0

I bought yesterday a flight from an American website. In my country, tickets are too expensive. Therefore, I used a IPVanish VPN to browse the airline website. It appears as if I visited it from New York.

Lower prices, much happiness. However, I paid with credit card and got the flight, but after 6 hours, my card was cloned in the USA and blocked.

I am not sure that my credit card was cloned yesterday. It might have been cloned months ago and by coincidence used yesterday for the first time.

So, I am asking you this question:

I browsed the website and paid all the time through HTTPS. Considering that I was using a VPN, is a "man in the middle" attack possible in this case? Could the data have been sniffed by the VPN provider or by anybody else sniffing the line?

I want to understand whether is it impossible that my credit card data were caught yesterday or there's a small chance.

IMPORTANT EDIT:

Please avoid answers like "are you sure the card was cloned?". We are 100% sure the card was cloned. In fact, what's suspicious is not the ticket purchase (which went fine and did not alert the bank), but a POS transaction in USA of 7USD which occurred 5 hours later. Considering i live in Italy it's impossible for me to physical pay with a POS in USA, so the bank blocked the card and i confirm they did good because i never bought anything for 7USD a 4.00AM on the other side of the world.

Alberto Fontana
  • 103
  • 4
  • You can check this [question](http://security.stackexchange.com/questions/41988/how-does-sslstrip-work) for sniffing https part . – dgn Nov 13 '15 at 13:08
  • HTTPS will not protect you from MITM attack. Only DNSSEC do. – Vilican Nov 13 '15 at 13:34
  • @dgn thanks, but in that question the user "sees" a HTTP connection, while i always saw HTTPS. – Alberto Fontana Nov 13 '15 at 13:37
  • @Vilican So, you confirm that IT IS POSSIBLE that using that VPN caused my card to get cloned? – Alberto Fontana Nov 13 '15 at 13:38
  • 3
    Are you sure that they card was blocked because it really was cloned? It might be simply that they blocked it because the card was used in the USA while you were outside the USA and therefore they assumed that it was cloned. – Steffen Ullrich Nov 13 '15 at 13:57
  • @SteffenUllrich Yes I am sure because my payment went fine and 5 hours later there was a 7USD POS transaction in the USA. POS means that someone used physical card in USA which is impossible because i am in Italy. And the bank immediately blocked the card once they saw that 7USD transaction. The bank said this is pretty common: they clone the card, they test its validity with a small payment and if it goes well, they go with a big payment. – Alberto Fontana Nov 13 '15 at 14:15
  • 1
    @AlbertoFontana: it might also be that the site where you bought the ticket had a data leak. Compromising shops and payment providers is not unusual and I think it is more probable then sniffing data from a HTTPS connection inside a VPN tunnel. – Steffen Ullrich Nov 13 '15 at 14:26
  • @SteffenUllrich So, we're saying: option A: American Airlines website had a data leak and my credit card number was stolen. Option B: somebody hacked one of the server of the VPN i use, for which i pay 10$/mo, and made a DNS MITM attack. Isn't option B the most likely one? – Alberto Fontana Nov 13 '15 at 14:33
  • @AlbertoFontana: I consider the hack of the VPN + HTTPS together highly unlikely, but see my answer for more possibilities what could have happened. – Steffen Ullrich Nov 13 '15 at 14:47
  • @AlbertoFontana I think you're asking the wrong questions. Many things are (strictly speaking) possible. It's possible AA got hacked. It's possible someone broke SSL just for your credit card. It's possible someone stole an AA certificate and MiTMed you. This list goes on forever. Security is often about juggling a lot of unknowns, and finding the most likely scenario. The most likely scenario is the breach has nothing to do with this purchase since it involves the most amount of security. – Steve Sether Nov 13 '15 at 18:51

2 Answers2

6

If you really used proper end-to-end HTTPS then nobody in between your client and the server could sniff it, no matter if VPN or not. Of course this means that there is a proper certificate validation and you did not skip warnings about invalid certificates.

Thus I would consider it more probably that the data were sniffed either before they got encrypted or after they got decrypted, i.e. outside the HTTPS tunnel. This could be attacks like this:

  • The server of the merchant was hacked and the card data leaked to the attacker. Or the data leak was at the card processor.
  • Or data leakage at your own computer, i.e. some browser extension or other kind of malware which grabs the credit card information before they get encrypted with HTTPS.
  • Or you got tricked into visiting the wrong site. If you are looking for the cheapest price it might be that you simply got tricked into visiting a good and trustable looking web site which was not so good and safe at the end. It might be that the shop simply could offer the cheap prices because it then used the card data in another way too.

Note that using HTTPS just make sure that nobody in between can read the data. It says nothing how trusted a site will be and how good the security at the side is. Everybody can get a certificate for it's site, even bad guys. And it does not help if your own system is insecure.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Never skipped security warnings. Also, the URL was correct and it was the official American Airlines website. The tickets are there. Option 2 and 3 are still possible, even if 2 looks unlikely to me. – Alberto Fontana Nov 13 '15 at 14:42
  • @AlbertoFontana: I recommend you read http://krebsonsecurity.com/2015/01/how-was-your-credit-card-stolen/ for typical ways how credit card data gets compromised. And hacks of merchants or credit card processors are not that unlikely unfortunately. – Steffen Ullrich Nov 13 '15 at 14:50
  • Thank you! And what if IPVanish is a scam or their software was compromised? Is it an option? Because you have to install their software on your PC to let things work... – Alberto Fontana Nov 13 '15 at 14:57
  • @AlbertoFontana: If you have installed probably malicious software on your computer this software might inject itself into the browser to grab the credit card data before they are encrypted. That's what I mean with ".. some browser extension or other kind of malware ". – Steffen Ullrich Nov 13 '15 at 15:05
1

If your connection was encrypted, as long as you haven't compromised your SSL cert chain at all, and the cert for the airline you chose wasn't compromised, and you were actually connected using HTTPS, I'd say most likely you weren't MITM'd over HTTPS.

What a VPN provider COULD DO, however, is set up a MITM attack by stripping HTTPS at their end and then having you complete the transaction through them over HTTP (this is called SSLstrip). To the airline it'd still look like you were on a secure connection, but as long as you didn't notice that you were switched over to HTTP during the checkout process, they'd be able to sniff you.

Another alternative is, your local machine could be compromised and the card number may have been taken via keylogger or browser plugin.

Justin Beale
  • 79
  • 1