Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: verisign payment site backdoor ?
From: redwood () visualjourneys com (Nojan Moshiri)
Date: Fri, 8 Feb 2002 09:08:49 -0800 (PST)


Is this a function of Verisign or a function of Address Verification
(AVS) on the credit card side.  Credit Card companies use the digits
of your stress address and your zip to validate billing.  This may
be true for US citizens only based on verisign's CC verification
company.

If would be good to try five zeros with a US based credit card. If AVS
is being properly used it should no go through.

On Thu, 7 Feb 2002, Andrej Todosic wrote:

Hello,

so i had today a little adventure with verisign about paying some domains.
When you go on their secure site and enter payment information, they now
require a security check
The security check consists of entering a billing address postal code.
Without this the payment wouldnt work.
After verifying several times witht hem on the phoen ( their system wont
accept a canadian postal code).
They told me just to put 5 zeros. The payment went through. I also seem to
vaguely remember a mention of it somewhere in the payment confirmation
screen. My question is:

they gave it to me, so they know very well it exists, but what security do
they have if they have a backdoor like this,
and what is the point of extra precautions when you publicly tell everyone
to use zeros if nothing else works.

I dont know if this should be made into a big thing, but i certainly dont
feel comfortable with these guys having my CC number.


Comments or opinions are welcome.

Andrej



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]