The title of this quick post says all… evenmore in the security field! This story has been reported by a friend of mine. His wife would like to dispute a transaction made with her credit card. Never a funny story but it may always happen! (my own card was also compromized two years ago even if I use it always very carefully). She called the help desk of the card provider and was redirected to a nice website called “www.macarte.be“. Here again, that’s a classic process, companies tend to simplify procedures and to ask the customer to help himself.
Basically, the website contains a lot of useful information about payment cards. You could see it as a big “FAQ“. The website also give some tips to use your cards in a safe way. That’s important, security is crucial in the payment card industry! Of course, they give warnings about transactions on the Internet:
For my readers who do not understand French, they give here the classic advice:
“A safe website can be identified by the small closed lock displayed by Microsoft Internet Explorer or a key displayed by Netscape Communicator in the lower-left corner. The URL has also an extra letter ‘s’ and looks like ‘https://www…”
(Note to the webmaster: Netscape Communicator is considered as dead for years…)
As you, infosec professionals, I know that this small lock or key does not mean nothing but for Mr John Doe (or my parents), it’s an easy way to identify a “safe” website. For me, the problem is the following: On the same website, people are able to fill a form to complain about a suspicious transaction. They are asked to give for a huge amount of information:
And guess what? The website is running in full HTTP! Innocently, I tried manually to connect via SSL by adding the magic small “S” (just in case they forgot to implement a redirect), no luck! Is it not worth the price of a SSL certificate? GoDaddy.com, 3.89€/y!