Secure Credit Card Station
Mauro Souza
thoriumbr-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Sep 23 15:07:09 UTC 2013
Private browsing will not prevent any keylogger from capturing anything,
and it would be very, very easy for the owner of the system to install a CA
certificate on the machine and MiTM every connection.
A portable credit/debit machine would be ideal. Everyone knows them, trusts
them, and they are easy to set up.
How to hack it? I can see some ways. If you have a browser, and it can
connect to any site, it is easy to download a terminal emulator and run it. Or
download a tarball and extract it somewhere, and run whatever is inside. If
I can connect to addons.mozilla.org I can install some good addons and get
a lot of things. I can install a rogue certificate, I can redirect the
users somewhere else. I can run the browser fullscreen, and create a site
that mimics the browser, but all traffic is redirected. Or I can access a
VNC server via browser, let it open, and every user will connect to my
server, instead of yours.
If it can pass GRC testing, that is a good thing, until someone uses the machine.
You will have to retest the machine for EVERY customer, or it means nothing.
Mauro
http://mauro.limeiratem.com - registered Linux User: 294521
Scripture is both history, and a love letter from God.
2013/9/22 William Park <opengeometry-FFYn/CNdgSA at public.gmane.org>
> On Sat, Sep 21, 2013 at 04:19:33PM -0400, Howard Gibson wrote:
> > An organization I belong to is interested in setting up a laptop on
> > which members can do credit card transactions. I pointed out to
> > them that I do not type my credit card number onto MY laptop. I am
> > sure as hell not typing it on someone else's. I am looking into
> > the problem here, at the very least, because it is interesting.
> > Let us assume people are willing to trust us.
> >
> > The offending laptop is running Linux. It is connected to the
> > internet, probably through wifi. It is placed facing a wall or
> > some other barrier so that people can sit at it and not have their
> > keystrokes observed. I have set up a user account with a
> > restricted environment. The user can launch a browser that
> > connects to our website, or they can log out. There is no access
> > to other applications, file managers, or terminals. We will log
> > them in. They will not know the password. There are multiple ways
> > to do this. I picked one of them. As far as I know, the machine
> > passes http://www.grc.com's True Stealth analysis. I need to test
> > this.
> >
> > Any thoughts on this?
> >
> > If you knew we were doing this, how would you hack into the machine?
>
> If you are talking about letting members shop online, then I think there
> is "Start Private Browsing" (under Tools tab) in Firefox. You can tell
> them to use that. But, I would recommend avoiding this kind of
> liability.
> --
> William
> --
> The Toronto Linux Users Group. Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
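Mauro's closing point, that the kiosk has to be retested after every customer, can be partly automated on the defender's side. The following is an added example, not code posted by anyone in this thread: it snapshots the kiosk user's browser profile right after setup, and after each session reports every added, removed or modified file, flagging the ones that matter most for the threats described above (the NSS trust store, where an extra CA would land, the extensions directory, and preference overrides). The Firefox file names are real; the profile path, the baseline location and the sample contents are assumptions constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Paths inside a Firefox profile whose change between sessions should block
# the next customer until the profile is reset: the NSS trust store
# (cert9.db/cert8.db/key4.db), installed extensions, and pref overrides.
HIGH_RISK_PREFIXES = ("cert9.db", "cert8.db", "key4.db", "extensions/",
                      "extensions.json", "prefs.js", "user.js")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(profile_dir: Path) -> dict:
    """Map every file under the profile (relative POSIX path) to its digest."""
    return {
        p.relative_to(profile_dir).as_posix(): hash_file(p)
        for p in sorted(profile_dir.rglob("*"))
        if p.is_file()
    }


def save_baseline(profile_dir: Path, baseline_file: Path) -> None:
    """Record the known-good state right after the kiosk is set up."""
    baseline_file.write_text(json.dumps(snapshot(profile_dir), indent=2))


def check_profile(profile_dir: Path, baseline_file: Path) -> dict:
    """Compare the live profile to the baseline.

    Returns the added/removed/modified paths, the subset touching high-risk
    paths, and a 'clean' flag that is True only when nothing changed at all.
    """
    baseline = json.loads(baseline_file.read_text())
    current = snapshot(profile_dir)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline
                      if k in current and baseline[k] != current[k])
    changed = added + removed + modified
    high_risk = sorted(k for k in changed if k.startswith(HIGH_RISK_PREFIXES))
    return {"added": added, "removed": removed, "modified": modified,
            "high_risk": high_risk, "clean": not changed}


def demo() -> dict:
    """Build a constructed throwaway profile, baseline it, simulate a session
    that dropped in an add-on and altered the trust store, and return the
    report. All file contents here are constructed placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "kiosk.default"  # assumed profile location
        (profile / "extensions").mkdir(parents=True)
        (profile / "cert9.db").write_bytes(b"constructed trust store contents")
        (profile / "prefs.js").write_text(
            'user_pref("browser.startup.homepage", "https://example.org");\n')
        (profile / "places.sqlite").write_bytes(b"constructed history db")
        baseline = Path(tmp) / "baseline.json"  # assumed baseline location
        save_baseline(profile, baseline)

        # Simulated changes during a customer session (constructed):
        (profile / "extensions" / "unexpected-addon@example.test.xpi"
         ).write_bytes(b"not a real add-on")
        (profile / "cert9.db").write_bytes(b"constructed trust store + extra CA")
        (profile / "places.sqlite").write_bytes(b"history db with visits")  # benign churn

        return check_profile(profile, baseline)


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    if report["high_risk"]:
        print("ALERT: reset the kiosk profile before the next customer")
```

In practice the baseline file must live somewhere the kiosk user cannot write (a root-owned directory, or off the machine entirely), otherwise whoever tampers with the profile can update the baseline to match. Benign churn such as history or cache files will show up under `modified`; only `high_risk` should gate the next session, and the simplest response to any hit is to discard the profile and restore it from a pristine copy rather than trying to repair it.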