Thursday, 19 November 2009

Credit Card Safety

This month's Which? magazine has an article about credit card safety online (November 2009, page 23). It correctly asserts that if you buy from a company that goes under, paying by credit card almost guarantees that you can get your money back. For completeness, it ranks online payment methods as follows:
  1. Credit Card (least risky)
  2. Visa Debit
  3. PayPal
  4. Maestro (most risky)
The problem is that the article seems solely focussed on the perils of paying for goods that then fail to be delivered (whether by dealing with a dodgy company, or that company folding). It completely overlooks the safety of your credit card information and the likelihood of someone stealing it. Now it may well be that you can get your money back when your card details are stolen and you just have to wait for another card to be sent to you by the bank - but I'd prefer to stop that happening, wouldn't you?

So what's the problem?

When you work for an ISP for a significant period of time, you get a good handle on the bad practices employed by rogue website developers. By that I don't just mean little one-man-band amateur operations (some of which are fine, by the way) - but some fairly large brand names to boot. To cut a long story short - they're not protecting your card information as they should.

On eCommerce sites on the Internet I have seen (in no particular order):
  • Many sites which keep your credit card details in plain-text in their database (imagine just keeping a large document with everyone's card information on it)
  • Sites which e-mail your credit card details without encrypting them (it's trivial to read other people's e-mail if you know how)
  • Sites which keep the security code as well as your credit card number (in clear breach of credit card guidelines)
Now, in a lot of these cases the physical 'shop' that owns the website will download orders (or have them e-mailed) in plain text. If this wasn't bad enough, the database used to store your data is fairly likely to be directly internet-accessible (either by connecting to the MSSQL/MySQL database, over FTP, or sometimes even in the home directory of the website).

Larger companies who own their own infrastructure and know what they're doing keep their databases behind a firewall, but the standard set-up for sites provided by a shared web-hosting company is to allow database connectivity from anywhere over the internet - a veritable honeypot for those who enjoy less legitimate forms of income.

Even if the company has encrypted their credit card information, you can't be sure that they've made the encryption key hard to reach for a hacker. If the website has been hacked, and the website is the thing that encrypts the information stored in the company database, you can bet the hacker will have little trouble putting two and two together.

So what should I do?

I would strongly advise use of payment systems such as PayPal or Google Checkout. These systems take your credit card information and do NOT share it with the website you're trading with. The website has no opportunity to misuse your card information as it's never privy to it in the first place.

Remember the good old days when shops used to print out credit-card receipts with the full card number on them? Dealing with a lot of smaller online retailers can be similar, but the receipt is stored in a little box that's left on public display.

Limit the number of eCommerce sites that know your credit card information - especially the smaller ones that probably can't afford their own infrastructure. If they offer PayPal or Google Checkout, use them - they save time, and reduce the number of places where your credit card information could be compromised.

3-D Secure

3-D Secure is the little password box that has started popping up when you pay for items online using certain types of credit cards (also called SecureCode by MasterCard). This is much safer than a standard card transaction as the password is sent straight to the bank, not to the retailer - so there's no chance of the retailer storing this value inappropriately.

However, until cards can ONLY be used with 3-D Secure, the rest of the card information could still be used for a card-holder-not-present transaction by a naughty person. There have also been reported phishing attempts pretending to show the bank's 3-D Secure password box. This cuts out the middleman and sends your password straight to the ne'er-do-wells.

It's a minefield!

In summary, I believe you're better off with PayPal or Google Checkout than risking your card details becoming compromised and having to spend time getting your card replaced (if you even spot the problem!)

Then all you've got to take care of is ensuring you don't fall for phishing scams trying to get hold of your PayPal or Google passwords. You do make sure that you use different passwords for your online services, don't you?

Take care,

What does "The Cloud" mean?

Every now and again our industry seems to invent a new buzz word to describe something that's been around for a while. A few years ago we had "Web 2.0" but now we're approaching the end of the decade so we need another one. To fill this void we've been given "The Cloud."

Suddenly we see lots of companies that have been picking up good trade in the web hosting industry desperately talking about their "Cloud Strategies" as if Cloud is some kind of defined resource that can be monetised in the same way we sell web hosting.

The problem isn't so much the term 'Cloud' - it's more that on its own it could mean pretty much anything. Do these companies mean:
  • Producing a cloud platform for others to host their own websites / web-apps etc. - akin to Amazon's EC2 platform, or Rackspace's equivalent?
  • A completely proprietary hosted language interpreter with some special scalable back-end database (Google AppEngine)
  • Hosting their own (or partner) applications on their own infrastructure (what we used to call Software as a Service "SaaS", or simply just "websites"!)
  • Some other meteorological phenomenon?
In a nutshell, it seems that anything that's "On the Internet" rather than "In House" can now be referred to as "In the Cloud". Indeed, the term is allegedly based on the cloud-shaped symbol used to represent the Internet on network architecture diagrams.

I may be being naive here, but isn't Amazon's EC2 platform basically a provision-on-demand and bill-by-the-hour VPS system? Is it really that much of a paradigm shift? The big innovation that seems to make this into a 'cloud' is the API which allows customers to provision server capacity on demand - but is this enough to warrant a completely new term? If I take a current VPS system (e.g. SliceHost) and slap an API onto the front which allows me to provision new VPS instances automatically and instantly, is that now a cloud offering or is there more to it?

Maybe it's the ability to dynamically route IPs to these VPS instances which makes this such a quantum shift from our existing VPS solutions? How much do I need to do before my system warrants Cumulonimbus or Stratus status?

Which of the following do I need?
  • Virtualization
  • PAYG billing
  • API for provisioning
  • High Availability (i.e. fail-over)
  • Auto-scaling
As for SaaS "Cloud" applications; they're just websites aren't they? Or are they? Like so many people I've spoken to, other assumptions are made about Cloud offerings. There is a widespread assumption that a certain level of redundancy and clever load-balancing technology is required before you can consider your system a 'cloud solution'.

Swissdisk suffers spectacular cloud snafu

"Attention SwissDisk Users, We regret to inform you that due to an unplanned and unforeseen catastrophic hardware failure caused by multiple simultaneous events the engineering staff was unable to restore the SwissDisk file server to it's previous status."

Now I'm sorry, but it's easy to imagine what's happened here - they didn't have adequate redundancy and the whole thing went wrong. This is not what I expect of a 'cloud' service - but it's what we'll see reported more and more as companies trust their data to 3rd parties with no track record.

Ultimately, it's usually impossible for a customer to assess quite how resilient a cloud service is. Is the service company surviving on luck or a combination of good judgement and investment?

"Please note, due to the unplanned outage all accounts will be required to re-register."

So SwissDisk lost their company database at the same time as their customers' files? Was the whole company hosted on a single server? Not so 'cloudy' now, is it?

So what does all this mean for us in the industry? Does the industry need some kind of seal of approval for the practices employed and the level of redundancy afforded?

If I could offer one bit of advice - if you're using "cloud services" make sure you:
  1. Can get hold of your data
  2. Back it up regularly
  3. Understand the security safeguards that are in place to protect your data
  4. Wear a parachute

Welcome to my blog

Hi everyone, my name's Robert Blatchford, and I hope to use this blog to tell you all about my views on the hosting industry from the inside. I have worked in the industry for over a decade as both a software developer and support manager and hope that my experiences can help you in some way.