Secure - Insecure and the Sleaze Factor

Brett_Tabke

2:57 pm on Jul 25, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I've been at 4 sites in the last month where I ordered something. Or I should say, went through the process of ordering something. Then up pops the payment screen for a cc# and it's parked on an insecure server. What's worse, those four sites were claiming it was a secure order form. It just made me want to call the bbb on those sites - they give ecommerce a bad name.

The problem is that this sort of thing seems to be becoming the norm anymore. Are there any organizations out there that are actively looking for such things and taking some action?

richlowe

4:42 pm on Jul 25, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've seen this also, but once or twice on closer examination, the data was input on a http screen but transmitted securely on an https connection by putting the https in the form tag. It made a form which was transmitted securely look insecure. I have no idea why the ordering page was not done over https, and I decided not to order from them, even though it appeared to be secure, because I just wasn't positive.

Richard Lowe

Big_Balou

5:59 pm on Jul 25, 2002 (gmt 0)

10+ Year Member



Unfortunately, Brett, that is the default setup for a lot of shopping carts, especially older open source carts. The thing that galls me is that there are workarounds available and most of the time, I know I'm generalizing, people don't take the bit of extra time to change the setup and actually make the form secure as well.

When I run into sites set up like this I'll go so far as to take a look, like richlowe, to see if the form data is being transmitted via https, but they have already lost the sale.

I've only, thankfully, run into a few sites that are just out and out liars, a bit harsh I know but they give everyone else a bad name.

Whenever family or friends ask about ordering on the internet the best thing I tell them is to look for the key, lock, etc. on any page they have to enter sensitive info and if they don't see it RUN. Simplistic I know but it works.

littleman

6:06 pm on Jul 25, 2002 (gmt 0)



Sometimes that order form itself isn't secure, but the form posts to a secure server. I've seen this a few times, it isn't a security liability when it's set up this way, but it has a bad psychological effect.
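A defender-side check for the setup richlowe and littleman describe (an http order page whose form posts to https, versus a form that posts card data in clear text). This is an added example, not code from the thread; the page URL, field names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _collects_card_data(fields):
    """Heuristic: the form asks for a card number or security code."""
    return any(f in ("cc", "ccnum") or "card" in f or "cvv" in f for f in fields)


def audit_order_forms(page_url, html):
    """Return (resolved action URL, verdict) for every card-collecting form.

    "secure": page and action both https.  "page-insecure": the post itself
    is https, but the page came over http, so it can be altered in transit
    and the browser shows no padlock.  "action-insecure": clear-text post.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        if not _collects_card_data(form["fields"]):
            continue
        action = urljoin(page_url, form["action"])  # relative action inherits page scheme
        verdict = ("action-insecure" if urlsplit(action).scheme != "https"
                   else "page-insecure" if not page_https else "secure")
        results.append((action, verdict))
    return results


# Constructed sample page: a form posting to https, a harmless search box,
# and a form posting card data to a plain http URL.
SAMPLE_PAGE = """<form action="https://shop.example/checkout" method="post">
<input name="cardnumber"><input name="cvv"></form>
<form action="/search"><input name="q"></form>
<form action="http://shop.example/order.cgi"><input name="ccnum"></form>"""
```

Run `audit_order_forms("http://shop.example/order.html", SAMPLE_PAGE)` to see the first form flagged as page-insecure and the last as action-insecure; the search form is skipped because it collects no card data.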

bcc1234

8:35 pm on Jul 25, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's all bad, but the process of transmitting the cc info to the server (be it secure or not) is the safest part of the whole transaction.

I do believe that every commerce site should have a certificate, but the chances of your info being intercepted at that point are far less than the chances of somebody going through your trash and finding bank statements and other financial papers.

mivox

8:41 pm on Jul 25, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



All the big ecomm embarrassments I've heard of, with credit card #s being stolen & etc., have had to do with people breaking into the server, not intercepting traffic from the site's order form.

I don't worry much about how I send the info... once it reaches their server, I can only hope they have the server either set up very securely, or they don't actually store my CC info for any length of time. I can't really check on that part, so I cross my fingers.

My employer's site doesn't store any CC info at all. I didn't want to expose us to that kind of liability/risk/bad publicity.

Big_Balou

8:52 pm on Jul 25, 2002 (gmt 0)

10+ Year Member



Littleman, I agree with you that as long as the data is transmitted to a secure server via https it is not an actual security issue, but it's the psychological factor that, IMHO, takes its toll.

My point would be: with the news agencies taking every opportunity to point out failings in online commerce, why give people a reason or opportunity to lose whatever level of trust they have developed in a site over something that is, in most cases, easily avoidable.

<added> Mivox, that is the real issue. Once the order is sent I cross my fingers, toes, etc. too :). I guess I should be more optimistic but I have seen some setups that make me cringe. </added>

[edited by: Big_Balou at 8:59 pm (utc) on July 25, 2002]

Brett_Tabke

8:55 pm on Jul 25, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I always put in a fake card and give the submit button a go to see if it really is secure...

rogerd

8:59 pm on Jul 25, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Aha! YOU are the one placing those orders, Brett! Well, you're not getting the stuff you ordered until you give me the real card... ;)

jatar_k

9:04 pm on Jul 25, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Unless I have used the site before I do the same thing, Brett. Credit cards make me nervous enough as it is. I have worked in enough businesses to know that it really isn't hard to get cc #'s with sigs etc. All about the integrity of the establishment.

Crazy_Fool

7:20 am on Jul 26, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Don't be fooled into thinking a site using SSL (https) is secure. SSL only protects the transmission of the card numbers from the browser to the server. Once the card details reach the server, they are often stored in plain text format in a mailbox until the site owner downloads his/her emails. The script that receives the card numbers should really encrypt the data using PGP etc. Of course, you have no way of knowing whether a site is using any form of security or encryption beyond the ordering page .... I will only ever purchase from a site that uses a recognised secure card processing service.

>>Are there any organizations out there that are actively looking for such things

yes, hackers / carders / etc. It's so easy to access a mailbox!

I'm sure I read that the EU are imposing legislation about this, maybe in the EU Ecommerce Directive (I'll have to look into it when I get more time). Trouble is, the law is only effective when it's enforced - day after day I see UK based sites in breach of the UK Distance Selling laws, but nothing is ever done about them.

bcc1234

5:36 am on Jul 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



yes, hackers / carders / etc. It's so easy to access a mailbox!

those are crackers, not hackers.
and it's not that easy to access a mailbox.

I agree that sensitive info should not be sent over the e-mail.
The problem is - everybody wants to sell on the internet, and everybody wants the lowest development and maintenance costs; which comes down to cheaper, less secure solutions. And simply mailing the info to the merchant is the cheapest way to implement it. Encrypting it with PGP or doing anything else just increases the cost.

Whenever you shop on the net - just make sure that you are using a card from a bank that stands by its customers.

bobriggs

5:54 am on Jul 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



those are crackers, not hackers

I love it when someone knows the difference. Of course, I'm a hacker. Telling that to someone who gets their news from NBC will give them a different impression of me.

Nuf said about that. Earlier today I tried to get to paypal to see what services were offered. Site was down. I'm considering my options of online credit card processing. (never used anything before so I'm a total newbie on this).

authorize.net seems expensive; I'm only going to have a small amount of business at first. any suggestions? (This is for an online classified ads site) - payment made when the ad is posted. I want to make sure that everything is on the up and up.

[edited by: bobriggs at 6:02 am (utc) on July 28, 2002]

Axacta

6:01 am on Jul 28, 2002 (gmt 0)

10+ Year Member



>Whenever you shop on the net - just make sure that you are using a card from a bank that stands by its customers.<

And stick with credit cards. If there is a hack and your number is stolen and used, the credit card company takes the hit. I have not seen this myself, but I understand that debit cards can also be used, but if they're hacked it's your money - chances are you won't get it back.

bcc1234

7:29 am on Jul 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have not seen this myself, but I understand that debit cards can also be used, but if they're hacked it's your money - chances are you won't get it back.

I'm pretty sure you can claim fraud with either debit or credit.

Axacta

12:35 pm on Jul 28, 2002 (gmt 0)

10+ Year Member



>I'm pretty sure you can claim fraud with either debit or credit.<

The difference is that with the credit card it is the credit card company's money that has been stolen, and they are under obligation to pay the tab. With the debit card it is the consumer's money that has been stolen, and it might take a lawsuit to get any back.

Think about it. Whose money would you rather put at risk - the credit card company's or yours?

bcc1234

6:32 pm on Jul 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The difference is that with the credit card it is the credit card company's money that has been stolen, and they are under obligation to pay the tab. With the debit card it is the consumer's money that has been stolen, and it might take a lawsuit to get any back.
Think about it. Whose money would you rather put at risk - the credit card company's or yours?

Well, if your number has been stolen and published on some site and you lost thousands - it's not about bank or visa any more. Call authorities.

If you purchased something for $59.95 and never got it - forget the lawsuit.

I understand your point about the bank's money vs your money, although it does have a flaw.
Read your card's policy, I'm sure it will mention that you are responsible for all charges unless .....

The unless part is pretty much the same for debit and credit cards.

Finally, if your bank does not do anything - call visa or mc. They will deal with it and your bank will have to comply.

If the debit card has visa (or mc) logo on it and it's charged as a visa (or mc) card - it's protected by visa (or mc), on top of the bank.

Alby

8:07 pm on Jul 28, 2002 (gmt 0)

10+ Year Member



I'm considering my options of online credit card processing. (never used anything before so I'm a total newbie on this).

Not really on topic but I have had good experiences with 2checkout.com on an old web site. You may want to take a look at them.

chuladi

5:28 pm on Jul 31, 2002 (gmt 0)

10+ Year Member



The difference is that with the credit card it is the credit card company's money that has been stolen, and they are under obligation to pay the tab. With the debit card it is the consumer's money that has been stolen, and it might take a lawsuit to get any back.

And stick with credit cards. If there is a hack and your number is stolen and used, the credit card company takes the hit.

You couldn't be more wrong. With both credit and debit cards, it's the merchant who takes the hit. The credit card issuers don't eat the chargeback, they take back the money from the merchant's funds. Hence the word charge-back, it is charged back to the merchant.

And debit cards, in most cases in the US, are afforded the same protection as credit cards. The difference being that with a debit card, your money is actually gone and they have to follow certain banking procedures to recover your funds, whereas with a credit card, they usually suspend the charge until the issue is resolved.

But remember that the merchant takes the hit. Helpful information if you ever have a merchant account.

Axacta

5:53 pm on Jul 31, 2002 (gmt 0)

10+ Year Member



That's only if it is proved how the number was accessed by the crook. Most of the time it is never discovered, and either the card company or the consumer takes the hit.

kenetiks

6:14 pm on Jul 31, 2002 (gmt 0)



This is a circular argument that just keeps continuing itself with no real purpose except to incite FUD (Fear, Uncertainty and Doubt), you can thank the AVS, news media and everyone else for that.

Now on to the _real_ points. First HTTPS/NO HTTPS? Guess what, a cracker doesn't care. You wanna know why? I'll tell you. Ok say by some odd chance a cracker or cc thief has hax0red his way into an ecommerce site and instead of reading the db or cc files he says "No bob I'm gonna do this the hard way!", so he installs a sniffer, gets a dump of 50 encrypted transmissions and makes an attempt to decrypt it, that will take...well a long time for him to get the cc.

Now which do you think he's _REALLY_ gonna do?

BTW if anyone wants to know how many cc #'s you can find that were stolen from a secure transaction, just hop on IRC and go to dalnet.

*sigh*

chuladi

7:50 pm on Jul 31, 2002 (gmt 0)

10+ Year Member



That's only if it is proved how the number was accessed by the crook. Most of the time it is never discovered, and either the card company or the consumer takes the hit.

Again, not true. I don't know where you are getting this information. US Federal law protects the card holder from being liable for fraudulent charges. That's it. If you are the card holder, you are NOT financially responsible for fraudulent charges.

Credit card companies DO take the money back from the merchant. There is absolutely no need to prove how the number was accessed; in most cases, it cannot be proven. I don't know where you are getting that information. Never in the case of a chargeback have I ever heard of a merchant being required to prove how the card number was compromised.

If you have a merchant account, ask your provider what happens when someone claims fraudulent use of their card to place an order at your store. The credit card companies do not take the loss! This is very common knowledge among those that have merchant accounts.

I'm not trying to be argumentative, it's just that the information you gave is highly inaccurate and I think merchants and prospective merchants need to know that they do bear the burden of the cost for internet fraud.

The way it works is like this:

Crook makes purchase at your site
Cardholder receives statement and disputes charge
Issuer suspends charge from cardholder and requests chargeback to merchant
Merchant account provider removes funds from merchant's account and assesses chargeback fee to merchant
Merchant is sent documentation of chargeback
Merchant must prove that card holder placed order and received goods
If merchant cannot prove this, merchant loses funds and chargeback fee

This IS how it works.

BroadLea

8:16 pm on Jul 31, 2002 (gmt 0)

10+ Year Member



I've only had one chargeback (thankfully), a situation where a thief got hold of someone's credit card number and billing address. Since the billing address entered matched that on file for the credit card, the Address Verification System (AVS) gave it two thumbs-up. We shipped to the Ship-To address, which turned out to be a private mail facility.

Who ended up eating the charge? Me, the merchant. Why? Because I couldn't prove delivery to the billing address.

And I heartily concur with the notion that CC numbers are easiest to get from the servers themselves. While we don't store entire CC numbers at all, I have worked for a major operation where the numbers were easily obtainable from a database using the default username/password.

Axacta

8:55 pm on Jul 31, 2002 (gmt 0)

10+ Year Member



OK I stand corrected. I just read a rather lengthy article on this a few weeks ago, and what I said is what they said. I was steered wrong.

rogerd

9:55 pm on Jul 31, 2002 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Chuladi is completely correct about who takes the hit. The odds are stacked against the merchant. Sometimes even a customer who GETS the merchandise can beat the merchant out of his money by alleging the product didn't arrive, was defective or wrong, etc. The credit card companies are disposed to believe the customer 100%, no matter how outrageous the claim - it's "take the money back first, ask questions later." Fortunately, the percentage of criminally abusive customers is pretty small.

The web makes fraud a lot easier. I used to have customer service reps taking phone orders, and a skilled rep could spot 95% of the fraud orders before they were even in the system. Now, the human element is gone and one must rely on tools like address verification and filters/profiles.

Crazy_Fool

12:04 am on Aug 1, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>The web makes fraud a lot easier

at least we webtraders don't have to suffer burglaries, shoplifting, armed robberies etc, no need for CCTV, electronic tagging and alarms on goods, no need to pay for security guards to stand in the doorway .... ho hum ....

>>The credit card companies are disposed to believe the customer
>>100%, no matter how outrageous the claim

Yup. I think the only way to beat this would be for large numbers of web traders to form an organisation to lobby the card companies and persuade them to give us some sort of backing .... but it would take a lot of time, a lot of effort, and a lot of money from a lot of web traders around the world.

bcc1234

1:30 am on Aug 1, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



no need to pay for security guards to stand in the doorway

those are called system administrators :)

WebGuerrilla

1:32 am on Aug 1, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I never look or really even care whether or not a form is secure. From a statistical standpoint, my time would be better spent following the 100+ waiters/waitresses a year that wander off with my credit card tucked into a little leather case.

For all I know, the card could be passed around to every employee in the building. Each taking time to jot down my number and Exp. date.

In the big picture, the occasional non-secure form is pretty low on the priority list.