Did Credit Card Scammer War Drive?
from the evidence-please? dept
There’s a story making the rounds this morning about a teenager being charged with credit card fraud. He apparently got credit card numbers somehow, made up fake cards, and gave them to people to buy stuff. What’s unclear, however, is how he got the card numbers. The article claims: “They believed that he was gathering credit card numbers online or parking in residential neighborhoods and capturing wireless transmissions of financial information on his laptop.” Gathering credit card numbers online is fairly common, but the claim that he was getting them via wireless networks deserves more scrutiny. It is certainly possible, but it’s pretty difficult. Even if your WiFi network is unprotected, most websites that require a credit card entry will use encryption, meaning he should not have been able to get the card numbers that way. Because the press seems to really like writing up stories about war drivers stealing credit cards, it’s only a matter of time until this aspect of the story gets more attention — but there should be a little more evidence to show that he actually obtained credit card numbers this way, and an explanation of how that happened if people were using sites that used encryption.
Comments on “Did Credit Card Scammer War Drive?”
Probably easier than you think.
While it’s true that most credit card-accepting sites will use SSL encryption, it’s not always clear how weak the ‘human’ aspect of that security chain is. It’s actually fairly easy to associate with a wireless network and spoof clients into forwarding all outbound traffic to you instead of the router. Once that is done, it’s possible to set up a website proxy which uses a fake SSL certificate on the client side and establishes a real SSL connection with the server.
When this happens, the client does get a warning box from their browser saying that it couldn’t verifiy the SSL certificate of the server, but how often do you think people are willing to click “Ok” to a warning box that they don’t understand? Probably more often than anybody would like to admit. Once the user clicks ok, the “encrypted” session goes on unhindered with the eavesdropper listening in to everything being said.
People don’t understand the gravity of certificate-verification warning boxes. If your browser isn’t able to verify a SSL certificate with a central authority, then the chain of trust is broken and any claims to security are null and void.
No Subject Given
There are much easier ways to get CC #’s that people are totally oblivious about.
I won’t name the restaraunt, but while there and waiting for a table, they had that nights receipts on the table where the hostess sits and in plain sight were receipts with full credit card numbers along with expiration dates. One shot with a camera phone and those people would have been screwed.
Unfortunatley, a lot of the press are brain dead in terms of technology and have no right to be talking about it, but this stuff does happen.
Another scenario is when people hold out their credit cards while in line waiting to pay, a simple, indiscreet capture of that, again with a camera phone or other type of device and gone.
Re: Camera Phone theory
Chomper,
While I’ll agree with you that # stealing is eas & usually doesn’t have to rely on technology … the camera phone theory has already been shot down.
Somebody got the links ?
Re: Re: Camera Phone theory
How about links right here at Techdirt:
http://www.techdirt.com/articles/20041223/1438218.shtml
Yeah, that cameraphone story isn’t true. So far, there aren’t many cameraphones out there good enough to snap a photo of credit card numbers. However, it could be an issue at some point, though you hope, by then, people are smart enough to notice someone fiddling with their phone nearby.
Residential neighborhoods?
There have been stories about people doing this near Big Chain Store Inc. where they used wireless from the cash register or such, but residential neighborhoods? As you point out, it doesn’t seem likely…
– ask
Possible, and relatively easy
While the wifi attack may or may not have been used in this case, it would be trivial to accomplish.
Rather than a fancy SSL man-in-the-middle attack, just connect to the (likely unsecured) wifi and install a browser helper (on the likely insecure PC) that keylogs whenever an interesting site is accessed. Come back a month or two later, get the logs, and wipe out the keylogger.
For the finishing touch, use the victim’s own wifi network to connect to the bank and drain his account. The logged IP (that of the router/firewall) would belong to the victim.
Re: Possible, and relatively easy
Rather than a fancy SSL man-in-the-middle attack, just connect to the (likely unsecured) wifi and install a browser helper (on the likely insecure PC) that keylogs whenever an interesting site is accessed. Come back a month or two later, get the logs, and wipe out the keylogger.
Er… what are you installing a keylogger on? Even if you can get on an average WiFi network, it’s much less likely you’ll get access to someone’s computer.
Re: Re: Possible, and relatively easy
From my condo (not wardriving) I can get to two completely open access points. Both are fully browsable from Windows; the PCs on those networks advertise their names.
If we assume those users took a minimal set baseline steps to secure their PCs (e.g. rename administrator account, use non-dictionary passwords, enable account lockout on invalid passwords, configure the event log to audit logon failures…) then you are correct. But, if someone’s access point is blinking 12:00, how sophisticated is that end-user?