,
23 tweets,
4 min read
Read on Twitter
The PDF also requested a bunch of personal identification data such as name, age, and address. They wanted me to fill out the PDF and email it back to them. [2/23]
As the default s̶u̶c̶k̶e̶r̶ sys-admin for my parents and extended family, I've seen them become vulnerable to some pretty nasty phishing attacks and malware in recent years. Heck, I've been a target myself. [3/23]
I'm constantly trying to help them develop their 'sniff test' for suspect interactions. But I'd argue that there's more to be gained by educating businesses on better op-sec than mopping up messes at the individual end. [4/23]
So next time you come across a small business accepting or requesting credit card details on an insecure channel here's just a quick round-up of some of the obvious arguments against this particular practice: [5/23]
To start with the bleeding obvious, we don't share credit card details over unencrypted or insecure channels. Ever. You wouldn't pay for a product on a site without HTTPS. [6/23]
You shouldn't capture credit card details on a Google form (it's against their TOS). Encryption and SSL helps us know who's sending, who's receiving, and hashes (scrambles) the information while it's in transit to make sure no one can snoop. [7/23]
Even if your email gets lucky and transits from sender to receiver without incident, that information will be likely stored in-perpetuity on the servers of the email client. [8/23]
If you're with Google, for example, that means Google having that information available to them and trusting them not to misuse it or share it, ever. [9/23]
Let's examine the PDF container more closely. Many users, especially digital natives will likely fill out a PDF using a text annotation tool and type in the details on their computer. [10/23]
In this case you get the plaintext credit card numbers stored in a nice, easy-to-capture format alongside a bunch of additional personal identifiable data. It's a gift to identity thieves. [11/23]
Even in the instance of bothering to print out the PDF, fill out the info by hand, taking a photo and attaching that to the email, it's still insecure because if that data is intercepted, attackers can use their eyeballs. [12/23]
If you're thinking about fraud at-scale, OCR is pretty good these days. [13/23]
Let's say nothing goes wrong at all - you successfully receive your customers' details via email or PDF and there are no negative repercussions. You are still responsible for materially weakening your customers' security. [14/23]
You're essentially grooming them to be comfortable with the insecure transmission of their sensitive data. Put another way, you're teaching them to accept candy from strangers. [15/23]
If they were to provide their details in the same way to an unscrupulous online retailer, for example, they might be at risk of that information being passed onto third parties for identity theft. This is called merchant collusion. [16/23]
And there are lots of nasty ways to snare the unsuspecting online shopper. Other vectors of attack include... [17/23]
Triangulation fraud:
radial.com/insights/under… [18/23]
radial.com/insights/under… [18/23]
Site cloning:
abc.net.au/news/2018-07-0… [19/23]
abc.net.au/news/2018-07-0… [19/23]
False merchant sites:
trulioo.com/blog/fake-merc… [20/23]
trulioo.com/blog/fake-merc… [20/23]
Asking for credit card data capture on insecure channels is also a violation of your credit card merchant agreements. All credit card merchants are required to conform to PCI-DSS which spells out rules for handing credit card data. [21/23]
If you check the PCI DSS standards, you'll find the following:
"Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.)." (PAN = Primary Account Number) [22/23]
"Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.)." (PAN = Primary Account Number) [22/23]
<<FIN>>
Hopefully that's enough ammunition to help convince your online retail friends to get serious about their security procedure. Let's gently retire the PDF credit card capture form, please. [23/23]
Hopefully that's enough ammunition to help convince your online retail friends to get serious about their security procedure. Let's gently retire the PDF credit card capture form, please. [23/23]
