IOS Press is a publishing house headquartered in Amsterdam, specialising in the publication of journals and books related to fields of scientific, technical, and medical research (via Wikipedia). It publishes papers as ebooks and hard copies in the fields of biochemistry, medicine, natural sciences and computer science.
I just wanted to buy an academic book and wanted to pay using a credit card. So I went through the dialog entering my personal data. Then the “Secure payment” link was provided.
So this website is loading. Like every reasonable internet user, I check that my credit card information is not transmitted in plain text over the internet, where every other internet user could eavesdrop on it.
Whoops? No TLS certificate is provided by the server (sorry for the French language settings); hence the whole website communication is neither encrypted nor signed (Issue #1). Everybody at the hops between my computer and the IOS Press server will be able to read my credit card data.
Okay, let’s see who is responsible for the payment service. This is the ogone service by Ingenico Payment Services.
The security link below the Ingenico link yields a website advertising the security of Ogone e-Commerce solutions. I cannot provide you a permalink, because the server only accepts a parameterized link.
Ogone e-Commerce is a secure payment system designed and managed by Ogone.
At Ogone, the security of your payments is our prime concern. Our team of specialists keeps itself informed of the latest developments in the field, to provide you with a safe, reliable system.
The “Ogone Security Charter” states
Ogone undertakes to implement the following security measures:
Our servers are protected by firewalls, access to our databases is strictly controlled, and sensitive information is encrypted.
All sensitive information collected by Ogone on the Internet is encrypted in accordance with the 128-bit SSL standard, bank grade.
No-one can access the Ogone payment pages unless they are connected in secure mode.
Your credit card number is sent only to the financial body making the transaction.
Communication with financial institutions is carried out in accordance with the transmission and security protocols set and certified by the institutions themselves.
Ensuring the security of cardholders’ data is one of the main priorities of the online payment sector. Therefore, in 2004, Visa and MasterCard created the Payment Card Industry Data Security Standard (PCI-DSS), specifying a series of requirements and procedures aimed at ensuring that cardholders’ sensitive data remains secure at all times.
Ogone is certified as AIS, SDP and PCI-DSS compliant.
On some browsers, this window can seem a little intimidating, but it just means that you are about to enter a secure site.
It is actually reassuring, because your financial information is collected from this site.
Even if some items are non-secure, you can enter your information safely, as the main page is secure.
So Ogone, you are telling me you are incapable of providing a payment form which only loads website components from trusted sources? (Issue #2) Actually I don’t care that much about that issue, because the website I am using does not have it. But I cannot take Ingenico seriously when they state that
the security of your payments is our prime concern while they underrate the security implications.
And IOS Press, you are selling ebooks in the field of computer security?!
Attack vector in detail
For the more technically advanced readers, I want to provide the attack vector I am talking about:
- The hacker recognizes that I am visiting the IOS Press website (pretty reasonable as far as I am in a large network of a students’ dorm)
- The hacker recognizes that I am requesting the website
- When the server
- I press “Yes, I confirm my payment”. My data gets transmitted to https://secure.ogone.com/ncol/prod/order_Agree.asp, which is perfectly fine, because that page is served over https and is therefore TLS-secured.
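As an added example (not code from the original post, nor from IOS Press or Ogone), here is a small Python audit that checks a checkout page for the two issues described above: the page itself not being delivered over HTTPS (Issue #1), and mixed content, i.e. subresources pulled over plain HTTP into a page that claims to be secure (Issue #2). It goes slightly beyond the post by also checking the form's `action` URL and the `Strict-Transport-Security` header, since a merchant fixing Issue #1 would want both. The page URL, response headers and HTML below are constructed placeholders, not the real IOS Press or Ogone markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample (assumption): a checkout page as a merchant's server might
# deliver it. The hostnames are placeholders, not IOS Press's or Ogone's.
SAMPLE_PAGE_URL = "http://shop.example.test/checkout"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/style.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<form method="POST" action="https://secure.example.test/pay">
  <input name="cardnumber"> <input type="submit" value="Yes, I confirm my payment">
</form>
<img src="//static.example.test/logo.png">
<iframe src="http://ads.example.test/banner"></iframe>
</body></html>
"""

# Constructed "after the fix" variant: same page served over HTTPS, with HSTS,
# and every embedded resource on HTTPS as well.
HARDENED_PAGE_URL = "https://shop.example.test/checkout"
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HARDENED_HTML = SAMPLE_HTML.replace("http://", "https://").replace('src="//', 'src="https://')


class _ResourceCollector(HTMLParser):
    """Collects subresource URLs and form actions, resolved against the page URL."""

    # Tag -> attribute that carries the URL of embedded (active or passive) content.
    URL_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.subresources = []   # list of (tag, absolute URL) in document order
        self.form_actions = []   # absolute URLs the card data would be POSTed to

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "form":
            # A form without an action posts back to the page URL itself.
            self.form_actions.append(urljoin(self.base_url, attr_map.get("action") or ""))
            return
        attr = self.URL_ATTRS.get(tag)
        if attr and attr_map.get(attr):
            # urljoin also resolves scheme-relative "//host/path" references, which
            # silently inherit the page's scheme: on an http:// page they become http://.
            self.subresources.append((tag, urljoin(self.base_url, attr_map[attr])))


def audit_checkout_page(page_url, headers, html):
    """Return a list of findings; an empty list means no transport problem was found."""
    findings = []
    page_is_https = urlparse(page_url).scheme == "https"

    # Issue #1: the page carrying the card form is delivered in plain text, so an
    # on-path observer can read the form and whatever the browser sends back.
    if not page_is_https:
        findings.append("page-not-https")

    collector = _ResourceCollector(page_url)
    collector.feed(html)

    # Issue #2: mixed content. A resource fetched over HTTP can be read or replaced
    # on the path, and a replaced script runs with the secure page's authority.
    for tag, url in collector.subresources:
        if urlparse(url).scheme != "https":
            findings.append(f"mixed-content:{tag}:{url}")

    # The form action must be HTTPS, otherwise the card number itself travels in clear.
    for action in collector.form_actions:
        if urlparse(action).scheme != "https":
            findings.append(f"form-action-not-https:{action}")

    # HSTS tells returning browsers never to load this host over HTTP again.
    lower_headers = {k.lower(): v for k, v in headers.items()}
    if page_is_https and "strict-transport-security" not in lower_headers:
        findings.append("missing-hsts")

    return findings


def safe_to_enter_card_data(page_url, headers, html):
    """True only if the audit found nothing to object to."""
    return not audit_checkout_page(page_url, headers, html)


if __name__ == "__main__":
    for label, args in (("original", (SAMPLE_PAGE_URL, SAMPLE_HEADERS, SAMPLE_HTML)),
                        ("hardened", (HARDENED_PAGE_URL, HARDENED_HEADERS, HARDENED_HTML))):
        print(label, audit_checkout_page(*args) or "no findings")
```

Note that the sample page's form action is already HTTPS, exactly as in the post, and the audit still flags the page: a secure `action` buys nothing when the HTML that contains it arrived over HTTP, because whoever can read that HTML can also rewrite it before the browser renders it.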