[Owasp-board] FW: [Owasp-leaders] Summit Regonline

Kate Hartmann kate.hartmann at owasp.org
Wed Jan 12 15:49:58 UTC 2011


I need some help here.  I don't have the vocabulary to address the community
concerns.  I have copied you all on the email I sent as a follow-up to our
account representative which hopefully conveys the urgency of the situation.

Kate Hartmann

Operations Director

301-275-9403

www.owasp.org

Skype:  Kate.hartmann1

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthew Chalmers
Sent: Wednesday, January 12, 2011 10:42 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Summit Regonline

My concern is not them requiring CVV2, or doing billing address/phone
verification, or anything else, because I know that my personal liability
for fraud on my card is $0. Other people may not be in the same boat. The
vendor doing these things doesn't make OWASPers' information more secure, it
just helps keep them protected from fraud liability and hassle.

My concern IS that as a security organization we're contracting third
parties without checking their security. It's embarrassing that this vendor
has an SQLI vulnerability, even if it could be demonstrated that the full
extent of it is simply disclosure of quasi-public information (not the
ability to change data, insert data, or reveal private info such as a credit
card number). Even without the SQLI, the links in the confirmation email
should probably not work for anyone but the person who got it.

I understand that in this case (and perhaps other cases) it may have been
(or will be) necessary to get the solution running quickly, but OWASP should
consider adopting a "policy" of not giving any vendor confidential data or
money, or signing a contract for their services, until we have either
tested/audited them and/or included a provision in the agreement that we can
do so whenever we like. (And the sooner the better, because the first
OWASPer to use it might be the first to "test" it informally.)

Matt

On Wed, Jan 12, 2011 at 8:49 AM, Kate Hartmann <kate.hartmann at owasp.org>
wrote:

Group, the CVV is now required for all credit card purchases through Reg
Online.

As you know, we have been using a different system for memberships and
registrations until this point, and that system did not require the security
code, so I mirrored the settings we had been using for the past 4 years when
setting up the new system.

If you have concerns, please don't assume it's a security flaw.  Ask
first.  As in this case, it could be an issue of a back-door setting.

Development is working on the other issue reported last week.  Resolution
will be swift.

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype:  Kate.hartmann1


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
Sent: Wednesday, January 12, 2011 9:36 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Summit Regonline

For what it's worth...

When I did an organizational membership through RegOnline last week, I used
an Amex and was asked for the CVV.

I don't know what CC you used or your total, but I can tell you that for
Organizational Supporters ($5,000 USD), they required CVV for Amex (and
apparently all cards, as it was part of the HTML form).

Give Kate some time to work with RegOnline and let's see what happens on this
and other issues.  My understanding from talking with Kate multiple times is
that they have been open and eager when working with us in the past.  Let's
get a response from them before we take them to task.

Also remember that getting the Summit set up is taking 99% of OWASP's
volunteers' and employees' time, and that won't change until after it's done.

Cheers!

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 01/12/2011 02:04 AM, Ofer Maor wrote:
> I think that at the "moment" of buying you are right - sure, if I
> don't give my CVV, it won't be compromised.
>
> The cold and rough feeling I get is from the concept. A site that does
> not require a CVV is a site that makes it easier to use stolen cards
> (the likelihood of stealing card information without CVV is higher,
> due to the better security placed on CVVs).
>
> Hence, I always flinch when sites don't ask for CVV, especially when
> those are sites that allow for purchases of hundreds or thousands of
> dollars.
>
> (Btw - in the US, you have another security mechanism which is not
> enabled worldwide - which is billing address confirmation. This is
> especially useful when purchasing online goods to be shipped to you,
> as in such case the potential abuse of cards is very low. However, for
> non-US issued cards, this is not verified as in the US, and, even if
> so, this was purchased for something that is not shipped, so the value is
> low).
>
> Just my .02
>
> Ofer.
>
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jason Li
> Sent: Wednesday, January 12, 2011 6:59
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Summit Regonline
>
> Agreed - but it's the *existence* of the CVV2 in general that provides
> the warm and fuzzy.
>
> The fact that a merchant does not ask for the CVV2 doesn't make a
> difference from the cloning perspective, right?
>
> In fact, I think you could argue that if a merchant does *not* ask for
> CVV2, a user is in fact better off from a personal security perspective.
>
> -Jason
>
> On Tue, Jan 11, 2011 at 11:33 PM, Matthew Chalmers
> <matthew.chalmers at owasp.org> wrote:
>
> It makes users feel warm and fuzzy because it's less likely that their
> card can be used if cloned from the stripe only. :)
>
> On Tue, Jan 11, 2011 at 10:26 PM, Jason Li <jason.li at owasp.org> wrote:
>
> The CVV2 code is not technically required to make a credit card
> payment in the US (some European countries do require it).
>
> From a *user* security perspective, I don't think there's a
> significant impact for *not* providing a CVV2 code...
>
> But I'm sure someone will point it out if I'm wrong :)
>
> -Jason
>
> On Tue, Jan 11, 2011 at 6:28 PM, Ofer Maor <ofer.maor at owasp.org> wrote:
>
>     Am I the only one who feels uncomfortable that the regonline site
>     did not ask for my CVV when taking my credit card for the booking?
>
>     ---
>     Ofer Maor
>     CTO, Hacktics
>     Chairman, OWASP Israel
>
>     Mobile: +972 (54) 6545406
>     US: +1 (646) 7700646
>     Office: +972 (9) 9565840
>     Fax: +972 (9) 9500047
>     LinkedIn: http://www.linkedin.com/in/ofermaor
>     Web: www.hacktics.com
>
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders

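Matt's remark that the links in a confirmation email should work only for the person who received them can be met by binding each link's token to the stored registration record with a keyed MAC, rather than carrying a bare registration id that anyone can alter. The following is an added example written for this thread, not RegOnline's or OWASP's code; it assumes a single server-side key (loaded from a secret store in practice), a one-week link lifetime and a constructed registration table, and shows that swapping the registration id in an otherwise valid link, or presenting a link with no token, fails verification.

```python
import hmac
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import urlencode, parse_qs, urlparse

# Assumptions (example code, not RegOnline's): one server-side key, loaded
# from a secret store in a real deployment, and a one-week link lifetime.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 7 * 24 * 3600

# Constructed stand-in for the registration database: id -> registrant e-mail.
REGISTRATIONS = {"R-1001": "alice@example.org", "R-1002": "bob@example.org"}

def _mac(registration_id: str, email: str, expires: int) -> str:
    # Bind the token to the registration, the recipient and the expiry time.
    msg = f"{registration_id}|{email.lower()}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def make_confirmation_link(base_url: str, registration_id: str,
                           now: Optional[int] = None) -> str:
    """Build a link whose token validates only against this registrant's record."""
    email = REGISTRATIONS[registration_id]
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    query = urlencode({"reg": registration_id, "exp": expires,
                       "tok": _mac(registration_id, email, expires)})
    return f"{base_url}?{query}"

def verify_link(url: str, now: Optional[int] = None) -> bool:
    """Accept a link only if its MAC matches server-side state and it has not expired."""
    params = parse_qs(urlparse(url).query)
    try:
        reg = params["reg"][0]
        expires = int(params["exp"][0])
        token = params["tok"][0]
    except (KeyError, ValueError):
        return False
    email = REGISTRATIONS.get(reg)
    if email is None:
        return False
    if (now if now is not None else time.time()) > expires:
        return False
    # Recompute from the stored record, never from URL-supplied values alone;
    # compare_digest avoids leaking the match through timing.
    return hmac.compare_digest(token, _mac(reg, email, expires))
```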