Secure Credit Card Station

Mauro Souza thoriumbr-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Sep 23 15:07:09 UTC 2013


Private browsing will not prevent any keylogger from capturing anything,
and it would be very, very easy for the owner of the system to install a CA
certificate on the machine and MiTM every connection.
A portable credit/debit machine would be ideal. Everyone knows them, trusts
them, and they are easy to set up.

How to hack it? I can see some ways. If you have a browser, and it can
connect to any site, it is easy to download a terminal emulator and run it.
Or download a tarball, extract it somewhere, and run whatever is inside. If
I can connect to addons.mozilla.org I can install some good addons and get
a lot of things. I can install a rogue certificate; I can redirect the
users somewhere else. I can run the browser fullscreen and create a site
that mimics the browser, but all traffic is redirected. Or I can access a
VNC server via browser, leave it open, and every user will connect to my
server instead of yours.

If it can pass GRC testing, that is a good thing, until someone uses the
machine. You will have to retest the machine for EVERY customer, or it means
nothing.

Mauro
http://mauro.limeiratem.com - registered Linux User: 294521
Scripture is both history, and a love letter from God.


2013/9/22 William Park <opengeometry-FFYn/CNdgSA at public.gmane.org>

> On Sat, Sep 21, 2013 at 04:19:33PM -0400, Howard Gibson wrote:
> >    An organization I belong to is interested in setting up a laptop on
> >    which members can do credit card transactions.  I pointed out to
> >    them that I do not type my credit card number onto MY laptop.  I am
> >    sure as hell not typing it on someone else's.  I am looking into
> >    the problem here, at the very least, because it is interesting.
> >    Let us assume people are willing to trust us.
> >
> >    The offending laptop is running Linux.  It is connected to the
> >    internet, probably through wifi.  It is placed facing a wall or
> >    some other barrier so that people can sit at it and not have their
> >    keystrokes observed.  I have set up a user account with a
> >    restricted environment.  The user can launch a browser that
> >    connects to our website, or they can log out.  There is no access
> >    to other applications, file managers, or terminals.  We will log
> >    them in.  They will not know the password.  There are multiple ways
> >    to do this.  I picked one of them.  As far as I know, the machine
> >    passes http://www.grc.com's True Stealth analysis.  I need to test
> >    this.
> >
> >    Any thoughts on this?
> >
> >    If you knew we were doing this, how would you hack into the machine?
>
> If you are talking about letting members shop online, then I think there
> is "Start Private Browsing" (under Tools tab) in Firefox.  You can tell
> them to use that.  But I would recommend avoiding this kind of
> liability.
> --
> William
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
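A defender-side check for the "retest the machine for EVERY customer" point in Mauro's reply, added here as an example and not code from the thread: it snapshots the kiosk user's browser profile and the system CA store and reports what changed after a session, which is where a rogue certificate, an unexpected addon or an edited prefs file would show up. The profile, CA and baseline paths are assumptions and must be adjusted to the actual kiosk.

```python
"""Per-session integrity check for a kiosk browser (added example).

Usage: run with --init once the kiosk is in its known-good state, then run
without arguments after every customer session; a non-zero exit means the
profile or trust store changed and the machine needs attention.
"""
import hashlib
import json
import sys
from pathlib import Path

# Assumed locations; adjust to the kiosk's real profile and CA directories.
PROFILE_DIR = Path("/home/kiosk/.mozilla/firefox/kiosk.default")
CA_DIR = Path("/etc/ssl/certs")
BASELINE = Path("/var/lib/kiosk/baseline.json")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large cert bundles are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots) -> dict:
    """Map every file under the given roots (files or dirs) to its hash."""
    manifest = {}
    for root in map(Path, roots):
        files = [root] if root.is_file() else sorted(root.rglob("*"))
        for p in files:
            if p.is_file():
                manifest[str(p)] = hash_file(p)
    return manifest


def diff(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


if __name__ == "__main__":
    current = snapshot([PROFILE_DIR, CA_DIR])
    if "--init" in sys.argv:
        BASELINE.parent.mkdir(parents=True, exist_ok=True)
        BASELINE.write_text(json.dumps(current, indent=1))
        sys.exit(0)
    changes = diff(json.loads(BASELINE.read_text()), current)
    print(json.dumps(changes, indent=1))
    sys.exit(1 if any(changes.values()) else 0)
```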