by jpollock 3028 days ago
More details as an explanation.

Facebook was providing:

  Cardholder Name
  First 6
  Last 4
  Expiry Date
  Billing Address.

The only bits missing were CVV and the middle 6.

Yes, first 6 and last 4 are not considered sensitive for PCI compliance. However, like most security standards, the standard is a minimum, not what your target should be.

Given the ability for attackers to quickly guess CVV and the remaining digits[1], the attack becomes a numbers game. They don't care about _a_ card, they care about _any_ card.

This is why Visa and MasterCard are pushing to tokenize all cards - so the stored information is linked to the merchant storing it and can't be reused.

That's even before we take into account the account takeover possibilities, since those card details are used by other companies as verification for account recovery[2]. Yes, those vulnerabilities were closed, but that doesn't stop new companies from making the same mistakes.

Yes, it's impressive that they managed to prune the fields so quickly. Shows a very efficient escalation path!

[1] https://www.theregister.co.uk/2016/12/05/undetectable_sixsec...

[2] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...
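The first-6/last-4 masking rule the comment refers to, written out as an added example (not jpollock's code, and not anything Facebook runs): a masker that never keeps more than PCI's maximum, and an audit of a stored record that can be run at the PCI minimum or at a stricter "last 4 only" policy, as the comment argues a target should be. The field names and the sample record are constructed for illustration.

```python
import re

def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only as a sanity check that the input is a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN, keeping at most the PCI maximum of first 6 and last 4 digits.

    Defaults are the PCI maximum; pass keep_first=0 for a stricter last-4-only policy.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI allows at most first 6 and last 4 in the clear")
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:]          # empty string when keep_last == 0
    return head + "*" * (len(digits) - keep_first - keep_last) + tail

def audit_record(record: dict, max_visible: int = 10) -> list:
    """Return findings for a stored card record (empty list means it passes).

    max_visible=10 is the PCI minimum (6 + 4); a stricter in-house policy might set 4.
    A stored CVV is always a finding, whatever the masking policy.
    """
    findings = []
    if record.get("cvv"):
        findings.append("cvv stored")
    visible = sum(ch.isdigit() for ch in record.get("pan", ""))
    if visible > max_visible:
        findings.append(f"pan exposes {visible} digits (limit {max_visible})")
    return findings

# Constructed sample record mirroring the field set listed in the comment;
# 4111 1111 1111 1111 is a well-known test PAN, not a real card.
STORED = {
    "name": "A Cardholder",
    "pan": mask_pan("4111 1111 1111 1111"),
    "expiry": "12/26",
    "billing": "1 Example St",
    "cvv": "",
}
```

Run `audit_record(STORED)` for the PCI minimum and `audit_record(STORED, max_visible=4)` for the stricter policy; the same record passes the first and is flagged by the second.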