[Owasp-leaders] Summit Regonline

Matt Tesauro matt.tesauro at owasp.org
Wed Jan 12 09:35:30 EST 2011


For what it's worth...

When I did an organizational membership through RegOnline last week, I
used an Amex and was asked for the CVV.

I don't know what CC you used or your total, but I can tell you that for
Organizational Supporters ($5,000 USD), they required CVV for Amex (and
apparently all cards as it was part of the html form).

Give Kate some time to work with RegOnline and let's see what happens on
this and other issues.  My understanding from talking with Kate multiple
times is that they have been open and eager when working with us in the
past.  Let's get a response from them before we take them to task.

Also remember that getting the Summit set up is taking 99% of much of
OWASP's volunteers' and employees' time and that won't change until after
it's done.

Cheers!

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 01/12/2011 02:04 AM, Ofer Maor wrote:
> I think that at the “moment” of buying you are right – sure, if I don’t
> give my CVV, it won’t be compromised.
> 
> The cold and rough feeling I get is from the concept. A site that does
> not require a CVV is a site that makes it easier to use stolen cards
> (the likelihood of stealing card information without CVV is higher, due
> to the better security placed on CVVs).
> 
> Hence, I always flinch when sites don’t ask for CVV, especially when
> those are sites that allow for purchases of hundreds or thousands of
> dollars.
> 
> (Btw – in the US, you have another security mechanism which is not enabled
> worldwide – which is billing address confirmation. This is especially
> useful when purchasing online goods to be shipped to you, as in such
> case the potential abuse of cards is very low. However, for non US
> issued cards, this is not verified as in the US, and, even if so, this
> was purchased for something that is not shipped, so the value is low).
> 
> Just my .02
> 
> Ofer.
> 
> *From:*owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Jason Li
> *Sent:* Wednesday, January 12, 2011 6:59
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Summit Regonline
> 
> Agreed - but it's the *existence* of the CVV2 in general that provides
> the warm and fuzzy.
> 
> The fact that a merchant does not ask for the CVV2 doesn't make a
> difference from the cloning perspective, right?
> 
> In fact, I think you could argue that if a merchant does *not* ask for
> CVV2, a user is in fact better off from a personal security perspective.
> 
> -Jason
> 
> On Tue, Jan 11, 2011 at 11:33 PM, Matthew Chalmers
> <matthew.chalmers at owasp.org <mailto:matthew.chalmers at owasp.org>> wrote:
> 
> It makes users feel warm and fuzzy because it's less likely that their
> card can be used if cloned from the stripe only. :)
> 
> On Tue, Jan 11, 2011 at 10:26 PM, Jason Li <jason.li at owasp.org> wrote:
> 
> The CVV2 code is not technically required to make a credit card payment
> in the US (some European countries do require it).
> 
> From a *user* security perspective, I don't think there's a significant
> impact for *not* providing a CVV2 code...
> 
> But I'm sure someone will point it out if I'm wrong :)
> 
> -Jason
> 
> On Tue, Jan 11, 2011 at 6:28 PM, Ofer Maor <ofer.maor at owasp.org
> <mailto:ofer.maor at owasp.org>> wrote:
> 
>     Am I the only one who feels uncomfortable that the regonline site
>     did not ask for my CVV when taking my credit card for the booking?
> 
>     *---*
> 
>     *Ofer Maor*
> 
>     *CTO, Hacktics*
> 
>     *Chairman, OWASP Israel*
> 
>     Mobile: +972 (54) 6545406
> 
>     US: +1 (646) 7700646
> 
>     Office: +972 (9) 9565840
> 
>     Fax: +972 (9) 9500047
> 
>     LinkedIn: http://www.linkedin.com/in/ofermaor
> 
>     Web: www.hacktics.com <http://www.hacktics.com/>
> 
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
