Hi
We have set up an online store for a customer of ours using Actinic. They are receiving questions about the security of Actinic, and we were wondering if anyone could help clear up a few points for us. Below is a copy of the emails that have been sent:
============
> Hello,
>
> I would like to order this book from you.
> The http://www.cordee.co.uk/securesite.htm page states that:
>
> Here at Cordee we feel that our customers' security is of the utmost
> importance. Our on-line shop features 128 bit encryption, ensuring the
> highest degree of security, allowing you to shop without any worries.
>
> Despite this I found that the order form uses no HTTPS or other sort of
> encryption during transmission of the credit card number. It uses a
> simple HTTP post, so all data submitted can be intercepted using simple
> network tools.
> May I ask you what kind of encryption your on-line shop uses, or how one
> can securely submit the sensitive information using the current system?
>
> Thank you in advance!
>
> Regards,
> Peter
>
> Dear customer,
>
> Regarding the security of our website, we can assure you that everything
> is at its best. We have attached a copy of our webmaster's comment on the
> choice of security system:
>
> 'Re actinic, this is the text on the actinic site
>
> Is Actinic software secure?
> Yes. Actinic Catalog and Actinic Business both use 128-bit encryption to
> safely encrypt credit card information. This means that only the
> purchaser and vendor can read customers' credit card information. The
> vendor can process the credit card numbers in the normal way.
>
> Barclays Bank, HSBC and the Royal Bank of Scotland approve Actinic
> software for their merchants to use.'
>
>
> KATRIN FISCHER
Dear Katrin,
First of all, sorry for my mistrust, but I work in the IT business, and
although security is not my focus, I have some experience in this field too.

Actinic software may be secure, but it is not at random that all the example
sites referred to on the Actinic page
(http://www.actinic.co.uk/examples/index.htm; I checked, for example,
Shop At Digital, The Cake Store, Johnsons Seeds, Simply Superb Gifts, Toys
Express etc.) use HTTPS in the step where credit card data is transferred.
It is not because of a limitation of the Actinic software, it is a
limitation of the HTTP protocol itself (I know from my practice that the
most secure system can be implemented so that it is not secure at all).

Just make a little test with a network sniffing tool available on the net,
and you will see that the form data is transmitted without any encryption.

You wrote that you know of no documented cases of credit card fraud using
your shopping system over the Internet; that may be true, but I currently
feel it is more due to luck or the goodwill of hackers than to the security
of the system.

I may be wrong, but it would be reassuring for me to know how the system
guarantees the encryption.
I can imagine the following options:
- HTTPS, the standard encryption method on the web: the form is not posted
using HTTPS, instead it uses HTTP.
- Using Java applets to encode form data: I found no applet on the page.
- Some JavaScript tricks when making the post (for example, in the OnSubmit
event handler): although there are some JavaScript blocks (including
actiniccore.js and actinicextras.js), a meta tag called ActinicKey (with some
hexadecimal value, like a hash) and some hidden fields on the form with
random numbers, there is no code that encrypts the data.
The Actinic security white paper (attached to the mail) states that:

"Actinic allows orders to be placed and sent over the Internet. Encryption
can be disabled for non-sensitive orders, e.g. requests for further
information about a house advertised for sale. If encryption is enabled, it
can happen in one of two ways: using SSL or using a Java applet. An
alternative is where all secure payment information is collected by a
payment service provider such as NetBanx, Authorize.net, WorldPay, Secure
Trading or SECPay. In this case, the security is provided by these
companies. This particular option will not be considered further in this
paper."
On the credit card data page there is no Java applet, no HTTPS and no
third-party service, so I could not imagine how the encryption works. Maybe
it is disabled (e.g. as for non-sensitive orders)?

Please reassure me with a more technical answer than the quote from the
Actinic Product FAQ, as I would really like to do my shopping, but at the
moment it feels like Russian roulette.
Regards,
Peter Holpar
==========================
Apologies for the length. If you could have a read through for us and maybe give us something that we would be able to go back to the customer with, it would be most appreciated.
Many thanks
Martin.
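The check Peter describes doing by hand (is the card form posted over HTTPS, is there an applet, is there an onsubmit handler that might encrypt anything) can be scripted against the checkout page's HTML. The following is an added example written for this page; it is not code from the mailing-list post, from Actinic or from any of the sites named in the thread. The sample page is constructed to mimic only the features the thread mentions (two script includes, an ActinicKey meta tag, hidden fields with random-looking numbers, a form posting to a plain-HTTP CGI); the field names, the host and the hex value are assumptions, and the CARD_HINTS list is a heuristic, not anything Actinic defines.

```python
"""Check whether an order form would send card data over plain HTTP.

Added example, not from the original post or from Actinic. It inspects
page HTML only, so it runs offline; a page that rewrites the form action
from JavaScript would need a browser-level check as well.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that mark a field as carrying card data (an assumption).
CARD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir")


class FormAuditor(HTMLParser):
    """Collect forms, their inputs, and page-level hints (applets, meta tags)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._form = None
        self.applets = 0
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A relative action inherits the page's scheme, so resolve it.
            self._form = {
                "action": urljoin(self.page_url, a.get("action", "")),
                "method": (a.get("method") or "get").lower(),
                "onsubmit": bool(a.get("onsubmit")),
                "fields": [],
            }
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(
                {"name": a.get("name", ""), "type": (a.get("type") or "text").lower()})
        elif tag in ("applet", "object", "embed"):
            self.applets += 1
        elif tag == "meta" and a.get("name"):
            self.meta[a["name"]] = a.get("content", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit(html, page_url):
    """Return one finding per form that collects card-like fields."""
    p = FormAuditor(page_url)
    p.feed(html)
    p.close()
    findings = []
    for f in p.forms:
        card = [x["name"] for x in f["fields"]
                if any(h in x["name"].lower() for h in CARD_HINTS)]
        if not card:
            continue
        findings.append({
            "action": f["action"],
            "https": urlsplit(f["action"]).scheme == "https",
            "method": f["method"],
            "card_fields": card,
            "hidden_fields": [x["name"] for x in f["fields"] if x["type"] == "hidden"],
            "onsubmit": f["onsubmit"],
            "applet_on_page": p.applets > 0,
            "meta": p.meta,
        })
    return findings


def verdict(finding):
    """One line a merchant can act on."""
    if finding["https"]:
        return "OK: card fields %s are posted to %s over HTTPS" % (
            finding["card_fields"], finding["action"])
    hints = []
    if finding["onsubmit"]:
        hints.append("an onsubmit handler")
    if finding["applet_on_page"]:
        hints.append("an applet")
    extra = " (page has %s, verify what it does)" % " and ".join(hints) if hints else ""
    return "FAIL: card fields %s are posted to %s in the clear%s" % (
        finding["card_fields"], finding["action"], extra)


# Constructed sample, modelled on the page described in the thread.
# Host, field names and the meta value are made up for this example.
SAMPLE_PAGE_URL = "http://shop.example.invalid/cgi-bin/order.pl"
SAMPLE_HTML = """<html><head>
<meta name="ActinicKey" content="0123456789abcdef0123456789abcdef">
<script src="actiniccore.js"></script><script src="actinicextras.js"></script>
</head><body>
<form method="post" action="/cgi-bin/order.pl">
<input type="hidden" name="SEQUENCE" value="7271903">
<input type="hidden" name="RANDOM" value="540917">
Card number: <input type="text" name="CARDNUMBER">
Expiry: <input type="text" name="EXPIRY">
<input type="submit" value="Place order">
</form></body></html>"""

# The same page with the form action switched to HTTPS, the usual fix.
FIXED_HTML = SAMPLE_HTML.replace(
    'action="/cgi-bin/order.pl"',
    'action="https://shop.example.invalid/cgi-bin/order.pl"')

if __name__ == "__main__":
    for html in (SAMPLE_HTML, FIXED_HTML):
        for f in audit(html, SAMPLE_PAGE_URL):
            print(verdict(f))
```

Run against the constructed page it reports the card fields as posted in the clear, and after the action is changed to an https:// URL it reports OK. The hidden fields and the ActinicKey meta tag are collected but do not change the verdict: neither is evidence of encryption, which is exactly the point Peter makes about them. A passing result here only says the browser will use TLS for the post; whether the certificate is valid and what happens to the card number on the server are separate questions.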