We’re constantly hearing stories about credit card fraud and identity theft on the Internet, so the Canadian company NetSecure has come up with a gadget called the SmartSwipe that aims to provide people with a little extra peace of mind when using their credit card online.
Card sharp: NetSecure's SmartSwipe …
``thereby foiling malware such as keyloggers that might record the card number as you type it in''
Wishful thinking. Those things typically emulate keystrokes to provide input. And even if this thing does something different, which I doubt, if the keylogger looks ``deep enough'', it's still not too difficult to dig up the details. And then there's the insecure sites, the open-to-the-world databases, sloppy merchant practices, and so on and so forth.
This thing is pure convenience, and to some it may be worth the money. If sold as a security measure, it's pure snake oil, and for that reason worse than useless. That would be more than enough to stay well away from it, and in fact the entire company.
My irony meter has exploded
This is a joke review, right? I mean, even if the product is real, which I'm having difficulty believing, there's no way El Reg would run a review of it without pointing out the glaring ironies that:
. a product which claims to make shopping secure forces you to use the least secure browser on the least secure operating system to do so;
. the claim that "you are now safe to shop online" is based purely on the idea that all danger to online purchasing comes from potential keyloggers active during your first registration with a site, which is so woefully untrue as to be practically fraud in itself;
. to use the product you have to actively place your trust in an unknown company and a downloaded piece of software which connects to the internet for updates so could easily connect to log your card details too;
. literally all it does is input card numbers into a box, and uses a script to interfere with a secure website in order to "hide" the number on-screen, laying open the possibility that such a script could literally be doing anything else it wants with the data it has captured.
65%? Seriously? I'd give this 0% and a "stay away at all costs" rating.
Hang on a moment
It's supposed to add security and it only supports the Internet Explorer!!! That's like trying to use a colander as a bucket.
DO NOT WANT.
So this helps you foil keyloggers, but only if you use Internet Explorer ... what a deal for 70 quid. I can really see that improving my security, just ignore those keyloggers, trojans and whatever, as long as I use the 70-quid-egg and IE we are perfectly safe ...
If I were malware, I'd be scraping the HTML when the form was posted, so I'd get all the info anyway.
If I wanted a reader, I'd want a chip and pin, so my PC could set up a secure connection to the bank to authorise the transaction, and indeed verify the merchant.
Oh, they left that bit out of the chip'n'pin spec, because it would be too expensive.
It's a stupid idea - if software on your computer has access to read your keyboard, there is *no* way you'll stop it doing anything else it likes - like screen-capturing at regular intervals, browsing through your authenticated cookie caches, or just sniffing all your traffic. Keyloggers mean game-over anyway and this provides no "security" at all.
Additionally, I'd be interested in what exactly it sends over the USB cable - it's almost certainly just a plaintext copy of your card numbers anyway, just not as a HID device (one presumes) so that keyloggers don't bother to sniff it. Ironically, the only use this will see will be for people to purchase it as a normal, cheap, card reader - possibly so they can copy and/or swipe cards illegally.
This is one of the most ridiculous inventions I've heard of.
Smoke and mirrors
Will work for a while, then the next batch of loggers will target track 2 ABA encoded data on the USB port and grab the details there.
Also, the people that would use these devices are also the same people that are most likely to be hit by the sort of stealth malware that installs loggers.
Giving a false sense of security does online shopping no service.
"Will work for a while, then the next batch of loggers will target track 2 ABA encoded data on the USB port and grab the details there"
That's optimistic. I'm betting the next batch of loggers won't bother because the target market won't be worth the return on investment! Besides, as pointed out I'm betting it's implemented via the HID interface, thus only protecting against physical key loggers. Physical keyloggers aren't used to nick credit card details.
"Also, the people that would use these devices are also the same people that are most likely to be hit by the sort of stealth malware that installs loggers"
Actually I'm thinking it's an oxymoron - the type of people that are most likely to need something like this, will not even realise it and would never buy it.
Ignorance is bliss!
more thorough review needed
I can see potential benefit in dedicated hardware for e-commerce authentication so long as it can't be trivially defeated. This requires more detailed review of such devices than in this article. If the manufacturer doesn't publish the design and protocol to maximise independent peer review, Kerckhoffs's Law and experience of thousands of badly designed and insecure products prove vendors' "security by obscurity" claims to be worthless and such reviews need to point this out. If these details are published, a quality review needs to consider the implementation details more expertly.
How Could You...
...trust any device that allows you to use IE6?
Horses for courses....
I'm well aware that a device like this is going to have huge buckets of scorn and contempt heaped upon it by our regular readers - who are, after all, very tech-savvy and well-informed about security issues.
However, there are still many people who are a bit intimidated by this new-fangled internet malarkey and - as I concluded in the review - the SmartSwipe might at least provide them with a bit of peace of mind.
But it should be down to you
to point out that such peace of mind would be entirely unjustified. This device will do nothing to improve online shopping security, potentially a great deal to undermine it, and so people who are intimidated by this internet malarkey would simply be taken for a ride with this SmartSwipe malarkey.
"encrypted as they’re scanned and are not displayed on the web page"
So how does the receiving web site get the card number then ?
If it's properly designed, what it must do is
read the data and then encrypt it as tight as you can get, and then send THAT to the target website, presumably supported by encryption functions in reputable merchant software at the other end. In between, it stays in code and unreadable.
Other techniques tried, I think a bank had a go at this for instance, include on-screen software where numbers dance around and you chase and click on the ones that are your card number. Quite difficult to intercept.
The article doesn't say anything about needing support from the merchant. If it does need that, double fail.
I thought most spyware these days used an SSL-intercepting proxy to get at the plain text anyway.
For what it's worth
I am from the company so take what I say with a grain of salt, but I was hoping I could clear a couple of things up.
First off, thank you for posting these comments, it has shown me we have done a bad job of making important information available to the public. Because of this thread we are going to put up a section of our website dedicated to showing how SmartSwipe works in a more technical way.
I am not going to ramble (too much) about how great I think SmartSwipe is, but one common misconception is that we only protect from keyloggers, but we also protect from different kinds of malware, spyware, man-in-the-middle attacks, man-in-the-browser attacks and it even has some phishing protection. We do this by encrypting the information in the device before it reaches the user's computer and it is not unencrypted until it reaches the merchant. The merchant receives the information in the same way they always have because SmartSwipe uses regular SSL encryption. SmartSwipe simply extends that encryption beyond the user's computer. Endpoint to endpoint encryption.
The reason we started with Internet Explorer (with Firefox coming very soon) is because it was the browser most in need of a security solution and it was the most used browser by far when we started development.
Anyway, thanks for letting me post here. If you would be interested in reading about SmartSwipe security in detail visit dynamic-ssl.com (Dynamic SSL is what SmartSwipe uses for security)
Hey, great, where can I find one?
It's for the MIL (as in mother-in-law, you perv). She's a bit wary of internet shopping, see, and without this gadget the chances of her credit card details being stolen online are unacceptably slim...
From the Company's founder
First of all, I should introduce myself as the guy who actually invented the technology behind the product. It seems like a lot of people have misconceptions about the technology. And that criticism is fair - to date we haven't done a good enough job about making technical details of the product available (though they are publicly available if you look - we're not hiding anything). We are in the process of changing that, and will be introducing a section of our website explaining the technology. In the meantime, I recommend you download the whitepaper from www.dynamic-ssl.com to understand exactly what the technology is and how it works.
In the meantime, to alleviate any concerns or misconceptions, I'd like to clarify exactly what the product does, and how it is, in fact, secure.
We use a new process called "Dynamic SSL" to secure the information. What Dynamic SSL does is allow externally encrypted data (e.g. from a card reader) to merge seamlessly with the browser's SSL session, using a tokenization approach to ensure that your real credit card data is never present in the browser (or even at any of the layers below it). If you use a script or HTTP proxy to check the data in the browser or the HTTP request, you'll note that your card number isn't present.
Because your card number is never present, it renders your sensitive information immune to virtually all endpoint attacks, not just keyloggers. If you don't believe me, buy one and try and hack it. I bet you'll be surprised.
As mentioned above, the one thing the device does NOT protect against is sloppy merchant practices. Your first thought may be that this is where most of the risk is. While that was true even a few years ago, it's not as much today. Industry initiatives such as PCI compliance are dramatically lowering the risk on the merchant end, which is driving most of the cyber-criminals to focus on endpoint attacks such as malware, scareware, phishing, etc. Given that even the most effective endpoint protection is reactive (e.g. works after the fact) and only effectively stops less than 50% of emerging threats, something is needed to protect the end user. That's why this device was invented.
For the tech savvy that know how to protect themselves, it may not be so useful. However, there's a lot of people out there who don't have the knowledge or ability to effectively recognize threats and protect themselves. This product is for them.
If you have questions, let me know. I'm happy to respond to any feedback, both positive and negative.
Good stuff thanks. That answers a lot of questions that the review didn't even ask and in my opinion should have done. It deals with all but two of my original misgivings, those that remain being:
1. Using the product requires placing implicit trust in your company, essentially an unknown third party. I guess this could be ameliorated by various verification schemes which you may already have in place. Something which embeds itself in the CSP obviously already has been verified by MS but many people wouldn't view that as enough reassurance.
2. The banner "You are now safe to shop online" is still presumptive - surely there are plenty of other dangers, not least at the merchant end. Even a product which offers good security should be wary of claiming it is offering more than it does.
Kudos for coming back and setting me and others straight.
OK, fair enough. But...
But what is all this 1970s stuff about mag card swiping? I used to design card-swipe readers (magneto-resistive heads, thanks for asking) in the 1970s.
I've not swiped my card in a shop or hotel for at least 3 years. It is so easy to clone a magnetic stripe. All my cards - although Amex were last - have a chip-n-pin interface, and if I don't get to use a pin terminal I don't buy. That does sometimes mean paying cash at German hotels, or using my Visa instead of my Amex, but I don't trust mag swipe at all.
So, once you go Firefox, will it work on Macs, Linux, and Android? Will it work in Opera?
So as far as I understand it, you're replacing a CSP on the host computer, and then whenever card details need to be entered, you're sending the session key to the reader and it uses it to encrypt the card data? If so, the attacker process running on the machine may subvert your CSP, so that it will send a forged session key to which the attacker has a private key, decrypt the data sent by the reader, save them in a convenient location and then re-encrypt them with a true session key ready to be sent to the server. If on the other hand your reader is doing most of the key negotiation, including the verification of certificate chain of trust (I wonder how you update the CRLs then and whether this can be exploitable?) - but then I can obtain a perfectly legitimate certificate for example.com, and fool the CSP that it's establishing an encrypted link with it and not somebank.com - as I can control what the user is typing, there is no infallible way for your module to know which address the user wishes to visit.
So as long as I understand the principles of your product (as I'm getting a connection timeout whenever I try to download a whitepaper from your server - though may be just a problem with my uni's net filtering), your product's modus operandi is hackable - not to say without needing some significant time spent on coding and reverse engineering, but that shouldn't be a problem if it becomes popular enough to warrant good returns for the bad guys.
...that explains all the upvotes and downvotes to the comments here.
I never realised...
... that the three-digit security code was also present on the mag stripe. So much for the extra 'security' it provides...
contains a lot more data. I recommend reading the spec. Also, most of the data from the chip in chip&pin cards is also readable without PIN authorisation - and you can even intercept the card's "PIN correct" response to fool the terminal into believing that the transaction was authorised with PIN.
OOH, and there was this story about the contactless payments also allowing an unauthenticated attacker to read the card number and cardholder's name without you even removing it from the wallet.
Thanks, Daniel, for your input.
A question: how do you get hold of the CVV2 (the 3 digit number printed on the signature strip)?
As I understand it, magstripe has the CVV, which is used to authenticate magstripe transactions. Chip and PIN (now) uses a different iCVV to prevent a chip dump being used to create a magstripe clone. But I don't recall any access to the CVV2. Are you OCRing the card printing or something like that?