Time to show sloppy websites the red card

You can't get away with poor payment security in 2019, no matter how small your business

It's fair to say that I'm a fairly impatient person and that I wouldn't survive long under a stress test. But I don't think it's at all unreasonable for my patience to have snapped with business owners who take a cavalier attitude to my personal data.

To be clear, I'm not talking about the giant corporations that seemingly work on a rota to hand out my usernames and passwords to anyone attacking them with something stronger than a Commodore 64. They felt the weight of my disdain years ago. I'm talking about small business owners who still display infuriating levels of incompetence when it comes to taking care of sensitive data.

Advertisement - Article continues below

My trigger-happy temper was prodded recently when I tried to hire a piece of medical equipment for the football club I work with. This piece of equipment is made by a small UK firm and it's pretty much the sole distributor in this country.

The signs weren't great when I arrived at the company's website: it looked like it had last been updated in the Britpop era. The site was about 800 pixels wide and 400 pixels deep, doubtless designed to accommodate the limited resolution screens of yesteryear, but now looking like a piece of conceptual art.

Advertisement
Advertisement - Article continues below

I wanted to check if the company had a machine in stock and, having judged that a site designed for Netscape Navigator was unlikely to have a live stock ordering system, I rang the phone line. They've got one, the sales assistant told me, but if I wanted to hire it I had to fill out the form on the website.

Advertisement - Article continues below

It was at this point I began to wonder if I might need some medical treatment myself, because what I found on that website wasn't an encrypted web form ready to take and process my order, but a flat PDF download. The company wants its customers to fill in their personal details (full name, address, date of birth, email, mobile number) and payment details (card number, expiry date, even the three-digit security code), then scan it in and either fax(!) or email the form back to them. If you were tasked with inventing a payment system with the maximum possible chance of data theft, you'd be hard pressed to come up with a better one.

I rang the company back, uttering the despicable phrase "I'm an IT journalist" and advised them their ordering system was about as secure as Nigel Farage's chances of becoming president of the EU. The agent asked me to email my concerns to the managing director, who ten minutes later replied with: "If you cannot send the form back via a secure encrypted service then feel free to send all other details and someone from the office will call for payment details."

Advertisement - Article continues below

I tried explaining to Tim Berners-Lee's long-lost brother that I couldn't just encrypt an email and bang it off to them, without some prior sharing of encryption keys -- and, anyway, that's not what his order form was inviting customers to do. It just told them to email the form to a regular email address.

Advertisement
Advertisement - Article continues below

At this point, matey clearly Googles "email encryption", takes a note of the first result he can find and replies: "If you're not comfortable sending the completed form back via Egress or a similar secure file sharing service someone from the office can call and take card details," before adding: "We never ask for full card details to be sent via normal email."

Would you give your credit card details to a company that thinks it's fine for customers to just email them unencrypted scanned forms with all the details required for a spot of ID theft? Even if the sales assistant in the office will take the card details over the phone, what's to say they're not jotting them down on a paper form themselves? It's not as if the company has the first clue about data security in the place.

Advertisement - Article continues below

Desperate to get the equipment, I even offered to send the hire money via direct bank transfer, but the MD wasn't having it. The machine was worth 3,000 and he needed our credit card number on record in case we ran off with it. I pointed out we weren't the security risk and left him to it. A fortnight later, that insecure form is still on the firm's website.

I dithered over naming the company here -- and another one with the exact same form that also hires out these machines in the UK. But you're smart enough not to deal with such firms in the first place, and I don't want to give hackers the easiest of targets. Not because the firm deserves to be protected, but its customers don't deserve to have their cards stolen.

Yet, I'm miffed that companies still carelessly jeopardise people's security. Ten years ago, you might have forgiven a small business for basic e-security lapses, but not today. We shouldn't have to wait until data leaks occur before firms can be prosecuted. They should be prosecuted if they're doing something that blatantly puts customers at risk, or the nonchalance will never stop.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020
Visit/security/vulnerability/355276/businesses-brace-for-second-fujiwhara-effect-of-2020-as-patch-tuesday
vulnerability

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355781/microsoft-confirms-further-issues-with-troublesome
Microsoft Windows

Microsoft's latest Windows 10 update is causing yet more issues

26 May 2020
Visit/mobile/5g/355712/nokia-5g-speed-record
5G

Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020