[WEB SECURITY] Vulnerabilities at PCI DSS sites

MustLive mustlive at websecurity.com.ua
Thu Dec 30 16:50:40 EST 2010


Hello Christian!

Thanks for information.

I know about scanlesspci.com :-) and I'll read about vulnerabilities of 3-D
Secure presented by the University of Cambridge.

Concerning situation with PCI DSS and 3-D Secure standards. As I told
earlier, I'd write new set of questions in addition to previous ones (that
time I wrote 3 questions and answers on them). Here is new set questions.

If previous set of questions was concerning relation between PCI DSS and 3-D
Secure (Verified by VISA, MasterCard SecureCode and others), then this set
of questions would be concerning that particular vulnerable site - #2 in the
list of vulnerable Electronic Payment System (EPS) sites in my first letter.
About vulnerabilities at which I wrote about at my site and soon I'd write
about new vulnerabilities (Business Logic flaws which allow to steal money
from accounts of the users of EPS).

This vulnerable site has logos of Verified by VISA and MasterCard SecureCode
(i.e. "certified" by VISA and MasterCard), but isn't PCI DSS certified. And
it's EPS which is working with plastic cards (as internet acquirer). So here
are new questions and answers on them.

1. Why EPS which works with cards - for many years (and doing business not
only in Ukraine, but worldwide) isn't PCI DSS certified?

It's strange case. For companies and online project of such size (which work
with cards) there must be PCI DSS certificate, as it looks like concerning
other similar EPS. Yes this site is holed one and other "PCI DSS compliant"
ones also have holes, so it's not 100% guaranty of flawless, but it could
improve site's security.

2. Don't Visa and MasterCard asking from EVERY company and bank (or at list
large ones) which work with cards to be PCI DSS compliant?

I heard about that. But as I sometimes see sites (which are working with
cards) which are vulnerable and not PCI DSS certified, like above-mentioned
case, then it doesn't look so.

3. Does the company, owner of EPS, is deceiving people by not having PCI DSS
and putting "funky" Verified by VISA and MasterCard SecureCode logos?

It looks like so.

4. Are they not caring about security of their sites?

Yes, they are :-). I know it from my experience of finding many holes at
sites of this company (bank) during 2007-2010.

5. Do Visa and MasterCard will be doing any sanction to such sites, who work 
with cards, but isn't PCI DSS compliant and are hiding behind Verified by 
VISA and MasterCard SecureCode logos?

For many years (while this EPS was working) not VISA, nor MasterCard didn't
do anything (in this particular case). Will look what will be in the future,
at least they could demand to remove these logos from such sites.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Christian Heinrich" <christian.heinrich at cmlh.id.au>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: <websecurity at webappsec.org>
Sent: Wednesday, December 29, 2010 10:27 PM
Subject: Re: [WEB SECURITY] Vulnerabilities at PCI DSS sites


> MustLive,
>
> A number of vulnerabilities of 3-D Secure, i.e. Verified by VISA and
> MasterCard SecureCode, have been presented by the University of
> Cambridge:
> 1.
> http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/
> 2.
> http://www.lightbluetouchpaper.org/2010/01/29/why-is-3-d-secure-a-single-sign-on-system/
>
> ASV of PCI DSS has also been criticised i.e. http://www.scanlesspci.com/.
>
>
> -- 
> Regards,
> Christian Heinrich
>
> http://www.linkedin.com/in/ChristianHeinrich
>
> Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
> SkypeID: cmlh.id.au



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to 
the confirmation email

Join WASC on LinkedIn 
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates



More information about the websecurity mailing list