Re: PCI Compliance
On 18 March 2010 23:59, J. Roeleveld <joost@...> wrote:
> Does this mean that the service-desk of companies are not compliant either?

Hehe, in a way. Social engineering is thankfully(?) outside the scope
of PCI-DSS compliance.
> 1) Check in phonebook for number of VISA credit card service desk
> 2) Call listed number
> They then will answer with:
> "Hello, thank you for calling VISA credit card service desk, <insert name>
> speaking, how may I help you?"
> Me: Hi, can you please direct me to <insert other name here>
> How is this different from:
> $ telnet mail.isp.com 25
> Trying 10.1.4.50...
> Connected to mail.isp.com.
> Escape character is '^]'.
> 220 mailer.isp.com ESMTP Postfix
> MAIL TO <user>
> MAIL TO OK
> I guessed the last 2 lines, but I think it shows what I mean? :)

Exactly! Disabling VRFY gains nothing because you can test with RCPT
TO instead. There will always be some debate about the value of this
measure ("why not disable it if we can?" vs. "why *bother* if we don't
have to?") - just ignore it and do whatever has to be done, there are
better things to waste energy on.
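The reply's point is that recipient enumeration works through RCPT TO whether or not VRFY is disabled, so the useful control sits on the detection side: an MTA that answers "User unknown" to many different recipients from one client is being enumerated. The script below is an added example, not code from this thread; it runs over a handful of constructed log lines whose format is modelled on Postfix's "NOQUEUE: reject: RCPT from host[ip]: 550 5.1.1 ... User unknown" entries (hosts, addresses and timestamps are made up), and the function names and threshold are my own choices.

```python
"""Flag SMTP clients that probe many unknown recipients via RCPT TO.

Added example for the thread above: detection over constructed Postfix
smtpd log lines. Not part of the original post; the threshold and
function names are assumptions, not a Postfix feature.
"""
import re
from collections import defaultdict

# Constructed sample log. 192.0.2.10 walks through several mailbox names
# (one repeated), 198.51.100.7 mistypes a single address, and 203.0.113.9
# delivers a message that is accepted (no reject line at all).
SAMPLE_LOG = """\
Mar 18 23:59:01 mailer postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@isp.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<alice@isp.com> proto=ESMTP helo=<probe>
Mar 18 23:59:02 mailer postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@isp.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bob@isp.com> proto=ESMTP helo=<probe>
Mar 18 23:59:02 mailer postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@isp.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<carol@isp.com> proto=ESMTP helo=<probe>
Mar 18 23:59:03 mailer postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <dave@isp.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dave@isp.com> proto=ESMTP helo=<probe>
Mar 18 23:59:03 mailer postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <Bob@isp.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<Bob@isp.com> proto=ESMTP helo=<probe>
Mar 18 23:59:04 mailer postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <erin@isp.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<erin@isp.com> proto=ESMTP helo=<probe>
Mar 18 23:59:07 mailer postfix/smtpd[4102]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <frank.smth@isp.com>: Recipient address rejected: User unknown in local recipient table; from=<frank@example.org> to=<frank.smth@isp.com> proto=ESMTP helo=<mail.example.org>
Mar 18 23:59:10 mailer postfix/smtpd[4103]: 1A2B3C4D5E: client=relay.example.com[203.0.113.9]
"""

# One Postfix reject entry for an unknown local recipient. Captures the
# connecting client's IP and the recipient it asked for.
UNKNOWN_RCPT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)


def count_unknown_recipients(log_text):
    """Map each client IP to the set of distinct recipients it was refused.

    Distinct (case-folded) recipients are counted rather than raw lines, so
    a client retrying one address does not look like a probe.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = UNKNOWN_RCPT.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return seen


def flag_enumeration(log_text, threshold=5):
    """Return [(ip, distinct_unknown_recipients)] at or above threshold, busiest first.

    `threshold` is an assumed tuning value; pick it from your own baseline
    of legitimate typo rates.
    """
    counts = count_unknown_recipients(log_text)
    hits = [(ip, len(rcpts)) for ip, rcpts in counts.items() if len(rcpts) >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in flag_enumeration(SAMPLE_LOG, threshold=3):
        print(f"possible recipient enumeration from {ip}: {n} distinct unknown recipients")
```

Counting distinct recipients per client, rather than raw 550 lines, is what separates a probe from a correspondent who retries one misspelt address; the same pattern applies to any MTA whose logs carry the client address and the rejected recipient.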