Society of Payment Security Professionals Forum  

#1
03-02-2010, 05:20 AM
rx.jeff (Senior Member; joined Feb 2008; 125 posts)
Credit card client apps in iPhones/iTouch

So, I've been browsing through the various offerings by different credit card companies that have iPhone apps that allow you to enter a customer's credit card info, and you hit ENTER and voila, their credit card is approved and you can send/give the customer your product/services right there - whether you are at a conference show or at home or sitting in a train travelling 100 miles/hr.

I'm thinking to myself, so if I bring this app to any Wifi capable network where it's free, am I causing problems for that network? For example, some airports offer free Wifi. Also, is AT&T liable for PCI compliance as my app is traversing through their GSM/3G network?

How do the merchants independently verify that the app does not store cc#s? More importantly, how would QSAs verify? Short of jailbreaking the iPhone.
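One way a merchant or assessor could start answering the verification question in this post without jailbreaking the device, as an added example that is not from the thread: a Python PAN-discovery scan over the files extracted from an unencrypted device backup or the app's sandbox, flagging only Luhn-valid card numbers and reporting them masked. The directory layout and file contents below are constructed stand-ins, and the card numbers are public test PANs.

```python
import os
import re
import tempfile

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn mod-10 check; weeds out most random digit runs (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(data):
    """Return Luhn-valid PANs in a blob, masked to BIN + last four (the report must not become cardholder data itself)."""
    hits = []
    for m in PAN_RE.finditer(data.decode("latin-1")):  # one char per byte: binary caches scan too
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan_tree(root):
    """Map each file under root (relative path) to the masked PANs found in it."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                pans = find_pans(f.read())
            if pans:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = pans
    return report

SAMPLE_FILES = {  # constructed contents; paths are illustrative, numbers are public test PANs
    "Library/Keyboard/cache.dat": b"\x00total\x004111 1111 1111 1111\x00",
    "Library/Preferences/app.plist": b"<string>5500000000000004</string>",
    "Documents/receipts.log": b"2010-03-02 sale ok ref=4111111111111112 last4=1111\n",
}

def build_sample_backup():
    """Write SAMPLE_FILES into a temp dir as a stand-in for an extracted app sandbox."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root
```

A clean scan after a fresh install, a test transaction and a later backup is evidence rather than proof: storage that is encrypted, tokenised or otherwise obfuscated would not match this pattern, and the receipts.log line shows why the Luhn filter matters (a near-miss digit run is ignored).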
#2
03-02-2010, 12:16 PM
jbhall56 (Senior Member, Minneapolis, MN; joined Feb 2007; 1,280 posts)

There are a number of issues with the iPhone.

See http://pciguru.wordpress.com/2010/02...nt-processing/ for more information.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
#3
03-03-2010, 07:25 AM
rx.jeff (Senior Member; joined Feb 2008; 125 posts)

So, it's not a good idea for a small biz to use any apps for cc transmit on iPhones? Not able to view the link at the moment, but will review later.
#4
03-03-2010, 07:25 PM
jbhall56 (Senior Member, Minneapolis, MN; joined Feb 2007; 1,280 posts)

iPhones have a keyboard logger, files are not deleted in real-time, etc.

I would not be comfortable recommending them.
#5
04-06-2010, 10:12 AM
rx.jeff (Senior Member; joined Feb 2008; 125 posts)

Quote (originally posted by jbhall56):
> iPhones have a keyboard logger, files are not deleted in real-time, etc.
>
> I would not be comfortable recommending them.
The link that you gave me showed a blog of someone who mentioned that there is keylogging in the iPhone/iTouch; however, the blogger did not elaborate and I couldn't find any other sources that stated as such?

In any event, if true, I would not feel comfortable using my iPhone/iTouch to do banking (Bank of America app) or access via RDP or use Logmein's app. Why isn't this documented anywhere else I wonder?
#6
04-06-2010, 07:24 PM
jbhall56 (Senior Member, Minneapolis, MN; joined Feb 2007; 1,280 posts)

The blog I referenced is run by an individual that conducts forensic examinations of all sorts of computer systems, smartphones, PDAs, etc. The information posted there has been corroborated by a number of other computer forensic professionals and has been posted in various articles over the last few years regarding the iPhone.

I think Apple does not want to acknowledge their "dirty little secret" about their mobile systems. However, people do not realize how much information an iPhone, iPod Touch or iPad tracks on what they do on their devices. They are all the rage on forensic discussion groups regarding the amount of information that can be obtained from these devices.

And to be fair, it's not just Apple mobile devices. Windows Mobile and Symbian can apparently also leave behind a lot of information depending on the application. Google Maps for example can leave behind quite a trail of information if you use it in real-time tracking mode. There are also a number of GPS applications that will do the same thing.

The bottom line is that until these devices are properly tested and certified, I don't know as though you can trust them.
#7
04-29-2010, 08:58 PM
fatal (Junior Member; joined Apr 2007; 11 posts)

I was in an Apple store the other day when the sales person swiped a credit card through his modified iPhone, which now had a CC swipe. I asked him about it and he then informed me the CC is transmitted to the POS (points across room) they wrote themselves! I of course had a look of shock and horror on my face as I mumbled "your assessor must love you."

iPhone CHECK
wireless/sat CHECK
"homegrown POS" CHECK

lol?
#8
04-29-2010, 09:42 PM
ADail (Senior Member, Tulsa, OK; joined Mar 2009; 196 posts)

Quote (originally posted by fatal):
> I was in an Apple store the other day when the sales person swiped a credit card through his modified iPhone, which now had a CC swipe. I asked him about it and he then informed me the CC is transmitted to the POS (points across room) they wrote themselves! I of course had a look of shock and horror on my face as I mumbled "your assessor must love you."
>
> iPhone CHECK
> wireless/sat CHECK
> "homegrown POS" CHECK
>
> lol?
Not as much as the company officer who doesn't know he's getting fired.
#9
04-30-2010, 11:32 AM
rx.jeff (Senior Member; joined Feb 2008; 125 posts)

Quote (originally posted by fatal):
> I was in an Apple store the other day when the sales person swiped a credit card through his modified iPhone, which now had a CC swipe. I asked him about it and he then informed me the CC is transmitted to the POS (points across room) they wrote themselves! I of course had a look of shock and horror on my face as I mumbled "your assessor must love you."
>
> iPhone CHECK
> wireless/sat CHECK
> "homegrown POS" CHECK
>
> lol?
Wow! I can't believe Apple does not have a POS implementation standard in its stores! Sounds like a loosey goosey type operation! Apple with multi-billion $$ we're talking about here. I bet they're not even PCI assessed yet.
#10
04-30-2010, 06:29 PM
fatal (Junior Member; joined Apr 2007; 11 posts)

Quote (originally posted by rx.jeff):
> Wow! I can't believe Apple does not have a POS implementation standard in its stores! Sounds like a loosey goosey type operation! Apple with multi-billion $$ we're talking about here. I bet they're not even PCI assessed yet.
I think that is their standard. They may be a L2 since iphones are probably mostly bought through AT&T?
Copyright (c) The Aegenis Group, Inc.