1. Home
  2. Electronics Design
  3. How safe are websites that require credit card info?
  4. Page 2

How safe are websites that require credit card info?

Relying on what?

  1. A keylogger could not download and install itself in Ubuntu when there is no browser or other program running and Ubuntu is behind a NAT router?

  1. A keylogger running in Ubuntu could not intercept keystrokes meant for the banking vm especially when Sticky does not use the keyboard to log on?

  2. A keylogger running in the browsing vm could not intercept keystrokes meant for the banking vm when
3a. Sticky does not use the keyboard to open the bank web site; 3b. Sticky does not use the keyboard to log on to the bank web site.

Sure, the source code for VirtualBox is available and someone with enough skill could figure out how to jump from the browsing vm through VirtualBox to Ubuntu, then figure out which vm I am using for banking, then filter back through VirtualBox to the banking vm, then override Sticky and figure out what banking site I am going to, and capture the logon information when Sticky logs on.

Possible, but highly unlikely. It's not worth their time and effort when there are much easier targets available.

Besides, I don't have that much money in web-accessible accounts to make it worthwhile. They might get a few thousand, but the rest is offline and in secured accounts that require my presence and a manager's override to access.

Reply to
Tom Swift
Loading thread data ...

I'm all for removing the testicles* and 10 years in jail for those that commit credit card fraud. I have had fraud twice on my credit card, didn't cost me anything, but it is a cost to society. I did have to wait a few days for a new card. I don't know who gets the first financial hit. On my first fraud, someone bought a $200 steak dinner and spent about $100 at a CVS. Does the retailer take the hit or the Credit card company?

The second time it was a bunch of purchases of iTunes products.

We're pretty sure the card numbers were collected in Gainesville Fl. while my daughter was in college both times.

I will congratulate the bank, Citi for having good software catching these things fast. I got a call once asking did I just check out of a hotel? It was about 11am. Also got a call when my wife charged $1.00 for gas, before she saw a cheaper cash price. They said sometimes crooks will charge a small amount to see if the number is good. I can't recall the other times, but I appreciate them keeping track. Mikek

  • I'll supply the branch lopping shears.
--
This email is free from viruses and malware because avast! Antivirus protection is active. 
http://www.avast.com
Reply to
amdx

Ross Anderson's team at the University of Cambridge. It is always worth seeing what they been up to!

IIRC there are videos demonstrating the attack in a UoC canteen, probably on youtube by now.

Standard operating procedure over here. Causes the mom-and-pop retailers significant expense.

Reply to
Tom Gardner

On Fri, 26 Sep 2014 23:00:56 +0100, Tom Gardner Gave us:

There is a BASH vulnerability.

On Thu, 25 Sep 2014 04:59:58 +0300, Henry Crun Gave us:

Check out the discussion on alt.os.linux.ubuntu

Reply to
DecadentLinuxUserNumeroUno

I'm not going to feed this troll. Others may consider taking a similar position.

On 26/09/14 23:05, DecadentLinuxUserNumeroUno wrote:

Reply to
Tom Gardner

Didn't give pin number, and I read transactions less than $35 can be made without a pin. I can buy stuff at McDonald's without a pin. So maybe it's safe to assume the card is only good to $35 without the pin?

--- news://freenews.netfront.net/ - complaints: snipped-for-privacy@netfront.net ---

Reply to
Bill Bowden

Oops, I forgot. I'm in Canada, so they would also need my chip and PIN card to access the bank teller's reader, plus the 5-digit PIN to access the secured accounts. There is only one card and I have it. The PIN is not written down.

The secured accounts cannot be accessed online, from an ATM, or from any other reader such as Walmart, etc. These only have buttons for Checking and Savings accounts. There is no way to access the extra blocked accounts, and it wouldn't do them any good anyway since the account is blocked.

BTW, you should be able to open a secured account. Just open a normal account and have it blocked. Banks need to be able to block an account for various reasons, so the computer understands what that means. But in this case, you are the one who is blocking the account, and it will take a manager's override to access it. Just keep whatever working funds you need in the regular accounts, and keep the rest in the blocked account.

Keep your money. Don't give it to criminals.

Reply to
Tom Swift

Well, there's always the Evil Maid attack. ;)

I don't know the details of the Linux kernel well enough to be sure about that. Do you? Or are you relying on your pal's say-so? (Not throwing rocks here, I just don't know.)

You had to enter the login information from the keyboard at some point, no? And how sure are you that the interface between your password manager and your browser doesn't pass through some interface that can be hooked? I don't know if it can or not, but I'm pretty sure that read-only media like Knoppix CDs are very hard to hack.

So one hopes. Of course, once the script is out there, it costs nothing for them all to try it. That's the problem with malware--Lamarckian evolution. :(

Again, so one hopes. My main money is in an account that has zero web access. They keep asking me to give up my paper statements, and my response is, "You stop sending paper, you don't manage my money."

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs 
Principal Consultant 
ElectroOptical Innovations LLC 
Optics, Electro-optics, Photonics, Analog Electronics 

160 North State Road #203 
Briarcliff Manor NY 10510 

hobbs at electrooptical dot net 
http://electrooptical.net
Reply to
Phil Hobbs

I didn't know there was a $35 transaction limit on these cards. I thought if you used them without the PIN (which is the only way to use them anywhere that isn't an ATM machine or a supermarket, etc) they are pretty much the same as a credit card?

--

Rick
Reply to
rickman

I think a big 10 lb. sledge hammer would give more pleasure.

Reply to
Tom Miller

It depends on the merchant. They assume the risk if they process without the pin or a signature.

Reply to
Tom Miller

Return the funds to your account and wipe out any overdraft charges.

If you're not a deadbeat, they won't have returned "checks", either.

If you're not a deadbeat...

No, it really isn't. Perhaps you are that much of a deadbeat, though.

Reply to
krw

No, it rarely is. Your liability is still limited and if your bank is any good, it's zero. The larger the bank, the "less good".

Reply to
krw

If "pretty much the same" is your attitude toward financial transactions... or any legal matter for that matter...you'd better hand the checkbook over to the spouse, your kid, the maid...anybody else.

Reply to
mike

There is nothing magic about $35. Yes, you're right. Without a PIN, the transaction is cleared through the Visa or MC network and is just like a credit card, with the obvious difference of the direct withdrawal.

Reply to
krw

Are you sure he isn't a liar?

You are getting what he is saying. If you have a problem with a debit card your checks and payments start bouncing even though you had money in your account... until the thieves took it all. By the time you find the problem and get the bank to put the money back, the problem with your record and increased rates on loans is unfixable.

You can't unring a bell either.

--

Rick
Reply to
rickman

Opps, that should be "you aren't getting what he is saying." ^^^^^^

--

Rick
Reply to
rickman

I can attest to this. I was getting rid of a virus for a friend and was reinstalling Windows 2000 from scratch. I would get online to get updates and would immediately get reinfected. It was a pita to keep doing this but I must have been on drugs because I did it several times before I remembered to install the patch to remove the vulnerability

*before* I went online.

I can not attest to this.

BTW, what does "bruited about" mean? I looked it up. I guess the question I really want to ask is, where did you learn this expression?

--

Rick
Reply to
rickman

I don't know either, that's just I read in some internet conversation. Next time I'm in the bank, I will ask the teller about it. But it does seem reasonable there is a limit on debit cards without a pin number. I guess the acid test is to try and buy something for a couple hundred to see if a pin is required.

--- news://freenews.netfront.net/ - complaints: snipped-for-privacy@netfront.net ---

Reply to
Bill Bowden

In olden times the credit card company published a list of stolen card numbers. If you took a charge on a card on the list I believe you were responsible. Otherwise the CC company took the hit. Now since everything is done electronically the CC company has to take the hit.

Hmmm... spending money at CVS is no big deal. If the theft is reported you leave and they have your picture. If you are paying for a steak dinner they have time to call a cop.

Many years ago when he was in college a friend found a credit card while he was on vacation. He went to a bar and was living it up buying drinks for everyone. He was lucky and was just coming out of the bathroom when the cops came in so he lamed it out the back door.

--

Rick
Reply to
rickman

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.