Confidential information sent to PinPay.net and SoftCard.biz is exposed
Technorati Tag: Security Breach
UPDATED INFORMATION: The PinPay and SoftCard sites have been modified to no longer accept personal information. Please see comments from the company in the "Comments" section below.
Date Reported:
4/29/08
Organization:
ACAP Security Inc.
Contractor/Consultant/Branch:
PinPay
SoftCard
Victims:
Merchants, Agents and customers
Number Affected:
Unknown
Types of Data:
Name, mailing address, phone number, email address, date of birth, city of birth, sex, and one or more of the following (chosen from drop-down):
- Passport
- Voting ID card
- PAN card
- Driving License card
- Government issued ID card
- Social Security Card
- Military ID card
- Consular ID card
- Postal ID card
- Government Employee ID Card
- Credit Card
- Debit Card
Breach Description:
ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store." The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.
Reference URL:
Merchant 911 Blog
Report Credit:
Tom Mahoney, the Founder and Director of Merchant 911
Response:
From the online source cited above and my own cursory investigation:
Back in January, I had a short email dialog with a Kip Long, who claimed to be one of the principals of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.
Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.
The company uses PinPay to process transactions, and both companies are part of ACAP Security, Inc.
I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.
Their insecure sign-up form was requesting “Identity Card Numbers” and issue dates.
[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure. Neither are their respective login pages.
“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card.
The form also requires a full name and DOB.
I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.
The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.
If a company official can’t use his company’s domain for email, I’m not going to talk to him.
I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
[Evan] I also sent emails and heard nothing in return.
I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
[Evan] My advice would be to NOT fill out the form and NOT conduct business with a company that has not demonstrated a willingness to secure your information.
Commentary:
Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago. I've been a little busy lately, but was finally able to check it out. Let me recap what I found.
First, let's go to www.softcard.biz. This is the site that Tom originally pointed out to me.

The flash home page forwards visitors to a static index (indexaa.html) page. The first paragraph on the page informs visitors about PinPay.
"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."

See where the page says, "Register for your FREE card HERE!!"? This is a link to the sign-up page that Tom was referring to.

No "https" in the URL. Tom was right on that. The sign-up form asks for personal information ranging from name and address to identity card information (even information for a "Second Identity Card").

The "Select Identity Card" drop-down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card.

SoftCard (or PinPay or ACAP Security) is asking for some very sensitive personal information! First, this is quite a bit more information than they need to approve a person for a "PINPAY SoftCard". Second, no encryption?! Third, who are ACAP/SoftCard/PinPay, and what will they do to secure my information once they have it, supposing it wasn't intercepted on the way to them?
Let's dig up a little (public) information about ACAP Security. According to Entrepreneur.com, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network. ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information - network addresses, applications and ports, as well as the confidential data content". Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption.
I want to discuss, in particular, the risk of sending confidential private information over a public network such as the internet without encryption. This is not a new topic, but I will take some time to demonstrate the risk.
In order for my information to be compromised, someone (or something) will need to capture the traffic. In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server). My information doesn't travel directly from my computer to the server. There are intermediaries (routers, switches, firewalls, etc.) that have to get (or forward) my information from my computer to the server.

As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and www.softcard.biz. The final few hops are not reported due to filtering. So where could my traffic be captured? At the very least:
- Between my computer and my router (or firewall)
- Between my firewall and the ISP hand-off
- Between all the traversed devices within my ISP's network
- Between all the traversed devices through the internet
- Between all the traversed devices within the destination ISP's network
- Between all the traversed devices within the destination organization's network and the server itself.
txtfname=Billy&txtmname=J&txtlname=Madison&txtaddress=123+Main+Street&txtcity=Anywhere&
txtstate=MA&txtzip=87451&txtcountry=United+States&mob_phone=NONE&txtphone=18006218200&
txtemail=&txtdob=04%2F20%2F1988&txtbirthcity=Boston&
txtbirthcountry=United+States&txtgender=M&identity1=Social+Security+Card&txtcardno1=123-45-6789&
txtissuedate1=04%2F20%2F1988&identity2=Driving+License+card&txtcardno2=M-1234567890&
txtissuedate2=04%2F20%2F2006&submit=Accept+Card+Agreement-Submit
This is a very simplistic demonstration of why it is important to encrypt sensitive information. If the communication had been encrypted, none of the data would have been visible without access to the private key.
We could go deeper into the server application and SQL, but I think that this is enough.
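As an added example (not code from the original post), here is the kind of check a defender would run over a captured plaintext request body like the one above, whether from a packet capture or a proxy log: it parses the URL-encoded form, flags the fields that carry personal data, and pairs each identity-card selector with its number field so the report names the document type. The sample body and the regex patterns are constructed for this example; the field names follow the captured submission.

```python
"""Flag PII fields in a captured plaintext HTTP form submission.

Added example, not from the original post: the regexes and SAMPLE_BODY are
constructed; the field names follow the captured submission above.
"""

import re
from urllib.parse import parse_qs

# Constructed sample body; field names match the captured submission above.
SAMPLE_BODY = (
    "txtfname=Billy&txtmname=J&txtlname=Madison&txtaddress=123+Main+Street&"
    "txtcity=Anywhere&txtstate=MA&txtzip=87451&txtcountry=United+States&"
    "mob_phone=NONE&txtphone=18006218200&txtemail=&txtdob=04%2F20%2F1988&"
    "txtbirthcity=Boston&txtbirthcountry=United+States&txtgender=M&"
    "identity1=Social+Security+Card&txtcardno1=123-45-6789&"
    "txtissuedate1=04%2F20%2F1988&identity2=Driving+License+card&"
    "txtcardno2=M-1234567890&txtissuedate2=04%2F20%2F2006&"
    "submit=Accept+Card+Agreement-Submit"
)

# Value shapes that indicate PII whatever the field is called.
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "date": re.compile(r"^\d{2}/\d{2}/\d{4}$"),
    "phone": re.compile(r"^\+?\d{10,15}$"),
}
# Field-name fragments from the captured form that always hold PII.
NAME_HINTS = ("dob", "cardno", "issuedate", "phone", "address")

def classify_fields(body: str) -> dict:
    """Return {field: reason}; an identityN selector names the document type
    of the paired txtcardnoN value (e.g. 'social security')."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = {}
    for name, value in fields.items():
        if not value or value == "NONE":
            continue  # empty or placeholder values carry nothing
        for label, rx in PATTERNS.items():
            if rx.match(value):
                findings[name] = label
                break
        else:
            if any(hint in name.lower() for hint in NAME_HINTS):
                findings[name] = "pii-field"
    # Promote txtcardnoN from a generic finding to the selected document type.
    for name, value in fields.items():
        m = re.match(r"identity(\d+)$", name)
        if m and f"txtcardno{m.group(1)}" in findings:
            findings[f"txtcardno{m.group(1)}"] = value.lower().replace(" card", "")
    return findings

def mask(value: str) -> str:
    """Keep only the last four characters so a report does not re-expose data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

if __name__ == "__main__":
    fields = {k: v[0] for k, v in parse_qs(SAMPLE_BODY).items()}
    for field, reason in classify_fields(SAMPLE_BODY).items():
        print(f"{field:14} {reason:16} {mask(fields[field])}")
```

Run against the sample body it reports seven fields, with the SSN and driving-licence numbers labelled by document type and every value masked to its last four characters.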
A Quote from the ACAP Security CEO:
“The right of privacy is a fundamental and very important right of American society. A right our Nation’s founders fought the American Revolution to obtain and a right many brave American soldiers have fought and continue to fight and die to preserve. As this Nation continues to advance into cyberspace, we have expanded the right of privacy to include the right to electronic privacy. The elements of cyber-crime and cyber-vulnerabilities have begun to seriously erode and destroy this important right of electronic privacy.”
Past Breaches:
Unknown
Thank you for drawing attention to these web forms that were copied to a marketing site in error. Mr. Long is not a principal of the company, but is evidently an outside agent who will be marketing the product when it becomes available. Compliance and regulation are the key final issues being addressed before the final (secure) site is made public. We would welcome "the Breach Blog" contributors to fully inspect and comment on the SoftCard/PinPay system and its security when it is finally released.
Note: We do write our own security certificates, so the certificate will need to be installed as "trusted".
To see the current corrected (non SSL) pages please visit
http://www.pinpay.net/agent_application.php
http://www.pinpay.net/merchant_acc_application.php
http://www.softcard.biz/cardholder_registration.php
PinPay is regulated by the United States Treasury, and operates as a money service business under license and certification.
Thank you again for drawing attention to this error.
Ian Clyne,
CTO, ACAP Security Inc
Also contact
Glenn Gearhart,
CEO, ACAP Security Inc
for further information, call (714) 843 0099
Thank you for your honest and well articulated response. I wish more companies were as open as you have been.
The sites are corrected as you state in your response, and I look forward to your production launch.
Thank you for taking care of this.
- Evan
The PinPay Company is not open for business as of May 28, 2008. They are not issuing any soft cards nor taking any customers. As I understand it, the websites that are up now are only for educational purposes, for training their potential sales representatives, not for active business. I have been told the ready-for-business website will be very secure once the company goes into business. I feel sure the company leadership would welcome any evaluation by your experts of the actual very secure PinPay website once it is placed online. I know that the owner Glenn Gearhart is an attorney who has been registered and in good standing with the California Bar Association for about thirty years as a securities lawyer and that the company is certified with the United States Treasury and has obtained its license as a money service business. You may reach the leaders of the company in America at .
I agree with you. I respect the company leadership for their quick response to the original post. Other companies could stand to learn from the way PinPay handled this situation.
Do you know if anyone actually completed the online form and submitted their personal information?
- Evan