Charity site payments - secure or not ?

Discussion in 'Computer Security' started by Kev, Apr 1, 2006.

  1. Kev

    Kev Guest

    I wanted to donate to a well established and reputable charity using a
    credit card. I'll not mention the name of the organisation for obvious
    reasons.

    The problem seems to be that although there is a VeriSign logo on the pages,
    the connection in both IE6 and FireFox 1.5 seems to be a pure HTTP
    connection and not an HTTPS one. This is reflected in the address bar and
    there is no padlock.

    This is true on the page where you enter the amount and also on the page
    where you enter the actual card details.

    As far as I can tell, this means that the card details would be routed
    across the internet in an unencrypted format.

    I've raised this with the organisation who passed it onto the hosting
    company. This is what they had to say :

    "There are multiple ways to donate as instructed on the page. You can send
    him an email back saying your web hosting company, XXXXXXXXX, does not host
    Verisign's online forms. That first page is on our servers (he mentions
    http://www.xxxxxxxxx.org/donate.html ), after that it goes to VeriSign. If
    he would place an amount in and continue, he would know. We can add some
    text that says something along these lines. Please let me know."

    If you enter an amount and click the Donate button it takes you to the
    payment page - which is not showing as HTTPS. Clicking on the VeriSign logo
    shows the following text :

    "Encrypted Data Transmission This Web site can secure your private
    information using a VeriSign SSL Certificate. Information exchanged with any
    address beginning with https is encrypted using SSL before transmission.
    Identity Verified VERISIGN, INC. has been verified as the owner or
    operator of the Web site located at payments.verisign.com. Official records
    confirm VERISIGN, INC. as a valid business."

    What does anyone think about this ? Your reasoning would be good to see as I
    intend to pass the comments back to the organisation.

    Thanks
    Kev, Apr 1, 2006
    #1

  2. Kev wrote:
    > I wanted to donate to a well established and reputable charity using a
    > credit card. I'll not mention the name of the organisation for obvious
    > reasons.
    >
    > The problem seems to be that although there is a VeriSign logo on the pages,
    > the connection in both IE6 and FireFox 1.5 seems to be a pure HTTP
    > connection and not an HTTPS one. This is reflected in the address bar and
    > there is no padlock.


    You picked up on the first hint that the page isn't secure.

    >
    > This is true on the page where you enter the amount and also on the page
    > where you enter the actual card details.


    Again, this is a big clue. Don't enter your information on these sites.
    The charity (or any organization) needs to ensure that the site is
    communicating to you that it's secure.

    >
    > As far as I can tell, this means that the card details would be routed
    > across the internet in an unencrypted format.


    That's a perfect assumption.

    >
    > I've raised this with the organisation who passed it onto the hosting
    > company. This is what they had to say :
    >
    > "There are multiple ways to donate as instructed on the page. You can send
    > him an email back saying your web hosting company, XXXXXXXXX, does not host
    > Verisign's online forms. That first page is on our servers (he mentions
    > http://www.xxxxxxxxx.org/donate.html ), after that it goes to VeriSign. If
    > he would place an amount in and continue, he would know. We can add some
    > text that says something along these lines. Please let me know."


    This arrangement does not make for good security. We security
    professionals are trying to raise Information Security awareness and
    when service providers come up with a solution that counters our
    efforts, we all lose.

    The proper way to implement this solution is to have the information
    gathering page be secured -- the form itself, not just the submission of
    the form.

    This sort of thing is really starting to be a problem. There are still
    banks who send out legitimate e-mails requesting users to click on a
    link. This is what makes phishers successful -- legitimate companies
    legitimizing a method of usability that the bad guy can then exploit.

    >
    > If you enter an amount and click the Donate button it takes you to the
    > payment page - which is not showing as HTTPS. Clicking on the VeriSign logo
    > shows the following text :
    >
    > "Encrypted Data Transmission This Web site can secure your private
    > information using a VeriSign SSL Certificate. Information exchanged with any
    > address beginning with https is encrypted using SSL before transmission.
    > Identity Verified VERISIGN, INC. has been verified as the owner or
    > operator of the Web site located at payments.verisign.com. Official records
    > confirm VERISIGN, INC. as a valid business."


    It sounds like they've got implementation problems.
    >
    > What does anyone think about this ? Your reasoning would be good to see as I
    > intend to pass the comments back to the organisation.
    >
    > Thanks
    >
    >


    I think you've answered your own question. If you still want to donate
    to the company, do so in the old fashioned way -- pay by check via snail
    mail.

    --
    *Adam W. Montville, CISSP*
    *http://www.MontvilleArchives.net <http://www.MontvilleArchives.net>*

    *ICQ: 271-685-874*
    Adam W. Montville, Apr 1, 2006
    #2
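
The check described in post #2 (the page that carries the card form must itself be served over HTTPS, not only the form's submission target), as an added example that is not part of the original thread. The field-name pattern, the `.example` hostnames and the sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# Heuristic for "this form asks for card data" (an assumption for this example).
CARD_FIELD = re.compile(r"card|cc.?num|cvv|cvc|expir", re.I)

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None:
            self._open["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_payment_page(page_url, html):
    """Return (finding, url) pairs for card forms not fully covered by HTTPS."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not any(CARD_FIELD.search(name) for name in form["fields"]):
            continue  # form does not collect card data
        # A page delivered over HTTP can be altered in transit, including the
        # form's action, so an HTTPS submit target alone is not sufficient.
        if urlsplit(page_url).scheme != "https":
            findings.append(("form-page-not-https", page_url))
        target = urljoin(page_url, form["action"])  # empty action posts to the page
        if urlsplit(target).scheme != "https":
            findings.append(("submission-not-https", target))
    return findings

# Constructed sample pages (not taken from the site discussed in the thread).
HTTPS_ACTION = '<form action="https://payments.example/pay"><input name="card_number"><input name="expiry"></form>'
RELATIVE_ACTION = '<form action="/pay"><input name="amount"><input name="cc_num"><input name="cvv"></form>'

if __name__ == "__main__":
    print(audit_payment_page("http://charity.example/pay.html", HTTPS_ACTION))
    print(audit_payment_page("http://charity.example/pay.html", RELATIVE_ACTION))
```
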

  3. Kev

    Kev Guest

    <snip>

    Thanks Adam. We clearly agree on this.

    Now I can tell the organisation that I'm not a lone voice and that despite
    what the hosting company has advised, several people have the view that the
    card payments are indeed insecure.

    Would anyone else care to comment ?

    Thanks
    Kev, Apr 1, 2006
    #3
  4. In article <>, Kev <> wrote:
    ...
    >The problem seems to be that although there is a VeriSign logo on the pages,
    >the connection in both IE6 and FireFox 1.5 seems to be a pure HTTP
    >connection and not an HTTPS one. This is reflected in the address bar and
    >there is no padlock.

    ...
    >What does anyone think about this ? Your reasoning would be good to see as I
    >intend to pass the comments back to the organisation.


    You are correct: the session isn't encrypted.

    So, assuming that you are on dialup or DSL, this means that you aren't
    protected in the _least_ likely place to expose your information. If
    you are on cable, using wireless, or coming in from a public place,
    this is somewhat more exposure here.

    The real place to worry is in the charity's database and backend
    processors. These are much more tempting targets and much more likely
    to be implemented in an insecure fashion. They are also the same
    systems that are used no matter how you make the donations. :)-(

    You can always send them a check.

    Craig
    Craig A. Finseth, Apr 3, 2006
    #4
  5. Craig A. Finseth wrote:
    > In article <>, Kev <> wrote:
    > ...
    >> The problem seems to be that although there is a VeriSign logo on the pages,
    >> the connection in both IE6 and FireFox 1.5 seems to be a pure HTTP
    >> connection and not an HTTPS one. This is reflected in the address bar and
    >> there is no padlock.

    > ...
    >> What does anyone think about this ? Your reasoning would be good to see as I
    >> intend to pass the comments back to the organisation.

    >
    > You are correct: the session isn't encrypted.
    >
    > So, assuming that you are on dialup or DSL, this means that you aren't
    > protected in the _least_ likely place to expose your information. If
    > you are on cable, using wireless, or coming in from a public place,
    > this is somewhat more exposure here.
    >
    > The real place to worry is in the charity's database and backend
    > processors. These are much more tempting targets and much more likely
    > to be implemented in an insecure fashion. They are also the same
    > systems that are used no matter how you make the donations. :)-(
    >
    > You can always send them a check.
    >
    > Craig
    >


    Kev, Craig makes a great point!

    --
    *Adam W. Montville, CISSP*
    *http://www.MontvilleArchives.net <http://www.MontvilleArchives.net>*

    *ICQ: 271-685-874*
    Adam W. Montville, Apr 4, 2006
    #5
  6. Kev

    Kev Guest

    "Adam W. Montville" <> wrote in message
    news:e0smef$nk6$...
    > Craig A. Finseth wrote:
    >> In article <>, Kev <>
    >> wrote:
    >> ...
    >>> The problem seems to be that although there is a VeriSign logo on the
    >>> pages, the connection in both IE6 and FireFox 1.5 seems to be a pure
    >>> HTTP connection and not an HTTPS one. This is reflected in the address
    >>> bar and there is no padlock.

    >> ...
    >>> What does anyone think about this ? Your reasoning would be good to see
    >>> as I intend to pass the comments back to the organisation.

    >>
    >> You are correct: the session isn't encrypted.
    >>
    >> So, assuming that you are on dialup or DSL, this means that you aren't
    >> protected in the _least_ likely place to expose your information. If
    >> you are on cable, using wireless, or coming in from a public place,
    >> this is somewhat more exposure here.
    >>
    >> The real place to worry is in the charity's database and backend
    >> processors. These are much more tempting targets and much more likely
    >> to be implemented in an insecure fashion. They are also the same
    >> systems that are used no matter how you make the donations. :)-(
    >>
    >> You can always send them a check.
    >>
    >> Craig
    >>

    >
    > Kev, Craig makes a great point!


    True - he does. But I'm being public spirited in multiple ways ! When
    people have enquired about it being secure they always say that it is
    protected by VeriSign ! The three of us get the distinct impression that it
    is not.

    >
    > --
    > *Adam W. Montville, CISSP*
    > <mailto:>
    > *http://www.MontvilleArchives.net <http://www.MontvilleArchives.net>*
    >
    > *ICQ: 271-685-874*
    Kev, Apr 4, 2006
    #6
  7. Art

    Art Guest

    On Mon, 03 Apr 2006 11:59:30 -0000, Craig A. Finseth
    <> wrote:

    >You can always send them a check.


    Hmmm--how secure is a paper check these days? Not counting the small
    number of mailed checks that never get delivered--were they stolen?
    destroyed? piling up in some demented postal worker's garage?--any
    person you pay with a check can use the routing and account numbers to
    make online electronic fund transfers from your account. In fact,
    many large businesses are already doing exactly that, legitimately,
    when they receive a check--for instance my local electric utility and
    credit card companies. They convert it to electronic transfer so they
    can credit the funds the same or next day, no kiting possible.

    Plus--if you make any sort of online payment from your checking
    account, there's probably no way for your bank OR the payee to confirm
    that (a) it's really your checking account or (b) it's really you
    making the withdrawal. The bank transfers the money automatically and
    payee collects the money automatically, no questions asked.

    Seems to me online payment by credit card at least lets you see your
    credit card statement before paying it and catch fraudulent
    transactions. With a checking account the money is just gone.
    Art, Apr 4, 2006
    #7
  8. Art wrote:
    > On Mon, 03 Apr 2006 11:59:30 -0000, Craig A. Finseth
    > <> wrote:
    >
    >> You can always send them a check.

    >
    > Hmmm--how secure is a paper check these days? Not counting the small
    > number of mailed checks that never get delivered--were they stolen?
    > destroyed? piling up in some demented postal worker's garage?--any
    > person you pay with a check can use the routing and account numbers to
    > make online electronic fund transfers from your account. In fact,
    > many large businesses are already doing exactly that, legitimately,
    > when they receive a check--for instance my local electric utility and
    > credit card companies. They convert it to electronic transfer so they
    > can credit the funds the same or next day, no kiting possible.
    >
    > Plus--if you make any sort of online payment from your checking
    > account, there's probably no way for your bank OR the payee to confirm
    > that (a) it's really your checking account or (b) it's really you
    > making the withdrawal. The bank transfers the money automatically and
    > payee collects the money automatically, no questions asked.
    >
    > Seems to me online payment by credit card at least lets you see your
    > credit card statement before paying it and catch fraudulent
    > transactions. With a checking account the money is just gone.
    >
    >


    All points well taken. I've seen recommendations on www.fool.com
    (financial advice, really great site -- if you've not been there, I
    highly recommend it) that indicate you should have one or two low-limit
    credit cards.

    1. You're only going to be liable for $50 maximum on fraudulent
    transactions.

    2. Criminals won't get too much out of it.

    One thing is for certain: in today's electronic age financial
    transactions not performed in person and with cash have downside risk.

    --
    *Adam W. Montville, CISSP*
    *http://www.MontvilleArchives.net <http://www.MontvilleArchives.net>*

    *ICQ: 271-685-874*
    Adam W. Montville, Apr 6, 2006
    #8