
Competitor sends credit card details by insecure mail

What can we do about it?

7:37 am on May 5, 2003 (gmt 0)

Senior Member from ES 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 24, 2002
posts:1129
votes: 2


Our major competitor has a webserver secured by Thawte.

* the entire booking process is done on https://

However, the final customer details and credit card numbers are then entered into a form and sent (using formmail.pl) by email to the respective accommodation.

There is no PGP encryption and no VeriSign secure mail (which we use to do the same). So this means that the customers' credit card details are being sent in clear text from his secure server to the accommodation's email account.

Now, if I were a competent hacker, I'm sure that would be easy to hack, to prove how insecure this is. But I am not.

So my question is, what can I do? Can I report him to Visa or Thawte or some sort of consumer protection association? If something were to happen, it would reflect disastrously on everyone involved in our business, not just him.

To cap it all, he boasts all over his site about how secure his system is and how his is the only secure site for the area in question (blatantly not true).

Thanks for advice.

9:00 am on May 5, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member shak is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 28, 2002
posts:4154
votes: 0


Jamie,

Let him get on with it, while you mind your own business.

Don't get me wrong, but you would be amazed at the amount of sites that do this.

Unless you have time on your hands and want to get involved in this sort of thing, let him get on with it.

Shak

9:17 am on May 5, 2003 (gmt 0)

Senior Member from ES 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 24, 2002
posts:1129
votes: 2


"unless you have time on your hands"

Absolutely not ;-)

Will ignore then. Hopefully he'll dig his own grave before too long.

Cheers, Shak

9:19 am on May 5, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member shak is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 28, 2002
posts:4154
votes: 0


will ignore then. hopefully he'll dig his own grave before too long.

exactly :)

Shak

10:24 am on May 5, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 29, 2002
posts:1819
votes: 0


Forgive my ignorance, but if the form is on https and the formmail he uses is called through https, then is that not secure?

mat

10:43 am on May 5, 2003 (gmt 0)

Preferred Member from IT 

10+ Year Member

joined:Apr 5, 2002
posts:633
votes: 0


The browser procedure is all secure, but the 'end product' is simply a common-or-garden text email that gets sent 'in the open', with none of the gathered data encrypted or protected in any way.

Bit like hiring a security van full of guards, driving your sack-of-cash all the way to the bank in this van, then simply dumping your deposit (sic) on the street outside the bank.

12:37 pm on May 8, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 7, 2001
posts:608
votes: 0


Confession: we did this for our first 2 years.

Setting up our secure server was easy compared to establishing our secure connection to it (in order to download orders).

12:57 pm on May 8, 2003 (gmt 0)

Junior Member

joined:Apr 27, 2003
posts:131
votes: 0


Yeah, storing credit card info on a server is a challenge when you don't have the server in your building.

I built a small ecommerce system from the ground up a few years ago (php/mysql, great learning experience) and found that it was very difficult to securely store credit cards on the remote server. Encryption is easy, but you have to put the key on the server to encrypt/decrypt. That's insecure.

I settled on encrypting the whole order form with PGP and emailing it to the person who takes the orders. No credit card info stored in the database (though I do store the encrypted order forms). No private keys stored on the server.

Anyway, that's not what this thread is about, is it? It's about ratting out your competitor.

If you raise alarms, you'd probably be doing them a favor as they'd be forced to clean it up before anything disastrous occurs. I agree with everyone here, if you wish them ill, let it bite them.

In general, I'm uncomfortable with the whole ratting out thing. What comes around goes around. That's just me though.
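The design this post describes (the web server holds only a public key, encrypts each order and emails or stores the ciphertext, and the private key lives solely on the order-taker's machine) as an added example; it is not code from the thread and not the poster's PHP/MySQL system. It uses Go's standard library rather than PGP: a fresh AES-256-GCM key per order, wrapped with RSA-OAEP to the recipient's public key. The function names, the "order-key" OAEP label and the sample order string (with a well-known test card number) are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SealedOrder is what the web server stores or emails. Every field is useless
// without the recipient's private key, which never touches the server.
type SealedOrder struct {
	WrappedKey []byte // one-time AES key, encrypted to the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext with its authentication tag appended
}

// oaepLabel is an assumed constant; both sides must use the same value.
var oaepLabel = []byte("order-key")

// SealOrder runs on the web server and needs only the recipient's PUBLIC key.
func SealOrder(recipient *rsa.PublicKey, order []byte) (*SealedOrder, error) {
	aesKey := make([]byte, 32) // fresh key for every order
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, aesKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SealedOrder{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, order, nil),
	}, nil
}

// OpenOrder runs on the order-taker's machine, the only place the private key lives.
// GCM rejects any ciphertext that was altered in transit instead of returning garbage.
func OpenOrder(recipient *rsa.PrivateKey, s *SealedOrder) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, s.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap order key: wrong private key or corrupted message")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("order failed authentication: modified in transit or wrong key")
	}
	return plain, nil
}

// RoundTrip is a self-check: seal a constructed order, open it, then confirm that
// a single flipped ciphertext byte is rejected rather than silently decrypted.
func RoundTrip() (bool, error) {
	// Generated here for the demo; in practice the order-taker generates this pair
	// once, offline, and only the public half is copied to the web server.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	// Constructed sample order; 4111111111111111 is a standard test card number.
	order := []byte("name=Example Customer&card=4111111111111111&exp=12/25")
	sealed, err := SealOrder(&priv.PublicKey, order)
	if err != nil {
		return false, err
	}
	got, err := OpenOrder(priv, sealed)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(got, order) {
		return false, errors.New("decrypted order does not match")
	}
	sealed.Ciphertext[0] ^= 0x01 // simulate corruption or tampering in transit
	if _, err := OpenOrder(priv, sealed); err == nil {
		return false, errors.New("tampered order was accepted")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("round trip ok:", ok, "err:", err)
}
```

The property the post relies on is visible in the signatures: nothing on the server side ever receives an `*rsa.PrivateKey`, so a compromise of the web host yields only ciphertext and a public key. Storing the sealed orders, as the poster does, costs nothing extra because they are already opaque.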

10:37 pm on May 14, 2003 (gmt 0)

New User

10+ Year Member

joined:Nov 19, 2002
posts:28
votes: 0


You know, everyone gets all riled up about sending CC info by email, but I have never been able to find an authenticated case of CC info being stolen that way. When you look at the cases where CC info has been stolen, it's always been from big servers that store the stuff, the so-called secure sites. It always seems crazy to me that we get all frightened about giving our CC# over email, then hand the CC to some itinerant, undocumented waiter to disappear with for 15 minutes.

If you want to hide a message, the best way is to cushion it in a lot of junk. That's what happens when you send CC info email. Sort of like sending a diamond in the mail rather than by armoured car.

There are some neat halfway measures you can use that can be a lot easier than "real" encryption. Like using a simple script that will add some number to the CC #, which you subtract at your end. Or pasting the expiry date in the middle of the CC number.

I

10:42 pm on May 14, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 8, 2002
posts:2335
votes: 0


Competitors, especially when they are nasty, are an amazing way to get under your skin. But there are so many better, more positive ways to handle things. Consider how big your market is and work on the untapped market. Look at market share and figure out how to make your share bigger without thinking that your competitor exists. How secure his system is goes WAY beyond something you need to worry about. Look at WW. They have taught you ways to get more and more and more and more traffic. By building more content. Time spent worrying about your competitor is time spent not working on content. I'm glad you chose the positive approach in the end. It will pay off. Trust me.

4:43 pm on May 16, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 12, 2003
posts:161
votes: 0


What I do is encrypt the details on the server, but then provide a secure admin area which displays the encoded string in a text box. You then have to copy this into a Windows client that has the correct reg key, and is also protected by a user/pass.

That way only the encryption key is on the server; there is a further key which is buried in the DLL that does the encryption.

The Windows client is unique to the user, in that the DLL key is buried within it. You then have to supply the additional key that is sent to the DLL by the ASP code. Only having the two codes together can you decrypt the string :)