E-Commerce Security: Only Credit Card Fields Encrypted?!
Posted
by bizarreunprofessionalanddangerous
on Stack Overflow
See other posts from Stack Overflow
or by bizarreunprofessionalanddangerous
Published on 2010-05-20T10:48:24Z
Indexed on
2010/05/20
10:50 UTC
Read the original article
Hit count: 318
e-commerce
|security
I'd like your opinions on how a major bricks-and-mortar company is running the security for its shopping Web site.
After a recent update, when you are logged into your shopping account, the session is now not secured. No 'https', no browser 'lock'. All the personal contact info, shopping history -- and if I'm not mistaken submit and change password -- are being sent unencrypted.
There is a small frame around the credit card fields that is https.
There's a little notice:
"Our website is secure. Our website uses frames and because of this the secure icon will not appear in your browser"
On top of this the most prominent login fields for the site are broken, and haven't gotten fixed for a week or longer (giving the distinct impression they have no clue what's going on and can't be trusted with anything).
Now is it just me -- or is this simply incomprehensible for a billion dollar company, significant shopping site, in the year 2010. No lock. "We use frames" (maybe they forget "Best viewed in IE4"). Customers complaining, as you can see from their FAQ "explaining" why you aren't seeing https.
I'm getting nowhere trying to convince customer service that they REALLY need to do something about this, and am about to head for the CEO. But I just want to make sure this is as BIZARRE and unprofessional and dangerous a situation as I think it is.
(I'm trying to visualize what their Web technical team consists of. I'm getting A) some customer service reps who were given a 3 hour training course on Web site maintenance, B) a 14 year old boy in his bedroom masquerading as a major technical services company, C) a guy in a hut in a jungle with an e-commerce book from 1996.)
© Stack Overflow or respective owner