Credit Card authorization from FC3
AragonX
aragonx at dcsnow.com
Wed Mar 2 16:23:08 UTC 2005
<quote who="Brian Fahrlander">
> Wow; that wouldn't be very enjoyable for the customers, either- when
> their time is nearing expiration I need to invent a new infrastructure
> to alert them, pause the session while they go get change (involving the
> otherwise busy restaurant personnel, introducing human error, etc) and
> then they come sit down at their session again. Each time they run over
> their time.
You could always trust your customers and just let them run over and pay
the balance when they are finished. If I remember correctly, Kinkos
required me to pay in advance. I just put more money on the card than I
thought I would need.
> I don't see what's so insecure about the system; another server
> does, in fact maintain a list of cards and their user-ids, reached by a
> secure channel in a highly secure NOC. The numbers/etc are never written
> down anyplace locally, just used for the authentication process and
> tossed.
The problem is your customers. They will have physical access to a
general purpose machine. These types of machines are a little more
difficult to secure. Gaining root access to a machine is much easier when
you are local.
> There should be no way a previous user's credit card information
> _exists_ on the local machine, so as to be revealed. Sure, they can
> peek and poke into memory (if they were root) and eventually find it, or
> remnants of it, but with 1/2G of ram, that's a lot to search....and it'd
> be gone in seconds.
Imagine I am a customer who wants to steal credit card information. My
only major challenge with your system would be to gain root access. Then
I set up a network traffic sniffer and harvest everyone's credit card
information. I can then come back later to retrieve the data I've
collected.
I also have other options. I could try to compromise the server storing
the data. I could access all the other clients and install a program
locally. I could charge the card as soon as it's entered...
Like I said, if you use this method, you should spend a good amount of
time checking logs and network traffic.
> The aim of the idea was to avoid the classic get-up-and-pay and
> require-local-assistance problems the other packages have. I understand
> the danger of exposed CC info; I didn't have to work at CheckPoint or
> Bank of America to learn that. :>
There is a good reason those packages require that.
> But I seriously appreciate the conversation on all this; you seem to
> be ahead of the game in this area. Do you handle this kinda info for
> your day job?
Security seems to be where my job is heading. I'm not sure I like it, but
I don't have much of a choice. lol