IOS Press is a publishing house headquartered in Amsterdam, specialising in the publication of journals and books related to fields of scientific, technical, and medical research (via Wikipedia). It publishes papers as ebooks and hardcopies in the fields of bio chemistry, medicine, natural sciences and computer science.
I just wanted to buy an academic book and wanted to pay using a credit card. So I went through the dialog entering my personal data. Then the “Secure payment” link was provided.
IOS Press Secure Payment dialog
So this website is loading. As every reasonable internet user, I am checking that my credit card information is not transmitted in plain text over the internet so every internet user can eavesdrop it.
IOS Press Secure Payment offers no TLS certificate
Whoops? No TLS certificate is provided by the server (sorry for French language settings); hence the whole website communication is neither encrypted nor signed (Issue #1). Everybody in the hops between my computer and the server by IOS Press will be able to read my credit card data.
IOS press payment option’s security properties
Okay, let’s see who is responsible for the payment service. This is the ogone service by Ingenico Payment Services.
The security link below the ingenico link yields a website advertising the security of ogone e-Commerce solutions. I cannot provide you a permalink as far as only a parameterized link gets accepted by the server.
Ogone e-Commerce is a secure payment system designed and managed by Ogone.
At Ogone, the security of your payments is our prime concern. Our team of specialists keeps itself informed of the latest developments in the field, to provide you with a safe, reliable system.
The “Ogone Security Charter” states
Ogone undertakes to implement the following security measures:
Our servers are protected by firewalls, access to our databases is strictly controlled, and sensitive information is encrypted.
All sensitive information collected by Ogone on the Internet is encrypted in accordance with the 128-bit SSL standard, bank grade.
No-one can access the Ogone payment pages unless they are connected in secure mode.
Your credit card number is sent only to the financial body making the transaction.
Communication with financial institutions is carried out in accordance with the transmission and security protocols set and certified by the institutions themselves.
Ensuring the security of cardholders’ data is one of the main priorities of the online payment sector. Therefore, in 2004, Visa and MasterCard created the Payment Card Industry Data Security Standard (PCI-DSS), specifying a series of requirements and procedures aimed at ensuring that cardholders’ sensitive data remains secure at all times.
Ogone is certified as AIS, SDP and PCI-DSS compliant.
Followingly the website shows two screenshots. The first one is security alert #1 and the second is security alert #2. Underneath it claims
On some browsers, this window can seem a little intimidating, but it just means that you are about to enter a secure site.
It is actually reassuring, because your financial information is collected from this site.
Even if some items are non-secure, you can enter your information safely, as the main page is secure.
So Ogone, you are telling me you are incapable of providing a payment form which only loads website components from trusted sources? (Issue #2) Actually I don’t care that much about that issue, because the website I am using does not have this issue. But I cannot take Ingenico serious stating that the security of your payments is our prime concern
if they underrate the security implications.
And IOS Press, you are selling ebooks in the field of computer security?!
Attack vector in detail
For the more technically advanced readers, I want to provide the attack vector I am talking about:
- The hacker recognizes that I am visiting the IOS Press website (pretty reasonable as far as I am in a large network of a students’ dorm)
- The hacker recognizes that I am requesting the website
http://ebooks.iospress.nl/Cart/CheckoutWithProvider. - When the server
ebooks.iospress.nlresponds with the “Secure payment form”, the hacker injects malicious javascript. - (Issue #3:) Leaving the website besides the injection untouched, Google Analytics (Javascript at line 253 in the source code) is loaded. Hence Google now knows that I am buying products at IOS Press. My ghostery plugin blocks that (thank you!), but for most customers this information will be shared.
- As I type, the hacker’s javascript logs all the characters I am typing and sends them to a malicious server. In conclusion the malicious server stores all my credit card data.
- I press “Yes, I confirm my payment”. My data gets transmitted to
https://secure.ogone.com/ncol/prod/order_Agree.aspwhich is perfectly fine, because of https this website is TLS-secured.