1. Regarding the wireless POS devices – that use a GPRS / EDGE connection – is there any security involved in sending data (is a secure data transfer between the device and bank)? If so, can you give me one example of a secure protocol you use?

2. What’s the mobile provider used by your devices?

Results can only worry you:

- for the first question, all of the banks replied saying that they can’t provide such information due to it’s confidential classification.

- for the second question, all of them just told me the operator used.

Why their reply came as a surprise to me is because I consider that the second question is something that the banks should not disclose at all. If someone finds a vulnerability in the mobile network of an operator, then it’s just a matter of seconds until you know the target. Not answering about if there is any security involved during the payment process makes you think if your payment is really secure. And it’s not even something confidential because PCI (Payment Card Industry) compliance is mandatory for merchants.

Considering that the GPRS is now broken, do you feel safe paying with your credit card since the bank has no interest in letting their customers know that payment is secure?

1. You call yourself “Carrefour“, you put up a marketing campaign and ask your customers to fill in a form where one of the fields is the Numerical Personal Code. Of course, you are not registered as a company who deals with private data (according to ANSPDCP‘s website). There are a lot of people out there that give their personal information just to get 10$.  I really wonder if it was to give their credit card info and PIN, would they really give it?

2. What about if you are a bank? Or a customer of a bank? Theoretically your private details like bank account, CNP, address, etc should be safe. Well…that’s the theory. There is one bank out there (you’ll discover the name below) that allows you to find protected info about any of its customers. Let’s say you have an i-banking account with them and you get the IBAN account of one of their customers. As soon as you try to make a money transfer to that person, you will get that person’s name. What’s wrong with that you will say. Well, you can just play around with the IBAN account and discover other valid accounts along with the holder’s name. Ok, I agree, maybe that’s not a serious security problem. Once you continue with the money transfer, you can see more: in the details of the transfer you also get the CNP of that someone. And yes, the bank is registered as a private company who deals with confidential data and obeys the law. Right!

See a demo for yourself. I have blurred some details, but that’s the only edit on the video.