I've been asked by Raymond Sundland to forward this reply to my post. He has an alternative (and very clever) way this security issue can be "exploited". Nobody from CSI has been in any further contact with me, and I think they've pretty much ignored my phone call from last week. Anyone on this list have any ideas on how we can persuade CSI to listen? Anyone know any CSI employees, or better yet, CSI executives?

-- Tolga

----- Forwarded message from Raymond Sundland <rtsundlandat_private> -----

Date: Mon, 16 Jul 2001 16:16:13 -0400
From: "Raymond Sundland" <rtsundlandat_private>
To: ttarhanat_private
Subject: RE: Card Service International / LinkPoint API Security Concerns

Please feel free to forward this to Bugtraq for me (as I cannot send it from the account with which I am subscribed to Bugtraq). Thanks.

/--snip--/

I don't think the problem exists as you have proposed it; however, there is still a severe security problem with their setup: "man in the middle". Example below:

Because the information is sent in plain text, it would allow a hacker to alter the e-mail before it gets to its final recipient (the merchant). He would do this by either hacking CSI's mail server or maybe the recipient's mail server. At this point he could alter the e-mail in such a way that makes the merchant think he has a valid account with CSI. The hostname could be changed to something else (something as simple as processing.csi-merchants.com or another legitimate-looking hostname) and the hacker would also regenerate a key pair and send it within the email. Upon the merchant accepting the information, he would set up his account. The hacker would have set up an application to catch information on the "fake" hostname sent to the merchant. The application would decrypt the data (with the host key generated by the hacker), save the data into a text file, and then re-encrypt the data with the legitimate CSI key and send it to the CSI server.

By doing this, the hacker could remain undetected, as the merchant would think the charge was legitimately going through. Of course, as you said, the hacker would need some knowledge of how the system worked. The hacker, who has now collected who knows how many cards, can use them for whatever he likes (use your imagination). This method does take a little more work than yours; however, people will go out of their way for "free money". I will not propose an exact solution (not for less than $150/hr), but there are numerous ways you can fix this problem.

Comments are, of course, welcome ;)

Ray Sundland
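As an added illustration of the weakness Ray describes, not code from either post and not the LinkPoint API's own format: a plaintext provisioning e-mail carrying a hostname and key gives the merchant nothing to check, so a swapped hostname and key are as plausible as the genuine ones. The small script below simulates the merchant side and shows how a message authentication tag delivered over a separate channel (here an HMAC keyed with a secret the merchant is assumed to have received out of band) lets the merchant detect that the hostname or key fields were altered in transit. The header names, hostnames, key fingerprints and shared secret are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample of the kind of plaintext setup e-mail the post describes:
# a processing hostname plus a key the merchant is told to trust. The header
# names are assumptions for this example, not the real LinkPoint format.
GENUINE_EMAIL = """\
Host: processing.genuine-processor.example
Key-Fingerprint: 1111222233334444
"""

# The same message after the tampering the post describes: hostname and key
# replaced with the attacker's own (constructed values).
TAMPERED_EMAIL = """\
Host: processing.lookalike-processor.example
Key-Fingerprint: 9999888877776666
"""

# Constructed out-of-band secret; the point is that it travels over a channel
# the mail path cannot alter (e.g. read over the phone at account opening).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def parse_provisioning(text: str) -> dict:
    """Parse 'Header: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def canonical(fields: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return "\n".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def sign_provisioning(secret: bytes, text: str) -> str:
    """Sender side: HMAC-SHA256 over the canonical hostname/key fields."""
    return hmac.new(secret, canonical(parse_provisioning(text)), hashlib.sha256).hexdigest()


def verify_provisioning(secret: bytes, text: str, tag: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign_provisioning(secret, text), tag)


def demo() -> dict:
    """Run the genuine and tampered messages through the merchant-side check."""
    tag = sign_provisioning(SHARED_SECRET, GENUINE_EMAIL)  # delivered out of band
    return {
        "genuine_accepted": verify_provisioning(SHARED_SECRET, GENUINE_EMAIL, tag),
        "tampered_accepted": verify_provisioning(SHARED_SECRET, TAMPERED_EMAIL, tag),
        # With no integrity check at all, the merchant would simply read the
        # hostname out of whichever message arrived.
        "host_seen_if_unchecked": parse_provisioning(TAMPERED_EMAIL)["host"],
    }


if __name__ == "__main__":
    print(demo())
```

The check only helps if the tag (or the secret) never passes through the same mail path the attacker controls; any integrity mechanism whose verification key arrives in the very e-mail being tampered with can be regenerated by the attacker exactly as the post describes for the key pair.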
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 15:07:34 PDT