Forum Thread: Can VPN Server Eavesdrop Secured Communication?

Can VPN Server Eavesdrop Secured Communication?

I used VPN server (Hola Better Internet) to change my IP address to US IP address to overcome regional restrictions. I wanted to buy something in USD istead of EUR. So my question is. Could the VPN server log my credit card informations? The connection was secured and I checked certificate. But I don't feel very strong in this area of expertise so I can't tell whether I'm in danger or not. What do you think guys?

22 Responses

It smells that its a stolen CC, Whatever.

It smells like this is forum is a hacking forum and of course people are using stolen CC's...

If you're stealing CCs that doesnt mean that ppl on this website use a stolen one's..

The credit card is mine and I wrote here to find out whether am I in danger or not. So sniff and smell whatever you want but you're wrong.

Most of the VPN's will log all the information, But I would go for it.

But what about SSL connection? Can VPN server see information unencryted? So could VPN server log my CC informations despite using site with SSL certificate for payment?

Not sure because I am not that familiar with VPN's, Maybe you should google and see how VPN works and I think common sense can solve the problem.

I said whatever, If you knew what I meant you wouldn't say that..

You are drunk

I would be more worried about the 420,000 websites that had data stolen on Monday.
"Russian gang stole 1.2 billion Net passwords"

I would use a pre paid card that allows you to logon to your acct and make CC numbers on the fly when needed.

They do have this with some companies. Make a number use it on the web and delete it afterwards when the transaction is complete.

The short answer and last post. :

"VPN is a Virtual Private Network: it isolates a group of machines from the rest of the world, so that these machines can talk to each other undisturbed by outsiders. If the isolation is reasonably thorough (it uses encryption, and it uses it properly), then communications between any two machines in the VPN will be protected from eavesdropping and alteration from machines which are not in the VPN.

But the VPN will not do anything against attackers who are already inside the VPN. Your desktop system is in the VPN; so is the server you are talking to. But there may be other machines as well. In fact, it is typical, in enterprise contexts, that all remote employees join the VPN, which will therefore contain many people as well as a bunch of corporate servers, and other systems of questionable security (e.g. printers).

Another point is that the VPN is between machines. In the "mainframe model", a given machine may run process from distinct users, with distinct rights. With SSL, the security is from one specific process on the client machine, to one specific process on the server. Even if the VPN uses authentication, it would be inconvenient for the client to get some accurate information on the identity of the server, and vice versa, because the VPN authentication is not made available to the individual process on the involved machines.

Therefore, in the presence of a VPN, SSL is redundant only if all the following characteristics are met:

the VPN provides confidentiality and integrity as well as SSL would (i.e. with correctly used cryptography);
all machines which may connect to the VPN are trusted;
authentication can be delegated to the VPN layer.
If unsure, use SSL and consider the network as hostile. This is the safe way."

Does it mean I do not need to be worried? Because even by my own knowledge SSL certificate would be invalid or changed in the case of MITM attack. So by checking certificate you can tell whether you are eavesdropped or not, am I right?

VPN has enter and exit nodes that you are not safe at . SSL is encrypted end to end. Both have weakness tho.

Certs are your friend, most of the time.

Weaknesses, right. So how likely is that someone managed to exploit that weaknesses and has seen my CC informations? In percentage.

If someone has/had the CC info you would know cause you will have strange charges showing up.

If you are that paranoid about it. Join Life lock or something along those lines and have the bank issue new cards.

You could make the buy and have the bank cancel the card and issue a new one. Most cases CC are protected by the bank for theft.

I would not yet because I used that VPN server yesterday and I believe most of stolen CC informations are sold on black market not used immediately. I could block my card in internet banking but it's quite pain in the ass to get new one and get it delivered takes some time. So I would do that only if the threat was real. That is why I asked how likely is that.

Let me see if I understand your question. You are using a VPN server to obscure your IP address and you want to use your credit card or have used your credit card while using the VPN? Do I understand you correctly?

If I do, the answer is "yes", the VPN server is capable of decrypting your credit card number, if they so choose. This begs the question, though, why are you using a VPN that you don't trust?

I don't use VPN server. Not normaly. I used it yesterday. Once. I wanted to buy something for US dollars and I needed US IP address. Otherwise the payment would be in euros which would make it more expensive. The easiest for me was to use Hola Unblocker / Hola Better Internet. I don't know whether that server can be trusted or not, but which one can be? It's issue of all free VPN servers. You can only trust to your own server. And in most of cases you can also trust paid services operated by known provider. But because of one time deal there is no point to pay for VPN server. Especialy when you try to save money.

So... am I in real danger? Should I block my credit card?

Personally, I wouldn't worry about it unless had reason to believe my CC was stolen.

For such purposes I usually use, these guys don't keep logs and credit card info. You need just to chose payment system (e.g. pay pall) and only this system will receive the number of your credit card ( will receive money on its account but not your financial info).

  1. I would have thought that the message would be encrypted by the application BEFORE it is sent via the proxy/vpn/hola extension. And therefore as safe as any encrypted message.
  2. How do you know you can trust the website (or any website) you are sending information to via HTTPS, just because they have a valid certificate does not mean they are 'good people'.
  3. Unless you are in one of those consume unfriendly countries - the credit card company will refund you if you are ripped off (as long as you have shown some care ) - the process is called chargeback.

Share Your Thoughts

  • Hot
  • Active