[Owasp-southafrica] credit card information sent over http

Lindsay van Eden lindsay.vaneden at absa.co.za
Wed Aug 20 07:35:06 EDT 2008


I guess what annoys me is how clients turn to their vendors/service
providers for guidance and solutions.

Mailing credit card information in clear text = fail!
Mailing credit card information in clear text to an insecure portal = fail!
The look on the client's face when mastercard/visa pull their merchant
licence = priceless.  :D

Sorry, I couldn't resist that one..

The client and SP have been notified.
Will be dropping a mail to mastercard and visa should nothing be done by EOD
today.  Surely more than enough time?

Or am I being too harsh?

On 2008/08/20 1:26 PM, "Alastair "Bell" Turner" <aturner at khulisa.com> wrote:

> I don't think that holding a service provider accountable for a client's
> bad decisions on what could be sent via a web form is entirely
> reasonable. I think that there should be some mention of this in hosting
> T&Cs though, to give some recourse in situations like this. It shouldn't
> be too difficult to do some basic checks in the form mailer code to
> check up.
> 
> As I said before I would strongly suspect that the SP contributed to the
> situation by trying to sell an over-complicated and therefore overpriced
> solution to what could be a simple problem. There are a lot of very
> difficult problems in information security, but there are also some
> relatively simple ones. Making them all seem complex and bundling hordes
> of other services with them makes security more difficult to sell when
> it's actually necessary and makes it more difficult for clients to make
> secure decisions. And if the clients aren't making secure decisions then
> everyone potentially suffers.
> 
> Not having spotted that one of their servers had been defaced was a
> horrible failing on DataPro's part. A brief look doesn't seem to
> indicate that it's serving any malware at least.
> 
> On Wed, 2008-08-20 at 12:39 +0200, Lindsay van Eden wrote:
>> Well, after mentioning it very nicely to the client (Barnyard Theatre) by
>> Wimpie, with a follow up call this morning, would have thought they as the
>> client would have come down a bit harder on DataPro, being the service
>> provider.
>> 
>> For the non technical savvy individual purchasing a service or solution from
>> a provider, as they often do not know any better, have to trust in their
>> SP's offerings.  I personally feel DataPro should be held accountable for
>> this.
>> 
>> Looking at their site, they offer all sorts of security services, such as
>> VPN's, Firewalls, hosting etc etc.
>> 
>> Makes you wonder if their staff have any idea what they're doing.
>> Nevermind the genius that came up with the idea of mailing the credit card
>> information to DataPro in clear text.
>> 
>> That individual should just be dragged into the street, tarred and
>> feathered!!  :D
>> 
>> I did however take it upon myself to drop the MD a mail re: their hosting of
>> a hacked site.
>> 
>> Let's see shall we... ?  :D
> 
> 
> _______________________________________________
> Owasp-southafrica mailing list
> Owasp-southafrica at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-southafrica


Lindsay van Eden
GRCB Information Security
Barclays PLC - ZA Regional Data Centre

Direct:  +27 11 772 7172
mailto:  Lindsay.vaneden at absa.co.za
mailto:  Lindsay.vaneden at barclays.com
mailto:  GRCBZARegionalDataCentreInformationSecurity at Barclays.com


OWASP South Africa
https://www.owasp.org/index.php/South_Africa




___________________________________________________________

Important Notice: 

Absa is an Authorised Financial Services Provider and Registered Credit Provider, 
registration number: NCRCP7.

This e-mail and any files transmitted with it are confidential and intended for the use of 
the individual or entity to whom they are addressed.

Please note that there are terms and conditions and some important restrictions, 
qualifications and disclaimers ("the Disclaimer") that apply to this email. To read this 
click on the following address or copy into your Internet browser: 

http://www.absa.co.za/disclaimer

The Disclaimer forms part of the content of this email in terms of 
section 11 of the Electronic Communications and Transactions 
Act, 25 of 2002. 

If you are unable to access the Disclaimer, send a blank e-mail 
to disclaimer at absa.co.za and we will send you a copy of the 
Disclaimer.
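Alastair's remark that a form mailer could run "some basic checks" before sending, shown as an added example that is not code from this thread or from any provider mentioned in it: a Python pre-send screen that finds 13 to 19 digit, Luhn-valid strings in the submitted fields, masks them to the last four digits, and flags the submission so the mailer can refuse to e-mail it. The form fields below are constructed sample data; the field names and the `screen_submission` result layout are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run (avoids matching part of a reference number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, as a receipt would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_text(text):
    """Replace Luhn-valid PAN candidates in text; return (scrubbed, masks found)."""
    masked = []

    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            masked.append(mask_pan(digits))
            return masked[-1]
        return m.group(0)   # a 16-digit order number that fails Luhn is left alone

    return PAN_CANDIDATE.sub(_sub, text), masked


def screen_submission(fields):
    """Screen every form field; 'ok' is False when a card number was found.
    Only the scrubbed copy should ever reach the mail body or the log."""
    clean, findings = {}, []
    for name, value in fields.items():
        scrubbed, masks = scrub_text(str(value))
        clean[name] = scrubbed
        findings.extend((name, mask) for mask in masks)
    return {"ok": not findings, "fields": clean, "findings": findings}


# Constructed sample submission; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_SUBMISSION = {
    "name": "J. Customer",
    "order_ref": "BT-2008-0820",
    "message": "Please charge card 4111 1111 1111 1111 exp 12/10 for 2 tickets",
}
```

A mailer that calls `screen_submission()` and only sends when `ok` is True still needs the form page itself served over TLS; this check only stops card data from being relayed onward by e-mail.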

