Is accepting an invalid credit card number a security issue?
I am testing a website which accepts invalid credit card numbers for reservations. The interesting thing is they do CC validation if the currency is USD, but not for any other currencies. Should I report this as a security issue or will it come under fraud management?
credit-card fraud
edited Apr 24 at 9:14 by AleksanderRas
asked Apr 24 at 8:19 by Jaya
Security issue or not, be careful on how to report this to the website. I assume you did all this testing on their live/production environment, so they could be upset and try to retaliate (because of the bogus reservations, to try to hide the vulnerability, because they thought the system was perfect and you hurt their ego, etc.). If they have a bug bounty program great, use it, otherwise think if it's worth it. If the test was done on their sandbox/test environment, that could explain the lack of further validations on the cc.
– Felipe Pereira
Apr 24 at 12:48
Is there a reason why you can't ask the point of contact for testers where you initially got permission to perform testing? Either you are hired to do this, or doing this on a website with a clear bug bounty program. I would hope you aren't testing payment methods on a production/live website without permission.
– J.Doe
Apr 24 at 15:43
There are legal issues with pen-testing another's website without their permission, first. Bug bounty? Great! That means you have permission. Contacting them affirms that you intended to "hack" them, regardless of whether your motivation was benevolent or not.
– jpaugh
Apr 24 at 22:43
3 Answers
Should I report this as a security issue or will it come under fraud management?
There may be a business risk issue, which you can document under security, but how significant it is depends on the business.
You say the web site
accepts ... credit card numbers for reservations.
What are those reservations for?
If it's a hotel room, then there is limited potential for fraud, since the actual card would be required at check-in time. An attacker could attempt to impact service by blocking off rooms with bogus cards, thus reducing the pool legitimate visitors could reserve, but I see that as a minor concern based on scalability and sustainability issues.
If it's a game store that is purchasing stock based on pre-order reservations, then the store is extending actual capital to stock games they might then be stuck without buyers for. This sort of business is more threatened by invalid card reservations, because they're sinking real dollars into the expected sales those reservations indicate.
There are other businesses where 'reservations' are largely meaningless, a way to encourage engagement by the customer at no real cost. In these cases, the business impact is negligible.
The interesting thing is they do CC validation if the currency is USD, but not for any other currencies.
And that may be reflective of business risk acceptance. If 99% of their reservations are in USD, then the risk of accepting invalid non-USD card reservations may be negligible. If implementing non-USD validation has any specific cost to it (fees from processor? coding time to handle if-then-else branches?) then it's a legitimate option to leave it out at 1% coverage.
Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.
– chrylis
Apr 24 at 11:20
I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.
– tim
Apr 24 at 12:59
@tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.
– TripeHound
Apr 24 at 13:15
@tim most controls are <100%, and we really don't know enough about the target environment or the business to know how this fits in or what other controls might overlap. Would love more info about the assessment but understand it's likely not forthcoming :)
– gowenfawr
Apr 24 at 13:44
answered Apr 24 at 9:24 by gowenfawr
There may be other controls and business processes that you are not aware of that mitigate the risk, such as verifying the credit card through a different processor, or calling the cardholder.
In all of the testing I've been involved with, there has always been a section of the report that lists interesting findings, but that are not necessarily security problems. I would expect this finding to be listed in that section.
answered Apr 24 at 18:14 by longneck
add a comment |
add a comment |
Why do you assume an invalid credit card is either a security issue or fraud? It should be expected that users will sometimes enter the card number incorrectly. I've done it. Most everyone has done it.
If you aren't going to validate the card at the time of entry, then you lose two things:
- The ability to correct an incorrect entry immediately
- The ability to determine if it is a security/fraud issue
I would rather validate all cards than worry about fraud with the ones I don't validate.
answered Apr 24 at 20:38
Mohair
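The entry-time check this answer argues for, as an added example that is not part of the original thread: normalise what the user typed, check length and digits, then run the Luhn checksum so a mistyped or transposed digit is bounced back for correction immediately, while a pass is only "well-formed", not "this card exists" (that still needs the processor). The 12-19 digit range is an assumed practical range, and the numbers used are publicly known test values, not real cards.

```python
"""Card-number entry validation (added example, not from the original thread).
A pass means "well-formed", not "valid card": authorisation is the processor's job."""
import re

# Assumed practical PAN length range; adjust to the issuers you accept.
MIN_LEN, MAX_LEN = 12, 19


def normalize(raw: str) -> str:
    """Drop the spaces and dashes people type between digit groups."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum. Catches every single-digit typo and every
    adjacent transposition except 09 <-> 90; it says nothing about fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9      # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def validate_entry(raw: str) -> tuple[bool, str]:
    """Server-side entry check. Returns (ok, reason) so the form can tell
    the user what to fix right away instead of failing later at the processor."""
    pan = normalize(raw)
    if not pan.isdigit():
        return False, "non-digit characters"
    if not MIN_LEN <= len(pan) <= MAX_LEN:
        return False, f"length {len(pan)} outside {MIN_LEN}-{MAX_LEN}"
    if not luhn_valid(pan):
        return False, "checksum failed: likely a typo, ask the user to re-enter"
    return True, "well-formed; submit to the processor for authorisation"


if __name__ == "__main__":
    # Constructed inputs: a public test number, then three typical entry mistakes.
    for entry in ["4111 1111 1111 1111",   # public Visa test number, passes Luhn
                  "4111 1111 1111 1112",   # one digit mistyped
                  "1411 1111 1111 1111",   # first two digits transposed
                  "4111-1111"]:            # too short
        print(entry, "->", validate_entry(entry))
```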
11
Security issue or not, be careful about how you report this to the website. I assume you did all this testing on their live/production environment, so they could be upset and try to retaliate (because of the bogus reservations, to try to hide the vulnerability, because they thought the system was perfect and you hurt their ego, etc.). If they have a bug bounty program, great, use it; otherwise think about whether it's worth it. If the test was done on their sandbox/test environment, that could explain the lack of further validations on the cc.
– Felipe Pereira
Apr 24 at 12:48
10
Is there a reason why you can't ask the point of contact for testers where you initially got permission to perform testing? Either you are hired to do this, or doing this on a website with a clear bug bounty program. I would hope you aren't testing payment methods on a production/live website without permission.
– J.Doe
Apr 24 at 15:43
2
There are legal issues with pen-testing another's website without their permission, first. Bug bounty? Great! That means you have permission. Contacting them affirms that you intended to "hack" them, regardless of whether your motivation was benevolent or not.
– jpaugh
Apr 24 at 22:43