
sotied

macrumors regular
Original poster
Apr 12, 2003
116
0
Boston
I've just gotten taken for $107 by someone who grabbed my info from my iBook while I was surfing at either Panera or while I was Wijacking on someone's network.

They were able to grab my credit card info as well as all my personal stuff (likely with a sniffer that just soaked up a form I was using to buy stuff online).

I need to know what can I do to protect myself in the future.

I'm running 10.39. iBook 1.2. Safari is my browser. Mail is my mail app.

Is there a simple encryption preference I can set so this won't happen again?

Thanks,

Jeff
 

Applespider

macrumors G4
Safest way to protect yourself is not to carry out secure transactions while on a public wifi system. There was a recent article about people hijacking wifi hotspots by cloning the hotspot's ID on their laptop so they could watch all the traffic.

You can encrypt stuff that's using VPN and tunnels back to another computer but I'm not sure how you'd do it generically with the web. Would be interested to find out.
 

Blurg

Guest
May 3, 2005
49
0
Even with encryption, I still wouldn't suggest doing anything even remotely private in a public wireless hotspot, especially credit card transactions. The signals you send out can be heard by any computer within range, and encryption can be broken.
 

varmit

macrumors 68000
Aug 5, 2003
1,830
0
How are you sure that it was stolen over the Wireless? Because my mom doesn't even use the computer to buy stuff and she had her credit card stolen and used to register a domain and xbox subscription. There are many different ways to do it other than waiting and hoping that someone buys something while using their computer near you at a public Wifi.

And also, I would not be using public Wifi, or someone else's unprotected Wifi, to make purchases over the internet.
 

sotied

macrumors regular
Original poster
Apr 12, 2003
116
0
Boston
Not quite positive....but I know my risky behavior

varmit said:
How are you sure that it was stolen over the Wireless? Because my mom doesn't even use the computer to buy stuff and she had her credit card stolen and used to register a domain and xbox subscription. There are many different ways to do it other than waiting and hoping that someone buys something while using their computer near you at a public Wifi.

And also, I would not be using public Wifi, or someone else's unprotected Wifi, to make purchases over the internet.

I'm inclined to think it came from some Wijacking session while in my car parked on Newbury Street in Boston or while waiting for my girlfriend to finish work while on the streets of Portsmouth, NH, or maybe while I bogarted some wireless while on Sanibel Island, FL this spring.

Yes, it could have come from the caddies at the Dominican resort I was at in April or it could have been some schmoe with a police scanner listening to me order stuff on my cordless phone.

BUT, I do buy most of my stuff via the Web. I do punch in my info and let it fly freely over the airwaves. And that's probably my trouble.

I wish there were an encryption standard that would stop sniffers from grabbing my info, and I also wish Verizon would hurry up and put their network up in Metro Boston as I think I'd be more protected using their Wifi than I am piggybacking on someone else's.

A side note. I bought the Canary WiFi Hotspotter and it is the BOMB. It's great for finding an unprotected network and has yet to be wrong. Not that I'll be using it. From now on I'll break into government and collegiate buildings and plug in my ethernet cable....but maybe that's not safe either.

Stupid Internet.

Jeff
 

Applespider

macrumors G4
sotied said:
Yes, it could have come from the caddies at the Dominican resort I was at in April or it could have been some schmoe with a police scanner listening to me order stuff on my cordless phone.

I'd blame the low-tech method first of all. It's so much easier/quicker to skim credit cards when you let them out of your sight at a restaurant/resort etc than it is to hang around a hotspot on the off chance that someone will use a credit card online.

I mean if you were a crook, which would you do? Set up a few waiters/caddies with skimmer and get hundreds of credit card details a week which you can use online or rip onto blank cards and use in person (with any signature) so you can take the goods immediately. Or hang around a hotspot to get a few cards if you're lucky.

Do you shred your bills? Could someone have grabbed a bill/receipt from your trash?
 

mad jew

Moderator emeritus
Apr 3, 2004
32,191
9
Adelaide, Australia
Applespider said:
I mean if you were a crook, which would you do? Set up a few waiters/caddies with skimmer and get hundreds of credit card details a week which you can use online or rip onto blank cards and use in person (with any signature) so you can take the goods immediately. Or hang around a hotspot to get a few cards if you're lucky.


Waaaay too much insight there Applespider. ;)

For the ignorant among us (me :p ), would turning off filesharing help in foiling the evil plights of the wijacker? Or should that be wacker?
 

Sweetfeld28

macrumors 65816
Feb 10, 2003
1,489
29
Buckeye Country, O-H
Did/Do you have your firewall turned on?
 


12ibookg4

macrumors regular
Dec 22, 2003
199
0
On almost every site where you can use a credit card, your session will be encrypted with SSL. You can tell if the web site where you are entering your card info is secure by looking at the URL; it should be https:// instead of just http. Also, there will be a padlock in the corner of the browser window if you are on a secure page.
Although it is possible that someone posed as a free wifi spot but directed you to false pages where your card info was collected.
 

superbovine

macrumors 68030
Nov 7, 2003
2,872
0
kingjr3 said:
Assuming that you were using your credit card over SSL, I would find it extremely difficult to imagine that someone actually sniffed and cracked the SSL keys. See http://www.inet2000.com/public/encryption.htm


I'm with Applespider, there are many other creative ways to acquire credit card numbers. Trash, mail, receipt, or over the shoulder wandering eyes being the easiest.

FYI:
http://naughty.monkey.org/~dugsong/dsniff/
http://crypto.stanford.edu/~eujin/sslsniffer/
http://ettercap.sourceforge.net/
http://www.thoughtcrime.org/ie.html

I agree with you though. The weakest link in credit card security is the human link, and a low tech way would be a lot easier to do.
 

aswitcher

macrumors 603
Oct 8, 2003
5,338
14
Canberra OZ
12ibookg4 said:
On almost every site where you can use a credit card, your session will be encrypted with SSL. You can tell if the web site where you are entering your card info is secure by looking at the URL; it should be https:// instead of just http. Also, there will be a padlock in the corner of the browser window if you are on a secure page.
Although it is possible that someone posed as a free wifi spot but directed you to false pages where your card info was collected.

Agreed.

Also make sure your email has the SSL enabled.
 

Agathon

macrumors 6502a
Jan 19, 2004
722
80
People are lax about this sort of thing.

Sitting at my coffee table with my PowerBook, I notice that the guy across the way has left his wireless network open to anyone. I could get on and download goat porn if I wanted to.

I will have a word with him next time I see him.
 

DeSnousa

macrumors 68000
Jan 20, 2005
1,616
0
Brisbane, Australia
CanadaRAM said:
LOL.
"I steal bandwidth wherever I can by jumping on unprotected wireless networks. The schmoes have it coming to them if they don't secure their net. But someone jacked my card number. Wah."

What is with that? Someone has a network not protected which I can access the net through. I don't use the connection though because I have morals.
 

sotied

macrumors regular
Original poster
Apr 12, 2003
116
0
Boston
Wijacking/Firewalls/Unprotected Chex

Ok. Here are a few answers and a comment.

Yes - firewall was on.
No - I don't share well with others, so my sharing was all off.
Yes - since it was a one-time thing (card has been cancelled and the charge took place in the smack, dab middle of my billing cycle) it was most likely a person at the resort.
Yes - I do Wijack a bit, but I never said it was nice or right or my right to do so. I'm still surprised though, that I can drive into downtown Boston and grab Wifi from NINE places while parked on Federal Street in the Financial District. Makes you wonder about the brilliant minds installing and maintaining networks at this nation's financial institutions.
No - I don't have a shredder, but my trash is picked up by a truck early on Thursday AM and since I have to run out to catch the guy each week, my trash sits in my room/office until five minutes before he comes. I also keep all my statements for too many years.
*I have started paying all my bills online.
*I have been using my card a lot more this year than ever before because I get points for purchases.
*I have noticed that some places STILL print out receipts that show the full CC number.

The thing that burns me with this issue is that the card that was stolen wouldn't even let me use it on a poker site and then they let some unknown use it on an online gaming site.

AND, what burns me even more is the company that allowed the charge (IGE.COM) won't give me any info about "MY" account so I can try and track the dirtbag down who used my card. All the info is mine except for an email address the guy (or girl) used to access their site.

Where's the justice?

Jeff
 

Foniks Munkee

macrumors member
May 15, 2005
38
0
You know, there is such a thing as credit card number generators. The credit card numbers we receive are based on a very simple algorithm (Mod 10). You may have been unlucky and they hit your number - I've seen ones (when investigating internet fraud on an e-commerce site I was responsible for), that generated the number, expiry and cvs number.

The customer was upset because she had never even used the internet (this was in 1998) - and couldn't understand why or how it had been used on our website. Of course, the reality is, the person who used the number had simply generated a random number based on a few parameters (card type for one) and kept trying until one worked. It just happened to be her number. Not much you can do about it.

Of course as the others have already said always use encryption where possible.

[EDIT] By the way, the CVS numbers that were generated were not "real" - I think they are numbers set by the merchant, but in Australia and in many other countries, they are not used, or used everywhere.
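
The Mod 10 point in the post above, seen from the merchant's side, as an added example that is not part of the original post: the checksum only catches typing errors, so the useful control is spotting a client that tries many different cards and is mostly declined. The log format, field names, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

def luhn_valid(pan: str) -> bool:
    """Mod 10 check. It catches typing errors only: for any 15-digit body,
    exactly one of the ten possible check digits passes."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for pos, d in enumerate(reversed(digits)):
        if pos % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Constructed sample log: client address, card token (never the raw number), result.
SAMPLE_LOG = """\
client=203.0.113.7 card=tok_01 result=DECLINED
client=203.0.113.7 card=tok_02 result=DECLINED
client=198.51.100.20 card=tok_90 result=APPROVED
client=203.0.113.7 card=tok_03 result=DECLINED
client=203.0.113.7 card=tok_04 result=DECLINED
client=198.51.100.20 card=tok_90 result=APPROVED
client=203.0.113.7 card=tok_05 result=APPROVED
client=198.51.100.31 card=tok_77 result=DECLINED
client=198.51.100.31 card=tok_77 result=APPROVED
"""

def find_card_testing(log: str, min_cards: int = 4, min_decline_ratio: float = 0.6):
    """Return clients that tried many distinct cards with mostly declines."""
    cards = defaultdict(set)
    attempts = defaultdict(int)
    declines = defaultdict(int)
    for line in log.splitlines():
        fields = dict(part.split("=", 1) for part in line.split())
        client = fields["client"]
        cards[client].add(fields["card"])
        attempts[client] += 1
        declines[client] += fields["result"] == "DECLINED"
    return sorted(
        c for c in cards
        if len(cards[c]) >= min_cards and declines[c] / attempts[c] >= min_decline_ratio
    )

if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))   # widely published test number
    print(find_card_testing(SAMPLE_LOG))
```

A customer who mistypes one card and retries (198.51.100.31 in the sample) stays under the distinct-card threshold, so only the client cycling through five cards is flagged.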
 

sotied

macrumors regular
Original poster
Apr 12, 2003
116
0
Boston
Generator? Don't think so

Foniks Munkee said:
You know, there is such a thing as credit card number generators. The credit card numbers we receive are based on a very simple algorithm (Mod 10). You may have been unlucky and they hit your number - I've seen ones (when investigating internet fraud on an e-commerce site I was responsible for), that generated the number, expiry and cvs number.

The customer was upset because she had never even used the internet (this was in 1998) - and couldn't understand why or how it had been used on our website. Of course, the reality is, the person who used the number had simply generated a random number based on a few parameters (card type for one) and kept trying until one worked. It just happened to be her number. Not much you can do about it.

Of course as the others have already said always use encryption where possible.

[EDIT] By the way, the CVS numbers that were generated were not "real" - I think they are numbers set by the merchant, but in Australia and in many other countries, they are not used, or used everywhere.


I don't think that would work because they had my name, address AND cell phone number. All the items I typically enter when buying stuff online.

Which makes me think more that it was a sniffer or a faux hotspot.

Jeff
 

MrSugar

macrumors 6502a
Jul 28, 2003
614
0
sotied said:
I don't think that would work because they had my name, address AND cell phone number. All the items I typically enter when buying stuff online.

Which makes me think more that it was a sniffer or a faux hotspot.

Jeff

Did you get your money refunded over a dispute?

I have had erroneous charges too. Netzero charged me for two months of dial up that I never even knew existed; when I called them about it I couldn't get on the phone with anyone. I disputed, got the money back, canceled the card and went on my way. How did your situation end up?
 

sotied

macrumors regular
Original poster
Apr 12, 2003
116
0
Boston
Not there yet

MrSugar said:
Did you get your money refunded over a dispute?

I have had erroneous charges too. Netzero charged me for two months of dial up that I never even knew existed; when I called them about it I couldn't get on the phone with anyone. I disputed, got the money back, canceled the card and went on my way. How did your situation end up?

It's not resolved yet because I'm waiting on IGE.COM to refund the money.

I have disputed it with my credit card company and expect that they'll do more of the legwork for me.

BUT, I did get that email address from "my" account with IGE. It's cufmouse@yahoo.com if you would like to send him a nice note.

Thanks for all your input - if it turns out badly (like no resolution) I'll post it again. If it turns out fine, there's no need to clutter the board.

Jeff
 