# How much private CC info is it possible to intercept...??



## [email protected] (Nov 16, 2004)

*Retired computer consultant*, self-employed for 16 years at it, specialized in hardware but of course had to know software. Most of my clients were businesses with networks, Wifi APs, and separate CC readers.

I've been retired for 14 years now and back when I was much more active doing consulting, the CC readers were on a separate network so I seldom had anything to do with that part of a client's business when I worked on their system.

Nowadays though, a CC/DC reader can be set up in a dedicated Android with one of those swipers, or in a DVD rental box, and either or both can be connected with Cat5 directly to the modem.

These days as I travel around the country, Canada and Mexico, I occasionally help out with the Wifi systems at RV parks as they are often in bad condition. And now I'm here at one where there are two CC readers connected via their own Cat5 links to a CenturyLink Zyxel C1100z model MODEM which serves as a Wifi AP too. It's connected to the internet via DSL. The CC readers don't have their own phone line.

Anyway, I've been helping out advising and configuring when the owner put a stop to every improvement I was trying to make because, "How do I know you're not collecting CC info to pass onto someone else?"

And I have no answer. Of course I don't know of any way, been retired too long plus I'm ethical, and I'm not even sure if it's possible!

I can mention the point of transaction equipment does encrypt and I can't read encrypted data streams but is that a fact?

Is it possible for someone with direct access to a DSL modem to somehow gather CC info traveling through it? And then ship it off? Like a back door approach? I don't believe so, but don't know for sure.

I don't want to know how, I just want some knowledge, maybe a link to a white paper on it, so I can alleviate the owner's fears that I _could_ do something like that. I know I can't, but he isn't sure.

Any business computer systems or CC systems experts around to help?

Thanks! :thumb:


----------



## SpywareDr (Jun 15, 2013)

Payment Tokenization Explained


----------



## Corday (Mar 3, 2010)

IMO you'd have to install malware. That won't help with convincing the owner.


----------



## [email protected] (Nov 16, 2004)

Corday said:


> IMO you'd have to install malware. That won't help with convincing the owner.


Can malware be installed on a business type DSL modem? Managed by the ISP? With their own backdoor setup?

The firmware in the modem is locked and I don't know the key so I can't write my own firmware and substitute it.

Is there another way to insert malware?


----------



## tristar (Aug 12, 2008)

There is no way for you as a tech to collect the CC data and there is no way for the owner to collect this data either after the transaction is completed, unless he is manually storing it through the App, which is illegal in my country, the CC info should not be collected....As mentioned by SDR they work on token systems, so information is only passed through as a token not actual cc/Account information. Hence the Transaction IDs are used for any charge backs or reversals.. Sites store CC info as a matter of convenience, not for an actual requirement..

There are a lot of ways the data can be captured, but the Token is meaningless unless they have the actual phrase/key which will be used to decrypt it, this is highly unlikely.. So even if a packet was trapped in the network through a logger, the data cannot be decrypted..

The hack would have to be performed at the machine/data entry point/POS where the CC information is entered into the system.. For App, a key logger and for hard, something like a skimmer.. and a more creative way would be to actually set up another wireless cam to actually see the CC info..
@Corday / @SpywareDr, if this post has more information than is required, please hash it out..


----------
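The tokenization point made in the posts above, seen from the network side, as an added example that is not part of any post in this thread: a Luhn-based scan of the kind used in cardholder-data discovery finds a card number in a cleartext message but nothing in a tokenized one. The `TokenVault` class, the message layout and the token format are hypothetical, and the card number is a standard test number, not a real account.

```python
import re
import secrets
import string

TEST_PAN = "4111111111111111"  # constructed sample: well-known test number

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13 to 19 consecutive digits, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(payload):
    """Return Luhn-valid card-number candidates found in a payload."""
    return [m for m in PAN_RE.findall(payload) if luhn_ok(m)]

class TokenVault:
    """Hypothetical processor-side vault. The token is random, so it
    carries no information about the card number it stands for."""
    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan):
        token = "tok_" + "".join(
            secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._by_token[token]   # only possible with vault access

def demo():
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    # Constructed sample messages (hypothetical layout)
    cleartext_msg = '{"amount":"12.50","card":"%s"}' % TEST_PAN
    tokenized_msg = '{"amount":"12.50","card":"%s"}' % token
    return (find_pans(cleartext_msg), find_pans(tokenized_msg),
            vault.detokenize(token))

if __name__ == "__main__":
    print(demo())
```
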



## [email protected] (Nov 16, 2004)

Thanks, Tristar. Your explanation goes along with what I was thinking. 

Took a while to digest the information from the link SpywareDr posted about tokens in apps and readers these days and it seems to me that since the data from the card is immediately tokenized in a CC scanning app or scanner, a hacker would have to have a camera to get the card number. And a skimmer + camera for the DVD rental box (which uses older tech). And I believe a skimmer would only be able to gather hackable info from a 'stripe' type card, but not with one of the newer computerized cards. Since the USA is still a long way from completely switching over to computerized cards, small businesses like this one will have to be aware of this kind of thing for a while longer.

Any other thoughts?


----------



## tristar (Aug 12, 2008)

When you say computerized you mean the chip-enabled cards? Skimmers exploit both, they're just a means of recording info & keystrokes, I think you're talking more about the cloning/copying of the card by replacing the strip.... Think of it more like a record of the entire credit card info and logs the keystrokes, that is the reason they're dangerous.. The Chip provides an added security of asking for the PIN at the POS to complete the transaction..

If the hacker is dedicated, he can exploit all means necessary.. However the hack has to be more hands on.. Cannot be done remotely.. Unless the POS is hacked remotely..

In India, any online transaction goes through 2FA, so an OTP is also generated on the user's cell phone which has to be keyed in to Authorize the transaction.. Offline transactions done through the Chip cards require a separate Pin which needs to be keyed in..


----------



## SpywareDr (Jun 15, 2013)

*Krebs on Security* > *All About Skimmers*


?


----------



## [email protected] (Nov 16, 2004)

Well, thanks for the input...I give up though. 

I gathered the info showing there's no way I could steal any CC or DC info from his modem, condensed it and printed it out on one sheet of paper, and he refuses to even read it, and then launches into several stories of how people have gotten their personal SS #'s and CC #'s stolen.

There's just no convincing the guy. So I'm done trying.


----------



## Corday (Mar 3, 2010)

You're 95% right. He's 5%. In this case 5% wins.


----------

