[24195] in bugtraq
verisign payment site backdoor ?
daemon@ATHENA.MIT.EDU (Andrej Todosic)
Fri Feb 8 14:14:23 2002
Message-ID: <9A1957CB9FC45A4FA6F35961093ABB84066089A9@srvmail-mtl.montreal.ubisoft.org>
From: Andrej Todosic <atodosic@ubisoft.com>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Thu, 7 Feb 2002 19:43:53 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Hello,
so i had today a little adventure with verisign about paying some domains.
When you go on their secure site and enter payment information, they now
require a security check
The security check consists of entering a billing address postal code.
Without this the payment wouldnt work.
After verifying several times witht hem on the phoen ( their system wont
accept a canadian postal code).
They told me just to put 5 zeros. The payment went through. I also seem to
vaguely remember a mention of it somewhere in the payment confirmation
screen. My question is:
they gave it to me, so they know very well it exists, but what security do
they have if they have a backdoor like this,
and what is the point of extra precautions when you publicly tell everyone
to use zeros if nothing else works.
I dont know if this should be made into a big thing, but i certainly dont
feel comfortable with these guys having my CC number.
Comments or opinions are welcome.
Andrej
