Forgot your password?
typodupeerror
Privacy The Internet

Websites Still Failing Basic Privacy Practices 205

Posted by kdawson
from the after-all-these-years dept.
DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"
This discussion has been archived. No new comments can be posted.

Websites Still Failing Basic Privacy Practices

Comments Filter:
  • It's a good thing (Score:5, Insightful)

    by XanC (644172) on Monday August 25, 2008 @09:02PM (#24746053)

    That Firefox saves the nasty warnings for Web sites that are encrypted!

    • Re:It's a good thing (Score:5, Informative)

      by stfvon007 (632997) <enigmar007 AT yahoo DOT com> on Monday August 25, 2008 @10:32PM (#24746861) Journal
      Well i went to the site and changed http to https, and it brought up the page on an encrypted connection. looks like they aren't forcing you to submit it in the open after all.
      • Re: (Score:3, Insightful)

        by palegray.net (1195047)
        While the responsibility does lie with the consumer to take appropriate technical measures to safeguard his personal information, is it too much to ask for a company to make SSL the default when submitting information?

        It only takes adding an "s" in the form element...
        • Re: (Score:3, Informative)

          by robo_mojo (997193)

          It only takes adding an "s" in the form element...

          And a valid signed cert, if the site owner doesn't want his users getting annoying warnings...

        • by BrokenHalo (565198)
          ...to mention is that the whole point of a lot of those online forms (such as competitions etc) is to provide an opt-in to any kind of marketing dreck the the site owner (or any of his mates) cares to send you.

          The best way to keep your personal information private is to not hand it out. I know that should be obvious, but the fact seems to escape people when they appear to be being offered free ponies (or whatever).
      • by robo_mojo (997193)
        Just a warning: that doesn't always work.

        Sometimes, even if you change http to https, the form still submits to plain http (though that isn't the case this time).

        But if you want to be sure without having to wade through HTML, you can just set security.warn_submit_insecure to true in Seamonkey/Firefox, which should be true by default if you haven't already turned it off.
        • When is this "sometimes" you speak of?
          If it's >form action="https://server.tld/page.ext"> the data is submitted via https. Period. If you're already on a HTTPS site, a >form action="page.ext"> as enough.
          Of course if the site uses JavaScript to read the values and transfer it by other means, that connection should be encrypted too. But if you temporarily disable JavaScript, you're safe.

          • Re: (Score:3, Informative)

            by Covener (32114)

            When is this "sometimes" you speak of?
            If it's >form action="https://server.tld/page.ext"> the data is submitted via https. Period. If you're already on a HTTPS site, a >form action="page.ext"> as enough.
            Of course if the site uses JavaScript to read the values and transfer it by other means, that connection should be encrypted too. But if you temporarily disable JavaScript, you're safe.

            He surely means in the case the form action explicitly lists http; changing the protocol of the referring page d

            • by robo_mojo (997193)

              He surely means in the case the form action explicitly lists http; changing the protocol of the referring page doesn't accomplish anything.

              Yes that's exactly what I was talking about. Sorry I didn't make it more clear.

        • â¦every grandmother out there can do that. They all know exactly where it is and how to set the bit.

          Don't take personally, robo_mojo. Since the article is about overall web security, it just struck me as funny that the suggestion (a kind often made by the /. readership) is one of those types that the vast majority of the population would find a worthless because it is a technical response.

    • by Hyppy (74366)
      Yes, yes, it warns you that you're sending encrypted traffic to an admin that is too cheap and/or lazy to get a certificate signed.

      I know I sure as hell wouldn't send my data to someone like that.
  • but realistically (Score:5, Insightful)

    by Anonymous Coward on Monday August 25, 2008 @09:02PM (#24746073)

    HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it. Also, address and date of birth aren't usually considered confidential, even if you might not want to publish them.

    This isn't a lot different than many of those post-card questionnaires many people fill out and mail in.

    I think in this case, it's more important what they do with the information once they receive it.

    That said, I think there should be default encryption wherever possible automatically.

    • by Anonymous Coward on Monday August 25, 2008 @09:30PM (#24746309)
      I sniffed the password to a Slashdot account! Yours! And I'm using it to post a reply to your post!
    • Re:but realistically (Score:5, Interesting)

      by Anonymous Coward on Monday August 25, 2008 @10:31PM (#24746853)
      I run a copy of Wireshark whenever I'm at a coffee shop, airport lounge, or anywhere else there is a wireless hotspot. You would be amazed at the volume of info that gets sent in the clear - passwords, personal info, you name it. My favorite are people who log onto their webmail using HTTP:// not HTTPS://..... Simple rule I use and push is - if you are on a public (or untrusted) network, use a VPN or SSH tunnel.
      • Suggestion: OpenVPN (Score:3, Informative)

        by toby (759) *

        is a great solution [openvpn.net] (Windows, OS X, Linux, *BSD, Solaris, etc). Once you've started the daemon, it's available everywhere you go, transparently. Just proxy your web surfing, mail access through the VPN server.

        (Of course in the FA's example, it only encrypts half of the transmission - to your proxy - but it's these edge networks that are generally most vulnerable - home wireless, Starbucks, random offices, hotels, airports and local ISPs. That said, never forget the NSA is listening [eff.org] on core networks.)

    • Re:but realistically (Score:5, Interesting)

      by jd (1658) <imipak@nOSPam.yahoo.com> on Monday August 25, 2008 @10:38PM (#24746911) Homepage Journal

      Information is context-sensitive. The VERY first thing you learn when using encryption systems is that it's much easier to crack something where you know what the plaintext should look like. The second thing you learn is that the information around the encrypted data is often far more valuable intelligence-wise than the encrypted stuff. That's why those of you who have ever been instructed on the use of STU-III phones were told NOT to chat before inserting the encryption card. (You WERE paying attention to those talks, right? Right???)

      Next, there's this thing called the European Union. They're getting, oh, just a little sensitive about personal information these days. You know, what with German banks freely selling personal data (such as bank account details) to anyone who calls up, despite some of the toughest data protection laws in the world. Americans may view them as unimportant nobodies, but they are at least grasping the idea that ANY unnecessary exposure of personally-identifying information is a very high risk to the individual (identity theft) and a fairly substantial risk to the economy as a whole (such theft costs - and it costs a whole lot more than any "terrorist" threat ever did).

      Name and address "high risk information"? If it can be used in a social engineering attack on a bank, credit card company or Government department (and usually such people do not make much effort to validate who a person is), then it is high risk. It doesn't matter if such information has always been viewed as public, as long as human operators (and computer programs) are satisfied that such information proves identity, it is not safe to expose.

      Oh, and as for the fact that this information is actually used as a substitute for secure passwords, The Cheshire Catalyst [spaceyideas.com] was responsible for publishing a rather pointed song [poppyfields.net] on the subject by breaking into the PRESTEL account of a BBC presenter whilst he was demonstrating the service live on BBC television. The lyrics should be required reading material for anyone who uses any kind of online service, and failure to heed its warnings should be considered no different from reckless driving or setting off fireworks inside a furniture store.

      • by arminw (717974)

        ....If it can be used in a social engineering attack on a bank, credit card company or Government department ....

        That is a burden that should be on these institutions to diligently ensure for any given transaction, that the information given is truly connected to the person the information is about. As you go through life doing business with others you are required to give them information about you. Eventually there will be so much information about you all over the place, you might as well post it on the

    • by Ichijo (607641)

      HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it.

      Unless you're both on an unencrypted (or underencrypted) wireless hotspot.

    • by arminw (717974)

      ....I think in this case, it's more important what they do with the information once they receive it....

      I think it is more important for the financial institution or merchant to ensure that if someone gives them this information, which may be stolen, this really is a person that belongs to. Information theft is really a misnomer. Your identity cannot really be stolen, only misappropriated by someone who is not you or is not entitled to use it for their own purposes. Any time you want to do business with an

    • by holophrastic (221104) on Tuesday August 26, 2008 @12:35AM (#24747817)

      I certainly agree with your first sentiment -- not everything needs to be encrypted. I certainly see the value in encrypting cash and effetively-cash information -- like credit card information. But honestly when it comes to simple privacy information, https is way over-kill. I don't want to slow the web down by 300% just to encrypt everything. Not only is it not necessary -- it's not like packets are intercepted frequently -- but it's by far no where near the weakest link.

      I've been to, and photographed, bank machines that use external modems, loose and visible cables, and simple network jacks that could be easily by-passed. You're mail in most physical mailboxes is wide open for viewing. Hey, your licence plate is just sitting in your driveway.

      But by far, don't worry about the guy stealing your packets. Worry about the 16 year-old at the gas station that takes your credit card. The secretary at whatever company that answers the phone, the customer service agent. These people are all effectively able to intercept your packets, and you talk to them willingly as customer service for every company you've ever called where you weren't talknig to the owner.

      Our industry here is one where the principles of security have matured to the point where it seems like everything needs to be high-security. But in reality, every other industry on this planet is wide open by comparison.

      I'm reminded of something as simple as the sign at my local performing arts theatre that reads "no audience members beyond this point", engraved into a plackard beside the door to back-stage. However the door itself is unlocked. I go back after every performance to express my appreciation.

      Security for security sake is not only stupid, it's dangerous. It's what had me removing my shoes crossing the border last week. And in the end, after all of the security, I still wound up flying into and out of the U.S. with a knife in my pocket that everyone -- including myself -- missed entirely.

      Security is necessary only to the point where something needs securing -- that means it has value, someone wants it, and someone is trying to take it. That last part is vital to the equasion. Securing something that no one is trying to steal is a waste of effort, money, resources, time, and other liberties. You know, like three hours at an airport to take a $35, 25 minute flight.

      • Re: (Score:3, Insightful)

        by Library Spoff (582122)

        my online dvd rental company (dvdrental.cd-wow.com) emailed me to tell me i needed to update my credit card details - my card runs out at the end of the month. Their ssl cert ran out the end of July. When i contacted them to tell them this they basically said "Don't worry about it, it's all secure, your details don't leave the uk" etc.

        As i'll be adding new card info they won't be getting my business until it's fixed...

        • Re: (Score:3, Informative)

          by holophrastic (221104)

          a few things. first, the cert has nothing to do with the encryption. the cert isn't a security tihng, it's a third-party vouching system. if you trust the company in the first place, the cert does nothing for you anymore.

          as for the actual encryption, if you indeed believe that someone may be intentionally intercepting your transmissions, then yes the encryption is important when transmitting your credit card information. But it's purely a transmission thing. the https encryption only solves someone int

  • by topham (32406) on Monday August 25, 2008 @09:03PM (#24746077) Homepage

    That level of privacy is not considered important by anybody. Seriously.

    Credit Card data - encrypted; you're first and last name? short of being in the witness protection program it is NOT considered a privacy issue. sorry.

    (I know, I know, it would be nice if it was).

    • by linear a (584575) on Monday August 25, 2008 @09:18PM (#24746201)
      The big sites *must* be interested in privacy. They're plastered with security and privacy notices.
    • by Anonymous Coward on Monday August 25, 2008 @09:22PM (#24746233)

      No, I'm not "first and last name."

    • by DigitAl56K (805623) * on Monday August 25, 2008 @09:23PM (#24746241)

      That level of privacy is not considered important by anybody.

      It is by me (obviously) ;)

      You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?

      With specific regard to "trust", here you have a website asking for a bunch of personal information without taking the most basic precautions to protect it in transit and without an SSL certificate that identifies the owners to inform you where the data might really be going to.

      It was enough to make me cancel out.

      • Re: (Score:2, Insightful)

        by dreohio99 (963130)
        Your information is already out there in public records. Google your phone number and see what comes up. If the form asked for SSN or driver's license number I would be a bit more cautious. As far as passwords, it is already considered a bad practice to use the same one on a shopping website as your bank or credit card account websites.
        • Re: (Score:3, Insightful)

          by Ash-Fox (726320)

          Your information is already out there in public records.

          And I know which ones too.

          Google your phone number and see what comes up.

          Three results, all of which, not even related.

        • Re: (Score:2, Insightful)

          by whoisjoe (465549)

          I did google my phone number (although I admit that its a mobile phone). All I got were references to the area code and exchange, and one reference to my wireless provider.

      • by Zero__Kelvin (151819) on Monday August 25, 2008 @09:48PM (#24746515) Homepage
        You missed the real story, to wit:

        "Internet users still can't seem to get the basics of privacy and security on the Web pulled together. Web users still offer up information they consider to be private and sensitive, on the almost zero chance they will win a Wii, to companies about which they know little or nothing. They still believe the company can and should be trusted with their data, based solely on the fact that the companies products have a little brand recognition ..."
        • by Kent Recal (714863) on Monday August 25, 2008 @10:09PM (#24746671)

          Exactly. This "article" is yet another bad joke (slashdot disappoints a lot lately).

          Dear "DigitAl56K": If you're so worried about losing your first and lastname on the interwebs then why the hell do you participate in retarded lotteries?
          Here's a little secret: If you don't push that submit button then nobody will ever get your information!

          • Re: (Score:3, Insightful)

            by antic (29198)

            Easy publicity for Duracell. Have someone complain about a non-issue with your competition, and get free press.

            • Hm, I somewhat doubt that slashdot is the right target audience for that kind of PR.
              If someone really paid for it then I'd say they just wasted their money...

              • by antic (29198)

                If it were the case that it was planted, then I disagree completely with you. Cost someone a few moments to post, yet they got the competition in front of countless eyeballs. For every person who stops to gripe about privacy, you'll have a number of others who think "Ooh Wii, wouldn't mind one - I'll give it a shot."

                • Maybe you are right. Never underestimate human stupidity etc. but I *do* want to think that there are less of that kind(!) of idiots on slashdot than elsewhere.

      • by knewter (62953)

        Why did you mention password? I didn't see that listed as an item in the form. Esp. why did you emphasize it, when it's not even supposed to be in the list?

      • by telbij (465356) on Monday August 25, 2008 @11:01PM (#24747115)

        I don't challenge your thesis, but your example stinks. First of all, the biggest problem as far as privacy is concerned is the database being sold to other companies. The next biggest problem is the database being outright stolen by crackers. Sniffing your POST as it goes across the wire is the least of your worries.

        Second, it's just not reasonable to call https standard privacy practice in this case. Standard security practice is to use SSL for "sensitive" information. But it's not standard to consider name, birthdate and address sensitive. You can argue that it should be, but don't try to redefine reality by calling something standard that's not.

        • by arminw (717974)

          .....First of all, the biggest problem as far as privacy is concerned is the database being sold to other companies....

          The truth of the matter is, that in the digital age you have no privacy. Every time you do business with someone, of necessity you have to give them your personal information. In most cases that will be your true name and address, phone number and perhaps e-mail. If money is involved, most likely a credit card or bank account number will also be needed.

          As you go through life, this informati

      • by uhlume (597871)

        You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?

        That's great. How are they going to correlate that information to the other sites you use?

        It's easy to be paranoid about theoretical risks on the Internet, but often difficult to concoct practical scenarios under which they could be leveraged against you. Even assuming someone could launch a successful man in the middle attack against this site (hint: it's harder than you think), there are far easier and more effective ways for fraudsters to obtain access to accounts and data than this piecemeal approach yo

      • by uhlume (597871)

        ...and without an SSL certificate that identifies the owners to inform you where the data might really be going to.

        If you truly believe an SSL certificate does any such thing, you've been sadly (and dangerously) misled. A standard SSL cert reliably informs you only that someone with administrative access to the site to which you're currently connected (whether or not the site is the one you believe it to be) managed to obtain a certificate for that site's domain. It does nothing to verify the identity of the owners or the legitimacy of the site.

        Extended Validation (EV) certificates take this a couple of steps further by

    • by tokenturtle (765853) on Monday August 25, 2008 @09:24PM (#24746263)
      Exactly. The junk mail that's in my mailbox every day has more detailed information on the outside of the envelope. This is really a non-issue.
      • by DigitAl56K (805623) * on Monday August 25, 2008 @09:34PM (#24746361)

        If your junk mail shows your date of birth and password I'd be worried. It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

        BTW what has happened to /. tonight? If Google switched their login page to http would nobody care?

        • by mhall119 (1035984)

          I have companies sending me "Birthday discount" mailers all the time. Anybody with your first and last name, and even a vague idea of where you live, can figure out what your birthday is.

        • by CRC'99 (96526) on Monday August 25, 2008 @10:17PM (#24746757) Homepage

          It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

          Riiight - because people can easily sniff traffic at an ADSL DSLAM, wait no, at the L2TP router, wait not even there, oh - at the upstream to a Tier 1 ISP, no, not their either... So where exactly is someone going to sniff your data?

          Oh, you're talking about someone on your LAN or Wifi access point? Well then, you have bigger issues!

          Even if you're stuck on a cable node, most of the equipment I've seen filter other peoples data out via MAC of the cable modem - so you can't even sniff there...

          This being said, where would the so-called 'privacy breech' sniffing take place?

        • by ukyoCE (106879)

          You forgot to mention "AND PASSWORD" in the article summary. This is slashdot. No one reads TFA.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      you're first and last name?

      Oh c'mon - it's YOUR not you're

    • Re: (Score:3, Insightful)

      by cycleguy55 (1351277)
      Yeah, the only people that want that level of data are those involved in identity theft. Given the number of people who have had their lives turned upside down through identity theft, we should all be vigilant - including challenging any and all Web sites that don't use proper practices to protect personal information.
      • Re: (Score:3, Interesting)

        by arminw (717974)

        ... Given the number of people who have had their lives turned upside down through identity theft...

        The thing is though, that if you have your identity stolen, there has to be someone else who ultimately gives something of value to the thief, for that stolen identity. In the case of stolen credit card numbers for example, it would be a bank or merchant that gives the thief of your identity something of value. It is at this point of use, of any identity, stolen or not, that additional security could and shou

    • It's not the data, it's the context. Name, address and phone number for most people is not a problem to divulge (except for those who consider the White Pages in the phone book a threat). Name, address and phone number on a list of people who carry strategic defense codes around in a briefcase handcuffed to their wrist, however, might be.
      • by topham (32406)

        And they are using that list of names to submit for a Wii contest? geezus but security is lax these days.

  • by Anonymous Coward on Monday August 25, 2008 @09:03PM (#24746085)

    Whitehouse.com seems to have no regard for the security of web visitors.

  • Right... (Score:4, Insightful)

    by Anonymous Coward on Monday August 25, 2008 @09:04PM (#24746087)

    "XXXXX is committed to maintaining your trust by protecting personal information we collect."

    Means nothing when every website harvesting your info says that.

  • Taxcut http (Score:5, Interesting)

    by Anonymous Coward on Monday August 25, 2008 @09:08PM (#24746139)

    A few years ago I was buying a state tax program and realized that their form that asked for all my private data was an http page! I was shocked. Then I added "s" after http and it happily connected me over SSL. How many people who buy Taxcut will check the protocol and change it?

    • Re: (Score:3, Insightful)

      by rriven (737681)

      It does not matter when you fill the form. As long as when you clicked submit and it went to a https page you are safe.

      That is how all the sites that don't handle CC or SSN's do it. It reduces overhead and load time. Even gmail did until recently.

      • Re:Taxcut http (Score:5, Interesting)

        by SpottedKuh (855161) on Monday August 25, 2008 @09:42PM (#24746443)

        It does not matter when you fill the form. As long as when you clicked submit and it went to a https page you are safe.

        Now if only you had some assurance that the http-based form hadn't been MitM'ed, such that the "Submit" button no longer submits where you want it to. E.g., if the form were sent over https.

        • by Zadaz (950521)

          If a site has a HTTPS form on an HTTP page, just click "submit" with bogus information (or no info). They "error" please enter your info again" page will be HTTPS, which you can then verify the cert, etc.

          Or just try adding the "s" to all http pages. Works 9 of 10 times.

          • If a site has a HTTPS form on an HTTP page, just click "submit" with bogus information (or no info). They "error" please enter your info again" page will be HTTPS, which you can then verify the cert, etc.

            Wrong. If the http form is MitM'ed, the adversary could easily insert some malicious code into the form that would do the following: post the data to the proper https site, so everything works perfectly for the user, but also "cc" some malicious site on all the data (using http).

            If the form is compromised,

      • Re:Taxcut http (Score:4, Insightful)

        by FLEB (312391) on Monday August 25, 2008 @09:45PM (#24746479) Homepage Journal

        Actually, I've heard this discussion come up before-- generally, you want the login form SSL encrypted, as well, to verify the identity and integrity of the form. Otherwise, it leaves the possibility for phishing, poisoned DNS, or a man-in-the-middle attack that rewrites the form to submit to a malicious intermediary. (Granted, a person viewing the code could see that last one, but I know I certainly don't eagle-eye the action param on every form I submit before I hit "go".)

  • "Flash Player of 7 or above is required" on a blank page.

  • so just stick an s after the http and you're golden.

    unsure if that makes it better or worse for them though.

    • by Ash-Fox (726320)

      so just stick an s after the http and you're golden.

      Failed to Connect

      The connection was refused when attempting to contact *domain here*

      Though the site seems valid, the browser was unable to establish a connection.

      * Could the site be temporarily unavailable? Try again later.

      * Are you unable to browse other sites? Check the computer's network connection.

      * Is your computer or network protected by a firewall or proxy? I

      • by spotter (5662)

        not the duracell page, the softcoin page the duracell page takes you to, that actually contains the form. sheesh

  • Read The Fine Print (Score:2, Informative)

    by candude43 (998769)
    Or the official rules.

    Neither Sponsor nor SoftCoin are responsible for lost, late, incomplete, stolen , misdirected or illegible plays, registrations, entries, Code requests, email, postage due mail or replies to Code requests which are returned as undeliverable mail; or for any computer, telephone, satellite, cable, network, electronic or Internet hardware or software malfunctions, failures, connections, or availability, or garbled, corrupt or jumbled transmissions, service provider/Internet/website/use

    • Honestly, what are you going to do if the servers gets hacked? You can't exactly go to the hacker's computers and erase the data can you?
  • Ignorance at work (Score:3, Interesting)

    by horatio (127595) on Monday August 25, 2008 @09:38PM (#24746411)

    Many, many people that I've tried to talk to about this very thing completely don't understand encryption at the most basic level - why it matters or if they have it. My guess from past experience is that if you tried to talk to P&G about it, the people responsible would try to tell you that it didn't need encryption, because the site is on *their* servers, so the data only goes on their network, and no amount of convincing would get them to think otherwise. The site you mentioned was probably farmed out anyways.

    The state of affairs when it comes to the most basic data protection is really sad. One case was where I was applying for a job which required my SSN (a federal gov't position). The instructions were to download the form and email it. I called the number listed and explained why I wasn't going to include my SSN in an email, and they weren't mad, but they were annoyed. So you tell me a) did they wait for my app and trash it because I put "withheld for security reasons, will provide offline" (something like that) b) if the folks running the federal jobs website think it is okay to email around sensitive information (this was another one of those "your email is stored in our secure servers" things), then it must be okay, right?

    Even in the physical realm, things aren't much better. A couple of months ago, I called a local business to complain that they'd charged my creditcard a fee for canceling an appointment. (The number shouldn't be on file, I know. At the time I didn't realize that it was.) I explained to the person that when I canceled the appointment I was aware of the fee, but to send me a bill for it and I'd pay it when I got the bill. They sent me an invoice in the mail, with the charges and showing the balance was paid. I asked the guy which credit card they'd charged - and he proceeded to read off the type, entire number, and expiration date - without any authentication from me except my name and one other non-secret item, derived from the start of the conversation. I've since canceled that card, but people really don't understand.

    • Re: (Score:3, Informative)

      by Ritchie70 (860516)

      Afraid I don't understand actually.

      OK, the merchant shouldn't have your card # on file.

      But wait, actually, according to my understanding of current PCI rules, they can have it on file, so long as it's secure from hacking. Not fraud, hacking.

      Fraud = an employee steals the number or is fooled into giving it away.
      Hacking = IT security breach causes the loss.

      So if they wrote it on a piece of paper and put it in a file drawer, it's fine.

      If it's in electronic format, that's something they have to prove is secure

    • That said, the whole idea behind the bad credit card security in general is that Mastercard/Visa etc. regard it cheaper to have relatively bad security and reimburse people when accounts get mobbed, than to have a more secure setup. In general I think that's a healthy attitude if the numbers count up. Of course, we're all paying for that, but we'd also all be paying for better security. The above isn't entirely true anymore, because the design of those setups precedes the Internet and millions of credit car
  • Honestly, your date of birth, age, address, full name is worth absolutely nothing to the average person. Secondly, how many people actually run packet sniffers for malicious purposes? Not that many, then take that number and see how many really care about your address and name? Few, very few. Now, if this contained our social security number, we might be worried, but for this? It is making a mountain out of a molehill.
    • by WK2 (1072560)

      Honestly, your date of birth, age, address, full name is worth absolutely nothing to the average person.

      Your full name, DOB, age, address, CC #, SS #, Mother's maiden name, stool, blood, and hair samples are all useless to the average person. Security is mostly about protecting yourself from abnormal people (thieves, murderers, rapists, and the like).

  • by bugs2squash (1132591) on Monday August 25, 2008 @10:10PM (#24746687)
    It probably wasn't really their website you were entering your details into anyway...
  • by teh moges (875080) on Monday August 25, 2008 @10:21PM (#24746789) Homepage
    I put in some fake credentials to test it out, but unfortunately the email address asdf@asfd.com was already in use...
  • by iminplaya (723125) <iminplaya.gmail@com> on Monday August 25, 2008 @10:24PM (#24746805) Journal

    How can they maintain something they'll never have?

  • One time I went to buy a night vision scope from a website. After filling out all of the shipping/billing information except for the credit card information itself, I noticed that it wasn't a secure submittal form. I immediately....

    Accidentally hit the enter key, for which my incomplete order was submitted, no confirmation or anything.

    a month later a strange box showed up C.O.D. It was the night vision.
  • "Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect."

    Corporations, especially North American ones, tell great, honking lies all the time and get away with it. The business media are their whores, and what private individual has the time and/or money to challenge them?

    A large corporation might actually tell the truth if a lawyer told them it was the most profitable

  • by jbsooter (1222994) on Monday August 25, 2008 @10:52PM (#24747053)
    "It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST"

    If I wanted a list of names, birth dates and addresses to use for nefarious purposes I don't need to steal yours from some dinky website or sniff packets. I'd just take one of the plentiful lists of birth records on the internet like this one [rootsweb.com] then cross reference it with property tax records of the area which are more plentiful than the birth records and it'll give probable name, dob, and address combinations. A good portion of probable matches can be confirmed through freely available court records. All of that data is fairly trivial to collect in bulk (i used to collect databases, was a pretty fun hobby actually), is perfectly legal and will provide a much better profile of matches than just name/dob/addr combinations stolen from a website or data stream.

    Being that anal about your name, birth date and address is actually quite silly. Theres so much low hanging fruit as far as collecting that type of data is concerned (and you're probably already included in it) that all you really did by not continuing with that form was taking yourself out of the running for a Wii.

    The best thing you can really do is just keep close tabs on your credit report and get signed up for all the fraud alerts or freezes they offer. Thats the best place to prevent and quickly repair most identity theft. Stop being so anal about info thats almost guaranteed to be out there already, set up your defenses where they're most effective and go get your Wii.
    • by bit01 (644603)

      If I wanted a list of names, birth dates and addresses to use for nefarious purposes I don't need to steal yours from some dinky website or sniff packets.

      Many countries have much stricter privacy rules than the USA. Access to electoral rolls and birth, death and marriage information is restricted and the only realistic way to get the information is via marketing signups or fraud. Reselling of personal information obtained for a specific purpose is also restricted.

      The best thing you can really do is just

  • Stopped using SSL (Score:5, Informative)

    by Ash-Fox (726320) on Monday August 25, 2008 @10:54PM (#24747069)

    I stopped providing security on my websites when browsers made it too difficult for the average user (that I deal with) to continue using the site with a self signed certificate.

    Sure, it won't help against a man in the middle attack. But that is truly the only attack that using self signed certificates is vulnerable to. Unlike completely unencrypted content.

    If godaddy, verisign etc. didn't charge insane prices like £107 per year for a wildcard certificate for one domain, I would do actually buy the certificates needed. I already find 10USD too much for a wildcard certificate for the numerous domains I operate, so it would have to be quite a significant drop. It's not like they do any verification with the £107 certificates, they just want a credit card number.

    • by Hyppy (74366)
      You can afford the hosting costs to maintain a website, yet you're too lazy or cheap to get a certificate signed by a third party?
      • by Ash-Fox (726320)

        You can afford the hosting costs to maintain a website, yet you're too lazy or cheap to get a certificate signed by a third party?

        I can barely afford the server costs at the moment actually.

        • by Hyppy (74366)
          A signed SSL certificate can be had for as little as 15 dollars per year. That's one vente mocha latte (whipped cream and caramel, please) per 4 months.
  • by knifeyspooney (623953) on Monday August 25, 2008 @11:24PM (#24747333)

    They stopped this practice recently, but for over a year, my student loan company required me to sign up for monthly paperless statements if I wanted to pay electronically. The statements were e-mailed in the form of a PDF attachment. The e-mail body assured me my privacy was intact because the file was password protected -- by my Social Security number!

    Brilliant! If an interloper intercepted my e-mail, not only could he brute force my password with easy to find, easy to use tools (in a matter of minutes, since he knows the number of characters in it), but he'd know my SSN once he cracked it. I would have been better off with no password protection.

    When I e-mailed Sallie Mae with the above information, the representative brushed it off. It was safe, he said, as long as I opened it on a non-public computer, because my SSN was not being sent over the Internet when I typed it in.

    (The Consumerist didn't find it interesting, either.)

    • Re: (Score:2, Informative)

      by mpaulsen (240157)
      It's not hypothetical. SallieMae has sent that email to the wrong person, and it did prove to be easy to crack. In fact, your post sounds an awful lot like... http://www.ownrecognizance.com/salliemae.html [ownrecognizance.com]

      They stopped this practice recently
      Do you have any details? I'd like to see their announcement of the change.
  • slashdot (Score:5, Interesting)

    by blitzkrieg3 (995849) on Tuesday August 26, 2008 @12:12AM (#24747665)
    What about slashdot? Strangely there is no https://slashdot.org/login.pl [slashdot.org], even though here is a https://slashdot.org/my/logout [slashdot.org]. You can logout with SSL, you just can't log in with it.
    • by houghi (78078)

      /. specificaly told me to use a password that I can afford to miss. However a https would be nice. Next you know everybody is using ID #1

  • ...Cliff Stoll recognised the thing we're struggling with here. They didn't have a name for it then, but now we call it data mining.

    The problem is that your name, address, and birthday aren't that important to keep secret by themselves. Uniquely identifying you with that information isn't a big deal in isolation either, but using that identity to cross reference you as the person who entered this contest with something else you've done allows people to draw connections in your behaviour. It used to be that

What this country needs is a dime that will buy a good five-cent bagel.

Working...