from the fight! dept.
Submitted via IRC for SoyCow0824
E-commerce site is infected not by one, but two card skimmers
Payment card skimming that steals consumers' personal and payment information from e-commerce sites has become a booming industry over the past six months, with high-profile attacks against Ticketmaster, British Airways, Newegg, and Alex Jones' InfoWars, to name just a few. In a sign of the times, security researcher Jérôme Segura found two competing groups going head to head for control of a single vulnerable site.
The site belongs to sportswear seller Umbro Brasil, which as of Tuesday morning was infected by two rival skimmer groups. The first gang planted plaintext JavaScript on the site that caused it to send payment card information to the attackers as customers were completing a sale. The malicious JavaScript looked like this: [image]
A second gang exploited either the same vulnerability as the first or a different one. It then installed much more advanced JavaScript, obfuscated so that its purpose could not be read at a glance. This is what it looked like: [image]
The obfuscated JavaScript actively tampered with the less sophisticated skimmer installed by the first gang. Specifically, it replaced the last digit of each credit card number with a randomly generated digit before the number was sent to the first group. As a result, there was a 90 percent chance that the number the first group obtained was wrong. Because the first group's JavaScript was unobfuscated, its skimmer was much easier for rivals to spot and tamper with.
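The tampering described above, as an added example that is not code from the article or from either gang: a rival script monkey-patches the plaintext skimmer's exfiltration routine and rewrites the last digit of every card number. The skimmer object, the function names and the test card number (a well-known Visa test PAN) are all constructed for this demo. One point the article does not spell out is also shown: the last digit of a PAN is its Luhn check digit, so exactly one of the ten possible replacements keeps the number valid, and the other nine would fail any Luhn check the first group ran on its haul.

```javascript
// Added example (not the article's or either gang's code). Models a rival
// script hooking a plaintext skimmer's exfil routine and corrupting the last
// digit of each card number. All names and data are constructed for the demo.

// Luhn check (ISO/IEC 7812-1): the last digit of a PAN is a check digit.
function luhnValid(pan) {
  const digits = pan.replace(/\D/g, "");
  if (digits.length < 2) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Stand-in for the first gang's plaintext skimmer. The real one sent card data
// to a server; this one appends to an array so the example runs offline.
function makePlaintextSkimmer() {
  const received = [];
  return {
    received,
    exfil(pan) {
      received.push(pan);
    },
  };
}

// The corruption step: replace the final digit with a random one.
// `rng` is injectable so the behaviour can be reproduced deterministically.
function corruptLastDigit(pan, rng = Math.random) {
  const d = Math.floor(rng() * 10);
  return pan.slice(0, -1) + String(d);
}

// The rival's hook: because the first skimmer's function is plain, global and
// unprotected, it can simply be wrapped so every number it receives has
// already been corrupted.
function hookSkimmer(skimmer, rng = Math.random) {
  const original = skimmer.exfil;
  skimmer.exfil = function (pan, ...rest) {
    return original.call(this, corruptLastDigit(pan, rng), ...rest);
  };
  return skimmer;
}

// How many of the 10 possible last digits give a Luhn-valid number? Exactly
// one for any prefix, so 9 of 10 corrupted numbers also fail the Luhn check.
function luhnValidVariants(pan) {
  let count = 0;
  for (let d = 0; d <= 9; d++) {
    if (luhnValid(pan.slice(0, -1) + String(d))) count++;
  }
  return count;
}

// Demo run with a constructed test PAN.
const demo = hookSkimmer(makePlaintextSkimmer());
demo.exfil("4111111111111111");
console.log("group one received:", demo.received[0], "luhn ok:", luhnValid(demo.received[0]));
console.log("luhn-valid last digits:", luhnValidVariants("4111111111111111"));
```

The hook works only because the first skimmer exposed a plain, overwritable function; that is the practical meaning of the article's remark that unobfuscated code is easier for rivals to tamper with.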
(Score: 4, Interesting) by bob_super on Wednesday November 21, @11:52PM (2 children)
I just want my bank to generate a unique 2^n-bit code (n>8) to send to a vendor to authenticate one transaction, for a given amount, between me and a designated party.
Go to the bank's website, tell them who should get how much, copy-paste the code into the vendor's website. The code only works for that transaction to that website's bank, per some key they provide, and the vendor gets my address from the bank. Once the transaction is over, the code is useless.
This way, anyone who gets a bunch of codes from a random database can't use them to get anything. Yes, it would still allow shenanigans via hijacking the vendor's page to change the codes, but that's a lot easier to notice than obfuscated scripts, obviously...
Of course, that would put the responsibility on the banks, who seem oddly okay with the current frauds instead.
(Score: 0) by Anonymous Coward on Thursday November 22, @12:16AM (1 child)
So basically you wanna use bitcoin with chargebacks?
(Score: 2) by bob_super on Thursday November 22, @12:18AM
Not even close.
Using bitcoin would still require putting my shipping info on the vulnerable front-end.