The Device and Installation
The Smart Swipe really is a very simple device. It’s a magnetic card reader which connects to a computer via USB.
When connecting the device, it shows up in Windows 7 as a normal USB Input Device, however a 62.1 MB driver required from Smart Swipe’s web site. The software installs a driver for the operating system and a toolbar in Internet Explorer.
Windows users who prefer another browser such as Firefox or Chrome cannot use the Smart Swipe, nor can Mac OS X or Linux users.
Use
I am an infrequent on-line shopper, mostly because I don’t really spend money very often. Most of the sites at which I shop frequently (Amazon, NewEgg, GoDaddy, etc.) have my credit card information safely and securely stored (hopefully). So, to this end, I used the payment portal of a former employer and knew that I could cancel the transaction after entering my credit card details.
I also whipped up a little test to see if I could get my credit card information once swiped. My test asked for the name on the card, number, expiration, and card type.
When you come to a page where you need to enter credit card information, you click on the chain link icon in the the Smart Swipe toolbar (hint: it’s the only icon in the toolbar). It’ll check to ensure that the conditions are good for entering payment information: that the connection is secure and encrypted using SSL (HTTPS), that the SSL certificate identifying the website is authentic and valid, and that the Smart Swipe reader is attached. If these and other conditions are met, a window asking for you to swipe your card will appear. Once swiped and verified using the 3- or 4-digit CVV2 number on the back of the card, you’ll be able to point and click on the fields into which information from the card should be entered.
This is where the Smart Swipe excels. Normally, when entering card details, the inputs aren’t protected against reading by Javascript. In my test, I filled out the first form using Smart Swipe, then pressed the “copy to other form” button to try to read the inputs using Javascript. It came across as encrypted gobbledygook. My guess is that Smart Swipe fills in this crap to satisfy client-side, Javascript-based validation and to fool cross-site scripting attacks, but actually submits the correct information when advancing to the next page.
I blurred out a lot of information here so that if there is some kind of reversable attack on the gobbledygook, my credit card won’t be compromised.
