By-passing SSL security in credit card transactions
Vincent L Gilbert |
This document is provided as a linked outline to documents published by professionals in the security field. As the location of referenced documents changes, these links may be updated to reference alternate but similar material. In some cases, separate links may be provided, directed at differing levels of expertise.

[1] SSL as it is used in securing card transactions
 1.1 Overview
1.2 Network architecture as implemented
[2] Detailing the flaw
 2.1 The client
2.11 The glaring flaw in the SSL process, as it relates to the gathering of client information, is the lack of control over the client's PC. Simply put, there is no need to breach the SSL process, only to circumvent it by accessing the data BEFORE it is encrypted. This is accomplished using a combination of existing techniques. See 2.12, 2.13.
2.2 Proof of concept
The proof of concept was first detailed in 2005; it is substituted here by details of actual malicious code designed to exploit the disclosed flaw.
[3] Solutions
 3.1 Current solutions |
Image selection is based on the idea that memorizing passwords can be supplanted by the memorization of a pre-selected graphic. This is ineffective in an online application, as it is a simple matter to intercept mouse cursor position instead.
3.12 Keystroke logging detection and interception
Most major manufacturers have incorporated some form of keystroke logging detection and interception into their suites; however, these are NOT effective against hardware devices, and they have a common flaw that makes the average home user even more vulnerable to attack. The use of automatic update systems in a non-controlled network environment makes the security suite itself a vector for the installation of trojans through the implementation of ARP spoofing.
3.2 Proposed solution |
The proposed solution is to use an application to enter the numeric (or, in an expanded application, alphanumeric) data. This completely neutralizes the threat of software- or hardware-based keystroke loggers and, as the screen position of the application is random, greatly increases the complexity involved in extrapolating the numeric data by calculating the mouse position and key click data.
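A sketch of the placement and hit-testing logic such an entry application needs, added here as an example (it is not the author's application). The key size, keypad layout, default screen size and the choice to move the pad before every digit are assumptions; the page only states that the screen position is random.

```python
import secrets
from dataclasses import dataclass

# Assumed geometry (not from the page): a 3x4 pad of 60x60 pixel keys.
KEY = 60
LAYOUT = ["123", "456", "789", " 0 "]
PAD_W, PAD_H = KEY * 3, KEY * 4

@dataclass(frozen=True)
class Keypad:
    x: int  # absolute screen position of the pad's top-left corner
    y: int

    def digit_at(self, sx, sy):
        """Map an absolute screen click to a digit, or None for a miss."""
        col, row = (sx - self.x) // KEY, (sy - self.y) // KEY
        if 0 <= col < 3 and 0 <= row < 4 and LAYOUT[row][col] != " ":
            return LAYOUT[row][col]
        return None

    def centre_of(self, digit):
        """Absolute screen coordinates of the centre of a digit's key."""
        for row, keys in enumerate(LAYOUT):
            col = keys.find(digit)
            if col >= 0:
                return (self.x + col * KEY + KEY // 2,
                        self.y + row * KEY + KEY // 2)
        raise ValueError(digit)

def place_keypad(screen_w, screen_h):
    """Pick a uniformly random, fully on-screen origin from the OS CSPRNG."""
    if screen_w < PAD_W or screen_h < PAD_H:
        raise ValueError("screen too small for keypad")
    return Keypad(secrets.randbelow(screen_w - PAD_W + 1),
                  secrets.randbelow(screen_h - PAD_H + 1))

def enter(digits, screen_w=1920, screen_h=1080):
    """Simulate entry with the pad moved before every digit (assumption),
    so the spacing between clicks is not tied to the key layout.
    Returns (decoded_digits, absolute_click_coordinates)."""
    clicks, decoded = [], []
    for d in digits:
        pad = place_keypad(screen_w, screen_h)
        click = pad.centre_of(d)
        clicks.append(click)
        decoded.append(pad.digit_at(*click))
    return "".join(decoded), clicks
```

The application only ever interprets clicks relative to its own current origin, so the digits never pass through the keyboard path and the absolute coordinates recorded for the same number differ between sessions.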
|
|
 |