- From: Craig Francis <craig@craigfrancis.co.uk>
- Date: Tue, 16 Aug 2016 00:11:02 +0100
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On 15 Aug 2016, at 21:40, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> On the other hand, whatever studies of phishing I have seen, suggest that a full page navigation would also be ripe for phishing for the vast majority of users. Not sure whether iframes cause a massive change in phishing risk, in the case of a malicious merchant.

Very true, but if you go back to the old approach, where the customer was redirected to the payment provider's website, they had a chance at noticing what was in the address bar :-)

> On 15 Aug 2016, at 21:40, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>
> On 15 August 2016 at 10:00, Daniel Veditz <dveditz@mozilla.com> wrote:
>> From a very narrow definition entering your payment details into a 3rd party iframe is "secure" from the parent frame--assuming the correct iframe has been opened! Stripe etc aren't going to get hacked, so I guess they're happy. You're right that this leaves users ripe for phishing.
>
> On the other hand, whatever studies of phishing I have seen, suggest that a full page navigation would also be ripe for phishing for the vast majority of users. Not sure whether iframes cause a massive change in phishing risk, in the case of a malicious merchant.
>
> --dev
>
>> -Dan Veditz
>>
>> On Mon, Aug 15, 2016 at 6:11 AM, Craig Francis <craig@craigfrancis.co.uk> wrote:
>>> Hi,
>>>
>>> Is there a secure way to collect sensitive information (e.g. credit card numbers) through an iframe, if the parent page has been compromised?
>>>
>>> I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay, etc are all pretending they have a secure system, when they really don't.
>>>
>>> I've written up my notes at the following URL, but if you have any other comments/feedback, I'd really appreciate it (I'd like to contact the PCI Council again by the end of the week).
>>>
>>> Craig
>>>
>>> https://www.code-poets.co.uk/misc/security/pci-saq/
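The thread's point is that a hosted payment iframe only helps while the merchant's parent page is intact, so the check a merchant can actually run is to monitor that page for frames and scripts it never intended to embed. Added example in Python (not code from the thread, Stripe, or any other provider); it assumes a hypothetical allowlist of origins and uses constructed sample HTML, and compares whole origins so a lookalike host that merely contains the provider's name is still flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only origins this checkout page is meant to
# frame or run script from (hypothetical merchant and payment provider).
ALLOWED_ORIGINS = {"https://shop.example", "https://pay.example-psp.com"}

# Constructed sample markup, not any real provider's or merchant's page.
SAMPLE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<iframe src="https://pay.example-psp.com/fields?merchant=123"></iframe>
<script src="https://cdn.unexpected-example.net/x.js"></script>
<iframe src="https://pay.example-psp.com.unexpected-example.net/fields"></iframe>
</body></html>"""


class _Collector(HTMLParser):
    """Record every <iframe>/<script> src and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.refs = []           # (tag, src) pairs
        self.inline_scripts = 0  # no src means no origin to check

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if src is None:
            self.inline_scripts += tag == "script"
        else:
            self.refs.append((tag, src))

def origin_of(src, page_origin):
    """scheme://host[:port] of src; relative URLs resolve to the page's origin."""
    u = urlparse(src)
    if not u.scheme and not u.netloc:
        return page_origin
    if u.scheme in ("javascript", "data", "blob"):
        return u.scheme + ":"  # opaque schemes are never on the allowlist
    return f"{u.scheme}://{u.netloc}"  # whole host, so lookalike subdomains fail

def audit_checkout(html, page_origin, allowed=ALLOWED_ORIGINS):
    """Return (tag, src) pairs loaded from an origin outside the allowlist."""
    c = _Collector()
    c.feed(html)
    flagged = [(t, s) for t, s in c.refs if origin_of(s, page_origin) not in allowed]
    if c.inline_scripts:
        flagged.append(("script", f"inline x{c.inline_scripts}"))
    return flagged
```

Run against a fetched copy of the live checkout page on a schedule; any non-empty result means the parent page no longer matches what the merchant deployed, which is exactly the condition under which the iframe's isolation stops mattering.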
Received on Monday, 15 August 2016 23:42:28 UTC