20120105

Basic security

How often does one run across basic security issues being neglected on our beloved Internet, in daily use?

Too often.

Now, I'm not talking about somewhat obscure subjects like CSRF, which sites may or may not do something about. I'm talking about really basic stuff, specifically the use of HTTPS to send credit card information.

A new site called TenemosHambre.com (in Spanish, something like "WeAreHungry.com") opened for business this January 1st. It brings a new idea to the local market: ordering food online from several restaurants. I personally love the fact that someone actually went and built this in my city, and I'll definitely use it regularly once it's working properly.

The problem comes at the last step of placing an order, which asks whether you want to pay in cash or by credit card. They boldly state that since they do not store credit card numbers on their site, it's "as safe as ordering by phone". I don't know much about phone security, so I wouldn't know how to compare the two (giving your credit card number by phone or online), but for the online version I expect HTTPS at the very least. Even if they store nothing themselves, a card number submitted over plain HTTP travels in cleartext, and anyone on the path between the user and the server (a shared Wi-Fi network, an upstream router, the ISP) can intercept the packets and read what the poor user typed.
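The failure described above is easy to check for mechanically: a form that collects card data but submits it to a plain-http URL. The following script is an added example, not code from the original post or from TenemosHambre.com. It parses a checkout page with the standard library only, finds forms whose fields look like card data (the field-name hints are an assumed heuristic), resolves each form's action against the page URL, and reports every form that would send the card number over cleartext HTTP. The page URLs and HTML below are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic (assumed for this example): substrings in a field's name, id or
# autocomplete attribute that suggest it carries payment-card data.
CARD_FIELD_HINTS = ("card", "cc-", "ccnum", "cvv", "cvc", "cvn", "expiry")


class _FormCollector(HTMLParser):
    """Collect every <form> and the card-like fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str, "fields": [names]}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            for key in ("name", "id", "autocomplete"):
                val = (a.get(key) or "").lower()
                if val and any(hint in val for hint in CARD_FIELD_HINTS):
                    self._current["fields"].append(a.get("name") or a.get("id") or val)
                    break

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_card_forms(page_url, html):
    """Return [(submit_url, [field, ...]), ...] for every form that collects
    card data and whose submission would travel over plaintext HTTP.

    The action is resolved against page_url, so a relative action on an http
    page, an empty action (posts back to the page) and an absolute http action
    on an https page are all caught; scheme-relative (//host/path) actions
    inherit the page's scheme.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["fields"]:
            continue
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme != "https":
            findings.append((submit_url, form["fields"]))
    return findings


# Constructed sample pages (not real sites).
PAGE_HTTP = """
<form action="/search"><input name="q"></form>
<form action="/order" method="post">
  <input name="cardnumber"><input name="cvv">
  <select name="month"><option>1</option></select>
</form>
"""

PAGE_HTTPS = """
<form action="http://pay.example/charge" method="post">
  <input name="number" autocomplete="cc-number">
</form>
<form action="/order" method="post"><input name="cardnumber"></form>
"""

if __name__ == "__main__":
    for url, html in (("http://shop.example/checkout", PAGE_HTTP),
                      ("https://shop.example/checkout", PAGE_HTTPS)):
        for submit_url, fields in find_insecure_card_forms(url, html):
            print(f"{url}: card fields {fields} submitted in cleartext to {submit_url}")
```

The second sample page shows the subtler case: the page itself is served over HTTPS, so the padlock is there, but the form posts the card number to an http URL, which is just as exposed on the wire. A full audit would also confirm that the http version of the page redirects to https and that no script on the page copies the field elsewhere, but transport for the form submission is the minimum check.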

I feel like I'm talking to little kids here. This is not hard, and I'm inclined to think the problem is not that the developers didn't know about it, but that they decided not to take care of it for some reason (which may or may not include the fact that getting an SSL certificate is neither free nor fun).

This is unacceptable (as you may have guessed, this is my opinion), and hopefully it will be fixed really soon in that particular case. More generally, I'm concerned that anyone with a laptop and a PHP tutorial is building dangerous sites. I'll leave you with my last retweet:
This whole "everybody can learn to code" meme is retarded. Most coders can't even fucking code.

2 comments:

  1. Dear Camilo,

    With all the technological and commercial issues that starting a fabulous start-up entails, our technicians forgot to install the SSL. When you made us notice this issue (4 days after the launch) we removed the credit card functionality, and 3 days later we had configured HTTPS.

    Today, two weeks after the launch, we are happy to tell you that our site is ranked 1000 (Alexa) in the city of Quito (where we launched the site), our Facebook page has more than 5000 likes, and we have had hundreds of happy customers.

    We love to be criticized by our clients because that's the only way we can improve, and we would love to have you on our site again soon, helping us to be better.

    Sincerely,
    Luis Villarroel
    Co-founder
    www.tenemoshambre.com
