Payment processor security
kdepasquale | I work for an organization that uses an outside vendor to process payments.
The website owned by this vendor to process individuals' payments has an option for password recovery that I think is very insecure. I'm trying to see if I'm correct here. If a user of this website forgets their password, they are given the option of having their password emailed to them. When you do this, their password is sent in cleartext straight to their email address. Besides the transmission of the emails being in cleartext and the inherent insecurity there, I'm even more concerned that these passwords are recoverable at all.
The company insists that their passwords are encrypted using "industry standard 1-way hashes", but if this were true, then there shouldn't be any way whatsoever for these users' passwords to be sent in an email, correct?
These accounts are used to process payments using credit/debit cards, and I cannot believe that this company is telling me that they are storing passwords securely. It seems like a HUGE liability to me. Am I wrong here? -- »www.qirfa.com/ I love Lebanon |
|
Steve | Some of these mechanisms don't send your password; they send a password generated for the purpose: you use that new password to log in and set a new password.
If they're sending your original password, there's no "one-way" going on here. |
|
kdepasquale | Oh they're definitely sending the original password, not a randomly generated one for a temporary login. -- »www.qirfa.com/ I love Lebanon |
|
Steve | said by kdepasquale: Oh they're definitely sending the original password, not a randomly generated one for a temporary login. Then press them: "if it's one-way, how do you recover the password? Please show your work" |
|
password3453 | reply to kdepasquale Liability in what? You can't view the credit card number of previous transactions.
Have you actually used the option and been sent the current password -- or is it a new password? |
|
Snowy | said by password3453: Liability in what? You can't view the credit card number of previous transactions. That's a good question. AFAIK there isn't a whole lot that can be done within a processor's web interface. Changing the account where the ACH credits are to appear might be one malicious activity, but I doubt that could be done without additional follow-up that would expose the change for what it is. A business competitor might have an interest in the sales volume by credit/debit card, but beyond that I can't imagine that much, if anything, is actually at risk. What items do you see as being at risk? If it's a concern that brings into question the processor's backend security, then tell them that; it's not an outrageous concern at all. |
|
Steve | said by Snowy: What items do you see as being at risk? Whoa: when a financial-services provider provides BS about security in one area, do you assume that's the only place? |
|
kdepasquale | reply to password3453 They send the current password. If they claim they're securing passwords but aren't, how am I to know that they're securing card data as well? |
|
dib22 | reply to kdepasquale said by kdepasquale: These accounts are used to process payments using credit/debit cards, and I cannot believe that this company is telling me that they are storing passwords securely. It seems like a HUGE liability to me. Am I wrong here? You are not... it should send a unique link that requires another form of identification verification.
You should point that out to them; of course we are talking about bank think here. They would rather pay off the thefts than secure the banking card / traditional banking system. |
|
Snowy | reply to Steve said by Steve: said by Snowy: What items do you see as being at risk? Whoa: when a financial-services provider provides BS about security in one area, do you assume that's the only place? I have a hard time accepting that the person working at the processor or MSP help desk is the same person that's responsible for security. But yeah, it's always a good sign when you get a correct reply from a company. |
|
Steve | said by Snowy: I have a hard time accepting that the person working at the processor or MSP help desk is the same person that's responsible for security. Me too; that's why one should press to get a real answer rather than something read from a script.
It's possible to get a really satisfying answer that suggests that the company has a clue, but it's also possible to find out that it's as bad as it looks at first (I've had both sets of experiences). |
|
kdepasquale | reply to kdepasquale This is the response I was just given:
"To clarify, passwords are encrypted when stored and are not retrievable by our staff. The passwords however can be retrieved by the end user, which at this point is being sent in clear text via email. We are VERY aware of the issues with this and have had it on the docket to re-engineer this for a time. The plan is to migrate to the industry accepted practice of hashes for the password and password resets based on some temporary generated password and link via email. We will let you know as we firm up the timetable on the above. Please rest assured that credit card info is completely secure and as a matter of fact we store no credit card info on our system at all. The only information we retain is an abstracted reference to a wallet which is owned by the payment gateway. I would also like to emphasize that both the security and handling of user info and credit card info is regularly audited in person by security professionals at Trustwave as part of our PCI Certifications. We take the security of all of our users' data very seriously."
Funny that they're passing their audits, since they're breaking PCI-DSS requirement 8.5.2: Examine password/authentication procedures and observe security personnel to verify that, if a user requests a password reset by phone, e-mail, web, or other non-face-to-face method, the user's identity is verified before the password is reset. -- »www.qirfa.com/ I love Lebanon |
|
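An added example (not the vendor's code and not posted in the thread) of what the fix dib22 and the vendor's response describe looks like: passwords kept only as salted one-way hashes, so no "email me my password" feature can be built on top of the store, and a reset flow that mails a random, single-use, time-limited token instead. The user names, timestamps and in-memory dictionaries are constructed for the demo.

```python
"""Added example, not the vendor's code: a one-way password store plus an
emailed, single-use reset token. Users, times and the dict stores are constructed."""
import hashlib, hmac, os, secrets, time

PBKDF2_ROUNDS = 200_000      # work factor; tune to the hardware
RESET_TTL_SECONDS = 15 * 60  # reset links should expire quickly

users = {}   # username -> {"salt": bytes, "hash": bytes}
resets = {}  # sha256(token) -> {"user": str, "expires": float}

def set_password(user, password):
    """Keep only salt + PBKDF2-HMAC digest; the cleartext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    users[user] = {"salt": salt, "hash": digest}

def verify_password(user, password):
    """Recompute the digest and compare in constant time."""
    rec = users.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])

def stored_record_contains(user, password):
    """Why a 'mail me my password' feature cannot exist on top of this store:
    the cleartext is simply not present in what is saved."""
    rec = users[user]
    return password.encode() in rec["salt"] + rec["hash"]

def issue_reset_token(user, now=None):
    """Return the secret to embed in the emailed reset link. Only its hash is
    kept server-side, so a leaked table does not yield working links."""
    if user not in users:
        return None  # a real endpoint responds identically either way
    token = secrets.token_urlsafe(32)
    expires = (time.time() if now is None else now) + RESET_TTL_SECONDS
    resets[hashlib.sha256(token.encode()).hexdigest()] = {"user": user, "expires": expires}
    return token

def redeem_reset_token(token, new_password, now=None):
    """Single use and time-limited: the entry is removed whether or not it was valid."""
    rec = resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or (time.time() if now is None else now) > rec["expires"]:
        return False
    set_password(rec["user"], new_password)
    return True
```

Sending the token by email still relies on the mailbox being in the right hands, which is the identity check requirement 8.5.2 quoted above asks for; the difference from the vendor's current behaviour is that the token is worthless after fifteen minutes or one use, and the original password is never on the wire.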
Snowy | said by kdepasquale: Funny that they're passing their audits, since they're breaking PCI-DSS requirement 8.5.2: I might have this completely wrong, but I'm not sure that Trustwave needs PCI-DSS compliance. Aren't they a tester/evaluator for bringing other companies into compliance? |
|
kdepasquale | From what I gather, Trustwave is their outside auditor that is supposed to validate compliance. |
|
Snowy | said by kdepasquale: From what I gather, Trustwave is their outside auditor that is supposed to validate compliance. Right, so why would they need to be PCI-DSS compliant? It would be easy enough to ask them. |
|
kdepasquale | I meant to validate PCI compliance. |
|
Snowy | said by kdepasquale: I meant to validate PCI compliance. Got it. You've already got an open channel there. Ask them; I'm willing to wager they are not required to be PCI-DSS compliant but probably do self-testing. |
|
kdepasquale | Hmm. You're probably right. I really hate dealing with vendors who don't take things like this seriously. -- »www.qirfa.com/ I love Lebanon |
|
 | reply to kdepasquale If you don't like the way they're doing business, take it elsewhere. That's the easiest answer.
"Had it on the docket to re-engineer this for a time..." huh? The million-dollar question (literally) is: how long have they had it on the docket?
Regards |
|
kdepasquale | I wish it were as simple as taking my business elsewhere. Unfortunately, it's not my decision to do that. If it were my choice, I'd drop the entire company in a heartbeat, because the rest of their software that we use is horrific as well. -- »www.qirfa.com/ I love Lebanon |
|