On Apr 11, 2010, at 3:55 AM, Michael G Schwern wrote:

Joshua Juran wrote:
I want them to test their site with Firefox, observe that it asks to save the password with the plaintext credit card number as the user name, and realize that this is a bad idea. For extra credit, they might realize that asking for the same password a second time is (at best) pointless in any case.

I don't think credit card companies live in the same universe we do.

Well, the credit card itself is evidence of that. They've conflated identification with authentication -- if you know the identifiers, you must be the identified or an agent thereof. To be fair, there is a precedent for this -- in tales of Rumpelstiltskin and other guess-my-name-to-win stories. So you could call this 'fairy tale security'.

Take Verified By Visa.

...PLEASE.

It's basically an XSS exploit. Worse, it wants me to make up a secure password to associate with my credit card. The password MUST be between 6 and 10 characters. If I forget the password, I can just make up a new one.

I ran into this last year with Ticketmaster. After determining that Verified by Visa wasn't a clever phishing attempt, but merely a security circus[1], I went to the theater to buy tickets in person. Direct human contact For The Win.

I'd love to meet their security consultants.

With blunt instrument in hand, perhaps.[2]

Josh


[1] That's right -- it doesn't even merit the term 'security theater'.

[2] I refer of course to a rolled-up newspaper.

