
5900 online stores found skimming - knivek
https://gwillem.github.io/2016/10/11/5900-online-stores-found-skimming/
======
mrweasel
As the article points out, if someone can inject Javascript into your checkout
page, you're most likely also having other security issues.

Still, and I'm pretty much being called an idiot every time I point this out:
You should NEVER have the user enter credit card information on your site.
That is something that is best left to your PSP. If you're Amazon or similar
size, fine, I can accept that you most likely have the needed resources. Anyone
smaller should never interact with credit card information, leave it to
Stripe, BrainTree, Paypal, someone trusted, with the resources to handle it.

Also I'm not really surprised to see that it seems to be affecting Magento
shops. Similarly to not accepting credit cards directly: If you don't have the
technical resources, don't run Magento. It's big and complicated, and you need
to react fast when there's a problem. Contracting is an option, but expensive
and the turnaround time is a lot higher, especially if there's a critical
error in Magento and everyone needs the issue fixed right then and there.

~~~
notmything
I work in ecommerce consulting - most of my clients take CC info on their
site, the forms on the checkout POST (over SSL) to the PSP who then return a
token to the site, all future transactions use the token.

Most people don't want to bounce customers to a third party site for payment,
it really hurts conversions.

~~~
cillian64
I don't understand this at all. I really, really don't want to give my credit
card details to some random webshop who are exceedingly unlikely to have solid
security. If I can use PayPal or another well known payment provider, great, I
don't even have to type in my details. But even a less well known PSP is more
likely to get it right than a small business webshop.

A slightly jarring user interface seems a small price to pay for a much lower
chance of my payment details being compromised. Is this a minority view?

~~~
4ad
I am not liable for credit card fraud. The last thing in the world I want is
inconvenience for _me_, when it's _other people's_ money at risk (bank,
merchant, CC company, whoever), not mine.

On the other hand, Paypal itself is a liability. Blocking your account (and
your money!) for months without recourse, randomly reducing expense limits to
nothing (50 EUR) are not just some Internet stories, but things that have
happened to me personally multiple times.

When my card was stolen (debit card even!), I didn't lose a dime, nor time.
Bank just sent me a new card the same day. I didn't even have to report the
fraud, they detected it themselves, as they are really good at that. They just
called me to tell me about it, and that they sent me a new card.

~~~
MrTonyD
Some years ago I had a Bank of America credit card. My new card never arrived
in the mail, and I discovered 3,000 in charges. When I reported it, Bank of
America insisted that they had mailed me the card and that I was responsible
for its use. I appealed, and they still insisted that I pay the bill. I don't
know their logic - was it just some employees trying to increase profit - like
Wells Fargo today? And what choice did I have? Hire a lawyer for $400/hour?
Lose hours of work time fighting them? Allow my credit to be wrecked? So I
paid them and got a different credit card. (They even fined me and charged me
interest for the months I was contesting the charges.)

In the end, they hold an unfair power over those who they can extort. I wish
we had much better consumer laws - to actually protect us.

~~~
4ad
> I wish we had much better consumer laws

We have excellent consumer laws in this particular regard. If only consumers
fought for their rights instead of paying the mafia!

> Hire a lawyer for $400/hour?

You don't need a lawyer for small claims court.

------
catshirt
"We don’t care, our payments are handled by a 3rd party payment provider"

"Thanks for your suggestion, but our shop is totally safe. There is just an
annoying javascript error."

please share the stores sending these negligent and insulting responses. they
don't deserve any sort of protection.

~~~
0xmohit
There were a couple of occasions quite some time back (circa 2010) when I
reported issues to e-commerce sites:

- trivial enumeration attacks that could be used to retrieve customer
information (name, address, order, payment details, ...)

- XSS issues that could be exploited by sending crafted URLs to customers

In all cases, I received rather lame responses as if the person in question
was completely nonchalant about the issues.

All I could do was to avoid those stores myself.

------
KhalilK
Archived link of the censored list:
[https://archive.is/8u0iB](https://archive.is/8u0iB)

~~~
Rexxar
Does anyone know why the list has been censored? Does it violate any law?

~~~
jwilcoxson
Not that I know of. My guess is that somebody on that list threw a DMCA
takedown notice at Github/Gitlab to get it pulled. Knee jerk reaction is to
pull first, verify later.

~~~
qwertyuiop924
That may have been the case with GitHub. Gitlab claimed that it fell into the
same category as zero-day exploits (which is ridiculous), and that as such
posting it wasn't responsible disclosure and it thus violated their ToS.

~~~
jwilcoxson
Sounds like he contacted some of the sites in the article and they blew him
off ("We are 100% secure, don't you see the Verisign badge?!"). But yeah, that
still makes sense that it could be pulled for that reason.

~~~
qwertyuiop924
It's not just that it makes sense, that's what GitLab said. I can't find the
link right now, but it's on the earlier HN post about Github/lab taking it
down.

------
nmc
The Gitlab clone of this post is already being discussed here:
[https://news.ycombinator.com/item?id=12712648](https://news.ycombinator.com/item?id=12712648)

Note that both GitHub and GitLab took down the list already.

------
zxv
This is not responsible disclosure [1], which raises an ethical issue.

For victims added to the list and published within days, the victim is not
allowed adequate time to fix their vulnerability. That does real harm to
the victims by inviting attacks before they can avoid the harm the disclosure
invites.

[1]
[https://en.wikipedia.org/wiki/Responsible_disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure)

~~~
allendoerfer
Wrong. The report is not about an open exploit but about an actively used
exploit spreading malware.

~~~
zxv
The sites are victims of the exploit as well. That is the issue I am raising.

------
anondon
I constantly see various posts regarding credit card skimming and find it
curious why 2 factor authentication is not enforced for all transactions. It's
a simple solution, having someone's credit card info is not sufficient to make
a transaction.

Note: I am not from the USA. The 2FA solution is the default in my country,
and I have literally never heard anyone lose money because of skimming.

~~~
kalleboo
There's a lot of hate against 3DSecure around here because a lot of banks and
stores (seems primarily in the US and U.K.) have extremely poor
implementations of it.

Horror stories on here range from having the 3DSecure in an iframe to having
horrible "secret question" style inline enrollment.

My banks implement it decently - weird third party URLs (albeit with the bank's
name on the EV certs), but using mobile 2FA apps or hardware card readers for
the verification. One of my banks enforces 3DSecure for their debit cards (but
not credit cards) since all domestic stores support it.

~~~
anondon
3DSecure and the Visa equivalent (don't remember the name) are not really what
I meant by 2FA.

To make a transaction:

-add items to cart

-enter card details

-you are redirected to 3DSecure if it's enabled

-you are redirected to a page of your bank where you enter a One Time Password (OTP). It's a simple 6 digit number sent to your mobile phone and is unique for every transaction. Enter OTP.

-transaction is confirmed.

So even if someone has my card details they can't make any transaction (unless
they also managed to steal my phone).

Sorry if my original comment was not clear.

~~~
bluesign
Almost all banks I am working with implement 3DSecure like this.

~~~
anondon
Thank you for clarifying, I was not sure if it was the same in the USA.

Follow up question, how widespread is the adoption of 3DSecure in the USA and
if it's not available, is it easy to get 3DSecure activated?

------
BenedictS
I think this is a bad generalization, that doesn't even stand in more than 50%
of the cases: _If someone can inject Javascript into your site, your database
is most likely also hacked._

~~~
jerf
There's a lot of PHP and similar technologies on the web, where the mechanism
for hacking a site such that you can insert something into the HTML template
also implies full code execution abilities. These technologies are still very
popular and multiple large projects that are widely deployed by many sites are
implemented with them.

It depends on the details, because there are also technologies where the
templates are separated and you can add text to them without execution rights.
But for all that people on HN may tend to prefer that, in the great big real
world, thinking separation of execution and data is a requirement for a
template language is a niche view. Even here you can start up a rollicking,
free-wheeling debate on the topic, and I'm not even sure where I come down
myself.

Unsurprisingly, the scammers use scanners that look for the soft targets
first, so, statistically, I'd suspect the claim could be modified to a true
statement with "If someone can inject Javascript into your site, they _could_
have hacked your database with just a bit more effort on your site." It's
easier to write something that sprays a script tag across a whole bunch of
sites that can scrape off anything that gets submitted that looks like a
credit card number than it is to write something to go dump databases across
all those same sites, because the database is more likely to be customized or
have quirky local rules that would make your automated code fail, or draw
attention to itself when it froze the database for half an hour, or some other
issue like that. But if someone paid _personal_ attention to your site, they
could probably grab the whole thing. At this scale, clearly personal attention
is not being paid to these sites.

------
maherbeg
I can't wait until Apple Pay and company are more widely deployed. It's
significantly more secure and way faster than manual entry. Tokenization can't
come fast enough.

------
hbcondo714
I'm surprised this article does not mention the use of virtual credit card
numbers in their list of solutions. I use one-time / temporary card numbers
with expirations and dollar limits from my issuer[1] for both online and over
the phone transactions

[1] [https://www.cardbenefits.citi.com/Products/Virtual-Account-Numbers](https://www.cardbenefits.citi.com/Products/Virtual-Account-Numbers)

~~~
initram
I tried to do this with Citibank a few years ago and couldn't get it to work.
I don't know if the issue was something in my browser, or what, but it just
wouldn't generate the numbers for me. After that, I gave up. Maybe it works
better now?

------
callesgg
Those stores need to be reported to some entity. Maybe VISA?

~~~
Perixoog
The FBI.

~~~
callesgg
Are you serious? Do they handle these kinds of things?

In any case they only operate in the USA.

~~~
nommm-nommm
Yes, the FBI handles criminal investigations.

------
codedokode
The only reason this is possible is because card payment systems still are
using transistor era technologies with zero cryptography. You get someone's
card number and you can pay with it. All VISA security is based on trust. With
Internet it doesn't work anymore because you never know who your customer is,
you don't know what merchant does with card numbers and the laws are different
in different countries.

They also lack privacy: your name is written on a card and in every
transaction you use the same card number so merchants can collect person's
shopping history (and using a name they can find customer's page in social
networks). And maybe they even share this information among themselves.

Not in every country there are laws protecting clients. In US there is a law,
but in other countries if your card number got stolen you might never get the
money back and even be left with a debt if it was a credit card (because it is
client's responsibility to keep his card info secure).

When you are buying something online with a card there is no way to check
whether it is a real shop or just a fake site to collect card numbers.

As a result merchants make their own sophisticated antifraud system and you
never know whether your card would work or not. For example once I was unable
to pay for a Digital Ocean server with virtual prepaid card (of course I would
never pay with a real card on the Internet) so I chose another cloud hosting
and they lost a customer.

~~~
the_mitsuhiko
> The only reason this is possible is because card payment systems still are
> using transistor era technologies with zero cryptography.

Cryptography does not help here. The problem is that better transaction types
(3d secure) are badly implemented by banks and as such not deployed because
it's seen as an unnecessary second step.

------
the_mitsuhiko
And this is exactly why I do not understand why there is such a huge
opposition against 3D Secure. It prevents this exact issue. Card fraud on 3D
Secure pages that are well implemented (2nd factor with SMS or hardware device
token) is non existent.

~~~
initram
Here in the US, users avoid Verified by Visa (which I believe is the same
thing) because it moves the burden of fraud onto the end user. Whenever that
VBV page comes up, I immediately abort. I don't trust companies to keep my
card data safe, so if the burden is suddenly on me, I'll just go without
whatever I was going to buy if I can't get it elsewhere. It's that big of a
deal. This is before we even get to technical issues or the UI/UX flow.

~~~
the_mitsuhiko
That's misinformation. It only shifts because 3D Secure transactions require
another piece of info that is not sent to your merchant. So the only way this
fails is if your bank had a bad 3D Secure page or you fucked up.

------
projektfu
I'm surprised merchants don't care because they're ultimately responsible for
chargebacks, right? Isn't that the way things still work?

------
dpweb
Won't solve the problem completely, but what about removing eval from the
spec? Or making JS obfuscation more difficult?

~~~
jerf
I'm not sure what eval has to do with the specific problem, but you actually
can nuke eval from your website in most browsers now with a header:
[https://en.wikipedia.org/wiki/Content_Security_Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)

You could also prevent this problem in general with Content Security Policy,
by whitelisting only the domains you know JS should come from. Then, even if
they do in fact get a script tag on to your page pointing at a hostile domain,
it won't execute unless they also nuke your CSP headers. You can even set up
your CSP such that it notifies you upon violations. In theory a hacker could
still penetrate all that in one shot by disabling your CSP and then adding
their script, but it means if they miss the CSP even briefly that you have at
least a chance to be notified before they square it away. It at least raises
the bar.

But the real problem here is that we're not generally talking about people who
know about CSP, nor is it generally reasonable to expect they would or could,
at least right now. It's pretty niche stuff in general. I'm sure if I gave a
quiz on CSP here, a ton of people could reply with the correct answers, some
of them even without Googling, but in general if I talk to my coworkers about
that I'm doing well to get a vague "Yeah, I've heard of that I think..."

~~~
nateberkopec
In this case, since the attacker has access to the source code, they could
easily disable a site's Content Security Policy.

~~~
jerf
"Raises the bar", I did say. They have access but if they're only accessing it
through an automated system they may miss it.

Plus, I should have pointed out that CSP can be applied at higher layers,
including nginx itself or a WAF, that the attacker may not be able to access
or modify. I didn't think of it at the time.
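The allowlisting jerf describes in both comments above (script-src restricting where JS may load from, eval gated behind 'unsafe-eval', a report endpoint for violations, and the header being set at the nginx/WAF layer) can be checked offline with a small policy evaluator. This is an added example written for this thread, not code from the article or any project; it is a simplified model (no ports, paths, nonces, hashes or 'strict-dynamic'), and the shop, payment-provider and injected-script hostnames are constructed placeholders.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, url):
    """Match one host-source (scheme://host or *.host) against a script URL."""
    target = urlparse(url)
    scheme, host = pattern.split("://", 1) if "://" in pattern else ("", pattern)
    host = host.split("/", 1)[0].lower()          # ignore any path part (simplified)
    if scheme and scheme != target.scheme:
        return False                              # https://x does not allow http://x
    if host.startswith("*."):
        return target.hostname.endswith(host[1:]) # *.psp.example allows js.psp.example
    return host == target.hostname

def script_allowed(header, script_url, page_origin):
    """Would a <script src=script_url> run on page_origin under this header?
    Falls back to default-src when script-src is absent, as browsers do."""
    sources = parse_csp(header)
    sources = sources.get("script-src", sources.get("default-src"))
    if sources is None:
        return True                               # no applicable directive at all
    parsed = urlparse(script_url)
    origin = f"{parsed.scheme}://{parsed.netloc}"
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and origin == page_origin:
            return True
        if src == "*" or (not src.startswith("'") and host_matches(src, script_url)):
            return True
    return False

def eval_allowed(header):
    """eval()/Function() only work when the governing directive lists 'unsafe-eval'."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    return True if sources is None else "'unsafe-eval'" in sources

SHOP = "https://shop.example"                     # constructed shop origin
# The header a shop (or its nginx/WAF in front) would send: own JS plus the PSP's JS only.
CSP = "default-src 'self'; script-src 'self' https://js.psp.example; report-uri /csp-violations"
```

Browsers POST a JSON report to the report-uri path whenever an injected script is refused, which is the notification jerf mentions.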

~~~
nateberkopec
Great point, I didn't think of that either.

------
solotronics
the solution is a push model for digital money i.e. bitcoin

with credit cards it's like there is only a pubkey and no private key needed
to steal!

------
rurban
added them with 0.0.0.0 to my local /etc/hosts file

