Michael Horowitz

How safe is ismycreditcardstolen.com? A lesson in pessimism and technology.

July 22, 2011 7:04 PM EDT

I have previously written here that the most important aspect to Defensive Computing is pessimism. Someone who is always on guard and always doubting what they are told, is better protected than a trusting person with lots of security software on their computer.

I bring this up regarding the website ismycreditcardstolen.com, which lets someone enter their credit card information to see if it has been stolen.

At first glance, it seems to be a great pessimism testing site; anyone who enters their credit card information needs a boost of pessimism.

The site seems to be designed for techies wanting to do their non-techie friends a favor by teaching them a lesson in trust. In the words of the site developers "The purpose of this site is to educate users about the dangers of phishing."

And, that's exactly how Steve Gibson and Leo Laporte portrayed it in the July 7th episode of the excellent Security Now podcast. Gibson looked at the underlying HTML and verified that data entered in the site is not transmitted back to any server. Both Gibson and Laporte gave it their seal of approval. I probably would have too. 

The burden of being truly pessimistic fell to podcast listener.

Are you a techie? A pessimist? Take a look at the website and see what Gibson and Laporte missed before reading on...


There are three issues with the website:

1. Gibson and Laporte said more than once that the site was safe because it was from the Anti-Phishing Working Group. This is not true. The site plainly states both on the About page and on the gotcha page that "ismycreditcardstolen.com is not in any way affiliated with the Anti-Phishing Working Group." A surprising oversight.

 
2. My hat is off to the seriously pessimistic Allan Hoiberg in Denmark who pointed out that just because a site is safe today does not mean it will be safe tomorrow.  

It is entirely possible that the site starts out as legit for a few weeks to get publicity. Then, a few times a day, it could well serve up different content that actually does save any entered credit card information. Who would know?

How likely is this? Probably not very likely, but, then again, see point one.

3. Even if the site is 100% legitimate, both now and in the future, that still does not mean that people are safe entering credit card numbers into it. Why? HTTP.

The site only works over the insecure HTTP protocol. It is not available via HTTPS. The safety associated with HTTPS is usually focused on encrypted transmissions. But HTTPS also insures that what was sent is exactly what is received. HTTP doesn't do this.

This means that the HTML sent out by the site could be changed in transit. What your computer receives may not be exactly what was sent. Your computer may receive malicious HTML that transmits the entered data to a bad guy.

As an example of this, there is Newstweek, a small device that injects fake news stories over public WiFi networks. According to Computerworld blogger Darlene Storm

If a device called Newstweek is plugged in at a wireless hotspot, then people connected to that Wi-Fi can have all media content modified, changed or otherwise edited by a hacker who is operating from a remote location.

(more here).

The idea behind ismycreditcardstolen.com is, of course, excellent. If it worked exclusively over HTTPS and it came from a known trustworthy organization it would be a great thing.