W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2016

Re: Iframes and credit card security

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 15 Aug 2016 13:40:21 -0700
Message-ID: <CAPfop_0QQTM2BJy9Zc3DD=Hj7Fw1XeK4YTrAi8t5p2zp2R0xHA@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Craig Francis <craig@craigfrancis.co.uk>, WebAppSec WG <public-webappsec@w3.org>
On 15 August 2016 at 10:00, Daniel Veditz <dveditz@mozilla.com> wrote:
> From a very narrow definition entering your payment details into a 3rd party
> iframe is "secure" from the parent frame--assuming the correct iframe has
> been opened! Stripe etc aren't going to get hacked, so I guess they're
> happy. You're right that this leaves users ripe for phishing.
>

On the other hand, whatever studies of phishing I have seen, suggest
that a full page navigation would also be ripe for phishing for the
vast majority of users. Not sure whether iframes cause a massive
change in phishing risk, in the case of a malicious merchant.


--dev



> -Dan Veditz
>
> On Mon, Aug 15, 2016 at 6:11 AM, Craig Francis <craig@craigfrancis.co.uk>
> wrote:
>>
>> Hi,
>>
>> Is there a secure way to collect sensitive information (e.g. credit card
>> numbers) though an iframe, if the parent page has been compromised?
>>
>> I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay,
>> etc are all pretending they have a secure system, when they really don't.
>>
>> I've written up my notes at the following URL, but if you have any other
>> comments/feedback, I'd really appreciate it (I'd like to contact the PCI
>> Council again by the end of the week).
>>
>> Craig
>>
>>
>>
>> https://www.code-poets.co.uk/misc/security/pci-saq/
>>
>
Received on Monday, 15 August 2016 20:41:11 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:21 UTC