A web shop allows customers to order as guest or to create an account.

  1. I ordered as guest, entered my email address and the shipping address, and paid per credit card (I had to enter the security code).

  2. Some weeks later, I ordered something else, again as a guest. To my surprise, after entering my email address and shipping address, I could select the credit card that I used in the previous order.

    It showed the credit card issuer, the credit card customer’s name, 4 digits of the credit card number, and the expiration date.

    I selected it, and it worked. I didn’t have to enter or confirm anything (not even the security code; but this doesn’t seem to be required anyway).

I tested whether it is related to a cookie (no, it also works from a different PC) and whether the data has to be entered exactly the same (no, it only checks for the email address).

I guess this is bad, right?

I intend to contact the shop owner, but I want to be prepared in case they don’t agree that this is a problem. Should I also contact the credit card company, or is such a process allowed according to their rules (saving a credit card and allowing it to be used without authentication; showing some parts of the credit card data without authentication)?

unor
  • If they're in the US, they're breaking the law, IIRC. I may be wrong. Even if it's legal, if they're hacked, your CC goes to da black market ;) – Mints97 Feb 27 '15 at 19:09

2 Answers

This isn't just bad, this is a disaster. Just knowing the email address of someone allows you to buy stuff using his credit card if he happened to be the unlucky customer of this horrible site.

They are either storing complete credit card data in a reversible format, and given that this security disaster was overlooked I wouldn't be surprised if it was stored in plain text without even any attempt at encryption (not that this would change much if the entire server is compromised anyway).

Another less scary possibility would be that they are only storing a reference to the card, whereas the actual card is stored (more securely) on the payment provider's side. In this case, the "buy something on other's behalf with their email" still stands, but at least if they're compromised your card's data doesn't go out in the wild.

If you can see what their credit card processing company is, you should report it to them; they'll quickly cancel their account while they sort it out. And please do expose them on Plaintext Offenders, as this is even worse than plaintext passwords.

I guess this is bad, right?

edit:

Based on the new information that only the email address, not the physical address, is the authenticator the merchant is using...

It's still only mildly bad.

They're not violating any law. They're not violating the PCI DSS or any card brand regulation that I'm aware of. They're drastically increasing the likelihood that fraudulent purchases will be made on their site, which increases their chargeback liability and (after enough abuse) potentially their ability to process card payments.

It's bad for you in that someone might fraudulently charge your card. You will then need to notice that in your statements and apply for a chargeback. You will get your money back, so in the end, it's an inconvenience rather than a tragedy. You will probably vote with your feet and not use that merchant. Which also damages the merchant.

If you want to help other people avoid that potential fate, you can publicize the name of the merchant. That's probably the only thing that will lead them to change their practices.

original answer:

Mildly, but for whom?

I don't think there's a violation of the PCI DSS here. The merchant is on the hook for authenticating your identity before they charge your card. Clearly they're doing it somehow; perhaps they consider use of the same email address and shipping address to be "authentication". But the DSS doesn't lay out requirements on how merchants authenticate customers, so perhaps that's a valid method.

Storing your card (encrypted or tokenized) is completely legitimate. Storing in plaintext and displaying the first 6 and last 4 digits are completely legitimate. From the information you've provided, you have no indication that the merchant is doing anything other than storing and using the card in a manner compliant with the PCI DSS.

They are liable for any fraudulent charges to your card, and they will eat the chargeback if someone abuses it (e.g., enters your email and your address and then grabs the package when the mailman drops it off). But that's a pretty limited scenario, it isn't usable by random strangers on the Internet. This attack vector doesn't allow someone to retrieve your information, your card number, or to ship anywhere but your known shipping address.

If people abused this regularly, the merchant's chargeback numbers would go up, their risk score would go up, and their processor would drop them. At that point, it's certainly bad for the merchant.

In the meantime, you're protected. The card companies will charge back any disputed claims against your card, and you'll get your money back. That's why you're willing to use a credit card, because of the convenience and protections it offers you. If the merchant is doing something that'll ultimately hurt them, well, that'll police itself.

gowenfawr
  • *to ship anywhere but your known shipping address* from what I understood from the question it seems like by ordering as guest they didn't store a known address and only the email had to match for the card to be usable. –  Feb 27 '15 at 19:40
  • The **customer** didn't store their address in a named account... but nothing keeps the **merchant** from storing it. _To my surprise, after entering my email address and shipping address, I could select the credit card..._ The merchant stored the email and shipping address during the first purchase. When the customer returned for a second purchase, the merchant treated matching email + shipping address as sufficient authentication, and used it to pull up the (hopefully, presumably, properly stored) card data to charge. – gowenfawr Feb 27 '15 at 19:43
  • 1
    *I tested whether it is related to a cookie (no, it also works from a different PC) and whether the data has to be entered exactly the same (no, it only checks for the email address).* –  Feb 27 '15 at 19:45
  • Would the OP please post their email address so we can test to see what it does when you try and ship an Xbox to my physical address? – gowenfawr Feb 27 '15 at 19:47
  • Please try with my physical address and a few Macbooks as well. Thanks. –  Feb 27 '15 at 19:48
  • The acid test is really where you can get it to ship. If you can ship anywhere, my answer is true but the level of merchant risk just shot way the hell up. If you can't ship other than the initial address, then it's arguably reasonable authentication. More information is required. – gowenfawr Feb 27 '15 at 19:56
  • To clarify, I can enter *any* shipping address. Today I ordered something to a shipping address never used before. I just entered my "known" email address, entered a new shipping address (different name, different city) and could select my "known" credit card. – unor Feb 28 '15 at 01:11
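The two answers above disagree on severity but agree on the mechanics: the merchant keeps something that identifies the card (ideally a processor-side token plus the masked display fields PCI DSS allows a merchant to keep) and hands it to anyone who types the same email address into guest checkout. The following is an added example, not code from the original post or from the shop in question, that models that flow in Python: `VulnerableShop` reproduces the behaviour the asker describes, and `HardenedShop` shows the usual fix, where saved cards are only offered to a password-authenticated session and a guest order charges once without saving anything. The shop classes, `tokenize` (a stand-in for the processor's vault call) and the test PAN are constructed assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample input: a standard Luhn-valid test number, not a real card.
TEST_PAN = "4111 1111 1111 1111"


@dataclass
class SavedCard:
    provider_token: str   # opaque reference held at the payment processor
    brand: str
    masked_pan: str       # display form only; the full PAN is never kept here
    expiry: str
    holder: str


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    cards: list = field(default_factory=list)


def mask_pan(pan: str) -> str:
    """Render a PAN as first 6 / last 4, the most PCI DSS 3.3 allows on display."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize(pan: str) -> str:
    # Hypothetical stand-in for the processor's vault; real tokens are issued
    # by the processor and are not derived from the PAN.
    return "tok_" + secrets.token_hex(8)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class VulnerableShop:
    """Guest orders silently save the card under the email address, and any
    later guest who types that email is offered it (the behaviour in the question)."""

    def __init__(self):
        self.vault = {}  # email -> [SavedCard]

    def guest_order(self, email, ship_to, pan, brand, expiry, holder):
        card = SavedCard(tokenize(pan), brand, mask_pan(pan), expiry, holder)
        self.vault.setdefault(email, []).append(card)
        return card.provider_token

    def saved_cards_for_guest(self, email):
        # The only "authentication" is knowing the email address.
        return self.vault.get(email, [])


class HardenedShop:
    """Saved cards exist only inside an account and are shown only to a session
    established with the account password; guest checkout stores nothing."""

    def __init__(self):
        self.accounts = {}  # email -> Account
        self.sessions = {}  # session id -> email

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, hash_password(password, salt))

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or not secrets.compare_digest(
            hash_password(password, acct.salt), acct.password_hash
        ):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def save_card(self, session_id, pan, brand, expiry, holder):
        email = self.sessions[session_id]  # KeyError for an unknown session
        card = SavedCard(tokenize(pan), brand, mask_pan(pan), expiry, holder)
        self.accounts[email].cards.append(card)
        return card.provider_token

    def saved_cards(self, session_id):
        email = self.sessions.get(session_id)
        return [] if email is None else list(self.accounts[email].cards)

    def guest_order(self, email, ship_to, pan, cvv):
        # Single-use charge: the token is sent to the processor with the CVV
        # and discarded; neither the token nor the card is attached to the email.
        return {"email": email, "ship_to": ship_to, "token": tokenize(pan), "saved": False}
```

Note that the hardened version still keeps the processor-side token plus the PCI-permitted display fields, which is what the second answer calls "completely legitimate"; the fix is in who is allowed to see and use the token, not in what is stored.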