Risk Scenario – Hidden Field / Sensitive Information (Part 1 of 4) – The Scenario

The Initech Novelty, Inc. Security Manager (SM) was recently contacted by a concerned consumer about the security of some of its online Initech Novelty, Inc. payment transaction pages. The consumer reported that her credit card information had been stored in some cached Web pages on her PC.

The Security Manager decided to do an investigation and browsed to the Initech Novelty Inc. website, created an order, and completed the payment card transaction process.

The following observations were made:

1.    In order to make a purchase on the web site, a user ID and password are required.

2.    A valid 128-bit SSL EV (Extended Validation) certificate is used within the session from login to checkout.

3.    Since Initech Novelty Inc. does not store credit card information or preferences on behalf of its consumers, all transactions require input of credit card information.

4.    Session state between the payment card input / transaction amount screen and the payment card / transaction amount confirmation screen is controlled via hidden fields.

5.    Even though a portion of the payment card PAN is masked on the confirmation page, the full payment card PAN can be viewed by looking at the source of the confirmation page. The hidden fields also contain the CVV2/CID/CVC2 values, expiration dates, and cardholder name information.

6.    Utilizing a client-side web proxy, the Security Manager noticed that none of the response headers from the web servers contained “no store” or “no cache” directives.

7.    The Security Manager was able to retrieve a copy of the confirmation page from his cache and view the entire payment PAN.
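The checks behind observations 4 through 6 can be automated against a captured response. The following is an added example, not code from the original post; the field names, headers and sample pages are constructed, and the PAN is the widely published test number rather than a real card.

```python
import re
from html.parser import HTMLParser

class HiddenFields(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in a page."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields[a.get("name") or ""] = a.get("value") or ""

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from order IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit(headers, body):
    """Return findings for one HTTP response (header dict + HTML body)."""
    findings = []
    cc = {k.lower(): v.lower() for k, v in headers.items()}.get("cache-control", "")
    # no-cache only forces revalidation; no-store is what keeps the page off disk.
    if "no-store" not in cc:
        findings.append("response is storable: no Cache-Control: no-store")
    parser = HiddenFields()
    parser.feed(body)
    for name, value in parser.fields.items():
        digits = re.sub(r"[ -]", "", value)
        if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
            findings.append(f"hidden field '{name}' carries a full PAN")
        elif re.fullmatch(r"cvv2?|cvc2?|cid", name, re.I) and value:
            findings.append(f"hidden field '{name}' carries a card verification value")
    return findings

# Constructed sample: confirmation page as described in observations 4-6.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = """<form action="/confirm" method="post">
<p>Card: ************1111</p>
<input type="hidden" name="pan" value="4111111111111111">
<input type="hidden" name="cvv2" value="123">
<input type="hidden" name="amount" value="43.00">
</form>"""
# Constructed fix: card data stays server-side, page carries only an opaque token.
FIXED_HEADERS = {"Cache-Control": "no-store"}
FIXED_BODY = '<form><input type="hidden" name="txn" value="a91f0c7e55d2"></form>'
```

Calling `audit(WEAK_HEADERS, WEAK_BODY)` returns three findings (storable response, full PAN, verification value), while the fixed pair returns none.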

Other Given Information:

1.    The daily average of online sales transactions (purchases) via the Initech Novelty, Inc. ecommerce site is 1000. The average transaction amount is US $43.

2.    Initech Novelty Inc. is considered a Level 3 merchant by its payment processor, an agent of the processor’s acquirer.

3.    Based off voluntary post-check out web surveys – 45% of all the transactions on the Initech Novelty Inc. ecommerce site are by consumers that regularly visit the site throughout a 3 month period. The remaining 55% of transactions are from consumers who only purchase one time or only frequent the site less than once every three months.

4.    Based off voluntary post-check out web surveys – 65% of the survey respondents consider themselves “online security” aware.

5.    Finally, 75% of survey respondents performed their Initech Novelty, Inc. transaction from their home or work PC.  Of the remaining 25% of respondents, only 10% performed their transaction from a public terminal.

Task: Perform a risk assessment on this security issue utilizing the FAIR methodology. Summarize the risk associated with this scenario. Recommend some general risk mitigation approaches the application team can look at to mitigate the risk.

Posts 2, 3 and 4 to be published throughout this week.

Note: The purpose of the scenario is to provide enough information to conduct a risk assessment. It would be nearly impossible to write a scenario that would fit every environment (end user / provider), every web application platform, every use case, and every real-world variable. Please see my Scenario Pre-Read for additional information.


4 Responses to Risk Scenario – Hidden Field / Sensitive Information (Part 1 of 4) – The Scenario

  1. […] Risk) methodology. Take a stab at it. He will be posting the rest of the series this week. Risk Scenario – Hidden Field / Sensitive Information (Part 1 of 4) – The Scenario << Risktical… Tags: ( risk assessment fair […]

  2. Patrick Florer says:

    Hi, Chris!

    Thanks for posting this – I look forward to the rest of the series.

    You may not remember me – we met briefly in the parking lot of the Platform Labs in Columbus last month. I was up from Dallas for the FAIR training. I, Alex, Jack Freund, Brooke Paul, and maybe Jack Jones were heading out for lunch when you stopped by to see how things were going. It was a cold day, to my Texas sensibilities, anyway – I believe that you were dressed in grey, and not too warmly, at that. I remember thinking that you must have been cold.

    Maybe it’s the former US Marine in you – one of my children is a former Marine – did a 4 year tour as an ordnance guy with an F-16 wing based in Beaufort, SC – served briefly in Kuwait in 2003.

    Well, be all of that as it may – I am very, very interested in FAIR, and have received my Basic Certification as a result of the training last month. I am doing a bit of evangelizing here in Dallas, and am involved in two efforts to bring Jack Jones down to present FAIR – one in a private setting, the other as a speaker to the ISACA N Texas group.

    I will give your scenario a try using Fair Lite and let you know what I come up with.

    There is probably a better way to communicate than comments in a blog, so if you would like to send me an email address, I would be glad to have it.

    Best regards,


  3. Chris Hayes says:

    @Patrick – Thanks for the email, reading the blog, and the kind words. I do remember our brief “meet and greet” there at Platform Labs. I really despise wearing coats or other heavy garments unless absolutely necessary – and yes I was cold. I will usually wear only what is needed for the expected exposure to the elements. My wife would prefer I wear a coat at all times but I am stuck in my ways.

    I look forward to any additional comments you might have on the scenario I am posting this week. Mentally going through these exercises and jotting down justification notes – takes so much less time than writing it the way I have done.

    I will send some contact information out of band. Again, thanks for reading and leaving some comments!


  4. […] I wanted to point you over to Chris’ Risktical blog.  He’ll be doing a FAIR analysis over there that looks interesting.  It’s nice that […]
