[Owasp-leaders] Summit Regonline

Ofer Maor ofer.maor at owasp.org
Wed Jan 12 03:04:05 EST 2011


I think that at the "moment" of buying you are right - sure, if I don't give
my CVV, it won't be compromised. 
The cold and rough feeling I get is from the concept. A site that does not
require a CVV is a site that makes it easier to use stolen cards (the
likelihood of stealing card information without CVV is higher, due to the
better security placed on CVVs). 
Hence, I always flinch when sites don't ask for CVV, especially when those
are sites that allow for purchases of hundreds or thousands of dollars. 
(Btw - in the US, you have another security mechanism which is not enabled
worldwide - which is billing address confirmation. This is especially useful
when purchasing online goods to be shipped to you, as in such case the
potential abuse of cards is very low. However, for non US issued cards, this
is not verified as in the US, and, even if so, this was purchased for
something that is not shipped, so the value is low). 
Just my .02
Ofer.
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jason Li
Sent: Wednesday, January 12, 2011 6:59
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Summit Regonline
Agreed - but it's the *existence* of the CVV2 in general that provides the
warm and fuzzy.
The fact that a merchant does not ask for the CVV2 doesn't make a difference
from the cloning perspective, right?
In fact, I think you could argue that if a merchant does *not* ask for CVV2,
a user is in fact better off from a personal security perspective.
-Jason



On Tue, Jan 11, 2011 at 11:33 PM, Matthew Chalmers
<matthew.chalmers at owasp.org> wrote:

It makes users feel warm and fuzzy because it's less likely that their card
can be used if cloned from the stripe only. :)
On Tue, Jan 11, 2011 at 10:26 PM, Jason Li <jason.li at owasp.org> wrote:

The CVV2 code is not technically required to make a credit card payment in
the US (some European countries do require it).

From a *user* security perspective, I don't think there's a significant
impact for *not* providing a CVV2 code...
But I'm sure someone will point it out if I'm wrong :)
-Jason
On Tue, Jan 11, 2011 at 6:28 PM, Ofer Maor <ofer.maor at owasp.org> wrote:

Am I the only one who feels uncomfortable that the regonline site did not
ask for my CVV when taking my credit card for the booking? 
---

Ofer Maor

CTO, Hacktics

Chairman, OWASP Israel
Mobile: +972 (54) 6545406

US: +1 (646) 7700646

Office: +972 (9) 9565840

Fax: +972 (9) 9500047

LinkedIn: http://www.linkedin.com/in/ofermaor 

Web: http://www.hacktics.com/

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders