Bugtraq mailing list archives

RE: Card Service International / LinkPoint API Security Concerns


From: Tolga Tarhan <ttarhan () basxcorp com>
Date: Mon, 16 Jul 2001 14:11:50 -0700

I've been asked by Raymond Sundland to forward this reply to my post.

He has an alternative (and very clever) way this security issue can
be "exploited".  

Nobody from CSI has been in any further contact with me, and I think
they've pretty much ignored my phone call from last week.  Anyone on this
list have any ideas on how we can persuade CSI to listen?  Anyone know any
CSI employees, or better yet, CSI executives?

--
Tolga

----- Forwarded message from Raymond Sundland <rtsundland () hotmail com> -----

Date: Mon, 16 Jul 2001 16:16:13 -0400
From: "Raymond Sundland" <rtsundland () hotmail com>
To: ttarhan () basxcorp com
Subject: RE: Card Service International / LinkPoint API Security Concerns


   Please feel free to forward this to Bugtraq for me (as I cannot send
   it from the account with which I am subscribed to bugtraq). Thanks.
   
   /--snip--/
   
   I don't think the problem exists as you have proposed it, however
   there is still a severe security problem with their setup... "man in
   the middle". Example below:
   
   Because the information is sent in plain text, it would allow a hacker
   to alter the e-mail before it gets to its final recipient (the
   merchant). He would do this by either hacking CSI's mail server or
   maybe the recipient's mail server. At this point he could alter the
   e-mail in such a way that makes the merchant think he has a valid
   account with CSI. The hostname could be changed to something else
   (something as simple as processing.csi-merchants.com or another
   legitimate-looking hostname) and the hacker would also regenerate a
   key pair and send it within the email.
   
   Upon the merchant accepting the information, he would set up his
   account. The hacker would have set up an application to catch
   information on the "fake" hostname sent to the merchant. The
   application would decrypt the data (with the host key generated by the
   hacker), save the data into a text file, and then re-encrypt the data
   with the legitimate CSI key and send it to the CSI server. By doing
   this, the hacker could remain undetected as the merchant would think
   the charge was legitimately going through. Of course, as you said, the
   hacker would need some knowledge of how the system worked.
   
   The hacker, who has now collected who knows how many cards, can use
   them for whatever he likes (use your imagination).
   
   This method does take a little more work than yours, however people
   will go out of their way for "free money".
   
   I will not propose an exact solution (not for less than $150/hr), but
   there are numerous ways you can fix this problem.
   
   Comments are, of course, welcome ;)
   
   Ray Sundland
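One way a merchant could defend against the tampering Ray describes is to check the provisioning e-mail against values confirmed out of band (for example, the gateway hostname and a host-key fingerprint read back by the processor over the phone) before configuring anything. The script below is an added example, not code from the original post or from CSI/LinkPoint; the message layout, hostnames, key blobs and the fingerprint scheme are constructed assumptions for illustration.

```python
import hashlib
import re
from email import message_from_string

# Values the merchant obtains out of band (e.g. read back over the phone),
# never from the e-mail itself. Both are constructed placeholders.
TRUSTED_HOSTNAME = "secure.example-processor.test"
TRUSTED_KEY_FINGERPRINT = hashlib.sha256(b"GENUINE-HOST-KEY-PLACEHOLDER").hexdigest()

# Constructed sample provisioning e-mails: one as sent, one altered in transit
# (hostname swapped for a look-alike and the host key replaced).
GENUINE_MAIL = """From: provisioning@example-processor.test
Subject: Your gateway account

Hostname: secure.example-processor.test
-----BEGIN HOST KEY-----
GENUINE-HOST-KEY-PLACEHOLDER
-----END HOST KEY-----
"""
TAMPERED_MAIL = (GENUINE_MAIL
                 .replace("secure.example-processor.test", "processing.example-merchants.test")
                 .replace("GENUINE-HOST-KEY-PLACEHOLDER", "REGENERATED-KEY-PLACEHOLDER"))

def parse_provisioning_mail(raw):
    """Pull the gateway hostname and the opaque host-key blob out of the e-mail body."""
    body = message_from_string(raw).get_payload()
    host = re.search(r"^Hostname:\s*(\S+)\s*$", body, re.M)
    key = re.search(r"-----BEGIN HOST KEY-----\n(.*?)\n-----END HOST KEY-----", body, re.S)
    if not host or not key:
        raise ValueError("provisioning e-mail lacks a hostname or host key")
    return host.group(1), key.group(1).encode()

def verify_provisioning(raw, trusted_hostname=TRUSTED_HOSTNAME, trusted_fp=TRUSTED_KEY_FINGERPRINT):
    """Return (ok, problems): ok is False if hostname or key fingerprint differ from the confirmed values."""
    host, key = parse_provisioning_mail(raw)
    problems = []
    if host != trusted_hostname:
        problems.append(f"hostname {host!r} is not the confirmed gateway {trusted_hostname!r}")
    fp = hashlib.sha256(key).hexdigest()  # fingerprint of the key blob as received
    if fp != trusted_fp:
        problems.append(f"host key fingerprint {fp[:16]}... does not match the confirmed value")
    return not problems, problems

if __name__ == "__main__":
    for label, mail in (("genuine", GENUINE_MAIL), ("tampered", TAMPERED_MAIL)):
        ok, problems = verify_provisioning(mail)
        print(label, "ACCEPT" if ok else "REJECT", *problems, sep="\n  ")
```

The check only helps if the trusted hostname and fingerprint really come from a channel the attacker cannot alter; a value copied from the same e-mail proves nothing.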
