Forum OpenACS Q&A: Bugtraq: verisign payment site backdoor ?

Date: Thu, 7 Feb 2002 19:43:53 -0500 
From: Andrej Todosic 
To: "'bugtraq@securityfocus.com'" 
Subject: verisign payment site backdoor ?

Hello, 

so i had today a little adventure with verisign about paying some domains.

When you go on their secure site and enter payment information, they now require a security check. The security check consists of entering a billing address postal code. Without this the payment wouldn't work.

After verifying several times with them on the phone (their system won't accept a canadian postal code), they told me just to put 5 zeros. The payment went through. I also seem to vaguely remember a mention of it somewhere in the payment confirmation screen. My question is:

they gave it to me, so they know very well it exists, but what security do they have if they have a backdoor like this, and what is the point of extra precautions when you publicly tell everyone to use zeros if nothing else works.

I don't know if this should be made into a big thing, but i certainly don't feel comfortable with these guys having my CC number.


Comments or opinions are welcome. 

Andrej


Posted by David Walker on
That depends on how important you consider address verification.
Some banks (Wells Fargo for one) store your account address and your visa
address in different places, so that you could change your address and still
have the old address in your visa information (probably other types of cards
as well, but my experience is with visa).  Therefore you will fail address
verification.

Some online stores don't use address verification at all.  Many
order-by-phone places do not.  And almost no stores that you visit in person
care about the address.

So while verisign may not be doing it "right", how dangerous it is is largely a
matter of perception.

Posted by Jade Rubick on
A followup posting:
Date: Fri, 8 Feb 2002 09:08:49 -0800 (PST)
From: Nojan Moshiri 
Reply-To: redwood@linex.com
To: Andrej Todosic 
Cc: "'bugtraq@securityfocus.com'" 
Subject: Re: verisign payment site backdoor ?


Is this a function of Verisign or a function of Address Verification
(AVS) on the credit card side?  Credit card companies use the digits
of your street address and your zip to validate billing.  This may
be true for US citizens only, based on verisign's CC verification
company.

It would be good to try five zeros with a US based credit card. If AVS
is being properly used it should not go through.
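The two replies above describe how AVS is supposed to work (the digits of the street address and the postal code are compared with the issuer's billing record) and why an all-zero postal code that is always accepted defeats it. The following is an added example written for this thread, not code from any of the posters, from Verisign, or from any card processor: a merchant-side comparison in that style which validates Canadian postal codes in their own format instead of forcing them into the US ZIP shape, and refuses the all-zero placeholder before any comparison is made. The record layout, country codes and sample addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed example: AVS-style comparison of checkout data against the
# issuer's billing record. Record fields, country codes and sample values
# are assumptions made for this illustration.

US_ZIP = re.compile(r"^\d{5}(?:-\d{4})?$")
CA_POSTAL = re.compile(r"^[A-Z]\d[A-Z]\d[A-Z]\d$")   # e.g. M5V3L9 after space removal


def normalize_postal(code: str, country: str) -> str:
    """Canonical postal code for the given country; ValueError if malformed.

    Canadian codes are checked in their letter/digit form rather than being
    coerced into the five-digit US ZIP shape that the thread complains about.
    """
    code = code.strip().upper().replace(" ", "")
    if country == "US":
        if not US_ZIP.match(code):
            raise ValueError(f"not a US ZIP code: {code!r}")
        return code[:5]                      # compare on the 5-digit ZIP only
    if country == "CA":
        if not CA_POSTAL.match(code):
            raise ValueError(f"not a Canadian postal code: {code!r}")
        return code
    raise ValueError(f"unsupported country: {country!r}")


def is_placeholder(code: str) -> bool:
    """True for an all-zero 'fill-in' value such as 00000 or 000 000."""
    stripped = re.sub(r"[\s-]", "", code)
    return bool(stripped) and set(stripped) == {"0"}


def street_number(address: str) -> str:
    """Leading digits of the street address, the part an AVS check compares."""
    m = re.match(r"\s*(\d+)", address)
    return m.group(1) if m else ""


@dataclass
class AvsResult:
    street_match: bool
    postal_match: bool
    reason: str

    @property
    def approved(self) -> bool:
        # A merchant policy for this example: require both fields to match.
        return self.street_match and self.postal_match


def avs_check(submitted: dict, on_file: dict) -> AvsResult:
    """Compare checkout data with the billing record on file.

    Both dicts carry 'country', 'street' and 'postal'. A placeholder postal
    code is refused up front, so no single value can stand in for a match.
    """
    if is_placeholder(submitted["postal"]):
        return AvsResult(False, False, "placeholder postal code refused")
    if submitted["country"] != on_file["country"]:
        return AvsResult(False, False, "billing country mismatch")
    try:
        sub_postal = normalize_postal(submitted["postal"], on_file["country"])
    except ValueError as exc:
        return AvsResult(False, False, str(exc))
    ref_postal = normalize_postal(on_file["postal"], on_file["country"])
    street_ok = street_number(submitted["street"]) == street_number(on_file["street"])
    postal_ok = sub_postal == ref_postal
    reason = "match" if street_ok and postal_ok else "address data does not match record"
    return AvsResult(street_ok, postal_ok, reason)


# Constructed billing records for the demonstration.
ON_FILE_CA = {"country": "CA", "street": "123 Main St", "postal": "M5V 3L9"}
ON_FILE_US = {"country": "US", "street": "500 Market St", "postal": "94105"}


def demo() -> dict:
    """Run the three cases from the thread and return the outcomes."""
    return {
        "canadian_real_code": avs_check(
            {"country": "CA", "street": "123 Main Street, Apt 4", "postal": "m5v 3l9"},
            ON_FILE_CA),
        "canadian_five_zeros": avs_check(
            {"country": "CA", "street": "123 Main St", "postal": "00000"},
            ON_FILE_CA),
        "us_zip_plus_four_wrong_street": avs_check(
            {"country": "US", "street": "501 Market St", "postal": "94105-1234"},
            ON_FILE_US),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: approved={result.approved} ({result.reason})")
```

The point of the example is the order of checks: the placeholder test runs before any format or comparison logic, so the "just put five zeros" advice described in the original post cannot turn into an automatic pass, and a Canadian cardholder is handled by validating the postal code in its own format rather than by telling them to enter a value that matches nothing.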