Hacker News new | ask | show | jobs
by PeterisP 4596 days ago
If they send a https password reset/create link, then the password is never transmitted in the clear and nobody knows it. In the case of an email snooper getting access to the password-reset link and clicking it before me, I would immediately know that there's an attack because, well, the password was reset to something different from what I entered, and I'd receive a notification about that, too.

If they generate and send a plaintext password, then anyone who gets access to that email, even months in future, can silently access the account. So there is a difference.

Also, the whole concept of having a cleartext password sent unencrypted anywhere at all clearly violates PCI DSS requirements - and it is Ayden's duty to comply and be knowledgeable about that.

There's not a question of good/bad service quality, it raises a question if they're meeting the bare minimum criteria to be allowed in payment business at all.
1 comments
wdvh 4596 days ago
If they generate and send a plaintext password, then anyone who gets access to that email, even months in future, can silently access the account. So there is a difference.

Not if you change the password immediately.

link
PeterisP 4596 days ago
True. But in any case, the simple PCI rules state that passwords for any account accessing the payment systems can't be stored or sent unencrypted period, no matter what.

There are many things where what's completely okay for 99% companies is unacceptable (as in, a valid reason to break contracts and incur penalties of size that can bankrupt the company) for payment processing companies.

So what does it say about the company and how they treat security? What are they doing in the parts that are more tricky to get right and less visible to customers? Have all their systems, including that one, had a proper external audit recently - and if yes, why wasn't it noticed?

They don't know the security rules that are mandatory for them?

They intentionally break them for some reason?

They are simply sloppy with security and don't check if 100% of their systems are done properly?

That some systems that they give their customers for testing are low-security and don't matter, but "don't worry everything else is done with a completely different attitude" ?

They were going to fix it but didn't notice it before the feature was already live?

Can you give me one single sane reason that would excuse them?

link