Hey Daniel.
Its always tricky because you can very easily end up 6 steps into the
order process trying to explain that instead of typing "Credit Card
Number" you typed ' group by CCNum (an honest typing error?)
Of course, the fact that once you called it in, the guy at the other end
scribbled it on a piece of paper thats currently sitting on his desk
while janitorial staff walk around is another interesting side-effect
and hardly more secure..
[a] probability that someone is remotely hax0ring the database and
extracting your credentials - X %
[b] probability that someone is sniffing traffic inline and stealing
your credentials - X %
[c] probability that the person you spoke to is earning minimum wage and
knows how to use a credit card - XX %
/totally non-constructive post
/mh
Daniel wrote:
With more of my purchases being made on the web today, i'm always
concerned that the site I'm using is making use of decent security
standards.
Last night i was purchasing some art on line and when it came to the
payment section, the whole thing was iffy and didn't seem right. Even
on the most basic input field, there was no validation being performed
(yes i added a back tick, and even though some might find this wrong,
i would like to know that my banking details are being handled in
accordance with UK data protection laws)
I didn't go any further and decided to phone in my order via the phone.
Does anyone else do this?
I know that it opens up a whole can of worms regarding acceptable
usage of the site, and it would be interesting to see what other
people think.
Daniel
--
======================================================================
Haroon Meer MH
SensePost Information Security +27 83786 6637
PGP : http://www.sensepost.com/pgp/haroon.txt haroon@sensepost.com
======================================================================
