
Went to update payment info, showed me some random person’s credit card info - Link512
https://reddit.com/r/ios/comments/d7u91h/went_to_update_payment_info_showed_me_some_random/
======
skissane
I saw something very similar to this happen once in a system (many moons ago,
before my current role). Hopelessly incompetent software developers put the
session cookie in a static field of one of the Java classes responsible for
the login process, and if two users logged in at the exact same moment (and
their requests happened to be served by the same node of the app server
cluster), one of them would be given the other's session cookie. So A and B
would both log in at the same time, and there was a chance that B would get
logged into A's account details instead of their own.

Somehow, all through QA testing, nobody noticed it (or if they did, they
didn't report it). At just about the last possible minute before go-live,
somebody observed it happen. Then there was a mad rush to patch the bug in the
middle of the go-live weekend so the go-live stayed on schedule.
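
The race skissane describes, reduced to a runnable illustration (added example, not code from the thread or from the system mentioned): a login handler that parks the session cookie in a class-level field shared by every request on the node, beside the request-scoped form that cannot cross-wire. The `issue_cookie` helper and the `interleave` hook are assumptions used to force the two "simultaneous" logins to overlap deterministically.

```python
import secrets
import threading


def issue_cookie(user):
    # Constructed stand-in for the real cookie-minting step; the prefix lets us
    # check afterwards which user a cookie was minted for.
    return f"{user}:{secrets.token_hex(8)}"


class StaticFieldLogin:
    # The bug: one process-wide slot, written and read by every concurrent login.
    session_cookie = None

    def login(self, user, interleave):
        StaticFieldLogin.session_cookie = issue_cookie(user)
        interleave()  # the other request runs here, before we read the field back
        return StaticFieldLogin.session_cookie


class PerRequestLogin:
    # Hardened form: the cookie is request-scoped state and is never shared.
    def login(self, user, interleave):
        cookie = issue_cookie(user)
        interleave()
        return cookie


def concurrent_logins(handler_cls, users=("alice", "bob")):
    # One login per user on its own thread; a barrier makes every request pause
    # between minting its cookie and handing it back, which is the window the
    # static field turns into a cross-wiring bug. Returns {user: cookie received}.
    barrier = threading.Barrier(len(users))
    handler = handler_cls()
    results = {}

    def run(user):
        results[user] = handler.login(user, barrier.wait)

    threads = [threading.Thread(target=run, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def cross_wired(results):
    # True if any user was handed a cookie minted for someone else.
    return any(not cookie.startswith(user + ":") for user, cookie in results.items())
```

With the static field, both threads write before either reads, so both users walk away with the same cookie and one of them is logged into the other's account; the per-request version returns each user their own.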

------
19ylram49
Yikes.

This is part of the reason why I prefer to never let any services/apps/etc.
save my bank/card details. If there’s not an option to save the card details
that I can uncheck, 9x out of 10, I reconsider the transaction.

The assumption here though is that the services/apps/etc. that do provide the
option actually respect it; in other words, unless you use fake/virtual card
details (not entirely reliable, in my experience), you can’t be 100% sure that
you’re safe either way, which sucks.

------
taurath
Cross-wiring user data is always a bad bug, especially when it has to deal
with payments and credit card data. I hope this is a very rare thing and they
find the cause quickly. Could be in user authentication, the payment card
tokens, or any number of things. My bet would be on Auth.

------
newguy1234
Credit cards are never secure by default. It is best to assume that the number
will be stolen eventually.

~~~
rambojazz
I really wish they had multi-factor authentication like bank transfers have.
The only credit cards that I use are prepaid ones, for the reason you just
mentioned.

~~~
dessant
Confirming online debit and credit card payments with a one-time password has
become a standard practice in the EU. These solutions are also available in
the US; are they not being adopted by banks there?

[https://usa.visa.com/pay-with-visa/featured-technologies/ver...](https://usa.visa.com/pay-with-visa/featured-technologies/verified-by-visa.html)

[https://www.mastercard.us/en-us/consumers/payment-technologi...](https://www.mastercard.us/en-us/consumers/payment-technologies/securecode.html)

~~~
filleduchaos
It's not just in Europe, even here in West Africa OTPs (and hardware tokens)
have been standard practice for years. I always feel weirdly unsafe
interacting with US-based companies/payment processors.

------
hoppla
Should not this incident involve PCI in some way?

~~~
floatingatoll
PCI requires a forensic investigation after a breach occurs. (Further
requirements may exist, I am not an auditor etc.)

