
Credit card security and AJAX

Posted by HC on June 20, 2006, 1:15 pm


I've been thinking a lot lately about how to make it as difficult as
possible for someone to intercept credit cards on an e-commerce site.
If a server is root exploited, and it's the hacker's intent to collect
as much information as possible without the knowledge of the site owner,
there's an obvious way to do it.

1) Locate the script that processes the credit cards and simply alter it
to email yourself the sensitive data.

This could be combatted by encoding the script with Zend or somesuch so
that a hacker can't edit it. S/he could make a new script, but not
without any competent webmaster noticing. However, here's a new technique:

2) <input type='text' name='CreditCardNumber'
onchange='UseAjaxToSendThisSomwehere();' />

Using this technique, a purely static HTML site could be hacked. I
can't think of a good way around this, and if it were done, it could sit
there for ages before someone noticed. What do you all think? Am I
overly paranoid?

Thanks,
HC

Posted by Philip on June 20, 2006, 2:52 pm

> I've been thinking a lot lately about how to make it as difficult as
> possible for someone to intercept credit cards on an e-commerce site.
> If a server is root exploited, and it's the hacker's intent to collect
> as much information as possible without the knowledge of the site owner,

I'd say this last sentence means "game over" no matter what you do.

--
Philip
http://NikitaTheSpider.com/
Bulk HTML validation, link checking and more

Posted by Charles Sweeney on June 20, 2006, 3:13 pm
HC wrote

> sit there for ages before someone noticed. What do you all think? Am
> I overly paranoid?

I think you're overly paranoid.

Worst case scenario, credit cards are insured, and the world still spins.

--
Charles Sweeney
http://CharlesSweeney.com

Posted by HC on June 20, 2006, 4:01 pm
> HC wrote
>>sit there for ages before someone noticed. What do you all think? Am
>>I overly paranoid?

Charles Sweeney wrote:
> the world still spins.

Thanks Charles, I must think of that more often :-)

-HC

Posted by Nik Coughlin on June 21, 2006, 3:45 am
HC wrote:
> I've been thinking a lot lately about how to make it as difficult as
> possible for someone to intercept credit cards on an e-commerce site.
*snip*
> However, here's a new
> technique:
> 2) <input type='text' name='CreditCardNumber'
> onchange='UseAjaxToSendThisSomwehere();' />
>
> Using this technique, a purely static HTML site could be hacked. I
> can't think of a good way around this, and if it were done, it could
> sit there for ages before someone noticed.

You can run a script daily against all of your static pages to see if
they've changed.
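
The daily check suggested in the last reply, as an added example that is not part of the original thread: it records a SHA-256 digest for every static file and reports anything modified, added or removed since that baseline. The function names, the file-suffix list and the command-line usage are assumptions, and because the scenario in the first post is a root compromise, the baseline is assumed to be stored on, and the comparison run from, a machine other than the web server.

```python
import hashlib
import json
import sys
from pathlib import Path

# Assumption: these are the file types the site serves statically.
SUFFIXES = {".html", ".htm", ".js", ".css"}


def snapshot(root):
    """Map each static file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Record the known-good state; run this right after a reviewed deploy."""
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def compare(root, baseline_file):
    """Return the files modified, added or removed since the baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = snapshot(root)
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        # A new script file matters as much as an edited page.
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


if __name__ == "__main__":
    # Usage (hypothetical script name): check_static.py <docroot> <baseline.json> [--init]
    docroot, baseline_path = sys.argv[1], sys.argv[2]
    if "--init" in sys.argv[3:]:
        save_baseline(docroot, baseline_path)
    else:
        report = compare(docroot, baseline_path)
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)  # non-zero exit lets cron raise an alert
```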


