23 tweets, 4 min read
<<THREAD>>

A few days ago I requested a rug sample from a cute little online homewares retailer based here in Melbourne. They have really adorable stuff. They responded asking me to provide my credit card details for a security deposit. [1/23] #infosec #opsec
The PDF also requested a bunch of personal identification data such as name, age, and address. They wanted me to fill out the PDF and email it back to them. [2/23]
As the default s̶u̶c̶k̶e̶r̶ sys-admin for my parents and extended family, I've seen them become vulnerable to some pretty nasty phishing attacks and malware in recent years. Heck, I've been a target myself. [3/23]
I'm constantly trying to help them develop their 'sniff test' for suspect interactions. But I'd argue that there's more to be gained by educating businesses on better op-sec than mopping up messes at the individual end. [4/23]
So next time you come across a small business accepting or requesting credit card details on an insecure channel here's just a quick round-up of some of the obvious arguments against this particular practice: [5/23]
To start with the bleeding obvious, we don't share credit card details over unencrypted or insecure channels. Ever. You wouldn't pay for a product on a site without HTTPS. [6/23]
You shouldn't capture credit card details on a Google form (it's against their TOS). Encryption and SSL help us know who's sending, who's receiving, and hashes (scrambles) the information while it's in transit to make sure no one can snoop. [7/23]
Even if your email gets lucky and transits from sender to receiver without incident, that information will likely be stored in perpetuity on the servers of the email client. [8/23]
If you're with Google, for example, that means Google having that information available to them and trusting them not to misuse it or share it, ever. [9/23]
Let's examine the PDF container more closely. Many users, especially digital natives, will likely fill out a PDF using a text annotation tool and type in the details on their computer. [10/23]
In this case you get the plaintext credit card numbers stored in a nice, easy-to-capture format alongside a bunch of additional personal identifiable data. It's a gift to identity thieves. [11/23]
Even in the instance of bothering to print out the PDF, fill out the info by hand, taking a photo and attaching that to the email, it's still insecure because if that data is intercepted, attackers can use their eyeballs. [12/23]
If you're thinking about fraud at-scale, OCR is pretty good these days. [13/23]
Let's say nothing goes wrong at all - you successfully receive your customers' details via email or PDF and there are no negative repercussions. You are still responsible for materially weakening your customers' security. [14/23]
You're essentially grooming them to be comfortable with the insecure transmission of their sensitive data. Put another way, you're teaching them to accept candy from strangers. [15/23]
If they were to provide their details in the same way to an unscrupulous online retailer, for example, they might be at risk of that information being passed on to third parties for identity theft. This is called merchant collusion. [16/23]
And there are lots of nasty ways to snare the unsuspecting online shopper. Other vectors of attack include... [17/23]
Triangulation fraud:
radial.com/insights/under… [18/23]
Site cloning:
abc.net.au/news/2018-07-0… [19/23]
False merchant sites:
trulioo.com/blog/fake-merc… [20/23]
Asking for credit card data capture on insecure channels is also a violation of your credit card merchant agreements. All credit card merchants are required to conform to PCI-DSS, which spells out rules for handling credit card data. [21/23]
If you check the PCI DSS standards, you'll find the following:

"Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.)." (PAN = Primary Account Number) [22/23]
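The practical consequence of tweets 11 and 22 is that a merchant's own mailbox becomes the place where unprotected PANs pile up. The usual defensive control is an outbound/inbound mail filter that spots a PAN before it is stored and masks it down to the first six and last four digits (the most PCI DSS permits to be displayed). The following is an added example written for this thread, not code from the original author or from any PCI DSS publication; it uses only the Python standard library, and the email body and card numbers are constructed sample data (the cards are the industry's well-known test numbers, not real accounts).

```python
import re
from typing import List

# Constructed sample: the sort of reply a customer sends back when asked to
# email a filled-in "security deposit" form. The card numbers are the
# standard Visa/Mastercard test numbers, not real accounts.
SAMPLE_EMAIL = """\
Hi, here are the details you asked for.
Name: Jane Example
Card: 4111 1111 1111 1111
Expiry: 12/27
Order ref: 1234-5678-9012 (that's my order number, not a card)
Backup card 5500-0000-0000-0004
"""

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# and not glued onto a longer run of digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check that
    every real card number satisfies (used to filter out order numbers,
    phone numbers and similar digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit number in text, digits only."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the maximum PCI DSS
    allows to be displayed; everything in between is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Rewrite text with every detected PAN masked, leaving non-PAN digit
    runs (order references, dates) untouched."""
    def _sub(m: "re.Match") -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


def should_quarantine(text: str) -> bool:
    """Mail-gateway style decision: True if the message carries a PAN and
    must not be delivered or stored unprotected."""
    return bool(find_pans(text))


if __name__ == "__main__":
    print("PANs found:", [mask_pan(p) for p in find_pans(SAMPLE_EMAIL)])
    print("quarantine:", should_quarantine(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
```

Run on the sample, the filter flags the two card numbers, leaves the 12-digit order reference alone, and returns a body safe to keep. The Luhn check removes most false positives but not all: any 13-19 digit run that happens to satisfy mod-10 will be flagged, so a production filter usually adds issuer-prefix (BIN) checks and treats a hit as "quarantine and notify", not "silently delete".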
<<FIN>>

Hopefully that's enough ammunition to help convince your online retail friends to get serious about their security procedure. Let's gently retire the PDF credit card capture form, please. [23/23]
Thread by Laura Summers