Welcome to WebmasterWorld Guest from 18.104.22.168
Forum Moderators: buckworks
* the entire booking process is done on https://
however the final customer details and credit card numbers are then entered into a form and sent (using formmail.pl) by email to the respective accommodation.
there is no pgp encryption and no verisign secure mail (which we use to do the same). so this means that the customers credit card details are being sent in clear text from his secure server to the accommodation's email account.
now if i were a competent hacker, i'm sure that would be easy to hack, to prove how unsecure this is. but i am not.
so my question is what can i do? can i report him to visa or thawte or some sort of consumer protection association? if something were to happen, it would reflect diastrously on everyone involved in our business, not just him
to cap it all, he boasts all over his site about how secure his system is and how his is the only secure site for the area in question (blatantly not true).
thanks for advice
let him get on with it, while you mind your own business.
dont get me wrong, but you would be amazed at the amount of sites that do this.
unless you have time on your hands and want to get involved in this sort of thing, let him get on with it.
Bit like hiring a security van full of guards, driving your sack-of-cash all the way to the bank in this van, then simply dumping your deposit (sic) on the street outside the bank.
joined:Apr 27, 2003
I built a small ecommerce system from the ground up a few years ago (php/mysql, great learning experience) and found that it was very difficult to securely store credit cards on the remote server. Encryption is easy, but you have to put the key on the server to encrypt/decrypt. That's insecure.
I settled on encrypting the whole order form with PGP and emailing it to the person who takes the orders. No credit card info stored in the database (though I do store the encrypted order forms.) No private keys stored on he server.
Anyway, that's not what this thread is about, is it. It's about ratting out your competitor.
If you raise alarms, you'd probably be doing them a favor as they'd be forced to clean it up before anything disastrous occurs. I agree with everyone here, if you wish them ill, let it bite them.
In general, I'm uncomfortable with the whole ratting out thing. What comes around goes around. That's just me though.
If you want to hide a message, the best way is to cushion it in a lot of junk. That's what happens when you send CC info email. Sort of like sending a diamond in the mail rather than by armoured car.
There are some neat halfway measures you can use, that can be a lot easier than "real" encyryption. Like using a simple script that will add some number to the cc #, which you subtract at your end. Or pasting the expir date in the middle of the CC number.
That way only the encrytion key is on the server, there is a further key which is burried in the dll that does the encryption.
The windows client is unique to the user, in that the dll key is buried within it, you then have to supplied the additional key that is sent to the dll by the asp code. Only having the two codes together can you decrypt the string :)