Two of my credit cards were hacked last month, so I would like to install and use a vpn to purchase items on the 'net. I downloaded and printed out a paper called YaST VPN module. It says to install the latest stable version us zypper: sudo zypper install yast2-vpn. I did that, and after a page full of error messages, it says: The following NEW package is going to be installed: ` yast2-vpn 1 new package to install. Overall download size: 32.1 KiB. Already cached: 0 B. After the operation, additional 110.0 KiB will be used. Continue? [y/n/v/...? shows all options] (y): y Retrieving package yast2-vpn-4.3.0-1.98.noarch (1/1), 32.1 KiB (110.0 KiB unpacked) Retrieving: yast2-vpn-4.3.0-1.98.noarch.rpm ............................................................[done] Checking for file conflicts: ...........................................................................[done] (1/1) Installing: yast2-vpn-4.3.0-1.98.noarch ..........................................................[done] I then invoked /usr/sbin/yast2 vpn and got a "VPN Gateway and Client page which asked me to name the vpn, so I called it newvpn. The page recognizes Connection name: newvpn. At this point, I don't know how to g further. Will some kind soul please help? --doug
On 29/10/2021 02.49, Douglas McGarrett wrote:
Two of my credit cards were hacked last month, so I would like to install and use a vpn to purchase items on the 'net. I downloaded and printed out a paper called YaST VPN module.
I suspect that module purpose is to create an VPN *SERVER*, and that is not what you want. Start here: https://en.opensuse.org/Portal:VPN Then this: <https://doc.opensuse.org/documentation/leap/reference/single-html/book-reference/index.html> Search for the word "vpn" here. You also need some type of contract with an VPN server out there somewhere. Anyway, I suspect none of that will help you. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 10/28/21 5:49 PM, Douglas McGarrett wrote:
Two of my credit cards were hacked last month, so I would like to install and use a vpn to purchase items on the 'net.
Sorry to hear about your credit cards. You weren't out any money, were you? But why do you think that using a VPN will help in this context? Surely any on-line purchases you've made were encrypted with TLS in your web browser. This would imply that your compromise happened either at the on-line merchant end, or on your local computer. Are your merchants reputable? They might have been hacked themselves. Myself, I've purchased hundreds of thousands of dollars worth of stuff on the Internet, and I was "hacked" only once about 20-years ago. A purchase showed up on my statement for $750 worth of electronic connectors shipped to Vladivostok. A quick phone call to the bank canceled my card and the charge went away. No muss, no fuss. Regards, Lew
* Lew Wolfgang <wolfgang@sweet-haven.com> [10-28-21 22:08]:
On 10/28/21 5:49 PM, Douglas McGarrett wrote:
Two of my credit cards were hacked last month, so I would like to install and use a vpn to purchase items on the 'net.
Sorry to hear about your credit cards. You weren't out any money, were you?
But why do you think that using a VPN will help in this context? Surely any on-line purchases you've made were encrypted with TLS in your web browser. This would imply that your compromise happened either at the on-line merchant end, or on your local computer. Are your merchants reputable? They might have been hacked themselves.
Myself, I've purchased hundreds of thousands of dollars worth of stuff on the Internet, and I was "hacked" only once about 20-years ago. A purchase showed up on my statement for $750 worth of electronic connectors shipped to Vladivostok. A quick phone call to the bank canceled my card and the charge went away. No muss, no fuss.
likewise, although I never had a false charge of that magnitude. the farce that vpns solve this type of situation is hard to understand. vpns are not security solutions. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode What sort of day was it? A day like all days, filled with those events that alter and illuminate our times... all things are as they were then, but were you there?
On 10/28/21 10:16 PM, Patrick Shanahan wrote:
* Lew Wolfgang <wolfgang@sweet-haven.com> [10-28-21 22:08]:
On 10/28/21 5:49 PM, Douglas McGarrett wrote:
Two of my credit cards were hacked last month, so I would like to install and use a vpn to purchase items on the 'net. Sorry to hear about your credit cards. You weren't out any money, were you?
But why do you think that using a VPN will help in this context? Surely any on-line purchases you've made were encrypted with TLS in your web browser. This would imply that your compromise happened either at the on-line merchant end, or on your local computer. Are your merchants reputable? They might have been hacked themselves.
Myself, I've purchased hundreds of thousands of dollars worth of stuff on the Internet, and I was "hacked" only once about 20-years ago. A purchase showed up on my statement for $750 worth of electronic connectors shipped to Vladivostok. A quick phone call to the bank canceled my card and the charge went away. No muss, no fuss. likewise, although I never had a false charge of that magnitude. the farce that vpns solve this type of situation is hard to understand. vpns are not security solutions. Perhaps I don't understand the use of vpn, in that case. What do you suggest? --doug
On 10/28/21 10:07 PM, Lew Wolfgang wrote:
On 10/28/21 5:49 PM, Douglas McGarrett wrote:
Two of my credit cards were hacked last month, so I would like to install and use a vpn to purchase items on the 'net.
Sorry to hear about your credit cards. You weren't out any money, were you?
But why do you think that using a VPN will help in this context? Surely any on-line purchases you've made were encrypted with TLS in your web browser. This would imply that your compromise happened either at the on-line merchant end, or on your local computer. Are your merchants reputable? They might have been hacked themselves.
Myself, I've purchased hundreds of thousands of dollars worth of stuff on the Internet, and I was "hacked" only once about 20-years ago. A purchase showed up on my statement for $750 worth of electronic connectors shipped to Vladivostok. A quick phone call to the bank canceled my card and the charge went away. No muss, no fuss.
Regards, Lew I've also purchased a lot of stuff on the 'net. This is almost the only time I've had a problem, and it was a big one. Many purchases from as little as a railroad ticket on the local commuter line (LIRR) to some large items which were not described on the credit-card bill to an extent that would identify them. I don't know if this problem existed on the local computer-- running Linux, as it is--or if so, how to delouse it. I can't even imagine how American Express could be used remotely to purchase train tickets at stations I've never even been to. AFAIK, such tickets are only sold at the station at the time of departure, or on the train itself after departure. I have only one credit card for AmEx, and it never left my possession! As you are probably aware, many charges reported on a credit-card bill are unidentifiable, but fortunately, I was able to get them all removed, since they showed up as suppliers I was absolutely sure I never used for anything!
I don't know what TLS is. I use Firefox as my browser. If it requires some input from me to "harden" it, please advise what and how. It would be inconvenient, and in many cases impossible, to purchase items via land-line telephone. --doug
On 10/29/21 8:39 AM, Douglas McGarrett wrote:
I've also purchased a lot of stuff on the 'net. This is almost the only time I've had a problem, and it was a big one. Many purchases from as little as a railroad ticket on the local commuter line (LIRR) to some large items which were not described on the credit-card bill to an extent that would identify them.
It sounds to me as if your card was compromised remotely, and it might not have even happened at one of your known vendors. It could have been one of the third-party payment processors. Amex did cancel your card and send a new one, right? You didn't give your credit card to to any of the many spam/scam telephone callers, did you?
I don't know what TLS is. I use Firefox as my browser. If it requires some input from me to "harden" it, please advise what and how. It would be inconvenient, and in many cases impossible, to purchase items via land-line telephone.
(this is probably too long) TLS is "Transport Layer Security". It's a method to establish a connection between a server and a client where each end of the connection is authenticated. For example, you have cryptographic proof that the web site you've connected to is really the one you think it is. TLS also provides for encryption of all traffic between the ends. The TLS protocol works regardless of your having a VPN connection, or not. All browsers, and some other things, support TLS. A web site address that supports TLS will begin with "https" instead of "http". Once the connection is established, Firefox will show a little padlock on the left side of the URL field. If the connection isn't encrypted or if the remote end isn't authenticated, the padlock will have a red line drawn through it. You can click on the padlock to discover more information about the remote server. But as another poster (Carlos) offered, TLS is subject to a man-in-the-middle attack where "if" you can be persuaded accept a root certificate from an evil source, you could connect to their server with you thinking you were connecting directly to your bank, for example. The evil site would decrypt your traffic, pull out what they want, then finish your connection to your bank's site. The key is that you will have to actually accept their root certificate for this to work. There are ways to see if you've been affected, but that's beyond the scope of this simple note. Google it if you're interested. "mitm detection" But note that some companies and governments could require that you accept their root CA certificate, they want to examine your traffic. I remember reading about one whole country, I forget which, that required all their citizens to accept their cert. They wanted to examine everything, looking for subversive traffic. Regards, Lew
On 2021-10-29 6:59 p.m., Lew Wolfgang wrote:
It sounds to me as if your card was compromised remotely, and it might not have even happened at one of your known vendors. It could have been one of the third-party payment processors. Amex did cancel your card and send a new one, right? You didn't give your credit card to to any of the many spam/scam telephone callers, did you?
I use Paypal when I can to avoid those risks.
On 10/29/21 5:56 PM, James Knott wrote:
On 2021-10-29 6:59 p.m., Lew Wolfgang wrote:
It sounds to me as if your card was compromised remotely, and it might not have even happened at one of your known vendors. It could have been one of the third-party payment processors. Amex did cancel your card and send a new one, right? You didn't give your credit card to to any of the many spam/scam telephone callers, did you?
I use Paypal when I can to avoid those risks.
(I hope this isn't too far off-topic, but there is a computer tie-in with the credit card services) I try to avoid payment methods that have direct access to my bank checking account. I avoid bank debit cards too. Your entire bank account can all to easily be completely emptied, with any recourse being difficult. With credit cards, at least here in the US, your liability for fraudulent use is limited by law to $50. But from experience they didn't even charge the $50. There are also ways to create unique credit card numbers for use on web sites, etc. Capital One has a service called ENO, and another company called privacy.com allows even greater control of virtual credit cards. You can configure them to be used only one time, at one place, or for limited amounts, etc. Capital One's is linked to your real credit card account, which then gives you the legal protection. Privacy.com is linked to a bank account, but you could link it to a "burner" account with limited funding, then transfer funds as needed using Zelle or equivalent. Both services can be accessed with openSUSE Leap. (there, it's now on-topic!) As long as the topic is security, just this afternoon I received a valid-looking email from Capital One saying that I could claim a $100 reward if I clicked this big red button in the email. Off go the alarms in my head and I looked closer. The mail was sent from a gmail.com address, and by right clicking on the red button I got a bit.ly url. I submitted the url to virustotal.com and it came up with two hits identifying the link as "malware". Doug: You didn't click on any email links, did you? Regards, Lew
On 2021-10-29 9:20 p.m., Lew Wolfgang wrote:
I try to avoid payment methods that have direct access to my bank checking account. I avoid bank debit cards too. Your entire bank account can all to easily be completely emptied, with any recourse being difficult. With credit cards, at least here in the US, your liability for fraudulent use is limited by law to $50. But from experience they didn't even charge the $50.
I have 3 payments that are taken from my chequing account, mortgage, condo fees & insurance. Everything else I pay when I make the transaction, either from chequing account or charge card. I have a debit card, but almost never use it.
On 2021-10-29 9:20 p.m., Lew Wolfgang wrote:
As long as the topic is security, just this afternoon I received a valid-looking email from Capital One saying that I could claim a $100 reward if I clicked this big red button in the email. Off go the alarms in my head and I looked closer. The mail was sent from a gmail.com address, and by right clicking on the red button I got a bit.ly url. I submitted the url to virustotal.com and it came up with two hits identifying the link as "malware". Doug: You didn't click on any email links, did you?
I often check the URL. Also, when I receive real mail from Capitol One, it goes right into recycling.
On 10/29/21 9:20 PM, Lew Wolfgang wrote:
On 10/29/21 5:56 PM, James Knott wrote:
On 2021-10-29 6:59 p.m., Lew Wolfgang wrote:
It sounds to me as if your card was compromised remotely, and it might not have even happened at one of your known vendors. It could have been one of the third-party payment processors. Amex did cancel your card and send a new one, right? You didn't give your credit card to to any of the many spam/scam telephone callers, did you?
I use Paypal when I can to avoid those risks.
(I hope this isn't too far off-topic, but there is a computer tie-in with the credit card services)
I try to avoid payment methods that have direct access to my bank checking account. I avoid bank debit cards too. Your entire bank account can all to easily be completely emptied, with any recourse being difficult. With credit cards, at least here in the US, your liability for fraudulent use is limited by law to $50. But from experience they didn't even charge the $50.
There are also ways to create unique credit card numbers for use on web sites, etc. Capital One has a service called ENO, and another company called privacy.com allows even greater control of virtual credit cards. You can configure them to be used only one time, at one place, or for limited amounts, etc. Capital One's is linked to your real credit card account, which then gives you the legal protection. Privacy.com is linked to a bank account, but you could link it to a "burner" account with limited funding, then transfer funds as needed using Zelle or equivalent. Both services can be accessed with openSUSE Leap. (there, it's now on-topic!)
As long as the topic is security, just this afternoon I received a valid-looking email from Capital One saying that I could claim a $100 reward if I clicked this big red button in the email. Off go the alarms in my head and I looked closer. The mail was sent from a gmail.com address, and by right clicking on the red button I got a bit.ly url. I submitted the url to virustotal.com and it came up with two hits identifying the link as "malware". Doug: You didn't click on any email links, did you?
Regards, Lew I think I'm pretty well aware of these kind of scams. Nothing that says it comes from a bank is real, afaik! And I certainly do not do ANY banking business over a computer link--they don't even know my email address-- I hope! And Chase has an email address to forward "their" spam to: abuse@chase.com. --doug
On 10/29/21 6:59 PM, Lew Wolfgang wrote:
On 10/29/21 8:39 AM, Douglas McGarrett wrote:
I've also purchased a lot of stuff on the 'net. This is almost the only time I've had a problem, and it was a big one. Many purchases from as little as a railroad ticket on the local commuter line (LIRR) to some large items which were not described on the credit-card bill to an extent that would identify them.
It sounds to me as if your card was compromised remotely, and it might not have even happened at one of your known vendors. It could have been one of the third-party payment processors. Amex did cancel your card and send a new one, right? You didn't give your credit card to to any of the many spam/scam telephone callers, did you?
I most certainly did not! I would have to say that the AMEX card really surprised me. I practically never use it except at restaurants, and I'm not a frequent eater out. Amex has promised a new card. Discover has come thru already. I think I will have to keep a log of card use! (Sort of lowers the value of having the card!) Does everybody trust eBay? --doug
I don't know what TLS is. I use Firefox as my browser. If it requires some input from me to "harden" it, please advise what and how. It would be inconvenient, and in many cases impossible, to purchase items via land-line telephone.
(this is probably too long)
TLS is "Transport Layer Security". It's a method to establish a connection between a server and a client where each end of the connection is authenticated. For example, you have cryptographic proof that the web site you've connected to is really the one you think it is. TLS also provides for encryption of all traffic between the ends. The TLS protocol works regardless of your having a VPN connection, or not.
All browsers, and some other things, support TLS. A web site address that supports TLS will begin with "https" instead of "http". Once the connection is established, Firefox will show a little padlock on the left side of the URL field. If the connection isn't encrypted or if the remote end isn't authenticated, the padlock will have a red line drawn through it. You can click on the padlock to discover more information about the remote server.
But as another poster (Carlos) offered, TLS is subject to a man-in-the-middle attack where "if" you can be persuaded accept a root certificate from an evil source, you could connect to their server with you thinking you were connecting directly to your bank, for example. The evil site would decrypt your traffic, pull out what they want, then finish your connection to your bank's site. The key is that you will have to actually accept their root certificate for this to work. There are ways to see if you've been affected, but that's beyond the scope of this simple note. Google it if you're interested. "mitm detection"
But note that some companies and governments could require that you accept their root CA certificate, they want to examine your traffic. I remember reading about one whole country, I forget which, that required all their citizens to accept their cert. They wanted to examine everything, looking for subversive traffic.
Regards, Lew
W dniu 29.10.2021 o 02:49, Douglas McGarrett pisze:
Two of my credit cards were hacked last month, so I would like to install and use a vpn to purchase items on the 'net. I downloaded and printed out a paper called YaST VPN module. It says to install the latest stable version us zypper: sudo zypper install yast2-vpn.
If you want to configure a VPN connection, it's better to use NetworkManager for that. But here's a good explanation why VPN is not a solution to your problem: https://www.youtube.com/watch?v=WVDQEoe6ZWY
Am 2021-10-29 02:49, schrieb Douglas McGarrett:
Two of my credit cards were hacked last month, so I would like to install and use a vpn
To put it bluntly: Using a VPN protects you from identity theft / online credit card theft/fraud as much as wearing a clown suit in public will protect you from being mugged, that is NOT AT ALL. Your credit cards were most likely hacked either by a phishing attack (fake website and the likes advertized by spam, as in YOUR OWN FAULT) or by a break in into a shop system. There's NOTHING a vpn could do to prevent that. If you want to use a VPN to "hide your identity", don't. They don't do that. All a VPN does is connect you to a remote lan. If you really want to hide your identity: use tor. Comes as a package for openSUSE. Install it with yast, enable the service, and after a reboot, have any software that supports using socks use 127.0.0.1:9050 as socks server. If your software only supports HTTP/HTTPS: layer privoxy on top of tor. Also comes as package for openSUSE. Install, enable, edit the configuration file to chain it to your tor service (it's documented in comments in the config file), start it, and point your clients at 127.0.0.1:8118 as http/https proxy. And... have patience. TOR slows things down. Quite a lot. Cheers Mathias -- Mathias Homann Mathias.Homann@openSUSE.org telegram: https://telegram.me/lemmy98 irc: [lemmy] on freenode and ircnet obs: lemmy04 gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
On 29/10/2021 08.54, Mathias Homann wrote:
Am 2021-10-29 02:49, schrieb Douglas McGarrett:
Two of my credit cards were hacked last month, so I would like to install and use a vpn
To put it bluntly:
Using a VPN protects you from identity theft / online credit card theft/fraud as much as wearing a clown suit in public will protect you from being mugged, that is NOT AT ALL.
Your credit cards were most likely hacked either by a phishing attack (fake website and the likes advertized by spam, as in YOUR OWN FAULT) or by a break in into a shop system. There's NOTHING a vpn could do to prevent that.
I seem to recall he suspect his internet provider. It has happened to him before.
If you want to use a VPN to "hide your identity", don't. They don't do that. All a VPN does is connect you to a remote lan.
If you really want to hide your identity: use tor. Comes as a package for openSUSE. Install it with yast, enable the service, and after a reboot, have any software that supports using socks use 127.0.0.1:9050 as socks server.
If your software only supports HTTP/HTTPS: layer privoxy on top of tor. Also comes as package for openSUSE. Install, enable, edit the configuration file to chain it to your tor service (it's documented in comments in the config file), start it, and point your clients at 127.0.0.1:8118 as http/https proxy.
And... have patience. TOR slows things down. Quite a lot.
I agree, but TOR usually breaks the geolocation done by the web server, and some are that stupid as use this to adjust what they sell. They may even refuse selling because of wrong country. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 2021-10-29 7:25 a.m., Carlos E. R. wrote:
I seem to recall he suspect his internet provider. It has happened to him before.
One thing to bear in mind is those transactions will be encrypted, which means it's extremely unlikely the ISP can collect data, other than from any transactions with them.
On 29/10/2021 14.48, James Knott wrote:
On 2021-10-29 7:25 a.m., Carlos E. R. wrote:
I seem to recall he suspect his internet provider. It has happened to him before.
One thing to bear in mind is those transactions will be encrypted, which means it's extremely unlikely the ISP can collect data, other than from any transactions with them.
There are methods on routers, used on some sites, to open https traffic and reencapsulate with another certificate. I can not explain how, though. But I would evaluate many other possibilities first. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 2021-10-29 8:53 a.m., Carlos E. R. wrote:
There are methods on routers, used on some sites, to open https traffic and reencapsulate with another certificate. I can not explain how, though.
If a router can do it, any computer can do it and that would defeat the entire purpose of encryption.
On 29.10.2021 15:53, Carlos E. R. wrote:
On 29/10/2021 14.48, James Knott wrote:
On 2021-10-29 7:25 a.m., Carlos E. R. wrote:
I seem to recall he suspect his internet provider. It has happened to him before.
One thing to bear in mind is those transactions will be encrypted, which means it's extremely unlikely the ISP can collect data, other than from any transactions with them.
There are methods on routers, used on some sites, to open https traffic and reencapsulate with another certificate. I can not explain how, though.
No special method is needed, just certificate that is trusted by client. Unless client is using certificate pinning or you manually verify certificate each time you access this site you never notice this. And even certificate pinning may not detect it if you always access your "secure" site from the same client and location.
But I would evaluate many other possibilities first.
participants (8)
-
Adam Mizerski -
Andrei Borzenkov -
Carlos E. R. -
Douglas McGarrett -
James Knott -
Lew Wolfgang -
Mathias Homann -
Patrick Shanahan