Thanks everyone for all your input on this subject. I am nervous about Payoneer so I am glad to have the heads up on these sorts of things.

Got it...from your first message, I thought you were upset that the guy was able to see your name when he typed in your card number, but this clarifies it a bit more, that you mean it's about the guys who can just randomly type in card numbers and get someone's name...
That is a very good point actually, because in essence, it's a cc number verification for Payoneer cards... and it's possible someone has a program running to have it try different numbers til they hit on one that is legit.
What did Payoneer tell you when you let them know your concerns about this?
Don't blink. Don't even blink. Blink and you're dead. Don't turn your back. Don't look away. And don't blink!

We would be speculating a program can do this without it being flagged on their site, there's millions (billions?) of numbers for credit cards.
This would be a wider issue and not just Payoneer, your name and card number is on all your cards and hundreds of random people see it per year. (with the exp date etc)
I think this is a bit blown out of proportion.
**** Nissim is unable to post in this section, can a mod move this to the appropriate section as it not only concerns us but the wider audience.
PrincessJenny you need to politely remove yourself from this discussion. You do not work at Payoneer. You do not handle their website's programming and technology. You do not handle their website's infrastructure and security.

And neither does anyone else here, I have sent a request to have the thread moved.
Nissim at Payoneer is in denial about this being a serious security breach. He said they have systems in place to prevent the random entry of possible credit card numbers, but they do not. Roast confirmed this. She was successful in entering a number of random credit card numbers and their system did not shut her down.
Last edited by EricaErotica; 04-30-2012 at 09:26 AM.
What it will say is:
"Action was locked due to multiple requests. Please type the text above to unlock. "
Then you just type in the text, it unlocks it, and you can proceed again. I've unlocked it many many times.
If you type it wrong it just gives you new numbers to type in. If they're trying to prevent number generating bots from using it, at the very least their CAPTCHA should not be numbers, lol right? I mean, there are so many other forms of CAPTCHA you can use.
All other security alerts I get:
"Oops.. Maximum field length of 16 for payoneer card number was exceeded."
"Oops.. Please fill in a valid payoneer card number"
The longer I try the more the system just gives me more numeric CAPTCHAs that I can just easily bypass. Or, I can get it wrong and it kindly gives me a new one.
I mean.
Hey, I get you guys need to save face - but instead of thinking we're the dumb ones and focusing on damage control, can you just look into it and fix it? All you have to do is disable that feature or put it on the confirmation page. This is not people clucking over something trivial.
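
Added example, not part of the original thread and not Payoneer's code: a lookup limiter sketched from the defender's side, showing the behaviour the post above says is missing, where a solved CAPTCHA buys one more lookup instead of resetting the counter and a hard cap on distinct card numbers applies regardless. The class name, the limits and the idea of keying on a `client` string (IP, session or account) are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

class LookupThrottle:
    """Per-client limiter for a card-number lookup form (all names hypothetical)."""
    SOFT_LIMIT = 3          # distinct numbers allowed before a CAPTCHA (assumed value)
    HARD_LIMIT = 10         # distinct numbers per window before a hard block (assumed)
    WINDOW = 24 * 3600      # seconds

    def __init__(self, clock=time.time):
        self.clock = clock
        self.key = secrets.token_bytes(32)   # keyed hashes, so no raw card numbers are stored
        self.seen = defaultdict(dict)        # client -> {hashed number: first-seen time}
        self.credit = defaultdict(int)       # client -> CAPTCHAs solved in this window

    def _prune(self, client):
        # Drop entries older than the window; an empty window also clears CAPTCHA credit.
        cards, cutoff = self.seen[client], self.clock() - self.WINDOW
        for tag in [t for t, ts in cards.items() if ts < cutoff]:
            del cards[tag]
        if not cards:
            self.credit[client] = 0
        return cards

    def check(self, client, card_number):
        """Return 'allow', 'captcha' or 'block' for one lookup attempt."""
        cards = self._prune(client)
        tag = hmac.new(self.key, card_number.encode(), "sha256").digest()
        count = len(cards) + (tag not in cards)
        if count > self.HARD_LIMIT:
            return "block"                   # no CAPTCHA can lift this
        cards.setdefault(tag, self.clock())
        if count > self.SOFT_LIMIT + self.credit[client]:
            return "captcha"
        return "allow"

    def captcha_solved(self, client):
        # A solved CAPTCHA buys one more distinct number; it never resets the count.
        self.credit[client] += 1
```

With these assumed limits a client gets three free lookups, pays one CAPTCHA for each further distinct number, and is blocked at the eleventh distinct number until the window expires.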

But a program couldn't do that? And it would be highly impractical to sit and type them manually over and over again.
It's like trying to guess someone's password. In theory it could be done but the chances are slim to 0.
PrincessJenny people spend YEARS planning bank heists. I can see someone spending weeks and months on their computer trying to figure this out. Criminals are VERY VERY persistent.
This feature needs to be disabled immediately.
And how do you know whether a program can do this or not. Are you a website developer? Are you a website programmer? You would be surprised what people can create especially when there is the possibility of huge financial gain people will go to great lengths.
You don't even need time to plan it - you just need the right number generating scripts. Like DDoS attacks aren't people who collect a million computers and slowly overload a server manually, they have bots/scripts doing it. There are a number of easy to download number generating/spam bots out there (it is why CAPTCHA even exists tbh). A variety of computer programming languages support its creation, even if you have the most basic understanding of database language it can be done. I just googled instructions and there are a bunch of directions on how to do it. Many forums devoted to this kind of thing. It is like a blackhat orgasm waiting to be rubbed out.
Hey, here's an idea, instead of this being an uncomfortably and weirdly hostile debate - how about that feature gets moved to the confirmation page. That is the only place you need to know that the card is valid, also at that point your own information has been submitted which is a bonus for detecting the origin of fraud. Otherwise it serves no other purpose? A lot of people use this service so I understand the vested interest, but no one is calling for it to be boycotted or shut down or anything financially dire (I just used it like 5 seconds ago) - we're just saying: fix it?
PLEASE FIX THIS!!! This feature poses a great danger to EVERY single Payoneer card holder. My client is a very sweet and sincere person. He was so shocked that this feature exists and that the security of all card holders is at risk. That is why he told me about this occurrence when he was trying to load money onto my card for the first time. He wanted to make me aware of the security breach. Now I am trying to raise awareness of this serious issue to Payoneer and ALL card holders.
this thread should NOT be moved to "other work"...
maybe make a duplicate in "other work"..
this concerns everybody in camming connection who's using Payoneer...
WHO decided and WHY did they decide to move it?
Every thread that does not have " show ass" in it ...is moved???
This was rerouted to the wrong area, lol it is currently in jobs? I'm assuming it was flagged to go to "Other Work"?
Well idk, I hope this doesn't turn into a long protracted debate with no resolution. Like I get from a marketing standpoint why admitting error/oversight can be viewed as a dent in branding or promote customer dissatisfaction ... and that ppl will go on the defensive but it really is very simple: move it to the confirmation page or eliminate it, it can even be done quietly?
It's possible it was moved so that I may post here, as I am unable to post in the "Camming Connection" section of the forum. As this thread is directly regarding Payoneer and our services, I'd like to comment (I've also posted on the official Payoneer support thread so I'll copy/paste):
I have been actively monitoring that thread, however unfortunately I cannot post there. It seems like the main issue you have is with:
1) The card holder name being displayed for full card number loads - Account holder privacy is a top priority of ours, and this will be removed in the near future.
2) The CAPTCHA - This is an industry approved CAPTCHA that is an image, and not a set of numbers. The image displays numbers, however the coding behind it is for an image so a computer software/program will be unable to auto-generate the required information.
Of course, there are always hackers and fraud attempts, and in addition to the security measures you see we also have a fraud engine running behind the scenes. This is constantly monitoring all site visitors and actions, and will immediately shut down any fraudulent or suspicious activity. load.payoneer.com is also a secured, encrypted and digitally certified website (you can click on the "lock" in the address field to view the certificate information) and certain bots/script/proxies will be unable to run on the site.
This is a SERIOUS issue. This thread belongs in the Camming Connection area. All cam models need to know about this security breach.
There is an Official Payoneer Thread in "Other Work" please start posting there. Do not post in this Jobs Section.
Nissim your organization has not been able to provide a satisfactory answer concerning this issue. And that is because there is no rationale behind the existence of this feature. It needs to be removed.
Last edited by EricaErotica; 04-30-2012 at 08:49 AM.
It does not seem like we are getting any concrete answers about this serious security issue. That is a problem.
I was assured that this change will be included in the next routine maintenance update to the loading page. I will see what I can do regarding an exact ETA.
I have addressed your concern regarding the name showing up, and also commented numerous times as to the security of the website. I am doing my best to provide you with as detailed an answer as I can.
- The name being displayed for full card number loads is being removed
- The site is a secured, encrypted and digitally certified website. The CAPTCHA is not a set of numbers but an image designed to deter automated scripts. In addition, we have a fraud engine constantly monitoring site activity to detect any automated scripts/bots and immediately shut them down.
If there is something I am not addressing, or if you have any other questions, I'd be more than happy to address them.
Given that this isn't a routine issue, I'd assume this would be given heightened priority. I look forward to your ETA since part of the fees that people pay is the presumption of security for their accounts. I do, however, appreciate the amount of transparency you're able to provide on behalf of your company and since you aren't a security / design tech, recognize some explanations are just out of your hands .... but I hope it is being taken as seriously behind the scenes as you're communicating so that it is handled more expeditiously beyond a routine update.
Thanks for keeping us in the loop as much as you're able to. Looking forward to an ETA or even confirmation when it is fixed.
I will be checking the Load Page over the next few days to make sure that feature is removed. You as an organization are so fortunate that this particular client of mine is the one who actually discovered this. He is a very sweet and sincere person. Once he detected this breach of security and privacy while he was attempting to load funds to my card for the very first time he alerted me right away.
I just want to reiterate that our system is designed to prevent fraud attempts, and this is not a breach in Payoneer's security. Your card information is not at risk, and you cannot simply use a program to run through the loading page - there are fraud prevention measures in place to restrict this.
In regards to privacy, your full card number is highly sensitive information. Loading via the full card number is a feature reserved mainly for friends and family, and in most cases anyone with your full card number will also have access to your name. We realize that for this specific industry that may not be the case, and advise you to use your e-mail address when loading. If you do not want to give that out, you can change it via your My Account page.
The name is being removed as we very much respect and value your feedback and comments. It is our goal to provide the best service and support possible, and if this is a concern for our account holders it is a concern for us (regardless of what industry they are in). We do not criticize based on industry and value the business of all our account holders equally.
Even though it's being changed to not show the name, we still recommend that you never give out your full card number outside of secured and encrypted payment forms.
Nissim, I have read your response. I understand your points completely. Well this client of mine is basically a very good friend. He has been supporting me financially for over a year and I trust him very much. He is actually the only client that I have that I trust in this manner. My biggest concern was not with him having my card number or my real name. I provided him with my card number. My concern was raised when he told me that by entering my card number he saw my real name and could easily have gained access to the names of other cardholders. It was my client being sincere and honest and feeling the need to alert me about how easy it was for other people to obtain my cardholder name even if I NEVER provided them with my card number. He was very disturbed by this and he felt that I should know the risk that I was being unnecessarily exposed to due to the mere fact that I am a Payoneer cardholder.
I and a few others have been plugging numbers in for quite awhile without any hassle from the site. I get more hassle if I put in the wrong password more than 5 times when I log into my Payoneer account. It'd be easy to use a script to expedite the process, find, verify and save all of the valid card numbers that one can do currently with the system as is, and I'd really rather not download one to check. If there wasn't an error there would be nothing to fix.
So, not to belabor a point since no one's goal here is to be right, and debating it just feels like a way to stretch out the timeline from resolution - just looking forward to this being fixed as soon as possible.
It is certainly not easy to do this. The card number is 16 digits in length, of which there are trillions of possibilities, most of which are not Payoneer cards. After a small amount of attempts, the page locks down and requires a CAPTCHA, which is an image and cannot be auto-entered by a basic program/bot. If any program or script were used to circumvent this, the system would immediately recognize it and shut it down. There are ways to detect such technology/attempts, and our fraud engines and technical support teams are monitoring site activity 24x7, for the sole purpose of finding and shutting down any such attempts.
We live in a technological and digital world, and the sad truth is that there are people out there with the intent of fraud and stealing information. Payoneer's security is industry leading, and we are focused on being equipped with cutting edge technology so that we can confidently prevent any such attempts. There have been DDoS attacks and attempts on Payoneer in the past, all of which were prevented and shut down with absolutely no security breach. We are a company serving millions of users and those attempts are inevitable, however I assure you that we are well equipped and prepared to stop them.