Is accepting an invalid credit card number a security issue?
I am testing a website which accepts invalid credit card numbers for reservations. The interesting thing is they do CC validation if the currency is USD, but not for any other currencies. Should I report this as a security issue or will it come under fraud management?
Tags: credit-card, fraud
asked 17 hours ago by Jaya; edited 16 hours ago by AleksanderRas

Security issue or not, be careful about how you report this to the website. I assume you did all this testing on their live/production environment, so they could be upset and try to retaliate (because of the bogus reservations, to try to hide the vulnerability, because they thought the system was perfect and you hurt their ego, etc.). If they have a bug bounty program, great, use it; otherwise think about whether it's worth it. If the test was done on their sandbox/test environment, that could explain the lack of further validations on the CC.
– Felipe Pereira (13 hours ago)
Is there a reason why you can't ask the point of contact for testers where you initially got permission to perform testing? Either you are hired to do this, or doing this on a website with a clear bug bounty program. I would hope you aren't testing payment methods on a production/live website without permission.
– J.Doe (10 hours ago)
There are legal issues with pen-testing another's website without their permission, first. Bug bounty? Great! That means you have permission. Contacting them affirms that you intended to "hack" them, regardless of whether your motivation was benevolent or not.
– jpaugh (3 hours ago)
3 Answers
"Should I report this as a security issue or will it come under fraud management?"
There may be a business risk issue, which you can document under security, but how significant it is depends on the business.
You say the web site "accepts ... credit card numbers for reservations."
What are those reservations for?
If it's a hotel room, then there is limited potential for fraud, since the actual card would be required at check-in time. An attacker could attempt to impact service by blocking off rooms with bogus cards, thus reducing the pool legitimate visitors could reserve, but I see that as a minor concern based on scalability and sustainability issues.
If it's a game store that is purchasing stock based on pre-order reservations, then the store is extending actual capital to stock games they might then be stuck without buyers for. This sort of business is more threatened by invalid card reservations, because they're sinking real dollars into the expected sales those reservations indicate.
There are other businesses where 'reservations' are largely meaningless, a way to encourage engagement by the customer at no real cost. In these cases, the business impact is negligible.
"The interesting thing is they do CC validation if the currency is USD, but not for any other currencies."
And that may be reflective of business risk acceptance. If 99% of their reservations are in USD, then the risk of accepting invalid non-USD card reservations may be negligible. If implementing non-USD validation has any specific cost to it (fees from processor? coding time to handle if-then-else branches?) then it's a legitimate option to leave it out at 1% coverage.
answered 16 hours ago by gowenfawr

Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.
– chrylis (14 hours ago)
I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.
– tim (13 hours ago)
@tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.
– TripeHound (12 hours ago)
@tim most controls are <100%, and we really don't know enough about the target environment or the business to know how this fits in or what other controls might overlap. Would love more info about the assessment but understand it's likely not forthcoming :)
– gowenfawr (12 hours ago)
There may be other controls and business processes that you are not aware of that mitigate the risk, such as verifying the credit card through a different processor, or calling the cardholder.
In all of the testing I've been involved with, there has always been a section of the report that lists interesting findings, but that are not necessarily security problems. I would expect this finding to be listed in that section.
answered 7 hours ago by longneck
Why do you assume an invalid credit card is either a security issue or fraud? It should be expected that users will sometimes enter the card number incorrectly. I've done it. Most everyone has done it.
If you aren't going to validate the card at the time of entry, then you lose two things:
- The ability to correct an incorrect entry immediately
- The ability to determine if it is a security/fraud issue
I would rather validate all cards than worry about fraud with the ones I don't validate.
answered 5 hours ago by Mohair
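As an added example (not code from the question or from any of the answers), here is what the currency-gated check the question describes might look like next to a version that validates every booking regardless of currency, which is the position the last answer argues for. It assumes that the site's "CC validation" is a format check of the card number (length plus the Luhn mod-10 check digit); that is an assumption, since the question does not say what the check actually does. The card numbers are publicly documented Luhn-valid test numbers and one digit off from them, not real cards, and the currency list is constructed.

```python
"""Currency-gated card validation (the pattern in the question, reconstructed as an
assumption) next to a currency-agnostic version. Added example, not the site's code."""

from typing import Callable, Iterable, List


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 12-19 digits (spaces/dashes ignored) whose Luhn
    mod-10 check digit is correct. This is purely a syntax check: it says nothing
    about whether the card exists, is open, or belongs to the person booking."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold a
    # two-digit product back into one digit (subtracting 9 is the same thing).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def accept_reservation_gated(pan: str, currency: str) -> bool:
    """Weak form (assumed reconstruction of the behaviour the question reports):
    the format check only runs for USD bookings; every other currency is
    accepted without looking at the number at all."""
    if currency == "USD":
        return luhn_valid(pan)
    return True


def accept_reservation(pan: str, currency: str) -> bool:
    """Hardened form: the check does not depend on currency. `currency` stays in
    the signature only so the two functions are drop-in replacements."""
    # currency is intentionally not consulted
    return luhn_valid(pan)


def bypass_currencies(pan: str, currencies: Iterable[str],
                      check: Callable[[str, str], bool]) -> List[str]:
    """List the currencies under which `check` accepts `pan`. Fed an invalid
    number, this is exactly the set of bypasses a tester would report."""
    return [c for c in currencies if check(pan, c)]


# Constructed inputs: a publicly documented Luhn-valid test number, the same
# number with its last digit changed, and a made-up currency list.
VALID_TEST_PAN = "4111 1111 1111 1111"
INVALID_TEST_PAN = "4111 1111 1111 1112"
CURRENCIES = ["USD", "EUR", "GBP", "JPY"]

if __name__ == "__main__":
    print("gated, invalid PAN accepted for:",
          bypass_currencies(INVALID_TEST_PAN, CURRENCIES, accept_reservation_gated))
    print("fixed, invalid PAN accepted for:",
          bypass_currencies(INVALID_TEST_PAN, CURRENCIES, accept_reservation))
    print("fixed, valid PAN accepted for:  ",
          bypass_currencies(VALID_TEST_PAN, CURRENCIES, accept_reservation))
```

Run as a script it prints the currencies under which the gated check lets the invalid number through (everything except USD) and an empty list for the fixed version. Note that passing Luhn is only a syntax check, which is what the comments about filing authorizations and verifying through a different processor are getting at: a fabricated number can still pass it, so an authorization hold against the processor is the stronger control, and whichever control the business relies on has to be applied uniformly across currencies or the same gap reappears one layer down.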