The Cobbler’s Children Go Barefoot Also in Security

Open lockThe title of this quick post says all… evenmore in the security field! This story has been reported by a friend of mine. His wife would like to dispute a transaction made with her credit card. Never a funny story but it may always happen! (my own card was also compromized two years ago even if I use it always very carefully). She called the help desk of the card provider and was redirected to a nice website called “www.macarte.be“. Here again, that’s a classic process, companies tend to simplify procedures and to ask the customer to help himself.

Basically, the website contains a lot of useful information about payment cards. You could see it as a big “FAQ“. The website also give some tips to use your cards in a safe way. That’s important, security is crucial in the payment card industry! Of course, they give warnings about transactions on the Internet:

Screenshot
(Click to enlarge)

For my readers who do not understand French, they give here the classic advice:

“A safe website can be identified by the small closed lock displayed by Microsoft Internet Explorer or a key displayed by Netscape Communicator in the lower-left corner. The URL has also an extra letter ‘s’ and looks like ‘https://www…”

(Note to the webmaster: Netscape Communicator is considered as dead for years…)

As you, infosec professionals, I know that this small lock or key does not mean nothing but for Mr John Doe (or my parents), it’s an easy way to identify a “safe” website. For me, the problem is the following: On the same website, people are able to fill a form to complain about a suspicious transaction. They are asked to give for a huge amount of information:

Form
(Click to enlarge)

And guess what? The website is running in full HTTP! Innocently, I tried manually to connect via SSL by adding the magic small “S” (just in case they forgot to implement a redirect), no luck! Is it not worth the price of a SSL certificate? GoDaddy.com, 3.89€/y!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.