Page 1 of 3 (results 1 to 15 of 32)
  1. #1 Philip M (Supreme Master coder!, London, England; joined Jun 2002, 17,910 posts)

    Is the internet really insecure?

    I would be grateful for authoritative views or comment on the following:-

    It is widely believed that the internet is insecure and that geeks and criminals are somehow able to pluck email transmissions out of the ether, and in particular are able to alter messages and/or steal unencrypted credit card data. I believe that this is an urban myth, and that it requires the vast technical resources of the CIA or GCHQ to intercept emails (and 300,000 emails a second are sent in the UK!).

    Does anyone know of any instance (within say the last 10 years) where this has actually happened (other than to "a friend of a friend")?

    I have a small business which receives about 5 orders a day via the internet. I do accept that the risks are far higher for (say) a bank or a major retailer which may be targeted by sophisticated criminals, but I do not believe that the internet is any more insecure than telephone, fax or ordinary letter mail. Of course, I accept that in theory a dishonest employee might conceivably intercept a communication, just as in theory an engineer might tap your telephone line or a postal employee might steal your letter mail.

    Would anyone care to convince me that I am wrong?

    I do appreciate that there are many scams involving credit cards, but is email interception really one of them?

  • #2 mouse (Regular Coder, North East England; joined Jun 2002, 853 posts)
    Emails can be nabbed "out of the ether". Do not use email for anything such as credit/debit card transactions, even if they're disguised or weakly encrypted.

    SSL 128bit encryption - which is what you should be doing with credit card payments etc. - is not unbreakable, no encryption is, but it'd take a multinational company with mahoosive cpu(s) power to break, even then taking weeks rather than hours.



    * mahoosive is a technical term btw
    [+] Computer/PC issues [+] Silverpaw3D
    ------------------------------------------------
    Never buy a dwarf with learning disabilities...

    ...it's not big, and it's not clever.

  • #3 New Coder (Canada (eh); joined Oct 2002, 53 posts)
    1.21 Mahoosive?! 1.21 Mahoosive?!

    What the heck is a Mahoosive?!

    ** as Majik_Dance attempts to continue a thread from elsewhere in this forum **

    On a more serious note, I echo what mouse has stated; no encryption is unbreakable - just a matter of time and resources.
    Listen! You smell that?

  • #4 zoobie (Senior Coder, ColoRockyz; joined Jun 2002, 1,646 posts)
    ...and if you actually think 300,000 emails are sent every second in the UK, then you'll believe anything. I have some killer beachfront property in Arizona I'd like to sell you...It's beautiful...complete with elephants and martians.
    Last edited by zoobie; 01-24-2003 at 04:39 AM.
    Zoobie or not Zoobie...That is the problem.
    <body onUnload="flush( ! )">

  • #5 mouse (Regular Coder, North East England; joined Jun 2002, 853 posts)
    Dunno about 300k per second, it might be more than that... but I do know MI5 have a center monitoring all internet transmission and encrypted email can get you two years doing porridge if you don't give them the key.

    I never order online unless I see the padlock. Neither should you

  • #6 Senior Coder (near Oswestry; joined Jun 2002, 4,508 posts)
    Originally posted by mouse
    encrypted email can get you two years doing porridge if you don't give them the key.

    Except that RIP is legally unenforceable, as they'll discover when the first test case appears .... RIP puts the onus of proof on you - prove you haven't got a key. But how can you do that?

    An organisation (I forget the name) sent the then Home Secretary Jack Straw an encrypted document which contained a confession to a crime - then destroyed the key. Now the onus of proof is on him to prove he hasn't got the key, which of course he can't - there could be a key anywhere; on a disk in his office; squirrelled away on the internet; anywhere.

    Ridiculous ... just another example of knee-jerk legislation based on ignorance and media frenzy. If government policy was on /. I'd mark it "-5: demonstrably incorrect, and laughably so"

  • #7 Senior Coder (joined Jul 2002, 1,628 posts)
    Originally posted by zoobie
    I have some killer beachfront property in Arizona I'd like to sell you...It's beautiful...complete with elephants and martians.
    ooh ooh over here!
    a beach in Arizona that must be a nice place!

    Moderator: General web building

    Get out from under them, resist and multiply.
    Get out from under precipice and see the sky.

  • #8 Philip M (Supreme Master coder!, London, England; joined Jun 2002, 17,910 posts)
    Originally posted by mouse
    Emails can be nabbed "out of the ether". Do not use email for anything such as credit/debit card transactions, even if they're disguised or weakly encrypted.
    I am afraid that unless you can give me some hard information about how the interception is done, I do not believe you. As I say, I think that it is an urban myth. Possibly manufactured by people who would like to sell solutions to non-existent problems (such as the Y2K scare).

    I do agree that almost any encryption can be cracked if enough resources are applied to it, but who is going to spend hours to get just one lousy credit card number, when he could make it up. There are far more rewarding credit card scams than that!

    E.g. 5400 0000 0000 0500 is a "valid" number which I have just this minute manufactured.

    Here is a genuinely valid credit card number (mine!) "weakly" encrypted by my order form (average of 5 orders a day):-

    e279c573247b84692a6bd71ad399d27058a96e4

    As I say, that encryption CAN be broken but I'll bet that no-one here will be willing to devote the time required to decipher it.

    But in any case I am saying that I believe that in the real world no-one can intercept the communication anyway.

    As I say, please don't simply assert that emails are insecure - that is just repeating the urban myth. I am willing - eager almost - to be convinced otherwise, but I will not believe it unless someone can specify an instance where an email (properly addressed of course) HAS actually been intercepted by a criminal or fraudster.

    Every time you visit a petrol station the clerk gets a copy of your credit card details and your signature as well. In a restaurant your card may be taken away to be processed, and may be swiped twice - this has actually happened to me. This and other scams seem to me to be infinitely more probable than interception of emails or order forms.

    If I understand it correctly, SSL provides very secure encryption as between the customer and the server (ISP) at which point the message is decrypted, and consequently no security at all as between the server and the remote merchant's computer, the message being sent on this stage as plain text. Or have I misunderstood?

    Zoobie - the 300000 emails a second which I quoted probably includes text messages. In any case, there surely are a very large number of them! But I agree that people will believe any silly assertion if it is made by a so-called expert (or in a newspaper!), which brings us back full circle!
    Last edited by Philip M; 01-24-2003 at 07:17 PM.

  • #9 Feyd (Regular Coder, Los Angeles, CA; joined May 2002, 403 posts)
    Philip, it is no problem to intercept packets and piggyback transmissions from specific ISP subscribers and users or a cross-section of traffic on a node, which includes emails...I did it all the time when I was younger, and far too many other things to remember now...
    Moderator, Perl/CGI Forum
    shadowstorm.net - subvert society

  • #10 zoobie (Senior Coder, ColoRockyz; joined Jun 2002, 1,646 posts)
    There are ways to monitor the server and when the email is sent, intercept. Also, there are warez available to hack into existing accounts. Sending yourself the credit-card number encrypted in which only you have the key seems pretty secure but not as good as SSL. You can always change the key once or twice a month, too.

    I discovered a huge flaw in Paypal big enough to drive a lorry through. As a matter of fact, I downloaded some software last night for the first time testing this method without paying and it worked. I am contacting the webmaster after this post.

    But Covers is right...Letting your users know you've spent the time and effort for SSL security will instantly lead to more sales. With the cost of certificates coming down to $15-25, it only makes good business sense.

    For a good source of links, news, and facts, try www.emailtoday.com
    Last edited by zoobie; 01-24-2003 at 07:52 PM.

  • #11 Shift4Sms (Regular Coder, Las Vegas, NV - USA; joined Jul 2002, 104 posts)
    To answer your question: Most of the gloom and doom you hear about Internet security (or lack thereof) is media hype BUT it is not an urban myth -- stealing of unencrypted data on the Internet can and has happened.

    I know there are case examples around but I do not have the time to look them up right now. I can tell you this though; by sending sensitive data unencrypted via e-mail you are SIGNIFICANTLY increasing the chances of a fraudster getting the information. Just because a hole is not exploited does not mean that you don't have a hole! Can you or the merchant you are developing/maintaining a site for afford the bad press if and when it does get exploited?

    While I don't promote sending sensitive data by any means unencrypted, HTTP has less chances of being sifted than e-mail messages. Reason being, most e-mail servers write incoming messages to log files before forwarding the messages while HTTP traffic is usually routed directly without logging (or at least not in the same detail as e-mail messages). Give me 10 minutes of access to your primary e-mail server and I will show most, if not all, the orders you processed over the last month, including full credit card info.

    As Coverz stated, I'm surprised that you have 5 orders a day via e-mail -- unless the customers don't know that their information is being sent via insecure means (SSL to web server to e-mail message to merchant).
    Last edited by Shift4Sms; 01-24-2003 at 09:42 PM.
    Steven Sommers (blog)
    Shift4 Corporation -- www.shift4.com

    Creators of $$$ ON THE NET(tm) payment processing services.
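Two claims in this thread can be checked in code: #8's point that a "valid" card number can simply be made up (the 5400 0000 0000 0500 given there passes the Luhn check digit that card numbers carry, which is all "valid" means here), and #11's point that a mail server's spool or logs hold every plaintext order, card number included. The Go program below is an added example and is not code from any poster. The SMTP session it scans is constructed for the example and contains no real card number; the FormMail-style field names in it are an assumption. It validates and manufactures Luhn-correct numbers, then finds the Luhn-valid digit runs in the plaintext session, which is exactly what anyone with read access to the mail spool (or a copy of the packets) would do.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// luhnValid reports whether an all-digit string passes the Luhn check,
// the check-digit scheme used by payment card numbers. It says nothing
// about whether an account exists, which is the point made in #8.
func luhnValid(digits string) bool {
	if digits == "" {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// luhnComplete appends the single check digit that makes body pass luhnValid,
// i.e. it "manufactures" a valid-looking number from any digit prefix.
func luhnComplete(body string) string {
	for i := 0; i < 10; i++ {
		if cand := body + string(rune('0'+i)); luhnValid(cand) {
			return cand
		}
	}
	return "" // body contained a non-digit
}

// constructedSMTP is a made-up SMTP session of the kind a form-to-mail
// script produces, as it crosses the wire or sits in a mail spool.
// The card number is the Luhn-valid example from #8, not a real card;
// the last field is a 16-digit decoy that fails the Luhn check.
const constructedSMTP = `220 mail.example.net ESMTP
HELO www.example.net
250 mail.example.net
MAIL FROM:<formmail@example.net>
250 OK
RCPT TO:<orders@example.com>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: formmail@example.net
To: orders@example.com
Subject: Order form

name: A Customer
card: 5400 0000 0000 0500
expiry: 12/05
phone: 0207 1234 5678
order_ref: 4111 1111 1111 1112
.
250 OK queued
QUIT
221 Bye
`

// panPattern matches 13..19 digits optionally separated by spaces or dashes.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// findPANs returns the Luhn-valid candidates in text, separators removed.
// The Luhn filter is what keeps phone numbers and order references out.
func findPANs(text string) []string {
	var found []string
	for _, m := range panPattern.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// mask keeps the first six and last four digits, as printed receipts do.
func mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func main() {
	fmt.Println("5400000000000500 passes Luhn:", luhnValid("5400000000000500"))
	fmt.Println("manufactured from 540000000000050:", luhnComplete("540000000000050"))
	for _, p := range findPANs(constructedSMTP) {
		fmt.Println("card number found in plaintext session:", mask(p))
	}
}
```

The same pattern-plus-Luhn filter is what data-loss-prevention tools run over spools, logs and packet captures; running it against your own mail store shows what an intruder with that access would find without breaking any encryption at all.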

  • #12 Super Moderator (Perth Australia; joined May 2002, 4,040 posts)
    & there are lots of little Feyd's out there

    realistically though there is more chance of your server being compromised and data stolen from that than by someone intercepting your email ...

    but you only need to get sued once for it to matter

    One of the sites I work on has no SSL yet takes credit-card information, the owners know exactly what I think about this but the customer is always right '!'

    however of all the sites I work on this has by far the biggest number of transactions ! , I think its a question of trust, the site in question is the web-front end of a magazine, its readers I assume know and trust it and don't appear to think twice about submitting their CC details ! (though I am sure it would be busier if they did)

    For my part I split the CC num & char data, store half of it encrypted on the server and send the other half encrypted via email. - the encryption is weak but never having the full CC data in one place makes it harder for someone to get lucky.

    For anyone to get all the data required they would need to compromise the server, which again is the most likely starting point for anyone trying to get at ya.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #13 Shift4Sms (Regular Coder, Las Vegas, NV - USA; joined Jul 2002, 104 posts)
    One of the sites I work on has no SSL yet takes credit-card information, the owners know exactly what I think about this but the customer is always right '!'
    Don't worry, I'm not a credit card G-man but technically, the merchant is not "right". It is against VISA and MasterCard regulations to accept credit card information over the Internet unencrypted.

    It's rare to hear of VISA or MasterCard pro-actively enforcing this rule but if a cardholder complains about being a fraud victim (whether or not the web site is responsible for the fraud), be assured that they do reactive enforcement which usually results in a fine and/or immediate suspension of the merchant account.

  • #14 Super Moderator (Perth Australia; joined May 2002, 4,040 posts)
    Originally posted by Shift4Sms
    be assured that they do re-active enforcement which usually results in a fine and/or immediate suspension of the merchant account.
    Of that I have no doubt and I have told them that more than once - + the cost of doing SSL is minimal ... one day I will get them there.

  • #15 Philip M (Supreme Master coder!, London, England; joined Jun 2002, 17,910 posts)
    Thank you, everyone. I am obliged for all the information and I understand the technicalities better now.

    "......realistically though there is more chance of your server being compromised and data stolen from that than by someone intercepting your email ... "!

    I use a very well-known UK ISP, and I find it hard to believe that their server can be "compromised"! It seems as far-fetched as to suggest that my telephone is constantly being tapped by a criminal.

    With the utmost deference and respect, I do have the vague sensation that Shift4sms (Creators of $$$ ON THE NET(tm) credit card processing services) could possibly have an axe to grind!

    I have made the point that the credit card information on my order form is encrypted as I described. The form is submitted via FormMail.cgi (is this the same as email? - the form is sent to me from the ISP server as email). To make it crystal clear, I am not claiming that the encryption cannot (relatively easily but still with difficulty) be broken - I am saying that it is not possible for a criminal to intercept the data in the first place.

    Although I have no technical expertise at all, and respect the information you have all given, I have to say that I still feel that there is an element of the Loch Ness Monster about this - it is widely believed to exist, and quite a few claim to have actually seen it. But no-one can produce a photograph or one of its scales! ("....... I know there are case examples around but I do not have the time to look them up right now......."). This suggests that email interception cannot be widespread.

    "I think its a question of trust". Quite so. In my very specialised business I am sure that applies. In any case one ought never supply credit card information to merchants you do NOT trust, whether encrypted or not!

    For those who prefer it I offer a paper order form which the customer can print out and send in by street mail. A few people take advantage of this. But we get quite a lot of orders in addition to those submitted by the (semi-secure) on-line order form by simple email, so not everyone is paranoid. And I ought to add that we get another 15-20 orders a day by street mail, fax and telephone.

    "....the cost of certificates coming down to $15-25..." But I have been quoted £400 a year by my ISP to have SSL and https. To be blunt, I cannot afford this additional overhead. I see it as overkill.

    Thank you again for your various comments. As I say, I am still not convinced that geeks and criminals really can target and intercept emails or form submissions, but I accept that it might have happened. If it really can be done, why is it not done more often by all the little Feyds out there, and why can no-one here (surely the most knowledgeable people) point to an actual instance?

    A final thought - if it was possible to intercept emails, the potential pickings (confidential financial information, blackmail or embarrassment opportunities etc.) would be far more than the odd credit card number.
    Last edited by Philip M; 01-25-2003 at 10:35 AM.
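The path spelled out in #11 (SSL to the web server, then plain e-mail to the merchant) and restated in #15 (FormMail.cgi mails the form on from the ISP's server) leaves the card number in clear on the second leg whether or not the first leg uses SSL. The Go program below is an added example, not code from any poster, from FormMail or from Shift4: a form handler seals the sensitive fields with the merchant's RSA public key (RSA-OAEP with SHA-256, the field name as the OAEP label) and mails only ciphertext, so the ISP's mail server, its spool and anyone reading either never see the number; only the merchant's private key, which never sits on the ISP's server, opens it. The key pair is generated in-process so the example runs stand-alone; the "enc:" prefix, the field names and the order contents are assumptions for the example. It does nothing for the customer-to-server leg, which is what the SSL certificate discussed above protects.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// merchantKey stands in for the merchant's key pair. Assumption for this
// example: it is generated here so the program runs stand-alone. In use the
// merchant generates it once, installs only the public half beside the form
// handler and keeps the private half off the ISP's server entirely.
var merchantKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// sealField encrypts one form value to the merchant's public key with
// RSA-OAEP (SHA-256) and base64-encodes it so it survives as a line of a
// plain-text e-mail. The field name is the OAEP label, which ties the
// ciphertext to that field. With a 2048-bit key a value may be up to 190 bytes.
func sealField(pub *rsa.PublicKey, name, value string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(value), []byte(name))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField is the merchant-side inverse. It fails if the ciphertext was
// sealed under a different field name, or was tampered with in transit.
func openField(priv *rsa.PrivateKey, name, sealed string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// orderToMail renders the submitted form as the e-mail body the handler on
// the ISP's server sends on. Fields named in secretFields are sealed and
// marked with the (assumed) "enc:" prefix; everything else goes in clear.
func orderToMail(pub *rsa.PublicKey, fields map[string]string, secretFields []string) (string, error) {
	secret := make(map[string]bool, len(secretFields))
	for _, f := range secretFields {
		secret[f] = true
	}
	names := make([]string, 0, len(fields))
	for n := range fields {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic line order
	var b strings.Builder
	for _, n := range names {
		v := fields[n]
		if secret[n] {
			sealed, err := sealField(pub, n, v)
			if err != nil {
				return "", err
			}
			v = "enc:" + sealed
		}
		fmt.Fprintf(&b, "%s: %s\n", n, v)
	}
	return b.String(), nil
}

// mailToOrder is the merchant's side: parse the body and open every
// "enc:" value with the private key.
func mailToOrder(priv *rsa.PrivateKey, body string) (map[string]string, error) {
	out := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(body), "\n") {
		parts := strings.SplitN(line, ": ", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		name, value := parts[0], parts[1]
		if strings.HasPrefix(value, "enc:") {
			pt, err := openField(priv, name, strings.TrimPrefix(value, "enc:"))
			if err != nil {
				return nil, fmt.Errorf("field %q: %w", name, err)
			}
			value = pt
		}
		out[name] = value
	}
	return out, nil
}

func main() {
	// Constructed order; the card number is the Luhn-valid example from #8, not a real card.
	order := map[string]string{"name": "A Customer", "item": "one widget", "card": "5400000000000500", "expiry": "12/05"}
	body, err := orderToMail(&merchantKey.PublicKey, order, []string{"card", "expiry"})
	if err != nil {
		panic(err)
	}
	fmt.Print(body) // what the ISP's mail server, and anyone reading its spool, sees
	got, err := mailToOrder(merchantKey, body)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant recovered card:", got["card"])
}
```

Using the field name as the OAEP label means a ciphertext cut from the card line cannot be pasted into another field and opened there, and tampering with the base64 makes decryption fail rather than yield garbage. For values longer than the 190-byte OAEP limit, seal a random symmetric key with RSA and encrypt the value under that key instead.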

