Credit Card Insecurity for Online Transactions
Online Credit Card Security
How the supposed security method used by credit card companies (such as Mastercard SecureCode and Visa 3D Secure) is NOT secure and breaks the golden rules of safe online purchasing. Financial institutions (banks, insurers, credit card companies, etc.) all run on the wrong security model.
Just because lots of people do something does not make it the right way to do it. The vast majority of the driving public will break speed limits (even unintentionally), and many will have had or bought alcohol or pornography before the legal age, but that does not make those right either.
Golden rules of online payments
The three golden rules of online payments are -
So what do Visa and Mastercard (also used for other types of cards) do?
Some of the Mastercard SecureCode implementations I have seen on a few sites have a broken server security chain on the FIRST frame that is shown. This comes from the basic assumption that ALL users will have the very latest computer and browser, which cannot be guaranteed. In 2009 the last of my customers (two different retired home users) upgraded their systems from Windows ME.
In other words, their SSL keys are broken, because they assume they can force everybody to change computers to suit them.
All banks and other financial institutions use the WRONG security model, one that assumes a transaction over the internet, phone or email is the same as a person physically visiting a branch of that institution. The same is true of the many financial institutions that ring you out of the blue, ask security questions, and offer no way of proving who they are first.
They also assume that all cardholders have the same brand new computers as their developers have.
Armed forces in conflict and security
Consider past conflicts and secure communications: two main methods of radio communication used in the Second World War were very difficult to break. One was the British Army's procedure of using books of 'one time' codes, which were hand delivered to units and not used until a coded confirmation, following the same procedures, had been received from the remote unit. The other was the American forces' use of Navajo speakers for voice communications, as the Navajo language was spoken by only a small group of people.
The main point of these secure methods is that both parties were working in the same way. With the credit card method, one end is supposedly secure and the other end (the cardholder) has no idea whether what they are seeing is valid and secure, or is some malware or phishing site.
DNS issues and hijacking
Over the years there have been many instances of software in the form of malware, spyware and viruses that redirect DNS entries, and a few vulnerabilities have been found in DNS software. This has led to web users being taken to a different site from the one they expected, which is sometimes used by phishers to obtain personal details.
These popup windows and frames are prime targets for phishing, as anybody can copy web pages closely enough to fool the majority of people, and copying logos is even easier: bank logos are very easy to find as images, and some places even sell image libraries of them! Many websites have been hacked for criminal or malicious purposes; several have unknowingly been used for things like pornography, so it is entirely possible to be taken to the wrong site, which then gathers personal data for identity theft.
Throughout this whole procedure, card/account holders have been treated like sheep, expected to be herded along into yet another scheme where, the moment the slightest problem occurs, the card/account holder (or their computer system) is blamed first. It is another excuse for the customer to pay for the financial institutions' lack of proper security implementation, while that implementation encourages phishing on websites and in emails by sloppily working in the SAME manner as many phishing websites do.
Personally, ANY site using ONLY these methods of payment gets NO business from me, or from anybody who actually knows anything about security.
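The core of the problem above is that a card form or challenge frame can be served from an origin the cardholder never sees in the address bar. As an added example (not code from this page or from any card scheme), the following checker lists every iframe and form on a checkout page whose origin differs from the page's own, including http:// frames on an https:// page; the page URL, host names and HTML are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample checkout page (hosts are fictitious): the card-capture
# form and the challenge frame come from origins other than the shop itself,
# which is exactly what the cardholder cannot tell from the address bar.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><body>
<form action="/checkout/confirm" method="post"><input name="qty"></form>
<iframe src="https://acs.example-bank.test/3ds/challenge?id=123"></iframe>
<iframe src="http://shop.example.test/help"></iframe>
<form action="//collect.example.net/card" method="post">
  <input name="pan"><input name="cvv">
</form>
</body></html>
"""


class OriginCollector(HTMLParser):
    """Collect the resolved URL of every <iframe src> and <form action>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            target = attrs.get("src")
        elif tag == "form":
            target = attrs.get("action")
        else:
            return
        if target:  # relative URLs are resolved against the page URL
            self.found.append((tag, urljoin(self.page_url, target)))


def origin_of(url):
    """scheme://host[:port], lower-cased; scheme is part of the origin."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc.lower()}"


def cross_origin_embeds(page_url, html):
    """Return (tag, url) pairs whose origin differs from the page's origin."""
    parser = OriginCollector(page_url)
    parser.feed(html)
    page_origin = origin_of(page_url)
    return [(t, u) for t, u in parser.found if origin_of(u) != page_origin]
```

Run against the sample, it flags the bank's challenge frame, the plain-http help frame (a mixed-content frame the browser does not protect) and the card form posting to a third-party host, while the shop's own confirm form is not reported.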
© 2010 onwards by PC Services, Reading UK. Last Updated: 5th August 2012