Saturday, April 2nd, 2011 - Pure Hacking
Pure Hacking, the Australian experts in helping organisations protect their information assets earlier this week demonstrated to the cards and payments industry how to think like a hacker. The security specialist outlined the prevalence of security compromises for computer networks, hand held devices, WIFI locations and data held on social media sites. Pure Hacking’s CTO, Ty Miller, confirmed in two simple steps how to use a hacked iPhone to bypass SMS 2-factor authentication to make online retail purchases with stolen information.

“Smart phones, tablet PCs and mobile devices are now being used with online payment and banking networks that require more security than a smartphone generally provides,” he outlined.

“Compromising these devices is relatively simple as most are not patched with security updates on a regular basis and most people are even unaware that an attack has taken place.”

Miller highlighted the two steps required to capture a username and password being typed into the phone, followed by acquiring the highly secure 2-factor SMS token that is used to ensure that the transaction is being made by the owner of the phone and not a hacker.

“A smartphone can be compromised in the same way that a laptop can be compromised through visiting a malicious website. As apps on phones become more sophisticated with features all intent on improving the end user experience, the security to protect this becomes more complex. Inevitably this leads to vulnerabilities being introduced. We can only expect continued increases in mobile security exploits,” Miller continued.

The prevalence of malicious software being installed on networked computers to capture ecommerce usernames and passwords, as well as credit card details remains a concern for the online payments sector.

“There is not one anti-virus system on the marketplace that can ward off a persistent hacker and phishing attack. I cannot emphasise that enough to organisations and consumers that phishing attacks are here to stay. Financial services organisations, retailers and consumers all must share joint responsibility to take the required steps to protect personal data,” he stated.

During digital forensic investigations performed by Pure Hacking, Miller released that the top three most common external attack techniques for compromising online payment systems include SQL Injection, Remote File Inclusion and System Command Injection. Each of these attacks are aimed at exploiting a web-based vulnerability in order to compromise the underlying web server operating system.

“Once a web server has become compromised, the attacker has a foothold to the internal network that allows them to gain unauthorised access to databases. This allows the attacker to compromise usernames, passwords and potentially credit card details,” said Miller.

He concluded, “Internal attacks are also one of the major concerns to ecommerce organisations these days. This is because rogue employees are able to perform much stealthier attacks to gain full access to the online payment environment. The larger successful attacks to perform fraud often originate internally via rogue employees, which maps directly to the ease of exploitation of systems from an internal attack vector”.

File Library

Contact Profile

Pure Hacking

Pure Hacking is Australia’s leading dedicated, vendor-neutral ethical hacking company in Australia. Its sole focus is risk and security. Today it provides secure development services, secure code reviews, penetration testing and training modules to a range of clients throughout the Asia Pacific region.
Cathryn van der Walt
P: 0402 327 633


hack, smartphone, security compromise, SMS 2-factor authentication, 2-factor SMS token, phishing,malicious software, rogue employees



More Formats