    actinic security questions from a customer

    Hi

    We have set up an online store for a customer of ours using Actinic. They are receiving questions about the security of Actinic and were wondering if anyone could help clear up a few points for us. Below is a copy of the emails that have been sent:

    ============

    > Hello,
    >
    > I would like to order this book from you.
    > The http://www.cordee.co.uk/securesite.htm page states that:
    >
    > "Here at Cordee we feel that our customers' security is of the utmost
    > importance. Our on-line shop features 128 bit encryption, ensuring the
    > highest degree of security, allowing you to shop without any worries."
    >
    > Despite this I found that the order form uses no HTTPS or other sort of
    > encryption during transmission of the credit card number. It uses a simple
    > HTTP POST, so all data submitted can be intercepted using simple network
    > tools.
    > May I ask what kind of encryption your on-line shop uses, or how one can
    > securely submit the sensitive information using the current system?
    >
    > Thank you in advance!
    >
    > Regards,
    > Peter


    > Dear customer,
    >
    > Regarding the security of our website, we can assure you that everything
    > is at its best. We have attached a copy of our webmaster's comment on the
    > choice of security system:
    >
    > 'Re Actinic, this is the text on the Actinic site:
    >
    > Is Actinic software secure?
    > Yes. Actinic Catalog and Actinic Business both use 128-bit encryption to
    > safely encrypt credit card information. This means that only the purchaser
    > and vendor can read customers' credit card information. The vendor can
    > process the credit card numbers in the normal way.
    >
    > Barclays Bank, HSBC and the Royal Bank of Scotland approve Actinic software
    > for their merchants to use.'
    >
    >
    > KATRIN FISCHER



    Dear Katrin,

    First of all, sorry for my mistrust, but I work in the IT business, and
    although security is not my focus, I have some experience in this field too.
    Actinic software may be secure, but it is not by chance that all the Example
    Sites referred to on the Actinic page
    (http://www.actinic.co.uk/examples/index.htm; I checked, for example,
    Shop At Digital, The Cake Store, Johnsons Seeds, Simply Superb Gifts, Toys
    Express etc.) use HTTPS in the step where credit card data is transferred.
    This is not because of a limitation of the Actinic software; it is a
    limitation of the HTTP protocol itself (I know from experience that even the
    most secure system can be implemented so as not to be secure at all).
    Just make a little test with a network sniffing tool available on the net,
    and you will see that the form data is transmitted without any encryption.

    You wrote that you know of no documented cases of credit card fraud using
    your shopping system over the Internet. That may be true, but I currently
    feel it is more down to luck or the goodwill of hackers than to the security
    of the system.

    I may be wrong, but it would be reassuring to know how the system guarantees
    the encryption. I can imagine the following options:
    - HTTPS, the standard encryption method on the web: the form is not posted
    using HTTPS; instead it uses HTTP.
    - Using Java applets to encode form data: I found no applet on the page.
    - Some JavaScript tricks when making the post (for example, in the OnSubmit
    event handler): although there is a JavaScript block (including
    actiniccore.js and actinicextras.js), a meta tag called ActinicKey (with some
    hexadecimal value, like a hash) and some hidden fields on the form with
    random numbers, there is no code that encrypts the data.

    The Actinic security white paper (attached to the mail) states that:
    "Actinic allows orders to be placed and sent over the Internet. Encryption
    can be disabled for non-sensitive orders, eg requests for further information
    about a house advertised for sale. If encryption is enabled, it can happen in
    one of two ways: using SSL or using a Java Applet. An alternative is where
    all secure payment information is collected by a payment service provider
    such as NetBanx, Authorize.net, WorldPay, Secure Trading or SECPay. In this
    case, the security is provided by these companies. This particular option
    will not be considered further in this paper."

    On the credit card data page there is no Java applet, no HTTPS and no
    third-party service, so I cannot imagine how the encryption works. Maybe it
    is disabled (e.g. non-sensitive orders)?

    Please reassure me with a more technical answer than the quote from the
    Actinic Product FAQ, as I would really like to do my shopping, but at the
    moment it feels like Russian roulette.

    Regards,
    Peter Holpar

    ==========================

    Apologies for the length. If you could have a read through for us and maybe give us something that we would be able to go back to the customer with, it would be most appreciated.

    Many thanks

    Martin.

    #2
    Martin,

    I'm assuming you've set it up using the 'capture credit card details for later processing' option in which case the question you need to answer is how did you configure it?

    There are three options:

    1. 'Standard SSL or unencrypted (depending on whether SSL is enabled)'

    2. Shared SSL

    3. Actinic Inbuilt encryption (java Applet)

    It sounds to me like you might have selected the first but not enabled SSL.

    Mike
    -----------------------------------------

    First Tackle - Fly Fishing and Game Angling

    -----------------------------------------



      #3
      I just had a quick look at your website http://www.cordee.co.uk/ and it appears you do not have an SSL cert for your domain. Normally you can type https://www.cordee.co.uk/ and it will still show the webpage if the certificate has been installed.
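      The inspection Peter describes doing by hand (checking the form's action scheme, looking for an applet, the ActinicKey meta tag and the hidden fields) and the "try https://" test suggested in this post, as an added example. It is not code from this thread or from Actinic. The page URL, HTML and field names below are constructed for illustration and are not Actinic's real form layout; the live TLS check needs network access and only runs when a host is given on the command line.

```python
"""Static audit of a checkout page: does the card form post over HTTPS?
Added example, not Actinic's code. Automates Peter's manual inspection
(form action scheme, <applet>, ActinicKey meta tag, hidden fields) plus
post #3's 'does https:// answer?' check. URLs and field names are assumed."""
import socket
import ssl
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings marking a card-data field (assumed names, not Actinic's real ones).
CARD_FIELD_HINTS = ("cardnumber", "cardno", "creditcard", "ccnumber", "expiry", "cvv", "cvc")


class CheckoutFormParser(HTMLParser):
    """Collects forms with their inputs, any <applet>, and the ActinicKey meta tag."""

    def __init__(self):
        super().__init__()
        self.forms, self.applets, self.actinic_key, self._current = [], [], None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name") or ""})
        elif tag == "applet":
            self.applets.append(a.get("code") or a.get("archive") or "")
        elif tag == "meta" and (a.get("name") or "").lower() == "actinickey":
            self.actinic_key = a.get("content")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_card_field(name):
    n = name.lower().replace("_", "").replace("-", "")
    return any(h in n for h in CARD_FIELD_HINTS)


def audit(page_url, html):
    """Return each form carrying card fields and whether its resolved action is https.
    A relative action inherits the page's scheme, so on an http:// page it leaks.
    Hidden fields with random values are reported but are not encryption."""
    p = CheckoutFormParser()
    p.feed(html)
    findings = []
    for form in p.forms:
        cards = [i["name"] for i in form["inputs"] if is_card_field(i["name"])]
        if not cards:
            continue
        action = urljoin(page_url, form["action"])
        findings.append({"action": action, "method": form["method"], "card_fields": cards,
                         "hidden_fields": [i["name"] for i in form["inputs"] if i["type"] == "hidden"],
                         "encrypted_transport": urlsplit(action).scheme.lower() == "https"})
    return {"findings": findings, "applets": p.applets, "actinic_key": p.actinic_key}


def has_tls_listener(host, port=443, timeout=5.0):
    """Live check (needs network): does host complete a TLS handshake on 443 with
    a certificate valid for that name?  This is post #3's 'try https://' test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert() is not None
    except (OSError, ssl.SSLError):
        return False


# Constructed sample: http:// checkout page; first form posts the card number via a
# relative action (inherits http), second is the corrected https version.
SAMPLE_PAGE_URL = "http://shop.example/acatalog/checkout.html"
SAMPLE_HTML = """<html><head><meta name="ActinicKey" content="3f9a1c"></head><body>
<form method="post" action="cgi-bin/order.pl">
  <input type="hidden" name="session" value="81734">
  <input type="text" name="CardNumber"><input type="text" name="ExpiryDate">
</form>
<form method="post" action="https://shop.example/cgi-bin/order.pl">
  <input type="text" name="CardNumber">
</form></body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for f in report["findings"]:
        status = "ok, https" if f["encrypted_transport"] else "LEAKS card data over plain http"
        print(f"{f['method'].upper()} {f['action']}: {status}; fields {f['card_fields']}")
    print("applets:", report["applets"], "ActinicKey:", report["actinic_key"])
    if len(sys.argv) > 1:  # optional live check: python audit.py www.example.com
        print(sys.argv[1], "answers TLS on 443:", has_tls_listener(sys.argv[1]))
```

      Run it with no arguments to see the static audit of the embedded sample: the first form resolves to an http:// action and is flagged, the second is not. The ActinicKey meta tag and the hidden session field are reported only so they are not mistaken for encryption, which is exactly the point Peter makes. Passing a hostname runs the handshake check; a site with no certificate installed fails it, matching what this post describes when https:// is tried on the domain.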



        #4
        You really need to suspend ordering online until you have a secure method of payment in place. The most secure method would be to sign up with a merchant such as WorldPay or NatWest. At the moment, anyone who places an order on your site risks having their details 'stolen'. Also, I think there may be some illegalities, or at least you are making yourself highly liable if fraud does occur, by saying you have 128-bit encryption when in fact you have 0 encryption.

        Worth considering, and I would definitely sort it out ASAP.

        Nick
        Nick Smith
        Web Developer
        extrinsica Limited



          #5
          also

          another point to consider is that with your current system you have no method of verifying card information. This will cause problems such as mistakes with card details, etc.
          Nick Smith
          Web Developer
          extrinsica Limited



            #6
            Online Payment:

            WorldPay: http://www.worldpay.co.uk/

            Streamline: http://www.streamline.com/index_frame.htm

            What is SSL:

            Secure Sockets Layer is a protocol that transmits your communications over the Internet in an encrypted form. SSL ensures that the information is sent, unchanged, only to the server you intended to send it to. Online shopping sites frequently use SSL technology to safeguard your credit card information.

            Where can you get it:

            You can have full SSL or Shared SSL. Contact your hosting company and they will be able to give you information on the two (Actinic offer a shared SSL service):
            http://www.actinic.co.uk/products/sssl.htm
            Nick Smith
            Web Developer
            extrinsica Limited



              #7
              While Nick is correct, there's no need to panic. Sending credit card details unencrypted isn't really any more risky than giving them over the phone, and most people will happily do that.

              You should really be using a secure method though. The easiest thing to do is to just select the JavaScript encryption, which will get around the security question.

              For customers' peace of mind, SSL and the little padlock is the best option, and as Nick says, using a payment service provider has many advantages.

              Mike
              -----------------------------------------

              First Tackle - Fly Fishing and Game Angling

              -----------------------------------------
