Thursday, 19 November 2009

Credit Card Safety

This month's Which? magazine has an article about credit card safety online (November 2009, page 23). It correctly asserts that if you buy from a company that goes under, paying by credit card almost guarantees that you can get your money back. For completeness, it ranks online payment methods as follows:
  1. Credit Card (least risky)
  2. Visa Debit
  3. PayPal
  4. Maestro (most risky)
The problem is that the article seems solely focussed on the perils of paying for goods that then fail to be delivered (whether by dealing with a dodgy company, or that company folding). It completely overlooks the safety of your credit card information and the likelihood of someone stealing it. Now it may well be that you can get your money back when your card details are stolen and you just have to wait for another card to be sent to you by the bank - but I'd prefer to stop that happening, wouldn't you?

So what's the problem?

When you work for an ISP for a significant period of time, you get a good handle on the bad practices employed by rouge website developers. By that I don't just mean little one-man-band amateur operations (some of which are fine, by the way) - but some fairly large brand names to boot. To cut a long story short - they're not protecting your card information as they should.

On eCommerce sites on the Internet I have seen (in no particular order):
  • Many sites which keep your credit card details in plain-text in their database (imagine just keeping a large document with everyone's card information on it)
  • Sites which e-mail your credit card details without encrypting them (it's trivial to read other people's e-mail if you know how)
  • Sites which keep the security code as well as your credit card number (in clear breach of credit card guidelines)
Now, in a lot of these cases the physical 'shop' that owns the website will download orders (or have them e-mailed) in plain text. If this wasn't bad enough, the database used to store your data is fairly likely to be directly internet-accessible (either by connecting to the MSSQL/MySQL database, over FTP, or sometimes even in the home directory of the website).

Larger companies who own their own infrastructure and know what they're doing keep their databases behind a firewall, but the standard set-up for sites provided by a shared web-hosting company is to allow database connectivity from anywhere over the internet - a veritable honeypot for those who enjoy less legitimate forms of income.

Even if the company has encrypted their credit card information, you can't be sure that they've made the encryption key hard to reach for a hacker. If the website has been hacked, and the website is the thing that encrypts the information stored in the company database, you can bet the hacker will have little trouble putting two and two together.

So what should I do?

I would strongly advise use of payment systems such as PayPal or Google Checkout. These systems take your credit card information and do NOT share it with the website you're trading with. The website has no opportunity to misuse your card information as it's never privvy to it in the first place.

Remember the good old days when shops used to print out credit-card receipts with the full card number on them? Dealing with a lot of smaller online retailers can be similar, but the receipt is stored in a little box that's left on public display.

Limit the number of eCommerce sites that know your credit card information - especially the smaller ones that probably can't afford their own infrastructure. If they offer PayPal or Google Checkout, use them - they save time, and reduce the number of places where your credit card information could be compromised.

3-D Secure

3-D Secure is the little password box that has started popping up when you pay for items online using certain types of credit cards (also called SecureCode by MasterCard). This is much safer than a standard card transaction as the password is sent straight to the bank, not to the retailer - so there's no chance of the retailer storing this value inappropriately.

However, until cards can ONLY be used with 3-D Secure, the rest of the card information could still be used for a card-holder-not-present transaction by a naughty person. There have also been reported phishing attempts pretending to show the bank's 3-D Secure password box. This cuts out the middleman and sends your password straight to the ne'er-do-wells.

It's a minefield!

In summary, I believe you're better off with PayPal or Google Checkout than risking your card details becoming compromised and having to spend time getting your card replaced (if you even spot the problem!)

Then all you've got to take care of is ensuring you don't fall for phishing scams trying to get hold of your PayPal or Google passwords. You do make sure that you use different passwords for your online services, don't you?

Take care,

No comments:

Post a Comment