
View Full Version : VERY IMPORTANT: Payoneer Security Issue




EricaErotica
04-30-2012, 09:31 AM
Nissim, all that Payoneer needs to do is REMOVE the feature. End of story.

Nissim-Payoneer
04-30-2012, 09:34 AM
Nissim, all that Payoneer needs to do is REMOVE the feature. End of story.

As you can see from my previous post, we will be updating the load page to not show the card holder name during full card number private payments.

It is important, however, to make a distinction between this change and a security issue in our system. We take all matters of security very seriously, and I feel it necessary to point this out. I'm sorry if I seem repetitive in saying this; however, it is an extremely important issue.

EricaErotica
04-30-2012, 09:42 AM
When the feature is removed the problem will be resolved. End of story.

Nissim-Payoneer
05-01-2012, 07:07 AM
Update: When receiving a private payment using the full card number, the card holder name is no longer displayed (your e-mail address will be displayed).

As a reminder, we advise you to never give out your full card number and use this option for friends and family. For general private payments, you should use your account e-mail address.

roast
05-01-2012, 07:29 AM
I think it is great that the name-to-valid-card feature has been removed from the main page.

However, with the current system you can still verify which numbers are valid (without being locked out), because it indicates to you which cards are invalid and tells you to try again. If you get the card correct, instead of the name popping up like before, nothing pops up. If you get it wrong, you're prompted to keep on trying. I'd assume, like before, ad infinitum? The risk is reduced, which is great; however, it is still a risk for Payoneer card users, as I am not being blocked out of the site to keep on plugging in numbers and I can still figure out a way to determine which card numbers I'm randomly putting in are valid and which ones are not. I'm unclear why this feature isn't just available on the confirmation page once the transaction is processed.

I'm unsure if the core issue is being communicated well here. It isn't that names appear - it is that the setup of the load page makes it very easy to find out which debit card numbers are valid without any security mechanism to block the user from using a script OR from just sitting for hours manually plugging in numbers (which is what I and several others did do yesterday) to determine which ones are "usable". Given that Payoneer, like most cards, has a static set of identifying numbers, the series of numbers the user needs to generate is not 16 but 10-12 - and the security setup of the load page does not inhibit someone (or something) from perpetually plugging in numbers and saving each one that the system flags for you as being valid.

Once the system flags it as valid, the user already knows Payoneer is MasterCard and can look up the bank details to use it. It is harder to do without a full name (again, thanks for giving this the top priority it was due), but still feasible.

Almost every site that processes transactions tells you if the number you're using is valid on the confirmation page of a processed transaction - and often you are unable to make multiple attempts or it locks you out or tells you to call a customer service representative. I am still plugging in numbers with complete impunity.

Given the incidence of fraud, I'd hope this is looked into a bit more holistically instead of piecemeal. Fraud is easy to commit with just a valid card number. The system makes it easy to figure out which ones are valid because it tells you on the loading page which ones are invalid for as long as you like.

So if risk were a spectrum - the risk has been decreased, and again, I very much appreciate that this was given top priority, but the core issue of being able to (very easily, with no safeguards except the name removal) determine which Payoneer cards are valid remains. My suggestion would be:

1. Put this feature on the confirmation page or disallow it from indicating if it is a valid number until the transaction is completed
2. Have a CAPTCHA that locks out bots if they get it wrong (I'm still allowed to get it wrong over and over again)
3. Have a harder CAPTCHA that locks out users like the one used to log into Payoneer accounts

I hope this is now clearer.

Thanks for giving this priority attention.

Nissim-Payoneer
05-01-2012, 07:40 AM
If you are manually plugging in numbers, it is very different from running a script. As I said before, there are millions to trillions of possible card combinations, and every time you enter a number into the field we know about it and are running it through a fraud engine.

I completely understand what you're saying, and have passed on your feedback to our technical support department, who has assured me that this is not a breach or risk to security. I will once again pass on your post.

roast
05-01-2012, 08:12 AM
It isn't trillions, there is a limit. If one is aware of how many users you have - which I believe you've mentioned here before but can probably be found just by mining company data - it wouldn't be hard to do? However, the more users you have, the higher the likelihood it is to guess correctly, right? It is just a question of statistical probability - you've said you have millions of users, so that makes the risk of discovery even higher. I'd rather not indicate if valid numbers have already been found using this system (without the use of blackhat software) - but part of the reason I'm so earnest is because of how easy it is to do. I'm not trying to be testy or difficult, I'm trying to stress a strange feature of your site that is an inherent flaw.

There are a number of articles about the perils of the basic forms of CAPTCHA on online security blogs - it'd be exhaustive to list them all. Having a CAPTCHA that is standard is fine, but there is a reason there are harder ones out there that are commonly used (WordPress, Gmail, Yahoo, AOL, even my own small bank) than the one on the load page. Furthermore, if I am allowed to use it repeatedly in excess without any block or barrier and, even worse, am allowed to get the CAPTCHA wrong over and over again - it doesn't serve its purpose as a security mechanism. There is no barrier on the loading page to getting the CAPTCHA wrong or right over and over again - which makes it incredibly easy to bypass and use ad infinitum. But if I try to log into my Payoneer account it'll block me out for 15 minutes if I get it wrong 5 times or more? I'm unsure why one part of the site is far more secure than another.

The more detailed I get, the sillier I feel, because I use Payoneer and feel like I'm writing a blueprint to lurkers / crack code / blackhat and other nuk forums on how to steal my or anyone else's card that they happen to get right. I'm still unclear why this feature isn't just on the confirmation page, or why the person who is processing a transaction doesn't just get a receipt or kickback telling them it is an invalid card once they submit their private load. I'm unclear about the benefits of the current system over doing that. If this is just easier, that isn't a justification from a security standpoint. Again, none of your competitors have this feature?

You and I are kind of repeating the same things back and forth to one another - if you don't see the merit in it, that's fine; this just alters my own personal use of Payoneer. I appreciate Erica for even bringing this up. But let me say again, I still use your service and will continue to use it. The purpose of my comments is to be on the offensive of fixing problems, not on the defensive where hindsight is 20/20. I know of handfuls of people who have had problems with fraud and Payoneer; this just seems to be the puzzle piece that speaks to why.
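The two posts above by roast describe a load page that answers "valid" or "invalid" for every card number typed, with no limit on attempts, and ask for the same lockout the login page is said to apply (blocked for 15 minutes after 5 failures) or, better, for the check to be deferred to the processed transaction. The following is an added example, not code from the thread or from Payoneer: it models the throttled check and the deferred variant, and carries out the thread's own size estimate (10-12 free digits, millions of users). The card numbers, the client identifiers, the reference format and the "one million issued cards" figure are all constructed or assumed for illustration.

```python
"""Added example, not the thread's or Payoneer's code.

Models the load-page validity check discussed in the thread under two
mitigations: a per-client lockout (5 wrong attempts -> 15-minute block,
the figure quoted for the login page) and deferring the check to the
processed transaction. All card numbers below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5       # wrong attempts tolerated per client (thread's login-page figure)
LOCKOUT_SECONDS = 15 * 60   # how long a client stays blocked afterwards

# Constructed sample of issued cards; hypothetical values, not real ones.
ISSUED_CARDS = {"5000000000000001", "5000000000000002"}


@dataclass
class ClientState:
    failures: int = 0
    locked_until: float = 0.0


class LoadPage:
    """Validity check on the 'private load' form, with per-client lockout."""

    def __init__(self, issued, threshold=LOCKOUT_THRESHOLD, lockout=LOCKOUT_SECONDS):
        self.issued = set(issued)
        self.threshold = threshold
        self.lockout = lockout
        self.clients = defaultdict(ClientState)

    def check_card(self, client_id, card_number, now):
        """Return 'locked', 'valid' or 'invalid' for one attempt at time `now` (seconds)."""
        state = self.clients[client_id]
        if now < state.locked_until:
            return "locked"            # the guess is not evaluated at all while blocked
        if card_number in self.issued:
            state.failures = 0
            return "valid"
        state.failures += 1
        if state.failures >= self.threshold:
            state.locked_until = now + self.lockout
            state.failures = 0
        return "invalid"


class DeferredLoadPage:
    """roast's first suggestion: the form never says whether the card exists.

    Every submission gets the same kind of response; validity is settled when
    the transaction is processed and appears only on that transaction's result.
    """

    def __init__(self, issued):
        self.issued = set(issued)
        self.pending = {}

    def submit(self, sender, card_number, amount):
        ref = f"LOAD-{len(self.pending) + 1:06d}"   # hypothetical reference format
        self.pending[ref] = (sender, card_number, amount)
        return ref                                   # identical for valid and invalid numbers

    def process(self, ref):
        sender, card_number, amount = self.pending.pop(ref)
        return "completed" if card_number in self.issued else "declined"


def attempts_per_day(threshold=LOCKOUT_THRESHOLD, lockout=LOCKOUT_SECONDS):
    """Upper bound on evaluated guesses one client gets per day under the lockout:
    `threshold` per lockout window, 86400 / lockout windows per day (5 / 15 min -> 480)."""
    return (86400 // lockout) * threshold


def search_space(free_digits=12):
    """Guessable part of the number: each free digit has 10 values, so 10**12 for
    12 free digits. The thread's 12! (479,001,600) would apply only if digits
    could not repeat."""
    return 10 ** free_digits


def expected_guesses_per_hit(issued_count, free_digits=12):
    """Mean evaluated guesses before one lands on an issued card, assuming the
    issued cards are spread uniformly over the free digits."""
    return search_space(free_digits) / issued_count


def days_to_one_hit(issued_count, guesses_per_day, free_digits=12):
    """Average time for one client to land on an issued card at a given evaluated rate."""
    return expected_guesses_per_hit(issued_count, free_digits) / guesses_per_day


if __name__ == "__main__":
    page = LoadPage(ISSUED_CARDS)
    for i in range(5):                 # five wrong guesses in a row ...
        print(page.check_card("client-A", f"5000000000009{i:03d}", now=float(i)))
    print(page.check_card("client-A", "5000000000000001", now=5.0))      # ... locked
    print(page.check_card("client-A", "5000000000000001", now=904.0))    # unlocked again
    issued = 1_000_000                 # assumed figure for "millions of users"
    print(days_to_one_hit(issued, 10 * 86400))            # unthrottled at 10 guesses/s
    print(days_to_one_hit(issued, attempts_per_day()))    # under the 5 / 15 min lockout
```

The arithmetic is the thread's point in numbers: with a million issued cards in a space of 10^12, an unthrottled form answering ten guesses a second is expected to confirm one issued number in just over a day, while the lockout stretches the same client's expected time to years. A per-client lockout is only as strong as the client identity it keys on (an account or session is stronger than an IP address), which is why deferring the answer to the processed transaction, tied to a sender account, removes the oracle rather than slowing it.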

PrincessLuna
05-01-2012, 08:20 AM
It isn't trillions, there is a limit: 12! (factorial) is a little under half a billion.

That's only if numbers cannot be repeated (12*11*10*9*8*7*6*5*4*3*2*1 = 479,001,600). The actual answer really is over a trillion (10*10*10*10*10*10*10*10*10*10*10*10 = 10^12).
But there are 16 digits to the debit card, so it's a lot more.

I don't really have anything to weigh in with on all of this; that was all I had...

EricaErotica
05-01-2012, 06:19 PM
It isn't trillions, there is a limit. If one is aware of how many users you have - which I believe you've mentioned here before but can probably be found just by mining company data - it wouldn't be hard to do? However, the more users you have, the higher the likelihood it is to guess correctly, right? It is just a question of statistical probability - you've said you have millions of users, so that makes the risk of discovery even higher. I'd rather not indicate if valid numbers have already been found using this system (without the use of blackhat software) - but part of the reason I'm so earnest is because of how easy it is to do. I'm not trying to be testy or difficult, I'm trying to stress a strange feature of your site that is an inherent flaw.

There are a number of articles about the perils of the basic forms of CAPTCHA on online security blogs - it'd be exhaustive to list them all. Having a CAPTCHA that is standard is fine, but there is a reason there are harder ones out there that are commonly used (WordPress, Gmail, Yahoo, AOL, even my own small bank) than the one on the load page. Furthermore, if I am allowed to use it repeatedly in excess without any block or barrier and, even worse, am allowed to get the CAPTCHA wrong over and over again - it doesn't serve its purpose as a security mechanism. There is no barrier on the loading page to getting the CAPTCHA wrong or right over and over again - which makes it incredibly easy to bypass and use ad infinitum. But if I try to log into my Payoneer account it'll block me out for 15 minutes if I get it wrong 5 times or more? I'm unsure why one part of the site is far more secure than another.

The more detailed I get, the sillier I feel, because I use Payoneer and feel like I'm writing a blueprint to lurkers / crack code / blackhat and other nuk forums on how to steal my or anyone else's card that they happen to get right. I'm still unclear why this feature isn't just on the confirmation page, or why the person who is processing a transaction doesn't just get a receipt or kickback telling them it is an invalid card once they submit their private load. I'm unclear about the benefits of the current system over doing that. If this is just easier, that isn't a justification from a security standpoint. Again, none of your competitors have this feature?

You and I are kind of repeating the same things back and forth to one another - if you don't see the merit in it, that's fine; this just alters my own personal use of Payoneer. I appreciate Erica for even bringing this up. But let me say again, I still use your service and will continue to use it. The purpose of my comments is to be on the offensive of fixing problems, not on the defensive where hindsight is 20/20. I know of handfuls of people who have had problems with fraud and Payoneer; this just seems to be the puzzle piece that speaks to why.

Roast, you are so correct. When my client alerted me about this feature he was simply shocked. He even advised me to limit my use of my Payoneer card. I really love my Payoneer card and how easy it makes getting paid by adult sites that are located overseas especially. But it does make me think twice about how extensively I will be using my card from now on. I really hope that Payoneer implements these changes that you are suggesting. I am very glad to see that the name to valid card number feature has been removed. This is definitely a step in the right direction to protect the privacy and security of all Payoneer cardholders. But as Roast has stated more should be done.

CamgirlInUK
05-04-2012, 07:28 AM
Just to chip in with maths geekery - there's theoretically a quadrillion (a thousand trillions, or a million billion) numbers available - from 0000000000000000, 0000000000000001 etc. all the way up to 9999999999999999. Obviously in real life it's less, 'cos the first 4 digits indicate the type of card, and not every combination is currently in use. But there's still, you know, TONS :-)