HackDig : Dig high-quality web security articles for hacker

Hosted Payment Pages, the Payment Services Directive and PCI DSS Validation & Reporting

Following the release of PCI DSS v3.0 in November 2013, both the PCI SSC and Visa Europe sought to clarify the validation and reporting requirements for the e-commerce payment channel. The guidance from the PCI SSC (May 2014) and guidance from Visa Europe (July 2014) made it clear that either a full redirect or iframe method containing a hosted payment page (
Publish At:2015-07-07 17:20 | Read:3475 | Comments:0 | Tags:awareness legislation PCIDSS design technical specification

Ecommerce and Financial Web Application Vulnerabilities

NCC Group has published some guidance for finance/e-commerce application penetration testers. Common Security Issues in Financially-Oriented Web Applications is arranged in the following sections: Time-of-Check-Time-of-Use (TOCTOU) and race condition issues; Parameter manipulation; Replay attacks (capture-replay); Rounding issues; Numerical processing; Card number-relat
Publish At:2015-06-20 13:05 | Read:3798 | Comments:0 | Tags:testing development PCIDSS design threats technical specific

PCI DSS v3.1 for Ecommerce Payments

Lots happening this week. The Payment Card Industry Security Standards Council (PCI SSC) has announced the release of an update to the PCI Data Security Standard (PCI DSS). PCI DSS v3.1 (15 April 2015) includes several changes to reflect changing threats and recently discovered vulnerabilities, but also includes some clarifications and additional guidance. Th
Publish At:2015-04-16 15:55 | Read:2440 | Comments:0 | Tags:technical SSL threats PCIDSS monitoring preventative

Remote Banking Fraud Up, Card Fraud Up

The Financial Fraud Action UK (FFA UK) has published its latest figures about financial fraud in the UK. E-commerce card fraud losses increased from £190.1m in 2013 to £217.4m in 2014 — a 14 per cent rise. In a news release published at the end of March, the FFA UK states the increase is primarily due to a change in tactic by fraudsters who are deceiving custom
Publish At:2015-04-14 15:55 | Read:3961 | Comments:0 | Tags:defense metrics incidents PCIDSS operation

Penetration Testing Guidance for PCI DSS

The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has published another information supplement for the PCI Data Security Standard (PCI DSS), this time on penetration testing. It would appear there has been a large variability in penetration tests being undertaken for PCI DSS. Information Supplement: Penetration Testing Guidance, v1 March 2015,
Publish At:2015-04-07 07:45 | Read:2468 | Comments:0 | Tags:vulnerabilities information assurance technical threats oper

Payment Security and PCI DSS Compliance 2015

Verizon has published its annual PCI Compliance Report 2015 covering data up to the end of 2014, describing compliance, the sustainability of controls and ongoing risk management. PCI Compliance Report 2015 analyses information from PCI Data Security Standard (PCI DSS) assessments undertaken by Verizon between 2012 and 2014, together with additional data from
Publish At:2015-03-17 15:00 | Read:3316 | Comments:0 | Tags:detective metrics technical PCIDSS validation maturity corre

Moonpig Website Vulnerability, Incident and Breaches

Personalised greetings card service Moonpig was all over the popular news yesterday. Paul Price found an exploitable weakness in Moonpig's public API and contacted them in August 2013, and again a year later. Eventually he gave up and published details on Monday. Following much Twitter activity, yesterday Moonpig tweeted: We are aware of claims re customer data
Publish At:2015-01-10 21:25 | Read:4783 | Comments:0 | Tags:technical development vulnerabilities preventative incidents

75,000 GBP Fine For SQL Injection From ICO But With 90% Discount

Lancaster-based apartment booking company Worldview Limited has been fined under the Data Protection Act for allowing unauthorised access to customers' details. The company operates under two UK brands, Citybase Apartments and Central London Apartments. Although customers' payment details had been encrypted, the means to decrypt the information - known as the
Publish At:2014-11-07 09:15 | Read:6659 | Comments:0 | Tags:injection corrective technical SQL vulnerabilities data prot

Payment Checkout Flaws and Bugs

The announcement last week by researchers from Newcastle University about a problem with Visa's contactless cards reminded me to mention again common issues with checkout and payment functions in web and mobile applications. The Visa fault relates to not enforcing the same limits on transactions when using foreign currencies. The paper is being presented this
Publish At:2014-11-06 06:15 | Read:3901 | Comments:0 | Tags:PADSS mobile technical vulnerabilities data protection priva

OWASP Snakes and Ladders

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use, that is an awareness document for application security risks and controls. Snakes and Ladders is a popular board game, with ancient provenance, imported into Great Britain from Asia by the 19th century. The original game showed the effects o
Publish At:2014-11-06 06:15 | Read:4604 | Comments:0 | Tags:preventative data protection code injection business logic p

Application Security and Privacy Mapping 2014

The chart detailing the most important guidance, standards, legislation and organisations that can influence mobile and web application development security and privacy in the UK has been comprehensively updated. Principal Influences on UK Applications is managed by me and published on my company's web site as a mind map diagram and text tree, together with a
Publish At:2014-10-11 10:45 | Read:4018 | Comments:0 | Tags:policies standards legislation administrative information as
