jedwoffinden



I have a hard time buying from a company that can't spell words correctly on their website...

(From http://www.smartswipe.ca/en/how-it-works) "...With strong, up to date anit-virus /anti malware coupled with Smartswipe you can now shop on line with peace of mind."

That being said, I'm really interested if I could use this to process my clients' credit cards on my computer, without the need for pricey credit card processing equipment/software. Anyone have an idea how I could do that? Thanks in advance!

gregsmartswipe



Wow, this is exciting. I have been working for NetSecure Technologies since before SmartSwipe was released to consumers. Seeing it on here, with all of you people commenting and asking questions is an unbelievable start to my Friday.

I'm going to try to answer any questions you have, and I encourage you to keep asking them!

dovy6 wrote:
Also, I don't see how this device is even supposed to work! It seems like all it does is stop YOU from seeing your credit card numbers in plaintext on YOUR computer screen. It doesn't stop the vendor from getting the numbers, right? Cause otherwise how would the vendor charge you for what you are purchasing?



Warning - this answer is rather technical. I'll do my best to try and keep things a little more accessible, but if I fail miserably, feel free to say, "Reading that felt like rubbing my eyes with sandpaper." :-)

This will be easiest to answer if I give you a bit of information on how security on a web page works. Let's say that you go to some-store-on-the-web.com to buy something. You pick an item, and start the checkout process.

After you enter your address and everything, the web page asks you for a credit card number. You notice there is a lock in your browser and the address starts with https, so you know that the page is encrypted (or scrambled). You type your information and hit submit.

Sounds pretty simple, hey?

From a security point of view, there is a big problem. Your credit card information is very vulnerable as you key it in - cyber criminals write things called keystroke loggers that will silently steal from you as you type in your information. And your credit card information is not actually encrypted until after you hit submit - so lots of malicious software (viruses, etc) can steal it as it sits (in plain text) in your computer's memory.

(My inner Star Wars fan sort of wants to play the Imperial March, it seems fitting)

If you use SmartSwipe, your credit card information is actually encrypted as you swipe your card through the device. So, in other words, your card information is already scrambled before it even reaches your computer. Consequently, you can have keystroke loggers, or other kinds of malicious stuff on your computer and the criminals still can't get your real credit card information.

Then, it joins up with the regular encryption stream and reaches the web site in the exact same format that they expect it. If you're interested, I can post a really good video that a reporter in Utah made about SmartSwipe. They say that a picture is worth a thousand words, well, a video is significantly better than ten thousand of my words!

Oh brevity....an ability I wish I had....:-)

Does this make any more sense? If not, it was -25 degrees Fahrenheit when I came to work this morning, so maybe give me a few hours for my brain to thaw out.....

JediGeek709



Can I use this thing as a regular credit card reader? I'm building a POS system and have been looking for a card-swipe solution.

phertiker



I think I saw a few posts to this effect but I'm a loudmouth so here are my thoughts anyway:

This would protect against a keylogger or basic packet capture and forwarding because the CC info is SSL encrypted on the device and forwarded to the merchant.
This would NOT protect against a TrojanWormVirus(tm) that infects the Windows network stack at the lowest possible layer as it would essentially perform a man-in-the-middle attack and spoof the device end of the SSL tunnel. E.G. they would take yo' numbaz anyway.
People saying that having a firewall and up-to-date antivirus is a cure are not correct; it's certainly helpful, but as someone who cares for way too many workstations and servers in a distributed environment I can tell you that the most insane, tightened network security is still no match for the person at the keyboard. "Hey what's this cool Flash advertisement OH NOZ!" etc.

Essentially what I'm saying is buy this if you want to feel secure in the same way that a software firewall and antivirus package make you feel secure.

Alternatively you could only shop online using a completely separate bank account with its own card number and only transfer exactly the amount needed for each purchase, and change your online banking password every month or so.

gurnec


scifiak wrote: ... it appears that it's going to accomplish the same thing as Roboform.

So if you have a keylogger present, it won't get your CC info because you didn't 'type' it, SmartSwipe will have just filled the forms for you.

I think they just grey out the fields and put a little padlock there to make it look more secure. No software is included, because none is needed ... only issue is possibly having some malware like a keylogger present that is going to catch you physically typing ...

So if you have Roboform on a USB drive, you've got the same thing, only with a hell of a lot more features.



There seems to be a lot of miswootformation today. I don't mean to pick on scifiak, but I'll try to address some of it.

I should probably mention that I'm no expert, but after reading the whitepaper it looks like this device is quite clever from a technical point of view, and certainly more secure than Roboform or other software-only solutions.

Normally, you type your CC into a browser. With Roboform, it "types" your CC into a browser (which could protect you against some keyloggers that only log your physical keystrokes). Your browser then encrypts the information (or asks the OS to encrypt it, depending on the browser). The potential problem here is that a browser plugin could (easily!) intercept this information after it's been entered in a form and before it's been encrypted, even with Roboform.

With the SmartSwipe, your CC number is never entered into your browser. This deserves repeating: your browser, its plugins, your OS, and everything running on your computer never sees or has access to your CC number.

Instead, when you hit submit, the entire form (which doesn't have any CC info yet) is redirected (by SmartSwipe software installed on your PC) to the SmartSwipe device unencrypted. Inside the SmartSwipe itself, your CC number is added to the form, the data is then encrypted, and the encrypted data is passed back to your computer. So for this one form, it's the SmartSwipe device instead of your computer that does all the encryption. By the time your computer sees any CC-related data, it's already encrypted.

This part is interesting: remember when I said above the SmartSwipe software redirects your data? If SmartSwipe can redirect your data, so could any other clever piece of malware installed on your PC using similar techniques. (Sorry if this confuses you; it's still true that with the SmartSwipe installed, malware never has access to any unencrypted CC data.)

As technically clever as all of this is, I'm not making any claims that this is or is not a good buy, given all of the other posts pointing out what little liability you probably have if your CC number is stolen. You can draw your own conclusions on that topic, but from a technical point of view, this does offer a nicely secure solution.

quantamm


roadhunter wrote:That's actually a myth. In reality, you aren't liable for even the first $50...not even a penny. It's happened to me twice, so I know.



'Tis not a myth, 'tis the law:

http://www.fdic.gov/regulations/laws/rules/6500-300.html#fdic6500133

See section 133.B.

But most credit card companies are good enough to credit you the full amount.

qwertyasd


grimor wrote:... While it's super awesome cool that in theory if the website decides to waste time adding support for this one device, it's just not going to happen...



Like tagging the input element with something like "cardnumber"? Already done.


Where the company that makes them could really make out is if they could standardize a custom attribute that would indicate that the device was actually used. Then they could go to the processors and get them to offer a slight fee discount on transactions that use them. Big etailers would be sending them to all their best customers.



BAMB1968



I bought one of these about a year ago and I paid $89 + shipping. I LOVE it! I pay bills and order items online and it works great. It can be used with the Microsoft browser OR the Firefox browser.

This would make a great xmas gift!

gregsmartswipe


jedwoffinden wrote:I have a hard time buying from a company that can't spell words correctly on their website...

(From http://www.smartswipe.ca/en/how-it-works) "...With strong, up to date anit-virus /anti malware coupled with Smartswipe you can now shop on line with peace of mind."



Darn, I'm going to get fired now....;-)

Thanks a whole lot for pointing that out, I just made the fix. I'm always amazed, I can proofread something three hundred times and still miss a particularly embarrassing spelling error.

My coworkers are going to mock me something fierce for this one...

jedwoffinden wrote:
That being said, I'm really interested if I could use this to process my clients' credit cards on my computer, without the need for pricey credit card processing equipment/software. Anyone have an idea how I could do that? Thanks in advance!



Would you really trust my answer? I managed to let anit virus slip onto our web site! ;-)

If you would trust 'anit virus Greg', I can give you a really solid answer, but I would need to ask you some questions about how you currently process credit cards and if you have a credit card processing account right now. That information is quite personal, so I don't terribly want to put you on the spot and ask you questions in public.

Would you like to have the discussion over the forum, or is there a private messaging thing-a-ma-jig that I can use to give you my personal email address?

Sorry for the silly question, I'm new here!

Greg who can't spell

lethargicmass


SUEATLESRO wrote:It simply works on the check out page on all web sites. The beauty of it is you dont have to type in your information, in the required fields, (name on card, card type, billing address, card number ect...)



Instead, you have to go through the much longer process of finding your CC in your wallet (and in my case, first finding my wallet itself, which means finding where I left my pants) and then swiping it.

Oh, and that's "don't" and "etc."

SUEATLESRO wrote:The card reader reads it all and sends to vendor without posting it in cyber world.



That would be a completely incorrect statement. It most certainly does POST your data to the cyber world, exactly the same way it would have been POSTed if you typed it in manually -- and then it reaches the server hosting the online vendor's CC database, which is where the vast majority of CC hacks occur.


I love bacon!

escalante


jedwoffinden wrote:I have a hard time buying from a company that can't spell words correctly on their website...

(From http://www.smartswipe.ca/en/how-it-works) "...With strong, up to date anit-virus /anti malware coupled with Smartswipe you can now shop on line with peace of mind."



Strange, looks like they "fixed" it already!

Kathleen Hanna Lives!

bowlingb


sdc100 wrote:American Express offered a free scanner many years ago for home online purchases. It was so long ago that they had a serial port version. The device was a massive failure. Many people ordered it because it was free but few actually used it. Basically, it did nothing to increase the use of Amex cards, and they wasted a lot of money buying and mailing the thing. Mine is still in the box.




I still have one of these and it's still in the box as well. Why? Because I was never able to get it to work and AMEX quit putting any effort into it shortly after I received it.
This device was completely different than today's woot though. This was a smartcard reader and worked in conjunction with the AMEX Blue card. The Blue card was a smartcard that had an application to generate 'one time use' card numbers, similar to what you would do today using your card provider's web site. In this case, when you wanted to buy something online you inserted your card into the device and it would automatically generate a one time use card number that was based on your card. AMEX could calculate the real card number from that and could authorize/settle the transaction.
That was the theory at least. I never could get the application to work right. Oh well.

lethargicmass


aramintamd wrote:I'm about to take our theatre box office (kicking and screaming) into the digital age, and this thing's a heck of a lot cheaper than any of the card scanners I've seen advertised for the purpose. Works for me. Now I just need to convince the rest of them that taking credit cards at point of sale isn't TEH EBIL!



This is NOT a POS card reader. It is used to quasi-permanently store your personal CC number after scanning it the first time and entering the CCV code to verify that it's yours. It appears to be designed to store ONLY ONE credit card's data, and there is likely no software which can be used to use this as a POS scanner.


I love bacon!

gregsmartswipe


jvanderb wrote:If anyone else was curious as to how the thing works exactly...here you go:

http://www.smartswipe.ca/en/how-it-works



Thanks for posting that link, it is a little more accessible than our white paper and it is now (hopefully) spelling error free....:-)

gurnec


phertiker wrote: ... This would NOT protect against a TrojanWormVirus(tm) that infects the Windows network stack at the lowest possible layer as it would essentially perform a man-in-the-middle attack and spoof the device end of the SSL tunnel. E.G. they would take yo' numbaz anyway. ...



I think you're wrong; I think it would protect you against this. I'm not positive, though, maybe you could help me out with this?

If TrojanWormVirus(tm) (Do I have to pay you for using your trademark?) spoofed the server side with a MITM attack, surely the SmartSwipe would check that TrojanWormVirus(tm)'s cert chain doesn't end in a trusted root, and reject the SSL connection?

If TrojanWormVirus(tm) tried to insert itself between the browser and the SmartSwipe, it would capture the unencrypted order information, but not the CC info since it hasn't been added yet.

And if TrojanWormVirus(tm) tried to insert itself between the SmartSwipe and the Internet, it would only be able to view the encrypted stream as created by the SmartSwipe with no access to the session keys (which are only stored on the SmartSwipe).

Does this sound correct?

kurtmeister



I'll keep using PayPal, thank you very much. The seller never even SEES your card or account number.

lethargicmass


Spectral wrote:Their software installs a browser plugin that decrypts the card number and injects it into the purchase request.

If someone were to reverse engineer that browser plugin, they'd likely find out how to decrypt the number. A malicious program could just as easily attach to the browser and monitor for all HTTP POST requests, rendering this device completely useless.

It's false security at best.



No, this device installs a browser plugin which intercepts the POST before the browser encrypts it, inserts the previously-stored CC number, expire date, and CCV code into the fields you left blank, encrypts the data with the key negotiated by your browser for this SSL session, and then submits the POST just as your browser would have if this device did not exist and you had entered it manually.

It's designed to prevent CC theft ONLY by keyloggers and POST-sniffer browser plugins which have already been installed on your PC -- and this product makes no bones about that, although it argues that these vectors are a significant enough risk to warrant purchasing this device. I disagree; CC theft occurs primarily when online vendors do not meet PCI and PA-DSS standards -- which is frighteningly common.


I love bacon!

lethargicmass


qwertyasd wrote:Not likely. Processors that exceed a certain dollar volume must abide by PCI regulations and there are hefty fines for non compliance.



And yet such non-compliance is common, especially with internationally-hosted vendors.


I love bacon!

bowlingb


gregsmartswipe wrote:Wow, this is exciting. I have been working for NetSecure Technologies since before SmartSwipe was released to consumers. Seeing it on here, with all of you people commenting and asking questions is an unbelievable start to my Friday.

I'm going to try to answer any questions you have, and I encourage you to keep asking them!



So here are my questions so far:
1. Are all of my SSL sessions in the browser now managed by this device?
2. If the device is not present, does it revert to the built-in SSL engine?
3. How do I know that I can trust the SSL engine used by this device? Is it based on open source or is it open source itself?

Thanks.
Brian

BillyD



BonziBuddy is faster at filling out my credit card information. I'll pass on this one

lethargicmass


gurnec wrote:I think you're wrong; I think it would protect you against this. I'm not positive, though, maybe you could help me out with this?

If TrojanWormVirus(tm) (Do I have to pay you for using your trademark?) spoofed the server side with a MITM attack, surely the SmartSwipe would check that TrojanWormVirus(tm)'s cert chain doesn't end in a trusted root, and reject the SSL connection?

If TrojanWormVirus(tm) tried to insert itself between the browser and the SmartSwipe, it would capture the unencrypted order information, but not the CC info since it hasn't been added yet.

And if TrojanWormVirus(tm) tried to insert itself between the SmartSwipe and the Internet, it would only be able to view the encrypted stream as created by the SmartSwipe with no access to the session keys (which are only stored on the SmartSwipe).

Does this sound correct?



The session keys are still stored in RAM by the browser; this could be a point of vulnerability.


I love bacon!

gregsmartswipe


escalante wrote:Strange, looks like they "fixed" it already!



Actually, you've got Jedwoffinden to thank for that. He/she found the error and was kind enough to point it out!

qwertyasd


gregsmartswipe wrote:Wow, this is exciting. I have been working for NetSecure Technologies since before SmartSwipe was released to consumers...

...

If you use SmartSwipe, your credit card information is actually encrypted as you swipe your card through the device...

Then, it joins up with the regular encryption stream and reaches the web site in the exact same format that they expect it...



You must work for their marketing department because you got it all wrong. You can't just concatenate chunks of encrypted data. It doesn't work that way. The way your software works is that it convinces the browser to use your device as the encryption provider for post methods instead of the OS encryption provider on what it suspects are CC transactions. Also, the device doesn't encrypt the data as it is being read. It has to buffer and parse it first. What if the user swipes in reverse? Would you encrypt the number backwards?
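The buffer-then-parse step qwertyasd describes is worth seeing concretely. The block below is an added illustration written for this page, not SmartSwipe firmware or any NetSecure code: it parses an ISO 7813 Track 2 record, validates the PAN with the Luhn check, and hands the rest of the program only a masked PAN. The sample records are constructed from a standard test PAN, the trailing LRC character is omitted, and the reverse-swipe handling assumes (a simplification) that a backwards swipe delivers the decoded characters back to front.

```python
"""Parse an ISO 7813 Track 2 magstripe record, tolerate a reverse swipe,
validate the PAN, and expose only a masked PAN to the rest of the program.
Added illustration; not the SmartSwipe firmware."""
import re
from dataclasses import dataclass

# Track 2 layout: ';' start sentinel, PAN (12-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
# The trailing LRC character a real reader appends is omitted here.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    reversed_swipe: bool

    @property
    def masked_pan(self) -> str:
        # PCI DSS allows at most the first six and last four digits in the clear.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; catches most single-digit misreads from a bad swipe."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Buffer the whole record, normalise direction, then parse.

    Assumption (simplification): a reverse swipe delivers the decoded
    characters back to front, so the end sentinel '?' arrives first.
    """
    raw = raw.strip()
    flipped = False
    if raw.startswith("?") and raw.endswith(";"):
        raw = raw[::-1]
        flipped = True
    m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check: misread or corrupted swipe")
    return Track2(pan, m.group("exp"), m.group("svc"), flipped)


# Constructed samples built from a standard test PAN; not real card data.
FORWARD_SWIPE = ";4111111111111111=2512101?"
REVERSE_SWIPE = FORWARD_SWIPE[::-1]

if __name__ == "__main__":
    for sample in (FORWARD_SWIPE, REVERSE_SWIPE):
        t = parse_track2(sample)
        direction = "reverse" if t.reversed_swipe else "forward"
        print(f"{t.masked_pan} exp={t.expiry_yymm} svc={t.service_code} ({direction})")
```

The point of the design is that nothing downstream of `parse_track2` ever needs the full PAN: a corrupted or reversed read is rejected or corrected before any encryption step, which is exactly why the record has to be buffered first rather than encrypted byte by byte as it streams off the head.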

gurnec


lethargicmass wrote:The session keys are still stored in RAM by the browser; this could be a point of vulnerability.



I was having trouble figuring out if the SmartSwipe starts up its own SSL session with the server, or if it just encrypts everything using the browser's / OS's session keys. If it's the latter then that would be a weak point....

The whitepaper claims that a hardware device would not be vulnerable to keyjacking, which to me implies the former option, but it's not very clear...

lethargicmass


jedwoffinden wrote:I have a hard time buying from a company that can't spell words correctly on their website...

(From http://www.smartswipe.ca/en/how-it-works) "...With strong, up to date anit-virus /anti malware coupled with Smartswipe you can now shop on line with peace of mind."



I know what you mean! I hate it when people don't use hyphenation to correctly construct a multi-word adjective phrase; especially in public-facing marketing communications! It should of course be "With strong, up-to-date..."

jedwoffinden wrote:That being said, I'm really interested if I could use this to process my clients' credit cards on my computer, without the need for pricey credit card processing equipment/software. Anyone have an idea how I could do that? Thanks in advance!



I posted my entirely negative opinion of whether this could be done in an earlier response.


I love bacon!

jedwoffinden


gregsmartswipe wrote:Actually, you've got Jedwoffinden to thank for that. He/she found the error and was kind enough to point it out!



*bows* Thanks Greg for your lightheartedness and quick fix to the spelling error. Currently I am just getting my business up and running so I do not have any POS system in place, and it sounds like this may not work out for my needs. Still this is a great product for those that are worried about not only keyloggers/malware installed on their computer, but maybe big brother at work watching your screen.

thewootmeister



Here we go again, I sighed. Another woot that I might want, but first I have to do a bunch of research to figure out exactly what it is and how it works. I wish they would replace their tragically hip vignettes with some useful product info…

ahurtt



The video says it uses "the same level of protection found in bank machines."

Yeah... they never get hacked.

bowlingb


lethargicmass wrote:No, this device installs a browser plugin which intercepts the POST before the browser encrypts it, inserts the previously-stored CC number, expire date, and CCV code into the fields you left blank, encrypts the data with the key negotiated by your browser for this SSL session, and then submits the POST just as your browser would have if this device did not exist and you had entered it manually.



From what I have read so far, the device actually replaces the SSL engine used by the browser with its own SSL engine. The SSL key generation, negotiation, and encryption of traffic is offloaded to the device. When you do something on the page to submit your data (such as hitting the submit button), the browser formats a POST message to be sent to the server. This message is passed down the network stack to be sent out. At the point where it would normally be encrypted, the device takes over. It takes the data that was gathered from the card and inserts it at what it thinks are the appropriate points in the POST message, then encrypts the entire message. This is going to be dependent on the plugin's ability to identify the correct fields on the card entry page also. If the web designer named the credit card field 'field1' and the expiration date 'field2' the device probably won't work.
I'm guessing that the device also has a data table internally that matches fields and names for well known sites to help with this. Periodic updates to the device will be needed to keep that in sync with website designs though.

BTW I wonder if this device has been examined and/or certified in any way as a tamper resistant security device?


gregsmartswipe


tj111 wrote:Anyone know if all the required components run in wine (h/w driver + firefox plugin)? Searches for "NetSecure" and "SmartSwipe" on the Wine AppDB turned up 0 results. Also, would the plugin work with other USB card swipers?



Good morning!

Great question, though you might not like the answer so much. I work for the company that makes this product and I think Ubuntu is a lot of fun, so I tried out an older version of SmartSwipe on Wine. After many hours of messing around, I got a test transaction through. The experience wasn't so good - at one point, I remember having the distinct feeling that someone walked in and replaced my computer with one with a 286 processor and about 4mb of RAM....:-)

But then, we moved to .Net 3.5 and problems began anew. I can't, for the life of me, get .Net 3.5 to install within Wine.

I'm glad to see another Wine user on here. Have you ever had any luck getting .Net 3.5 to run on Wine? If so, let me know - I need a fun weekend project! :-)

In response to your second question, sadly, no, the plugin is dependent on our hardware. :-(

qwertyasd


aramintamd wrote:I'm about to take our theatre box office (kicking and screaming) into the digital age, and this thing's a heck of a lot cheaper than any of the card scanners I've seen advertised for the purpose. Works for me. Now I just need to convince the rest of them that taking credit cards at point of sale isn't TEH EBIL!




aramintamd

Better start creating that ebay listing. To use this as a POS device you'll have to serve up your own e-commerce site and then run the transactions through a browser. Easy enough. Here's the catch. The device is designed only to insert the card number, not the card holder name. This means that either your ticket agents or your customers would need to type that in. I'm thinking that won't go over well. Besides, it's designed for home use, so it would probably fall apart after a few months. You do know that you can buy keyboards with built-in readers, right?

bowlingb


gurnec wrote:I was having trouble figuring out if the SmartSwipe starts up its own SSL session with the server, or if it just encrypts everything using the browser's / OS's session keys. If it's the latter then that would be a weak point....

The whitepaper claims that a hardware device would not be vulnerable to keyjacking, which to me implies the former option, but it's not very clear...



From everything that I have read so far, I'm pretty sure this device actually replaces the built-in SSL engine in the browser with a stub routine. That stub probably checks to see if the device is present and if so, hands off all of the crypto work to the device. If not (because you unplugged it for instance) it defers to the browser's built-in crypto. Ultimately nothing that needs protecting even flows across the wire from your computer to the device. The unencrypted POST message is sent to the device, but at that point the card number, expiration date, and CVV are not in the message yet. The plugin has inserted placeholder tags for that data. The device inserts the actual data, then SSL encrypts the whole thing before sending it back across the wire to the PC to be sent to the vendor. All of the SSL management and encryption is done in the device.

gurnec


bowlingb wrote: ... All of the SSL management and encryption is done in the device.



This is what I thought was going on, but lethargicmass brought up the (good) point that the SmartSwipe might only be doing the encryption using a session key negotiated by the Browser / OS (and thus present in the PC). This would make it vulnerable to keyjacking. The unanswered question (at least in my mind) is if this is true, or if the SmartSwipe negotiates its own SSL session (which is what I'm leaning towards believing, I'm just not sure).

thatsrich



2 words: Roboform

bowlingb


gurnec wrote:This is what I thought was going on, but lethargicmass brought up the (good) point that the SmartSwipe might only be doing the encryption using a session key negotiated by the Browser / OS (and thus present in the PC). This would make it vulnerable to keyjacking. The unanswered question (at least in my mind) is if this is true, or if the SmartSwipe negotiates its own SSL session (which is what I'm leaning towards believing, I'm just not sure).



Not sure if anyone has posted this link yet.
http://www.smartswipe.ca/fr/dynamic-ssl/600-dynamic-ssl-a-practical-solution-for-endpoint-to-endpoint-encryption
This goes into a good bit of detail on SSL offloading. Based on this I believe that all of the SSL handling is being offloaded to the device.

Greg - Any chance you would care to share which chip is being used to handle the SSL operations?

nimasmartswipe


phertiker wrote:I think I saw a few posts to this effect but I'm a loudmouth so here are my thoughts anyway:

This would protect against a keylogger or basic packet capture and forwarding because the CC info is SSL encrypted on the device and forwarded to the merchant.
This would NOT protect against a TrojanWormVirus(tm) that infects the Windows network stack at the lowest possible layer as it would essentially perform a man-in-the-middle attack and spoof the device end of the SSL tunnel. E.G. they would take yo' numbaz anyway.
People saying that having a firewall and up-to-date antivirus is a cure are not correct; it's certainly helpful, but as someone who cares for way too many workstations and servers in a distributed environment I can tell you that the most insane, tightened network security is still no match for the person at the keyboard. "Hey what's this cool Flash advertisement OH NOZ!" etc.

Essentially what I'm saying is buy this if you want to feel secure in the same way that a software firewall and antivirus package make you feel secure.

Alternatively you could only shop online using a completely separate bank account with its own card number and only transfer exactly the amount needed for each purchase, and change your online banking password every month or so.



I am very happy to see knowledgeable members sharing their thoughts and benefiting other members with their valuable opinions. I've had the privilege of working with NetSecure through the design and implementation of SmartSwipe.

I would like to mention here that this product utilizes quite a complicated technology, namely Dynamic-SSL, which might need to be explained in a simpler language for end-users. One main design criterion in Dynamic-SSL was to be secure by design and not by obscurity. In other words, even revealing Dynamic-SSL implementation would not compromise its offered level of security.

Dynamic-SSL assures that your CC# will not ever reach your computer in plain text format. Now you might ask what about the encryption keys and encryption process? How do we protect the keys and the code used to encrypt CC# before reaching your computer? It is simple: the encryption keys are generated inside the device and the encryption process happens in there as well. So any Trojan, malware or key logger residing on your computer will see your CC# only in encrypted format.

Dynamic-SSL technology also protects the end-user's CC# against man-in-the-middle and man-in-the-browser attacks. If you are just using your browser and depend on "HTTPS", you might get trapped by published man-in-the-[browser/middle] attacks on the SSL protocol. However, Dynamic-SSL prevents these attacks, which are usually based on a combination of social engineering and SSL protocol alterations. This is accomplished by: 1) Dynamic-SSL will not let your CC# leave the device if there is any sign of social engineering (i.e. SSL warnings, weak SSL cipher suites, phishing attacks, ...) and 2) based on Dynamic-SSL, your whole SSL engine is hosted on a tamper-resistant device (i.e. encryption/decryption, key/certs management), which protects you against any SSL alterations.

Happy Wooting


qwertyasd


quality posts: 13 Private Messages qwertyasd
grimor wrote: ok, I watched the video, I will admit I was wrong about how it works, BUT I would still have to say it is pointless. It defeated the trojan in the video because the trojan used a screen shot to capture the page. This could be defeated by simply making the form field a "password" type, granted that would be annoying to the person entering it.

So the device stores your field (cc) information in the popup window until you hit submit... still a pointless device. Your CC info is more likely to be stolen en masse from the merchant than in the transaction.



I think you are missing the point. There are many ways to snoop your cc on your PC. What they are doing is, rather than patch countless holes, never let the number enter your PC in clear text.

What they conveniently fail to mention is that you still need to type in other validation information like expiration and CCVC. However, if they can get accepted as a de facto standard by the processors, they may be able to process without the validation. It's a bit tricky because, unlike a card in hand transaction, they can't collect a signature.

gregsmartswipe


quality posts: 8 Private Messages gregsmartswipe
lethargicmass wrote: This is NOT a POS card reader. It is used to quasi-permanently store your personal CC number after scanning it the first time and entering the CCV code to verify that it's yours. It appears to be designed to store ONLY ONE credit card's data, and there is likely no software which can be used to use this as a POS scanner.



Thanks for jumping in and talking about our product. I like your insight into what we do, primarily because it shows me that we need to make our web site a little more clear!

You're partially right. The SmartSwipe is meant to be used with a browser on web pages. The software is designed with online shopping in mind, so this product really isn't meant for use in a point of sale environment.

However, certain credit card processors offer something called a virtual terminal. A virtual terminal is a secure web page that can be accessed with a browser - these are typically contained in the back-end of a merchant account. They are used so that people with merchant accounts can process orders over the phone, or while they are on the road.

Since virtual terminals can be accessed through a browser, you can use SmartSwipe with them and turn this product into an almost, sort of, but not quite a point of sale system. :-)

In response to the second part of your response, we don't actually store any credit card numbers, and SmartSwipe can be used with as many credit cards as you would like.

Thanks for writing about our product - please feel free to ask me any other questions you have! :-)

bowlingb


quality posts: 5 Private Messages bowlingb
nimasmartswipe wrote: I am very happy to see knowledgeable members sharing their thoughts and benefiting other members with their valuable opinions. I've had the privilege of working with NetSecure through the design and implementation of SmartSwipe.

I would like to mention here that this product utilizes quite a complicated technology, namely Dynamic-SSL, which might need to be explained in a simpler language for end-users. One main design criterion in Dynamic-SSL was to be secure by design and not by obscurity. In other words, even revealing the Dynamic-SSL implementation would not compromise its offered level of security.

Dynamic-SSL assures that your CC# will not ever reach your computer in plain text format. Now you might ask what about the encryption keys and encryption process? How do we protect the keys and the code used to encrypt CC# before reaching your computer? It is simple: the encryption keys are generated inside the device and the encryption process happens in there as well. So any Trojan, malware or key logger residing on your computer will see your CC# only in encrypted format.

Dynamic-SSL technology also protects the end-user's CC# against man-in-the-middle and man-in-the-browser attacks. If you are just using your browser and depend on "HTTPS", you might get trapped by published man-in-the-[browser/middle] attacks on the SSL protocol. However, Dynamic-SSL prevents these attacks, which are usually based on a combination of social engineering and SSL protocol alterations. This is accomplished by: 1) Dynamic-SSL will not let your CC# leave the device if there is any sign of social engineering (i.e. SSL warnings, weak SSL cipher suites, phishing attacks, ...) and 2) based on Dynamic-SSL, your whole SSL engine is hosted on a tamper-resistant device (i.e. encryption/decryption, key/certs management), which protects you against any SSL alterations.

Happy Wooting



Presumably this means that it will only work for sites whose certificate has been signed by a CA recognized by the device then? Is there a published list of CAs that are recognized by the device? Is there any way to remove a CA from the list for my device? The reason I ask is that in my personal browser I have removed certain CAs because I do not trust that they are diligent enough about verification before signing certs.
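As an added illustration (not NetSecure's code and nothing from the device itself), here is a Python model of the fail-closed release rule nimasmartswipe describes above (no SSL warnings, no weak cipher suites, no card number otherwise) together with the per-device CA allow-list bowlingb is asking about. The CA names and the handshake facts are constructed placeholders; the cipher policy uses the standard `ssl` module.

```python
import ssl
from dataclasses import dataclass

# Constructed per-device CA allow-list: the names are placeholders, not CAs the
# product ships. Removing a CA here is the "remove a CA for my device" case.
DEVICE_TRUSTED_CAS = {"Example Root CA G1", "Example Root CA G2"}


def build_device_tls_context():
    """Client context encoding the 'no weak suites' rule: TLS 1.2+, only
    forward-secret AEAD suites, certificate and hostname checks mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # unverifiable chain = no handshake
    ctx.check_hostname = True
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def allowed_cipher_names(ctx):
    """Cipher suites OpenSSL would actually offer under this context."""
    return {c["name"] for c in ctx.get_ciphers()}


@dataclass
class HandshakeFacts:
    """What the device learns from a completed handshake (constructed)."""
    tls_version: str
    cipher: str
    chain_verified: bool
    hostname_matches: bool
    issuer_ca: str


def release_card_number(facts, ctx, trusted_cas=DEVICE_TRUSTED_CAS):
    """Return (allowed, reasons). Any single 'warning' blocks release, which is
    the fail-closed behaviour described in the thread; a browser would instead
    show a dialog that the user can click through."""
    reasons = []
    if facts.tls_version not in ("TLSv1.2", "TLSv1.3"):
        reasons.append("protocol version below TLS 1.2")
    if facts.cipher not in allowed_cipher_names(ctx):
        reasons.append(f"cipher suite not permitted: {facts.cipher}")
    if not facts.chain_verified:
        reasons.append("certificate chain did not verify")
    if not facts.hostname_matches:
        reasons.append("certificate does not match the shop's hostname")
    if facts.issuer_ca not in trusted_cas:
        reasons.append(f"issuing CA not on device allow-list: {facts.issuer_ca}")
    return (not reasons, reasons)
```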

derwin


quality posts: 0 Private Messages derwin

This is actually a pretty cool product, definitely considering getting one. I bet it's made in China, though. :-(