Credit Card authorization from FC3

Brian Fahrlander brian at fahrlander.net
Wed Mar 2 16:59:37 UTC 2005


On Wed, 2005-03-02 at 11:23 -0500, AragonX wrote:

> You could always trust your customers and just let them run over and pay
> the balance when they are finished.  If I remember correctly, Kinkos
> required me to pay in advance.  I just put more money on the card than I
> thought I would need.

    Yeah, but then we burden the store with another task, so they'll
want a cut of the money.  If I can find the technology that will work
this way, I want to keep it simple.

> The problem is your customers.  They will have physical access to a
> general purpose machine.  These types of machines are a little more
> difficult to secure.  Gaining root access to a machine is much easier when
> you are local.

   Yeah, I'm aware of that; the machine will have a lock on the box, the
box (and monitor) will be secured to the table, and ctrl-alt-delete will
be re-mapped, the virtual terminals will be disabled, and the
reset/power switches out of reach, with grub using no delay to boot.
(Pardon the pun) I'll also look at the perms for the console with an eye
to removing special privileges.

    These are just off the top of my head, but did I forget anything?

> Imagine I am a customer who wants to steal credit card information.  My
> only major challenge with your system would be to gain root access.  Then
> I setup a network traffic sniffer and harvest everyone's credit card
> information.  I can then come back later to retrieve the data I've
> collected.

    Sure.  If you can interpret the encrypted link to the server, you've
paid a great deal of money already to get that far.  :)  Actually, this
shouldn't be very easy to do...

> I also have other options.  I could try to compromise the server storing
> the data.  I could access all the other clients and install a program
> locally.  I could charge the card as soon as it's entered...

    Right; that's why it's built like Fort Knox. But that'd be just like
hackers hitting on any other internet box; access to this machine
doesn't offer any help.

> Like I said, if you use this method, you should spend a good amount of
> time checking logs and network traffic.

    Like a hawk, yeah.

> Security seems to be where my job is heading.  I'm not sure I like it, but
> I don't have much of a choice.  lol

    Yeah, the number of malcontents by virtue of the MS operating
systems has never been larger.  Just about everyone at every point has
to be security-aware now...

-- 
------------------------------------------------------------------------
Brian Fahrländer                 Christian, Conservative, and Technomad
Evansville, IN                                http://www.fahrlander.net 
ICQ: 5119262                                          AIM: WheelDweller
------------------------------------------------------------------------
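The lock-down list above (ctrl-alt-delete re-mapped, spare virtual terminals disabled, grub booting with no delay) is the kind of thing that drifts after an update, so it is worth having a check that can be re-run on the kiosk. The script below is an added example, not something from this thread; it assumes the FC3-era layout of sysvinit (`/etc/inittab`) and grub legacy (`/boot/grub/grub.conf`), and the two sample config files it audits are constructed inline so it runs anywhere. It does not cover the physical controls or the console permission file, which are separate.

```shell
#!/bin/sh
# Kiosk lock-down audit for a sysvinit / grub-legacy box (FC3 era).
# Added example, not from the original thread. Paths are passed in so the
# checks can run against copies; on a real box they would be
# /etc/inittab and /boot/grub/grub.conf.

# Return 0 when no active ctrlaltdel action remains in inittab
# (a commented-out "#ca::ctrlaltdel:..." line does not count as active).
check_ctrlaltdel_disabled() {
    if grep -E '^[^#]*:ctrlaltdel:' "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the number of active getty entries, i.e. virtual terminals that
# still offer a login prompt.
count_active_gettys() {
    grep -E '^[^#]*:respawn:.*getty' "$1" | wc -l | tr -d ' '
}

# Return 0 when grub.conf has timeout=0, leaving no window at boot to
# edit kernel arguments.
check_grub_no_delay() {
    grep -E '^[[:space:]]*timeout[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1" >/dev/null 2>&1
}

# Run every check against the given inittab and grub.conf, print a report
# and return the number of failed checks (0 means fully locked down).
# Assumption: one getty is tolerated (e.g. tty1 kept for local admin).
audit_kiosk() {
    inittab="$1"; grubconf="$2"; failed=0
    if check_ctrlaltdel_disabled "$inittab"; then
        echo "OK   ctrl-alt-delete action disabled"
    else
        echo "FAIL ctrl-alt-delete still triggers a reboot"; failed=$((failed+1))
    fi
    gettys=$(count_active_gettys "$inittab")
    if [ "$gettys" -le 1 ]; then
        echo "OK   $gettys getty entries active"
    else
        echo "FAIL $gettys getty entries active (spare virtual terminals open)"; failed=$((failed+1))
    fi
    if check_grub_no_delay "$grubconf"; then
        echo "OK   grub timeout is 0"
    else
        echo "FAIL grub timeout is not 0"; failed=$((failed+1))
    fi
    return $failed
}

# Constructed sample files in the FC3 layout (not copied from a real box).
TMPDIR_K=$(mktemp -d)
trap 'rm -rf "$TMPDIR_K"' EXIT
UNHARDENED_INITTAB="$TMPDIR_K/inittab.before"
HARDENED_INITTAB="$TMPDIR_K/inittab.after"
UNHARDENED_GRUB="$TMPDIR_K/grub.conf.before"
HARDENED_GRUB="$TMPDIR_K/grub.conf.after"

printf '%s\n' 'id:5:initdefault:' \
    'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' \
    '1:2345:respawn:/sbin/mingetty tty1' \
    '2:2345:respawn:/sbin/mingetty tty2' \
    '3:2345:respawn:/sbin/mingetty tty3' \
    'x:5:respawn:/etc/X11/prefdm -nodaemon' > "$UNHARDENED_INITTAB"

printf '%s\n' 'id:5:initdefault:' \
    '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now' \
    '1:2345:respawn:/sbin/mingetty tty1' \
    '#2:2345:respawn:/sbin/mingetty tty2' \
    '#3:2345:respawn:/sbin/mingetty tty3' \
    'x:5:respawn:/etc/X11/prefdm -nodaemon' > "$HARDENED_INITTAB"

printf '%s\n' 'default=0' 'timeout=5' > "$UNHARDENED_GRUB"
printf '%s\n' 'default=0' 'timeout=0' > "$HARDENED_GRUB"

echo "== before lock-down =="
audit_kiosk "$UNHARDENED_INITTAB" "$UNHARDENED_GRUB"
echo "== after lock-down =="
audit_kiosk "$HARDENED_INITTAB" "$HARDENED_GRUB"
```

Run it as-is to see the before/after report, or point `audit_kiosk` at the live files (as root) from a cron job so any change to these settings shows up in the logs that are being watched anyway.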