Tweeted twitter.com/StackSecurity/status/809869024486105093
added 253 characters in body
bbozo

Basically, the Revolut app shows the PAN and CVV by default in-app and it has a "show PIN" option. How can this be compliant?

Here's a screenshot from the app. I have seen the real app and it really renders PAN, CVV and PIN.

Update 1

One of the additional problems is how the PAN, PIN and CVV get into the mobile app.

Assuming they are not cached (which would open its own set of issues in an insecure environment like an Android phone, and opens up the issue of factory reinitialization), then it means that they are fetched on every application start,

meaning there is an API which somebody could theoretically use to pull all of the PAN/PIN/CVV information programmatically,

just let this sink in...

This would make the mobile app something completely different from a "moral equivalent of a physical card", and we're talking about a 4-digit application login PIN code here that afaik doesn't lock out the account.

Somebody commented:

The normal DSS rules that apply to processors and merchants aren't applied to cardholders.

Does anybody have resources about things that DO apply?

Or is the issuing security enterprise a kind of free-for-all at the moment, coming from the assumption that the issuer is supposed to be concerned about his own exposure and no audit of these choices needs to be performed because the fraud's financial impact is the issuer's and theoretically the issuer's alone?

I would assume that this kind of behavior would eventually lead to breaches and a fall of trust in the mobile e-wallet market. I'd love it if somebody could put a bounty on this one; I'd love to see an informed, authoritative answer.
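The two concerns raised in the question (a short login PIN with no lockout, and an API that returns PAN/CVV/PIN on every app start) are illustrated below from the issuer's side, as an added example that is not Revolut's code and not part of the original post. The `CardAccount` class, the attempt limit, the reveal window and the sample card values are all hypothetical and constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_PIN_ATTEMPTS = 5   # lock the account after this many consecutive failures (hypothetical policy)
REVEAL_WINDOW = 60.0   # seconds after a step-up check during which full details may be returned


def mask_pan(pan):
    """Display only the last four digits; everything else is masked."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardAccount:
    """Hypothetical server-side model of one cardholder account."""

    def __init__(self, login_pin, pan, cvv, card_pin):
        # Constructed sample data; a real issuer would not hold CVV or card PIN like this.
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(login_pin)
        self._pan, self._cvv, self._card_pin = pan, cvv, card_pin
        self.failed_attempts = 0
        self.locked = False
        self._last_step_up = 0.0  # epoch seconds of the last successful step-up check

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def login(self, pin):
        """A 4-digit PIN has only 10,000 values, so lockout is what makes it usable at all."""
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_PIN_ATTEMPTS:
            self.locked = True
        return False

    def step_up(self, ok, now=None):
        """Record a stronger check (e.g. device biometrics or OTP) that the app just passed."""
        if ok:
            self._last_step_up = time.time() if now is None else now

    def card_details(self, now=None):
        """Default response is masked PAN with no CVV and no card PIN; full values only
        within REVEAL_WINDOW of a step-up, so app start alone never pulls the secrets."""
        now = time.time() if now is None else now
        if now - self._last_step_up <= REVEAL_WINDOW:
            return {"pan": self._pan, "cvv": self._cvv, "pin": self._card_pin}
        return {"pan": mask_pan(self._pan), "cvv": None, "pin": None}
```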
