[WEB SECURITY] Real security of web sites with security logos

MustLive mustlive at websecurity.com.ua
Thu Feb 3 12:23:22 EST 2011


Hello, participants of the Mailing List.

In my post Vulnerabilities at PCI DSS sites
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-December/007344.html)
I wrote in particular about funky security logos at vulnerable e-commerce
sites (such as EPS) which aren't PCI DSS certified but need to be. We
discussed this a lot on the list during December-January.

I asked a partly rhetorical question concerning it - "Does the company, the
owner of EPS, deceive people by not having PCI DSS and putting up "funky"
Verified by VISA and MasterCard SecureCode logos?" and answered it - "It
looks like so". And in my letter to Christian
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-January/007390.html)
I said that I'd write more about it later. So here we go :-).

At the beginning of January I wrote the article Real security of web sites
with security logos (http://websecurity.com.ua/4811/). To give a short
retelling of it, I'll note that this article is about the above-mentioned
issue with security logos at e-commerce sites (such as EPS) which have holes,
or aren't PCI DSS certified, or have both holes and no PCI DSS certificate.
Such sites use security logos to hide behind them and to deceive people (to
make them feel that the sites are safe while they are not, and so users of
the sites are not safe either).

Among the security logotypes used to hide behind while ignoring the security
of one's sites (and creating a false sense of security for visitors and
users of such sites) are logos like Verified by VISA, MasterCard SecureCode
and SSL logos. As is clear from the examples I provided in my article, there
are e-commerce and EPS sites which put such logotypes on their pages and
don't care about security at all (which is clear from the multiple holes I
found at these web sites).

Like the LiqPAY system (EPS/processing system) mentioned in my article,
which must be PCI DSS certified but has been working for two years without
a certificate (and with multiple holes), while putting up Verified by VISA,
MasterCard SecureCode and SSL logos. And by putting these logos on every
page and on its "security" page, the system is telling people (i.e.
deceiving them) about its high level of security - with holes at the site
and no PCI DSS. The SSL certificate is issued by GoDaddy, and on the
"security" page of the site there is a "GoDaddy Secure Web Site" logo, which
is vulnerable by itself, as I wrote in another of my articles in January
2010.

In the article I draw attention to the real purpose of the SSL and 3-D
Secure standards, to which risks they can protect against and which they
can't. And also that the names of the technologies "Verified by VISA" and
"MasterCard SecureCode" by themselves sound like something other than what
they are in reality, which confuses people and helps such companies (which
like to hide behind security logos) to deceive people and to look "secure"
in doing so. All this is to let people know the real state of security of
sites with such logos, and with any security logos in general.

And I mentioned one recently hacked e-commerce site with Verified by VISA,
MasterCard SecureCode and VeriSign Secured logos, which I found during my
regular research of hacked sites (http://websecurity.com.ua/4878/). This
shows that sites with such security logos not only have holes, but also get
hacked ;-). Plus recently I wrote about the hacked site of the
EPS/processing system Chronopay (http://websecurity.com.ua/4881/), which was
hacked (in December), as it looked from the defaced site, but the owner
claimed that it was domain hijacking - which in any case is not good for a
card processing system.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua