the same way. The credit card method is one end is supposedly secure and the other end (cardholder) has no idea if what they are seeing, is valid, secure or not some other malware/phishing site.

DNS issues and hijacking

Over the years there has been many instances of software in the form of malware, spyware and virus that have redirected DNS entries, and a few vulnerabilities found in DNS software. This has given rise to web users being taken to a different site than the one they expected to be taken to, which is sometimes used by phishers to get personal details.

Phishing

These popup windows and frames are prime targets for phishing as anybody can copy web pages or close enough to fool the majority of people, copy logos is even easier... It is very easy to find bank logos as images, even places that sell image libraries of them! Many websites have been hacked for the purposes of criminal activity, or malicious intent; several have unknowingly been used for things like pornography, so it is possible to be taken to the wrong site to gather personal data for identity theft.

Conclusions

Throughout all this procedure the card/account holders, have been treated like sheep, expected to be just herded along into yet another scheme, where the slightest problem occurs the card/account holder (or their computer system) can be blamed first. Another excuse for the customer to pay for financial institutes lack of proper implementation of security. Whilst their implementation has been to encourage phishing on websites and emails by their sloppy way of implentation in the SAME manner as many phishing websites do.

Personally ANY site using ONLY these methods of payment does not get ANY business from me or anybody who actually knows anything about security.

© 2010 onwards by PC Services, Reading UK Last Updated: 18th January 2016
If you encounter problems with this page please email your comments to webmaster