[Owasp-leaders] Summit Regonline

Justin Clarke justin.clarke at owasp.org
Wed Jan 12 06:00:21 EST 2011


On 12 Jan 2011, at 08:04, Ofer Maor wrote:

> The cold and rough feeling I get is from the concept. A site that does not require a CVV is a site that makes it easier to use stolen cards (the likelihood of stealing card information without CVV is higher, due to the better security placed on CVVs).

That's a decision for the merchant though - if they choose to have higher fraud risk, that's not something that is going to cost the user. The main downside for them there is that if they peak over the upstream processor fraud levels, they will be dropped by various card brands.
> 
>  
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jason Li
> Sent: Wednesday, January 12, 2011 6:59
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Summit Regonline
>  
> Agreed - but it's the *existence* of the CVV2 in general that provides the warm and fuzzy.
>  
> The fact that a merchant does not ask for the CVV2 doesn't make a difference from the cloning perspective, right?
>  
> In fact, I think you could argue that if a merchant does *not* ask for CVV2, a user is in fact better off from a personal security perspective.
>  
> -Jason
> 
> 
> On Tue, Jan 11, 2011 at 11:33 PM, Matthew Chalmers <matthew.chalmers at owasp.org> wrote:
> It makes users feel warm and fuzzy because it's less likely that their card can be used if cloned from the stripe only. :)
>  
> 
> On Tue, Jan 11, 2011 at 10:26 PM, Jason Li <jason.li at owasp.org> wrote:
> The CVV2 code is not technically required to make a credit card payment in the US (some European countries do require it).
>  
> From a *user* security perspective, I don't think there's a significant impact for *not* providing a CVV2 code...
>  
> But I'm sure someone will point it out if I'm wrong :)
>  
> -Jason
>  
> On Tue, Jan 11, 2011 at 6:28 PM, Ofer Maor <ofer.maor at owasp.org> wrote:
> Am I the only one who feels uncomfortable that the regonline site did not ask for my CVV when taking my credit card for the booking?
>  
> ---
> Ofer Maor
> CTO, Hacktics
> Chairman, OWASP Israel
>  
> Mobile: +972 (54) 6545406
> US: +1 (646) 7700646
> Office: +972 (9) 9565840
> Fax: +972 (9) 9500047
> LinkedIn: http://www.linkedin.com/in/ofermaor
> Web: www.hacktics.com
>  
>  
>  
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
