[Owasp-leaders] Summit Regonline

dinis cruz dinis.cruz at owasp.org
Wed Jan 12 06:03:55 EST 2011


Well, I wouldn't worry too much about the CVV in RegOnline, a little OWASP
bird (not sure if he wants his name on this public list) found a much worse
'critical/top-10' security issue in that website (which I believe has
already been reported)

To debate this and many other ideas I've just set up this Summit 2011
Working Session, which I invite you to join: How to report known security
vulnerabilities (for websites)
<http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session093>

Btw, if you want to see my thinking on this topic, take a look at
http://www.owasp.org/images/0/0d/Dcruz.pdf (which is the Keynote I presented
at OWASP IBWAS conference in Portugal last December)

Dinis Cruz

On 12 January 2011 08:04, Ofer Maor <ofer.maor at owasp.org> wrote:

> I think that at the “moment” of buying you are right – sure, if I don’t
> give my CVV, it won’t be compromised.
>
> The cold and rough feeling I get is from the concept. A site that does not
> require a CVV is a site that makes it easier to use stolen cards (the
> likelihood of stealing card information without CVV is higher, due to the
> better security placed on CVVs).
>
> Hence, I always flinch when sites don’t ask for CVV, especially when those
> are sites that allow for purchases of hundreds or thousands of dollars.
>
> (Btw – in the US, you have another security mechanism which is not enabled
> worldwide – which is billing address confirmation. This is especially useful
> when purchasing online goods to be shipped to you, as in such case the
> potential abuse of cards is very low. However, for non-US issued cards, this
> is not verified as in the US, and, even if so, this was purchased for
> something that is not shipped, so the value is low.)
>
> Just my .02
>
> Ofer.
>
>
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jason Li
> Sent: Wednesday, January 12, 2011 6:59
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Summit Regonline
>
> Agreed - but it's the *existence* of the CVV2 in general that provides the
> warm and fuzzy.
>
> The fact that a merchant does not ask for the CVV2 doesn't make a
> difference from the cloning perspective, right?
>
> In fact, I think you could argue that if a merchant does *not* ask for
> CVV2, a user is in fact better off from a personal security perspective.
>
> -Jason
>
> On Tue, Jan 11, 2011 at 11:33 PM, Matthew Chalmers <
> matthew.chalmers at owasp.org> wrote:
>
> It makes users feel warm and fuzzy because it's less likely that their card
> can be used if cloned from the stripe only. :)
>
> On Tue, Jan 11, 2011 at 10:26 PM, Jason Li <jason.li at owasp.org> wrote:
>
> The CVV2 code is not technically required to make a credit card payment in
> the US (some European countries do require it).
>
> From a *user* security perspective, I don't think there's a significant
> impact for *not* providing a CVV2 code...
>
> But I'm sure someone will point it out if I'm wrong :)
>
> -Jason
>
> On Tue, Jan 11, 2011 at 6:28 PM, Ofer Maor <ofer.maor at owasp.org> wrote:
>
> Am I the only one who feels uncomfortable that the regonline site did not
> ask for my CVV when taking my credit card for the booking?
>
> ---
> Ofer Maor
> CTO, Hacktics
> Chairman, OWASP Israel
>
> Mobile: +972 (54) 6545406
> US: +1 (646) 7700646
> Office: +972 (9) 9565840
> Fax: +972 (9) 9500047
> LinkedIn: http://www.linkedin.com/in/ofermaor
> Web: www.hacktics.com
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders