Time to show sloppy websites the red card

You can't get away with poor payment security in 2019, no matter how small your business

It's fair to say that I'm a fairly impatient person and that I wouldn't survive long under a stress test. But I don't think it's at all unreasonable for my patience to have snapped with business owners who take a cavalier attitude to my personal data.

To be clear, I'm not talking about the giant corporations that seemingly work on a rota to hand out my usernames and passwords to anyone attacking them with something stronger than a Commodore 64. They felt the weight of my disdain years ago. I'm talking about small business owners who still display infuriating levels of incompetence when it comes to taking care of sensitive data.

My trigger-happy temper was prodded recently when I tried to hire a piece of medical equipment for the football club I work with. This piece of equipment is made by a small UK firm and it's pretty much the sole distributor in this country.

The signs weren't great when I arrived at the company's website: it looked like it had last been updated in the Britpop era. The site was about 800 pixels wide and 400 pixels deep, doubtless designed to accommodate the limited resolution screens of yesteryear, but now looking like a piece of conceptual art.

I wanted to check if the company had a machine in stock and, having judged that a site designed for Netscape Navigator was unlikely to have a live stock ordering system, I rang the phone line. They've got one, the sales assistant told me, but if I wanted to hire it I had to fill out the form on the website.

It was at this point I began to wonder if I might need some medical treatment myself, because what I found on that website wasn't an encrypted web form ready to take and process my order, but a flat PDF download. The company wants its customers to fill in their personal details (full name, address, date of birth, email, mobile number) and payment details (card number, expiry date, even the three-digit security code), then scan it in and either fax(!) or email the form back to them. If you were tasked with inventing a payment system with the maximum possible chance of data theft, you'd be hard pressed to come up with a better one.

I rang the company back, uttering the despicable phrase "I'm an IT journalist" and advised them their ordering system was about as secure as Nigel Farage's chances of becoming president of the EU. The agent asked me to email my concerns to the managing director, who ten minutes later replied with: "If you cannot send the form back via a secure encrypted service then feel free to send all other details and someone from the office will call for payment details."

I tried explaining to Tim Berners-Lee's long-lost brother that I couldn't just encrypt an email and bang it off to them, without some prior sharing of encryption keys -- and, anyway, that's not what his order form was inviting customers to do. It just told them to email the form to a regular email address.

At this point, matey clearly Googles "email encryption", takes a note of the first result he can find and replies: "If you're not comfortable sending the completed form back via Egress or a similar secure file sharing service someone from the office can call and take card details," before adding: "We never ask for full card details to be sent via normal email."

Would you give your credit card details to a company that thinks it's fine for customers to just email them unencrypted scanned forms with all the details required for a spot of ID theft? Even if the sales assistant in the office will take the card details over the phone, what's to say they're not jotting them down on a paper form themselves? It's not as if the company has the first clue about data security in the place.

Desperate to get the equipment, I even offered to send the hire money via direct bank transfer, but the MD wasn't having it. The machine was worth 3,000 and he needed our credit card number on record in case we ran off with it. I pointed out we weren't the security risk and left him to it. A fortnight later, that insecure form is still on the firm's website.

I dithered over naming the company here -- and another one with the exact same form that also hires out these machines in the UK. But you're smart enough not to deal with such firms in the first place, and I don't want to give hackers the easiest of targets. Not because the firm deserves to be protected, but its customers don't deserve to have their cards stolen.

Yet, I'm miffed that companies still carelessly jeopardise people's security. Ten years ago, you might have forgiven a small business for basic e-security lapses, but not today. We shouldn't have to wait until data leaks occur before firms can be prosecuted. They should be prosecuted if they're doing something that blatantly puts customers at risk, or the nonchalance will never stop.