Is accepting an invalid credit card number a security issue?



15















I am testing a website which accepts invalid credit card numbers for reservations. The interesting thing is they do CC validation if the currency is USD, but not for any other currencies. Should I report this as a security issue or will it come under fraud management?










Tags: credit-card, fraud






edited 16 hours ago by AleksanderRas
asked 17 hours ago by Jaya








  • 4
    Security issue or not, be careful on how to report this to the website. I assume you did all this testing on their live/production environment, so they could be upset and try to retaliate (because of the bogus reservations, to try to hide the vulnerability, because they thought the system was perfect and you hurt their ego, etc.). If they have a bug bounty program great, use it, otherwise think if it's worth it. If the test was done on their sandbox/test environment, that could explain the lack of further validations on the cc.
    – Felipe Pereira
    13 hours ago

  • 4
    Is there a reason why you can't ask the point of contact for testers where you initially got permission to perform testing? Either you are hired to do this, or doing this on a website with a clear bug bounty program. I would hope you aren't testing payment methods on a production/live website without permission.
    – J.Doe
    10 hours ago

  • There are legal issues with pen-testing another's website without their permission, first. Bug bounty? Great! That means you have permission. Contacting them affirms that you intended to "hack" them, regardless of whether your motivation was benevolent or not.
    – jpaugh
    3 hours ago














3 Answers






23















> Should I report this as a security issue or will it come under fraud management?

There may be a business risk issue, which you can document under security, but how significant it is depends on the business.

You say the web site

> accepts ... credit card numbers for reservations.

What are those reservations for?

If it's a hotel room, then there is limited potential for fraud, since the actual card would be required at check-in time. An attacker could attempt to impact service by blocking off rooms with bogus cards, thus reducing the pool legitimate visitors could reserve, but I see that as a minor concern based on scalability and sustainability issues.

If it's a game store that is purchasing stock based on pre-order reservations, then the store is extending actual capital to stock games they might then be stuck without buyers for. This sort of business is more threatened by invalid card reservations, because they're sinking real dollars into the expected sales those reservations indicate.

There are other businesses where 'reservations' are largely meaningless, a way to encourage engagement by the customer at no real cost. In these cases, the business impact is negligible.

> The interesting thing is they do CC validation if the currency is USD, but not for any other currencies.

And that may be reflective of business risk acceptance. If 99% of their reservations are in USD, then the risk of accepting invalid non-USD card reservations may be negligible. If implementing non-USD validation has any specific cost to it (fees from processor? coding time to handle if-then-else branches?) then it's a legitimate option to leave it out at 1% coverage.






answered 16 hours ago by gowenfawr
  • Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.
    – chrylis
    14 hours ago

  • 1
    I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.
    – tim
    13 hours ago

  • 5
    @tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.
    – TripeHound
    12 hours ago

  • @tim most controls are <100%, and we really don't know enough about the target environment or the business to know how this fits in or what other controls might overlap. Would love more info about the assessment but understand it's likely not forthcoming :)
    – gowenfawr
    12 hours ago



















0














There may be other controls and business processes that you are not aware of that mitigate the risk, such as verifying the credit card through a different processor, or calling the cardholder.



In all of the testing I've been involved with, there has always been a section of the report that lists interesting findings, but that are not necessarily security problems. I would expect this finding to be listed in that section.






    0














    Why do you assume an invalid credit card is either a security issue or fraud? It should be expected that users will sometimes enter the card number incorrectly. I've done it. Most everyone has done it.



    If you aren't going to validate the card at the time of entry, then you lose two things:




    1. The ability to correct an incorrect entry immediately

    2. The ability to determine if it is a security/fraud issue


    I would rather validate all cards than worry about fraud with the ones I don't validate.






    – Mohair (new contributor)
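The currency-gated check the question describes, beside a check that does not depend on the currency, as an added Python example that is not code from the question or any answer; the function names, the sample card numbers and the currency codes are constructed for illustration, and 4111 1111 1111 1111 is the widely published Visa test number.

```python
# Added example (not from the question or any answer): a currency-independent
# card-number format check beside the currency-gated check the question
# describes. Function names, card numbers and currency codes are constructed.
import re
from typing import Optional


def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn mod-10 checksum.

    Luhn catches single-digit typos and most adjacent transpositions; it says
    nothing about whether the card exists or the submitter is its holder.
    """
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(raw: str) -> Optional[str]:
    """Drop the spaces and dashes people type; reject any other character."""
    cleaned = re.sub(r"[ -]", "", raw)
    return cleaned if cleaned.isdigit() else None


def card_number_ok(raw: str) -> bool:
    """Format check only: 13-19 digits (the PAN length range) and Luhn-valid."""
    number = normalize(raw)
    return number is not None and 13 <= len(number) <= 19 and luhn_ok(number)


# --- the behaviour the question describes (constructed reconstruction) -------
def validate_gated(raw: str, currency: str) -> bool:
    """Validate the number only when the reservation is priced in USD."""
    if currency == "USD":
        return card_number_ok(raw)
    return True                 # any string is accepted for other currencies


# --- the hardened form: the check does not depend on the currency ------------
def validate_always(raw: str, currency: str) -> bool:
    """Validate the number for every currency; authorization stays a separate step."""
    del currency                # deliberately unused: the format check is the same
    return card_number_ok(raw)


def compare(attempts):
    """Run both policies over (card, currency) pairs.

    Returns how many attempts each policy accepts, which shows how many
    mistyped or bogus numbers the gated policy lets through.
    """
    gated = sum(validate_gated(card, cur) for card, cur in attempts)
    always = sum(validate_always(card, cur) for card, cur in attempts)
    return {"gated": gated, "always": always}


# Constructed sample: the published Visa test number, the same number with the
# last digit mistyped, a made-up string, a too-short entry and a non-digit.
SAMPLE_ATTEMPTS = [
    ("4111 1111 1111 1111", "USD"),   # Luhn-valid: both accept
    ("4111 1111 1111 1112", "EUR"),   # typo: gated accepts, hardened rejects
    ("1234-5678-1234-5678", "GBP"),   # bogus: gated accepts, hardened rejects
    ("4111",                "USD"),   # too short: both reject
    ("4111 1111 1111 111a", "JPY"),   # non-digit: gated accepts, hardened rejects
]

if __name__ == "__main__":
    for card, cur in SAMPLE_ATTEMPTS:
        print(f"{card:<22} {cur}  gated={validate_gated(card, cur)!s:<5} "
              f"always={validate_always(card, cur)}")
    print(compare(SAMPLE_ATTEMPTS))   # {'gated': 4, 'always': 1}
```

A Luhn pass is only evidence that the number was typed correctly; whether anyone is actually on the hook for the reservation is decided by the authorization hold chrylis's comment mentions, not by this function.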





















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f208926%2fis-accepting-an-invalid-credit-card-number-a-security-issue%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      23















      Should I report this as a security issue or will it come under fraud management?




      There may be a business risk issue, which you can document under security, but how significant it is depends on the business.



      You say the web site




      accepts ... credit card numbers for reservations.




      What are those reservations for?



      If it's a hotel room, then there is limited potential for fraud, since the actual card would be required at check-in time. An attacker could attempt to impact service by blocking off rooms with bogus cards, thus reducing the pool legitimate visitors could reserve, but I see that as a minor concern based on scalability and sustainability issues.



      If it's a game store that is purchasing stock based on pre-order reservations, then the store is extending actual capital to stock games they might then be stuck without buyers for. This sort of business is more threatened by invalid card reservations, because they're sinking real dollars into the expected sales those reservations indicate.



      There are other businesses where 'reservations' are largely meaningless, a way to encourage engagement by the customer at no real cost. In these cases, the business impact is negligible.




      The interesting thing is they do CC validation if the currency is USD,
      but not for any other currencies.




      And that may be reflective of business risk acceptance. If 99% of their reservations are in USD, then the risk of accepting invalid non-USD card reservations may be negligible. If implementing non-USD validation has any specific cost to it (fees from processor? coding time to handle if-then-else branches?) then it's a legitimate option to leave it out at 1% coverage.






      share|improve this answer
























      • Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.

        – chrylis
        14 hours ago






      • 1





        I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.

        – tim
        13 hours ago






      • 5





        @tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.

        – TripeHound
        12 hours ago











      • @tim most controls are <100%, and we really don't know enough about the target environment or the business to know how this fits in or what other controls might overlap. Would love more info about the assessment but understand it's likely not forthcoming :)

        – gowenfawr
        12 hours ago
















      23















      Should I report this as a security issue or will it come under fraud management?




      There may be a business risk issue, which you can document under security, but how significant it is depends on the business.



      You say the web site




      accepts ... credit card numbers for reservations.




      What are those reservations for?



      If it's a hotel room, then there is limited potential for fraud, since the actual card would be required at check-in time. An attacker could attempt to impact service by blocking off rooms with bogus cards, thus reducing the pool legitimate visitors could reserve, but I see that as a minor concern based on scalability and sustainability issues.



      If it's a game store that is purchasing stock based on pre-order reservations, then the store is extending actual capital to stock games they might then be stuck without buyers for. This sort of business is more threatened by invalid card reservations, because they're sinking real dollars into the expected sales those reservations indicate.



      There are other businesses where 'reservations' are largely meaningless, a way to encourage engagement by the customer at no real cost. In these cases, the business impact is negligible.




      The interesting thing is they do CC validation if the currency is USD,
      but not for any other currencies.




      And that may be reflective of business risk acceptance. If 99% of their reservations are in USD, then the risk of accepting invalid non-USD card reservations may be negligible. If implementing non-USD validation has any specific cost to it (fees from processor? coding time to handle if-then-else branches?) then it's a legitimate option to leave it out at 1% coverage.






      share|improve this answer
























      • Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.

        – chrylis
        14 hours ago






      • 1





        I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.

        – tim
        13 hours ago






      • 5





        @tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.

        – TripeHound
        12 hours ago











      • @tim most controls are <100%, and we really don't know enough about the target environment or the business to know how this fits in or what other controls might overlap. Would love more info about the assessment but understand it's likely not forthcoming :)

        – gowenfawr
        12 hours ago














      23












      23








      23








      Should I report this as a security issue or will it come under fraud management?




      There may be a business risk issue, which you can document under security, but how significant it is depends on the business.



      You say the web site




      accepts ... credit card numbers for reservations.




      What are those reservations for?



      If it's a hotel room, then there is limited potential for fraud, since the actual card would be required at check-in time. An attacker could attempt to impact service by blocking off rooms with bogus cards, thus reducing the pool legitimate visitors could reserve, but I see that as a minor concern based on scalability and sustainability issues.



      If it's a game store that is purchasing stock based on pre-order reservations, then the store is extending actual capital to stock games they might then be stuck without buyers for. This sort of business is more threatened by invalid card reservations, because they're sinking real dollars into the expected sales those reservations indicate.



      There are other businesses where 'reservations' are largely meaningless, a way to encourage engagement by the customer at no real cost. In these cases, the business impact is negligible.




      The interesting thing is they do CC validation if the currency is USD,
      but not for any other currencies.




      And that may be reflective of business risk acceptance. If 99% of their reservations are in USD, then the risk of accepting invalid non-USD card reservations may be negligible. If implementing non-USD validation has any specific cost to it (fees from processor? coding time to handle if-then-else branches?) then it's a legitimate option to leave it out at 1% coverage.






      share|improve this answer














      Should I report this as a security issue or will it come under fraud management?




      There may be a business risk issue, which you can document under security, but how significant it is depends on the business.



      You say the web site




      accepts ... credit card numbers for reservations.




      What are those reservations for?



      If it's a hotel room, then there is limited potential for fraud, since the actual card would be required at check-in time. An attacker could attempt to impact service by blocking off rooms with bogus cards, thus reducing the pool legitimate visitors could reserve, but I see that as a minor concern based on scalability and sustainability issues.



      If it's a game store that is purchasing stock based on pre-order reservations, then the store is extending actual capital to stock games they might then be stuck without buyers for. This sort of business is more threatened by invalid card reservations, because they're sinking real dollars into the expected sales those reservations indicate.



      There are other businesses where 'reservations' are largely meaningless, a way to encourage engagement by the customer at no real cost. In these cases, the business impact is negligible.




      The interesting thing is they do CC validation if the currency is USD,
      but not for any other currencies.




      And that may be reflective of business risk acceptance. If 99% of their reservations are in USD, then the risk of accepting invalid non-USD card reservations may be negligible. If implementing non-USD validation has any specific cost to it (fees from processor? coding time to handle if-then-else branches?) then it's a legitimate option to leave it out at 1% coverage.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered 16 hours ago









      gowenfawrgowenfawr

      55.1k11115164




      55.1k11115164













      • Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.

        – chrylis
        14 hours ago






      • 1





        I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.

        – tim
        13 hours ago






      • 5





        @tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.

        – TripeHound
        12 hours ago











      • @tim most controls are <100%, and we really don't know enough about the target environment or the business to know how this fits in or what other controls might overlap. Would love more info about the assessment but understand it's likely not forthcoming :)

        – gowenfawr
        12 hours ago



















      • Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.

        – chrylis
        14 hours ago






      • 1





        I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.

        – tim
        13 hours ago






      • 5





        @tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.

        – TripeHound
        12 hours ago











      • @tim most controls are <100%, and we really don't know enough about the target environment or the business to know how this fits in or what other controls might overlap. Would love more info about the assessment but understand it's likely not forthcoming :)

        – gowenfawr
        12 hours ago

















      Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.

      – chrylis
      14 hours ago





      Does the business file authorizations on the credit cards? That's typical with hotel reservations in the US.

      – chrylis
      14 hours ago




      1




      1





      I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.

      – tim
      13 hours ago





      I'm not sure about your last point. That they validate USD cards to me implies that they do see a risk in not validating cards. For an attacker who wants to negatively impact the business with bogus reservations, it doesn't matter that 99% of common-use cards are validated if they can just use the 1% that aren't.

      – tim
      13 hours ago




      5




      5





      @tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.

      – TripeHound
      12 hours ago





      @tim Possibly the "risk" they are mitigating against in validating USD cards is not against "dedicated attackers" but just against "normal users" who – through error, carelessness or fraudulently – enter an incorrect or invalid card number.

      – TripeHound
      12 hours ago













      @tim most controls are <100%, and we really don't know enough about the target environment or the business to know how this fits in or what other controls might overlap. Would love more info about the assessment but understand it's likely not forthcoming :)

      – gowenfawr
      12 hours ago





      0














      There may be other controls and business processes that you are not aware of that mitigate the risk, such as verifying the credit card through a different processor, or calling the cardholder.



      In all of the testing I've been involved with, there has always been a section of the report that lists interesting findings, but that are not necessarily security problems. I would expect this finding to be listed in that section.






          answered 7 hours ago









          longneck

          24918























              0














              Why do you assume an invalid credit card is either a security issue or fraud? It should be expected that users will sometimes enter the card number incorrectly. I've done it. Most everyone has done it.



              If you aren't going to validate the card at the time of entry, then you lose two things:




              1. The ability to correct an incorrect entry immediately

              2. The ability to determine if it is a security/fraud issue


              I would rather validate all cards than worry about fraud with the ones I don't validate.






                  answered 5 hours ago









                  Mohair

                  1011
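The immediate entry-time validation this answer argues for is usually a structural check done before any call to a processor. The following is an added example, not code from the question, the answers or any commenter, and it assumes nothing about the hotel system under assessment: the helper names (`luhn_valid`, `validate_pan`, `check_samples`, `SAMPLES`) are my own, and the sample inputs are constructed, using the widely published Visa/Mastercard sandbox test numbers plus hand-made typos of them.

```python
"""Entry-time structural validation of a payment card number (PAN).

Added example, not code from the question, the answers or any commenter.
It implements the kind of immediate check Mohair's answer argues for:
rejecting obviously mistyped numbers at the form before anything is sent
to a processor. A number that passes is only *structurally* plausible;
whether the account exists or is funded still needs an authorization.
"""
import re
from typing import Dict, Tuple

# Constructed sample inputs. 4111111111111111 and 5555555555554444 are the
# widely published Visa/Mastercard sandbox test numbers: Luhn-valid, not
# real accounts. The other entries are hand-made typos of them.
SAMPLES: Dict[str, str] = {
    "visa test, grouped as typed":   "4111 1111 1111 1111",
    "mastercard test":               "5555555555554444",
    "last digit mistyped":           "4111111111111112",
    "first two digits transposed":   "2442424242424242",
    "too short":                     "4111 1111",
    "letter O typed for zero":       "4111-1111-1111-111O",
}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits.

    Walking from the rightmost digit, every second digit is doubled and,
    if the result exceeds 9, reduced by 9. The number is valid when the
    sum is a multiple of 10. This catches any single mistyped digit and
    any transposition of adjacent digits except 09 <-> 90.
    """
    total = 0
    for position, ch in enumerate(reversed(pan)):
        digit = ord(ch) - ord("0")
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def validate_pan(raw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a number exactly as the user typed it.

    Spaces and dashes between digit groups are tolerated because users
    copy them from the card face; anything else is rejected outright.
    """
    pan = re.sub(r"[ -]", "", raw)
    # Explicit ASCII-digit match: str.isdigit() also accepts Unicode digits
    # such as superscripts, which would break the ord() arithmetic above.
    if not re.fullmatch(r"[0-9]+", pan):
        return False, "contains non-digit characters"
    if not 12 <= len(pan) <= 19:
        return False, f"implausible length {len(pan)} (expected 12-19 digits)"
    if not luhn_valid(pan):
        return False, "check digit mismatch, most likely a typo"
    return True, "structurally valid; authorization with the processor still required"


def check_samples() -> Dict[str, Tuple[bool, str]]:
    """Run every constructed sample through validate_pan."""
    return {label: validate_pan(value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, (accepted, reason) in check_samples().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6}  {label:30}  {reason}")
```

Of the six constructed inputs only the two sandbox numbers are accepted; the single-digit typo, the transposition, the short entry and the letter O are all rejected at the form with a reason the user can act on. A passing number says nothing about whether the account exists, so this check complements, rather than replaces, the authorization hold mentioned in the comments.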



