
Re: Iframes and credit card security

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 15 Aug 2016 13:40:21 -0700
Message-ID: <CAPfop_0QQTM2BJy9Zc3DD=Hj7Fw1XeK4YTrAi8t5p2zp2R0xHA@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Craig Francis <craig@craigfrancis.co.uk>, WebAppSec WG <public-webappsec@w3.org>
On 15 August 2016 at 10:00, Daniel Veditz <dveditz@mozilla.com> wrote:
> From a very narrow definition entering your payment details into a 3rd party
> iframe is "secure" from the parent frame--assuming the correct iframe has
> been opened! Stripe etc aren't going to get hacked, so I guess they're
> happy. You're right that this leaves users ripe for phishing.

On the other hand, whatever studies of phishing I have seen suggest
that a full page navigation would also be ripe for phishing for the
vast majority of users. Not sure whether iframes cause a massive
change in phishing risk, in the case of a malicious merchant.


> -Dan Veditz
> On Mon, Aug 15, 2016 at 6:11 AM, Craig Francis <craig@craigfrancis.co.uk>
> wrote:
>> Hi,
>> Is there a secure way to collect sensitive information (e.g. credit card
>> numbers) through an iframe, if the parent page has been compromised?
>> I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay,
>> etc are all pretending they have a secure system, when they really don't.
>> I've written up my notes at the following URL, but if you have any other
>> comments/feedback, I'd really appreciate it (I'd like to contact the PCI
>> Council again by the end of the week).
>> Craig
>> https://www.code-poets.co.uk/misc/security/pci-saq/
Received on Monday, 15 August 2016 20:41:11 UTC