[Owasp-leaders] Summit Regonline

dinis cruz dinis.cruz at owasp.org
Wed Jan 12 10:53:51 EST 2011


OWASP is doing what every other customer of RegOnline is doing: we are
buying their services with no ability to make an informed decision on their
security (do you think we are the only ones in this situation?).

This is a good example of the need for solutions like the one that hopefully
will come out of this Summit's Working Session "Consumer friendly labeling
of app sec metrics" <http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session051>


Dinis Cruz


On 12 January 2011 15:41, Matthew Chalmers <matthew.chalmers at owasp.org> wrote:

> My concern is not them requiring CVV2, or doing billing address/phone
> verification, or anything else, because I know that my personal liability
> for fraud on my card is $0. Other people may not be in the same boat. The
> vendor doing these things doesn't make OWASPers' information more secure, it
> just helps keep them protected from fraud liability and hassle.
>
> My concern IS that as a security organization we're contracting third
> parties without checking their security. It's embarrassing that this vendor
> has an SQLI vulnerability, even if it could be demonstrated that the full
> extent of it is simply disclosure of quasi-public information (not the
> ability to change data, insert data, or reveal private info such as a credit
> card number). Even without the SQLI, the links in the confirmation email
> should probably not work for anyone but the person who got it.
>
> I understand that in this case (and perhaps other cases) it may have been
> (or will be) necessary to get the solution running quickly, but OWASP should
> consider adopting a "policy" of not giving any vendor confidential data or
> money, or signing a contract for their services, until we have either
> tested/audited them and/or included a provision in the agreement that we can
> do so whenever we like. (And the sooner the better, because the first
> OWASPer to use it might be the first to "test" it informally.)
>
> Matt
>
>
> On Wed, Jan 12, 2011 at 8:49 AM, Kate Hartmann <kate.hartmann at owasp.org> wrote:
>
>> Group, the CVV is now required for all credit card purchases through
>> RegOnline.
>>
>> As you know, we have been using a different system for memberships and
>> registrations until this point, and that system did not require the
>> security code, so I mirrored the settings we had been using for the past
>> 4 years when setting up the new system.
>>
>> If you have concerns, please don't assume it's a security flaw. Ask
>> first. As in this case, it could be an issue of a back door setting.
>>
>> Development is working on the other issue reported last week. Resolution
>> will be swift.
>>
>> Kate Hartmann
>> Operations Director
>> 301-275-9403
>> www.owasp.org
>> Skype:  Kate.hartmann1
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
>> Sent: Wednesday, January 12, 2011 9:36 AM
>> To: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Summit Regonline
>>
>> For what it's worth...
>>
>> When I did an organizational membership through RegOnline last week, I
>> used an Amex and was asked for the CVV.
>>
>> I don't know what CC you used or your total, but I can tell you that for
>> Organizational Supporters ($5,000 USD), they required CVV for Amex (and
>> apparently all cards, as it was part of the HTML form).
>>
>> Give Kate some time to work with RegOnline and let's see what happens on
>> this and other issues. My understanding from talking with Kate multiple
>> times is that they have been open and eager when working with us in the
>> past. Let's get a response from them before we take them to task.
>>
>> Also remember that getting the Summit set up is taking 99% of OWASP's
>> volunteer and employee time, and that won't change until after it's done.
>>
>> Cheers!
>>
>> --
>> -- Matt Tesauro
>> OWASP Board Member
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>>
>> On 01/12/2011 02:04 AM, Ofer Maor wrote:
>> > I think that at the "moment" of buying you are right - sure, if I
>> > don't give my CVV, it won't be compromised.
>> >
>> > The cold and rough feeling I get is from the concept. A site that does
>> > not require a CVV is a site that makes it easier to use stolen cards
>> > (the likelihood of stealing card information without CVV is higher,
>> > due to the better security placed on CVVs).
>> >
>> > Hence, I always flinch when sites don't ask for CVV, especially when
>> > those are sites that allow for purchases of hundreds or thousands of
>> > dollars.
>> >
>> > (Btw - in the US, you have another security mechanism which is not
>> > enabled worldwide - which is billing address confirmation. This is
>> > especially useful when purchasing online goods to be shipped to you,
>> > as in such case the potential abuse of cards is very low. However, for
>> > non-US issued cards, this is not verified as in the US, and, even if
>> > so, this was purchased for something that is not shipped, so the value
>> > is low).
>> >
>> > Just my .02
>> >
>> > Ofer.
>> >
>> > From: owasp-leaders-bounces at lists.owasp.org
>> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jason Li
>> > Sent: Wednesday, January 12, 2011 6:59
>> > To: owasp-leaders at lists.owasp.org
>> > Subject: Re: [Owasp-leaders] Summit Regonline
>> >
>> > Agreed - but it's the *existence* of the CVV2 in general that provides
>> > the warm and fuzzy.
>> >
>> > The fact that a merchant does not ask for the CVV2 doesn't make a
>> > difference from the cloning perspective, right?
>> >
>> > In fact, I think you could argue that if a merchant does *not* ask for
>> > CVV2, a user is in fact better off from a personal security perspective.
>> >
>> > -Jason
>> >
>> > On Tue, Jan 11, 2011 at 11:33 PM, Matthew Chalmers
>> > <matthew.chalmers at owasp.org> wrote:
>> >
>> > It makes users feel warm and fuzzy because it's less likely that their
>> > card can be used if cloned from the stripe only. :)
>> >
>> > On Tue, Jan 11, 2011 at 10:26 PM, Jason Li <jason.li at owasp.org> wrote:
>> >
>> > The CVV2 code is not technically required to make a credit card
>> > payment in the US (some European countries do require it).
>> >
>> > From a *user* security perspective, I don't think there's a
>> > significant impact for *not* providing a CVV2 code...
>> >
>> > But I'm sure someone will point it out if I'm wrong :)
>> >
>> > -Jason
>> >
>> > On Tue, Jan 11, 2011 at 6:28 PM, Ofer Maor <ofer.maor at owasp.org> wrote:
>> >
>> >     Am I the only one who feels uncomfortable that the regonline site
>> >     did not ask for my CVV when taking my credit card for the booking?
>> >
>> >     ---
>> >     Ofer Maor
>> >     CTO, Hacktics
>> >     Chairman, OWASP Israel
>> >
>> >     Mobile: +972 (54) 6545406
>> >     US: +1 (646) 7700646
>> >     Office: +972 (9) 9565840
>> >     Fax: +972 (9) 9500047
>> >     LinkedIn: http://www.linkedin.com/in/ofermaor
>> >     Web: www.hacktics.com
>> >
>> >     _______________________________________________
>> >     OWASP-Leaders mailing list
>> >     OWASP-Leaders at lists.owasp.org
>> >     https://lists.owasp.org/mailman/listinfo/owasp-leaders
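Matthew Chalmers' remark above that the links in a confirmation email should not work for anyone but the person who received them is a general design point, not specific to RegOnline. The Python below is an added example, not code from this thread or from RegOnline: it puts the guessable form (a link that carries only the registration id) beside a link whose query string carries an HMAC tag bound to the registration id, the recipient's address and an expiry, and shows the server-side check that rejects a swapped id, a modified tag or a stale link. The endpoint URL, the registration table and the signing key are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins for the example: a server-side signing key (load it from
# a secret store in a real deployment) and a tiny registration table keyed by id.
SERVER_KEY = secrets.token_bytes(32)
REGISTRATIONS = {
    "10001": "alice@example.org",
    "10002": "bob@example.org",
}
CONFIRM_URL = "https://example.org/confirm"  # hypothetical endpoint


def weak_confirmation_link(registration_id: str) -> str:
    """The pattern objected to in the thread: the link is just the registration id.

    Ids are usually sequential, so anyone can walk them and open other people's
    confirmations; nothing in the URL proves it was sent to the person using it.
    """
    return f"{CONFIRM_URL}?{urlencode({'reg': registration_id})}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _tag(registration_id: str, email: str, expires: int, key: bytes) -> str:
    # Bind the tag to what is being confirmed, whom it was sent to, and until
    # when. NUL separators keep the fields from running into each other.
    msg = "\x00".join([registration_id, email.lower(), str(expires)]).encode("utf-8")
    return _b64url(hmac.new(key, msg, hashlib.sha256).digest())


def signed_confirmation_link(registration_id: str, ttl_seconds: int = 86400,
                             key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Build a link that validates only for this registration and recipient, for ttl seconds."""
    email = REGISTRATIONS[registration_id]
    expires = int(time.time() if now is None else now) + ttl_seconds
    tag = _tag(registration_id, email, expires, key)
    return f"{CONFIRM_URL}?{urlencode({'reg': registration_id, 'exp': expires, 'tag': tag})}"


def verify_confirmation_link(url: str, key: bytes = SERVER_KEY,
                             now: Optional[int] = None) -> Optional[str]:
    """Return the registration id if the link is intact and unexpired, else None.

    The recipient address is looked up server-side from the registration
    record, so a tag minted for one registration cannot be replayed against
    another by editing the id in the URL.
    """
    params = parse_qs(urlparse(url).query)
    try:
        reg = params["reg"][0]
        expires = int(params["exp"][0])
        tag = params["tag"][0]
    except (KeyError, IndexError, ValueError):
        return None
    email = REGISTRATIONS.get(reg)
    if email is None:
        return None
    if int(time.time() if now is None else now) > expires:
        return None
    expected = _tag(reg, email, expires, key)
    # Constant-time comparison so the tag cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    return reg


if __name__ == "__main__":
    good = signed_confirmation_link("10001", now=1_300_000_000)
    print("signed link:", good)
    print("valid for 10001:", verify_confirmation_link(good, now=1_300_000_060))
    # Swapping the id to a neighbouring registration invalidates the tag.
    print("tampered:", verify_confirmation_link(good.replace("reg=10001", "reg=10002"),
                                                 now=1_300_000_060))
    print("expired:", verify_confirmation_link(good, now=1_300_000_000 + 86401))
```

Two design choices worth noting: the tag covers the recipient address fetched from the server's own record rather than from the URL, so the link cannot be re-pointed at another registration; and the expiry is part of the signed message, so it cannot be extended by editing the query string. A link built this way still reveals the registration id, which is fine as long as the id alone unlocks nothing.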