Security against credit card fraud

December 20, 2005

In the Middle Ages, the Knights Templar invented a system to enable pilgrims to travel to the Holy Land without having to carry ‘real’ money with them. This system would perhaps be an equivalent to the bank cards we carry with us today.

Obviously we're not saying they invented magnetic strips or synthetic polymers, but rather a document that enabled the pilgrim to withdraw money in a different location to where it had been deposited. This was a major innovation at the time.

Today, the philosophy behind credit cards is very much the same. We can move from place to place without having to carry cash, even if we're only talking about going down to the local store. This document, the card, certifies that the vendor can charge the bearer of the card in the knowledge that it has a guarantee (of the bank, for example) up to a certain amount.

And as was the case with the Templar system, the bearer of the card needs to prove their identity. Today, such identification is a complex task (unlike the simple ring used by the Knights Templar) and this represents the main problem for bank card users: there is insufficient awareness of the importance of ID verification when using these types of cards.

There are several security systems for credit cards which users are often unaware of. The most widely used are three sets of numbers that need to be kept secret (in particular the PIN).

One hundred percent security is, as always, impossible to achieve. Regardless of the security system used, there is always a possibility of somebody cloning your card by using a magnetic strip reader, or of other, even more complex dangers. Of these, threats related to the massive use of credit cards over the Internet are now the most costly to users.

Every time you enter your identification code to buy something on the Internet, this code travels across the Net and could be intercepted by malicious users. There are several techniques that enable them to do this:

Man-in-the-middle. This technique allows data thieves to intercept the communication between the user and the real website, acting as if they were a proxy, and potentially listening to all communication between the two. In order for such an attack to be successful, the victim must be redirected to the attacker’s proxy instead of the real server. There are several techniques for doing this, such as using transparent proxies, DNS cache poisoning and URL obscuring.

Exploiting Cross-Site Scripting vulnerabilities on a website. This enables the spoofing of the bank's secure web page in such a way that users will not be able to detect anomalies in either the address or the security certificate that appears on the browser.

Exploiting browser vulnerabilities that allow the address that appears in the browser to be spoofed. This means the browser can be redirected to a spoofed website, while the address in the address bar will be the URL of the trusted site. This technique also allows spoofing of pop-ups opened from an authentic website.
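The man-in-the-middle item above names URL obscuring as one way a victim ends up at the wrong server. As an added example (not part of the original article), here is a defender-side check that flags common obscuring patterns in a link before it is trusted; the function name, finding labels, domain `bank.example` and all sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts written as numbers: dotted IPv4, a single decimal integer, or hex parts.
NUMERIC_HOST = re.compile(r"(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+)){0,3}")


def obscuring_findings(url, expected_domain):
    """Return labels describing why `url` may not lead to `expected_domain`."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # lower-cased, without userinfo and port
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    # Text before '@' is userinfo, so the real host is whatever follows it.
    if "@" in parts.netloc:
        findings.append("userinfo-in-authority")
    if "%" in host:
        findings.append("percent-encoded-host")
    if NUMERIC_HOST.fullmatch(host) or ":" in host:
        findings.append("numeric-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    if not host.isascii():
        findings.append("non-ascii-host")
    # The expected domain must be the host itself or its rightmost labels.
    if host != expected_domain and not host.endswith("." + expected_domain):
        findings.append("host-mismatch")
    return findings


# Constructed sample links (reserved .example/.test names and TEST-NET addresses).
SAMPLE_URLS = [
    "https://www.bank.example/login",
    "https://www.bank.example@198.51.100.7/login",
    "http://3325256711/login",
    "https://www.bank.example.attacker.test/login",
    "https://%77ww.bank.example/login",
    "https://xn--bnk-5cd.example/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = obscuring_findings(url, "bank.example")
        print(url, "->", ", ".join(result) or "no findings")
```

An empty result only means none of these patterns were found; it does not cover the DNS cache poisoning or browser address-bar flaws also listed above, which leave the URL text itself unchanged.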
