daemondamian

'Invalid' Thawte Security Certificate & CC Fraud.

Hi folks,

I recently joined up with quickflix [in Australia] and it's been pretty good up until the point where I got an email telling me my Quickflix account was on hold because of the monthly payment not going through on my credit card.

 

So I check my credit card to find it had been used by someone somehow to buy an airline ticket with ETIHAD Emirates Dhabi airline ticket - $1200 plus a bunch of other little associated costs [conversion fees etc].

 

It still had sufficient credit for the Quickflix payment so I don't know why it had bounced, but of course I rang up my credit card company to let them know the $1200 plus was unauthorised and cancelled my card so that if someone somewhere had my actual card number details they would no longer find them functional.

 

Fortunately I got a new card 7 days later [it happened the week before Christmas 08] and on the same day I was also refunded the whole amount from ETIHAD without any problems at all [and I learned how people are fraudulently using other people's credit cards to purchase tickets and sell them on!].

 

So with my new card details I went to the Quickflix website to submit my new credit card numbers, but considering that my previous credit card details/numbers had to have been obtained by hacking a site that I used them on, I paid particular attention to the security of the site.

 

 

They use Thawte Security and display the certificate on the page where you enter your credit card numbers and the certificate says INVALID.

 

Additionally the gold lock icon at the bottom of the page has a red error on it and reads as connection partially encrypted.

 

Clicking on the page brings up a Thawte Security Certificate information window which says VALID - so which is correct?

 

Also there is no security for entering your name and password to log onto the site - doesn't that make having a security certificate on the credit card payment page totally pointless if a hacker can get your details from the point at which you log in?

 

I sent an email to Quickflix regarding the Thawte Security Certificate issue, but have yet to hear back from them - no surprise really.

 

So either I risk using their site or call up their helpline, but I'm a little suspicious about the security of their site and whether or not they might have been the point or source where someone somehow got my details.

 

What do you think?


At the end of the day you'll probably never find out how they obtained your details.

 

Regarding the certificate... which browser are you using? Quite often certificates are marked as invalid by a browser if they have expired or if they're being used on a server or domain different to that for which they were originally issued. In these instances they still 'work' to encrypt the data between yourself and the server; however, they can't reliably be used to authenticate the identity of the server itself.

 

You're right - at a glance at least, it looks as though the e-mail address and password used for authentication at Quickflix are sent unencrypted via HTTP - this is poor form but sadly isn't all that unusual. Just think of all the web sites which allow you to retrieve your password via e-mail (which is also plain text). What could you do if you had access to the mail servers in the path the message traversed?

 

Crypto certificates and HTTPS really only (somewhat) protect data in transit between your PC and the servers you're talking to. The biggest concern is the security of those servers and how the companies store your data, which are different issues entirely.

 

I take great exception to sites storing my credit card details after a transaction. There's absolutely no valid reason to do this, and doing so simply exposes the company (and myself and the banks) to greater risk by making themselves a target for cracking by individuals or groups wanting that info. If the information isn't stored permanently and is only kept for the minimum duration of time necessary to process the transaction, the window of risk is reduced significantly.

 

Basically once you provide your credit card details to a business (be it in person at a store, over the phone or over the Internet) you're placing trust in that business to treat those details appropriately, store or destroy them as necessary and protect them if they're to be stored. How many networks do you see run by incompetent or unskilled network staff? How many sysadmins know nothing of security? How many companies place marketing higher on their priority list than perimeter security design, software patching and sound software development and testing practices?

 

For these reasons credit cards are great. You're spending the bank's money, not your own. You're placing the bank in a position where /they/ are the ones who have something to lose every time you buy something, hence they will cooperate with the reversal of disputed charges! Direct debit from a personal account on the other hand...

Edited by segger

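The two failure modes segger describes in the post above (an expired certificate, or one issued for a different hostname, still encrypts the session but no longer proves who you are talking to; and a login form that posts the password over plain HTTP) can both be checked mechanically. The script below is an added example, not code from this thread or from Quickflix; the certificate dictionary and the login-page HTML are constructed samples that mirror the shape returned by Python's `ssl.SSLSocket.getpeercert()` and a typical form, and `example.com` stands in for any merchant site.

```python
"""Why a browser calls a certificate 'invalid' while still encrypting, and how
to spot a password form that submits over plain HTTP.  Added example; the
sample certificate and HTML below are constructed, not captured from any site."""
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def _names_in_cert(cert):
    """DNS names the certificate claims: subjectAltName first, CN as fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' as the whole leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def certificate_problems(cert, hostname, now_epoch):
    """Reasons a browser would flag this certificate (empty list means clean).
    The TLS session is encrypted either way; only the server's identity is in doubt."""
    problems = []
    if now_epoch < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now_epoch > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(_hostname_matches(n, hostname) for n in _names_in_cert(cert)):
        problems.append("hostname mismatch")
    return problems


class _FormScanner(HTMLParser):
    """Record the absolute submit URL of every form containing a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._form = None
        self.password_form_targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form = {"action": attrs.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                # an empty action submits back to the page itself
                self.password_form_targets.append(urljoin(self.page_url, self._form["action"]))
            self._form = None


def plaintext_login_forms(html, page_url):
    """Submit URLs of password forms that would travel over anything but https."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return [u for u in scanner.password_form_targets if urlsplit(u).scheme != "https"]


# Constructed sample data (not a real certificate or page).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2008 GMT",
}
WHEN_VALID = ssl.cert_time_to_seconds("Jun 15 12:00:00 2008 GMT")
WHEN_EXPIRED = ssl.cert_time_to_seconds("Jan 15 12:00:00 2009 GMT")
SAMPLE_LOGIN_PAGE = (
    '<form action="http://www.example.com/login" method="post">'
    '<input name="email"><input type="password" name="pw"></form>'
)

if __name__ == "__main__":
    print(certificate_problems(SAMPLE_CERT, "www.example.com", WHEN_VALID))
    print(certificate_problems(SAMPLE_CERT, "www.example.com", WHEN_EXPIRED))
    print(certificate_problems(SAMPLE_CERT, "payments.example.com", WHEN_VALID))
    print(plaintext_login_forms(SAMPLE_LOGIN_PAGE, "https://www.example.com/"))
```

`certificate_problems` is deliberately separate from the question of whether bytes are encrypted: a hostname mismatch or an expired `notAfter` is exactly the situation where the browser shows a warning even though the padlock-level encryption is intact. `plaintext_login_forms` resolves the form's `action` against the page URL, so a relative action on an `https://` page is treated as safe while an absolute `http://` action, or an `https://` page whose form posts elsewhere over HTTP, is reported.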

Hi Segger,

thanks for your reply, you make many good points.

 

I'm wary of buying things on the internet but I do have eBay, PayPal & Amazon.com accounts and I have bought from smaller businesses too (pet supplies, orchid supplies, computer parts etc). I would have thought the bigger companies, say PayPal, would be safe, but when looking up the ETIHAD Emirates airline ticket issue I came across someone who I think had only used their card for PayPal.

 

It seems you can't really have trust or faith that even if a company has the best of intentions they will be able to keep your information safe and protect you from fraud occurring as a result of doing business with them?

 

I'm using Firefox 3.05 but I did check out the site with Internet Explorer [6.something]; while there was an invalid Thawte image on the pages leading up to it, the actual page where you enter the credit card details has neither an invalid/valid Thawte certificate nor a gold lock security icon at all!

 

I have a vague unsettling feeling that the first time I signed up with Quickflix I neglected to check the security of the site/page at that time - from now on though I will check it. What worries me is that if it's possible someone could hack into the Quickflix user database & stored credit card number details, then even if I call them to give them my details they will probably be putting those details back onto the same database?!

 

If I do give them my details again over the phone and it happens again then possibly it is Quickflix. They actually state:

Your credit card information is safe. We use SSL encryption technology to secure our commerce transactions.

 

and they mention that you should change your password often for security.

 

I try to keep my computer safe - scanning downloads, ZoneAlarm, AVG for scans, Spybot Search & Destroy, Malwarebytes, Ad-Aware, HijackThis & Mailwasher to eliminate viruses/spam - I only fax credit card details or use PayPal, bank deposit or the phone if secure credit card facilities aren't available.

 

What about the newer cards that can be used like credit cards but are actually used for savings/normal accounts - if something happens there I wonder how likely it is that those people can get a refund when it is their own money and not the bank's?

 

I will definitely be paying more attention if I ever use my card again online.

 

Regards

D.


It seems you can't really have trust or faith that even if a company has the best of intentions they will be able to keep your information safe and protect you from fraud occurring as a result of doing business with them?

That is true. I've seen too many /huge/ organisations outsource their IT functions to other providers who then service these organisations with substandard staff and manage systems with substandard practices, so you can't even assume that a larger company will do a better job at maintaining security than a smaller company. That said, a larger company is likely also a larger target.

 

I have a vague unsettling feeling that the first time I signed up with Quickflix I neglected to check the security of the site/page at that time - from now on though I will check it. What worries me is that if it's possible someone could hack into the Quickflix user database & stored credit card number details, then even if I call them to give them my details they will probably be putting those details back onto the same database?!

Yep - and the same applies to any other site dealing with your credit card or personal details.

 

They actually state:

Your credit card information is safe. We use SSL encryption technology to secure our commerce transactions.

SSL only secures the data from the user to the merchant. It's a tiny slice of the security pie. But it makes users feel warm and fuzzy. Or something.

 

What about the newer cards that can be used like credit cards but are actually used for savings/normal accounts - if something happens there I wonder how likely it is that those people can get a refund when it is their own money and not the bank's?

Personally these scare me - as you point out, it'd be your own money being swiped. I imagine the complaints process would be similar but the banks would be more reluctant to process scam claims.
