More of the same
A year ago we discovered that RBS had failed to keep effective and responsible control of its finances. Why should we expect any different behaviour with data?
RBS WorldPay downplays database hack reports
RBS WorldPay and a hacker are at loggerheads over the seriousness of a supposed breach on websites run by the payment processing firm. Security shortcomings - since blocked - on RBS WorldPay website exposed confidential information, including admin passwords and the contact details of partners, according to blog posts by …
-
Friday 11th September 2009 18:07 GMT Anonymous Coward
XSS vulnerabilities
Recently worldpay implemented anti-samy measures that effectively destroy part of the opensource zen cart shop (about 1000 small business use this module and gateway), they are attempting to implement PCI DSS but seem to have no understanding of it or the concepts involved. They explained the measures were to stop possible XSS breaches.
Unfortunately their website is already full of XSS vulnerabilities which were published here:
http://www.zen-cart.com/forum/showpost.php?p=776363&postcount=364
they also appear not to understand some basic concepts of how their own payment system works and a Proof of Concept was presented to them that demonstrated that no matter what measures they took, their website could be used for phishing if someone had already made a payment to their system, it is actually possible to take a payment for a item, then repeatedly present a screen saying the payment never cleared, in the worldpay colours on their own website and just loop around and around taking multiple payments until the "victim" gets board and stops handing over their credit card details.
Declaration of Interest.
I maintain the RBSWorldPay module for zen cart, discovered the vulnerabilities and showed the proof of concept for phishing. Although having maintained the module, they have never granted a request for a developer account, nor will talk to me, so other forum members with worldpay accounts have to talk to them on my behalf.
-
Friday 11th September 2009 23:57 GMT Martin Nicholls
Failure.
RBS proving once again they're utterly clueless.
In this day and age if you have anything that smells even remotely like an SQL injection you're doing it very very wrong and all your developers need firing. That's not even a joke, fire people.
No very hard to see how RBS almost melted the economy with this level of incompetence.
-
Monday 14th September 2009 08:54 GMT Matthew 4
fhucking morons
Well I'll know who to blame if I see some unexpected purchases made on my credit card.
It's really the CEO's fault, as always in these big corporates, nothing serious - security wise - ever gets done because no one in the organisation has or wants the responsibility making the first move - this sort of thing is the result.
-
Monday 14th September 2009 10:09 GMT Anonymous Coward
So...
Is there a vulnerabillity or not? The hacker says yes, RBS says no, which is it?
Also a couple of points: You can't change a system like worldpay instantly, you have to go through change controls and the like in order to make sure that you don't knacker or make vulnerable to attack other parts of the system. This takes time and people meeting to discuss design changes, it can be done quickly but I'd imagine you'd still be looking at a day or so at the very quickest.
Just because someone says that there is a vulnerabillity and a big company says there isn't, does automatically mean that the big company is telling porkies.
@AC 1629: Probably a coincidence, yes - if Worldpay had been hacked and CC details were available there would be a whole load of cloned cards going about and no doubt it'd be a newsworthy item. Have you used that card for anything else?
This topic is closed for new posts.
Biting the hand that feeds IT
