Slashdot: News for Nerds


Websites Still Failing Basic Privacy Practices

kdawson posted more than 4 years ago | from the after-all-these-years dept.


DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"


205 comments

secure (-1, Troll)

Anonymous Coward | more than 4 years ago | (#24746043)

post

It's a good thing (5, Insightful)

XanC (644172) | more than 4 years ago | (#24746053)

That Firefox saves the nasty warnings for Web sites that are encrypted!

Re:It's a good thing (5, Informative)

stfvon007 (632997) | more than 4 years ago | (#24746861)

Well I went to the site and changed http to https, and it brought up the page on an encrypted connection. Looks like they aren't forcing you to submit it in the open after all.

Re:It's a good thing (3, Insightful)

palegray.net (1195047) | more than 4 years ago | (#24747387)

While the responsibility does lie with the consumer to take appropriate technical measures to safeguard his personal information, is it too much to ask for a company to make SSL the default when submitting information?

It only takes adding an "s" in the form element...

Re:It's a good thing (2, Informative)

robo_mojo (997193) | more than 4 years ago | (#24747863)

It only takes adding an "s" in the form element...

And a valid signed cert, if the site owner doesn't want his users getting annoying warnings...

Re:It's a good thing (1)

robo_mojo (997193) | more than 4 years ago | (#24747853)

Just a warning: that doesn't always work.

Sometimes, even if you change http to https, the form still submits to plain http (though that isn't the case this time).

But if you want to be sure without having to wade through HTML, you can just set security.warn_submit_insecure to true in Seamonkey/Firefox, which should be true by default if you haven't already turned it off.

but realistically (5, Insightful)

Anonymous Coward | more than 4 years ago | (#24746073)

HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it. Also, address and date of birth aren't usually considered confidential, even if you might not want to publish them.

This isn't a lot different than many of those post-card questionnaires many people fill out and mail in.

I think in this case, it's more important what they do with the information once they receive it.

That said, I think there should be default encryption wherever possible automatically.

Re:but realistically (0, Insightful)

Anonymous Coward | more than 4 years ago | (#24746301)

HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it.

You've fallen for the birthday paradox. The relevant probability is not whether somebody who wants your data is on the same subnet as you. The relevant probability is whether somebody who wants personal data is on the same subnet as somebody who doesn't want to give it to them. This is a massively more probable event.

Re:but realistically (3, Informative)

blueg3 (192743) | more than 4 years ago | (#24746683)

That's not at all the birthday paradox.

Re:but realistically (1, Informative)

gringer (252588) | more than 4 years ago | (#24746943)

I think they're trying to point out that it's a problem if anyone gets anyone else's data, rather than anyone getting a particular person's data (namely your own). This seems fairly similar to the Birthday Paradox.

http://en.wikipedia.org/wiki/Birthday_paradox#Same_birthday_as_you [wikipedia.org]

Re:but realistically (0)

Anonymous Coward | more than 4 years ago | (#24747027)

nonono, they're saying that if somebody has the same birthday as somebody else on the same subnet, they're likely to be using unencrypted HTTP to send birthday e-cards. I think.

Re:but realistically (4, Insightful)

blueg3 (192743) | more than 4 years ago | (#24747507)

What they're trying to point out is that while it may be rare that anyone is out to steal your personal information, people stealing personal information in general is quite common.

While this may bear a passing resemblance to the birthday paradox, it isn't the birthday paradox. It's like when people claim that X has something to do with relativity. They're almost always wrong. The birthday paradox is a very particular statistical error, and this isn't it. :-)

It's actually easier, anyway, to point out that someone trying to specifically steal "your" credentials just isn't the way it's done. That's a rare attack, because the investment is high compared to the reward. It's far easier to, say, run a credential-harvesting script in a local Starbucks with free wireless every day for a couple of weeks. (It's also rare, though more devastating, to just grab the personal information off of their server.)

Re:but realistically (2, Insightful)

Anonymous Coward | more than 4 years ago | (#24747671)

The birthday paradox is a very particular statistical error, and this isn't it.

Yes, it is. The birthday problem is simply this:

Given a set S, what is the probability P(S) that there exist elements (x, y) in S such that x <> y and p(x, y) is true?

The "paradox" comes about because most people misread the above to mean:

Given a set S and an element of the set x, what is the probability P(S, x) that there exists an element y in S such that x <> y and p(x, y) is true?

They're two different problems, but when worded right most people don't recognize that they're different.

Re:but realistically (0)

Anonymous Coward | more than 4 years ago | (#24747063)

yea but it still sounded cool.

Re:but realistically (4, Funny)

Anonymous Coward | more than 4 years ago | (#24746309)

I sniffed the password to a Slashdot account! Yours! And I'm using it to post a reply to your post!

Re:but realistically (5, Interesting)

Anonymous Coward | more than 4 years ago | (#24746853)

I run a copy of Wireshark whenever I'm at a coffee shop, airport lounge, or anywhere else there is a wireless hotspot. You would be amazed at the volume of info that gets sent in the clear - passwords, personal info, you name it. My favorite are people who log onto their webmail using HTTP:// not HTTPS://..... Simple rule I use and push is - if you are on a public (or untrusted) network, use a VPN or SSH tunnel.

Re:but realistically (5, Interesting)

jd (1658) | more than 4 years ago | (#24746911)

Information is context-sensitive. The VERY first thing you learn when using encryption systems is that it's much easier to crack something where you know what the plaintext should look like. The second thing you learn is that the information around the encrypted data is often far more valuable intelligence-wise than the encrypted stuff. That's why those of you who have ever been instructed on the use of STU-III phones were told NOT to chat before inserting the encryption card. (You WERE paying attention to those talks, right? Right???)

Next, there's this thing called the European Union. They're getting, oh, just a little sensitive about personal information these days. You know, what with German banks freely selling personal data (such as bank account details) to anyone who calls up, despite some of the toughest data protection laws in the world. Americans may view them as unimportant nobodies, but they are at least grasping the idea that ANY unnecessary exposure of personally-identifying information is a very high risk to the individual (identity theft) and a fairly substantial risk to the economy as a whole (such theft costs - and it costs a whole lot more than any "terrorist" threat ever did).

Name and address "high risk information"? If it can be used in a social engineering attack on a bank, credit card company or Government department (and usually such people do not make much effort to validate who a person is), then it is high risk. It doesn't matter if such information has always been viewed as public, as long as human operators (and computer programs) are satisfied that such information proves identity, it is not safe to expose.

Oh, and as for the fact that this information is actually used as a substitute for secure passwords, The Cheshire Catalyst [spaceyideas.com] was responsible for publishing a rather pointed song [poppyfields.net] on the subject by breaking into the PRESTEL account of a BBC presenter whilst he was demonstrating the service live on BBC television. The lyrics should be required reading material for anyone who uses any kind of online service, and failure to heed its warnings should be considered no different from reckless driving or setting off fireworks inside a furniture store.

Re:but realistically (1)

arminw (717974) | more than 4 years ago | (#24747809)

....If it can be used in a social engineering attack on a bank, credit card company or Government department ....

That is a burden that should be on these institutions to diligently ensure for any given transaction, that the information given is truly connected to the person the information is about. As you go through life doing business with others you are required to give them information about you. Eventually there will be so much information about you all over the place, you might as well post it on the Internet.

If some impostor is using stolen information of yours, the burden of determining whether the person requesting a given transaction is really you or that impostor, should be on that agency or institution. Biometric data might be used to accomplish this.

Re:but realistically (1)

Ichijo (607641) | more than 4 years ago | (#24747247)

HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it.

Unless you're both on an unencrypted (or underencrypted) wireless hotspot.

Re:but realistically (1)

arminw (717974) | more than 4 years ago | (#24747669)

....I think in this case, it's more important what they do with the information once they receive it....

I think it is more important for the financial institution or merchant to ensure that if someone gives them this information, which may be stolen, this really is the person it belongs to. Information theft is really a misnomer. Your identity cannot really be stolen, only misappropriated by someone who is not you or is not entitled to use it for their own purposes. Any time you want to do business with anyone else, you have to give them identifying information about yourself. Eventually that information is given out to so many people, you might as well publish it on the Internet.

It is the receiver of this information who is asked to provide money, goods, or services, who should be forced to make certain, that the person who presents the information is really the person entitled to make this particular transaction. Trying to keep everyone's information private is an exercise in futility in the digital age. What we need is transaction verification, not identity verification.

Re:but realistically (3, Insightful)

holophrastic (221104) | more than 4 years ago | (#24747817)

I certainly agree with your first sentiment -- not everything needs to be encrypted. I certainly see the value in encrypting cash and effectively-cash information -- like credit card information. But honestly when it comes to simple privacy information, https is way overkill. I don't want to slow the web down by 300% just to encrypt everything. Not only is it not necessary -- it's not like packets are intercepted frequently -- but it's by far nowhere near the weakest link.

I've been to, and photographed, bank machines that use external modems, loose and visible cables, and simple network jacks that could be easily bypassed. Your mail in most physical mailboxes is wide open for viewing. Hey, your licence plate is just sitting in your driveway.

But by far, don't worry about the guy stealing your packets. Worry about the 16 year-old at the gas station that takes your credit card. The secretary at whatever company that answers the phone, the customer service agent. These people are all effectively able to intercept your packets, and you talk to them willingly as customer service for every company you've ever called where you weren't talking to the owner.

Our industry here is one where the principles of security have matured to the point where it seems like everything needs to be high-security. But in reality, every other industry on this planet is wide open by comparison.

I'm reminded of something as simple as the sign at my local performing arts theatre that reads "no audience members beyond this point", engraved into a placard beside the door to back-stage. However the door itself is unlocked. I go back after every performance to express my appreciation.

Security for security sake is not only stupid, it's dangerous. It's what had me removing my shoes crossing the border last week. And in the end, after all of the security, I still wound up flying into and out of the U.S. with a knife in my pocket that everyone -- including myself -- missed entirely.

Security is necessary only to the point where something needs securing -- that means it has value, someone wants it, and someone is trying to take it. That last part is vital to the equation. Securing something that no one is trying to steal is a waste of effort, money, resources, time, and other liberties. You know, like three hours at an airport to take a $35, 25 minute flight.

Nobody considers that import (4, Interesting)

topham (32406) | more than 4 years ago | (#24746077)

That level of privacy is not considered important by anybody. Seriously.

Credit Card data - encrypted; you're first and last name? short of being in the witness protection program it is NOT considered a privacy issue. sorry.

(I know, I know, it would be nice if it was).

Re:Nobody considers that import (4, Funny)

linear a (584575) | more than 4 years ago | (#24746201)

The big sites *must* be interested in privacy. They're plastered with security and privacy notices.

Re:Nobody considers that import (4, Funny)

Anonymous Coward | more than 4 years ago | (#24746233)

No, I'm not "first and last name."

Re:Nobody considers that import (4, Insightful)

DigitAl56K (805623) | more than 4 years ago | (#24746241)

That level of privacy is not considered important by anybody.

It is by me (obviously) ;)

You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?

With specific regard to "trust", here you have a website asking for a bunch of personal information without taking the most basic precautions to protect it in transit and without an SSL certificate that identifies the owners to inform you where the data might really be going to.

It was enough to make me cancel out.

Re:Nobody considers that import (0)

Anonymous Coward | more than 4 years ago | (#24746359)

If you're willing to cancel out when more information than that is probably printed on the outside of your water bill... you're probably paranoid. But don't worry, I'll come over to your house on your birthday to give you a consolation present.

Re:Nobody considers that import (2, Insightful)

dreohio99 (963130) | more than 4 years ago | (#24746395)

Your information is already out there in public records. Google your phone number and see what comes up. If the form asked for SSN or driver's license number I would be a bit more cautious. As far as passwords, it is already considered a bad practice to use the same one on a shopping website as your bank or credit card account websites.

Re:Nobody considers that import (2, Insightful)

Ash-Fox (726320) | more than 4 years ago | (#24747253)

Your information is already out there in public records.

And I know which ones too.

Google your phone number and see what comes up.

Three results, all of which, not even related.

Re:Nobody considers that import (4, Insightful)

Zero__Kelvin (151819) | more than 4 years ago | (#24746515)

You missed the real story, to wit:

"Internet users still can't seem to get the basics of privacy and security on the Web pulled together. Web users still offer up information they consider to be private and sensitive, on the almost zero chance they will win a Wii, to companies about which they know little or nothing. They still believe the company can and should be trusted with their data, based solely on the fact that the company's products have a little brand recognition ..."

Re:Nobody considers that import (4, Insightful)

Kent Recal (714863) | more than 4 years ago | (#24746671)

Exactly. This "article" is yet another bad joke (slashdot disappoints a lot lately).

Dear "DigitAl56K": If you're so worried about losing your first and last name on the interwebs then why the hell do you participate in retarded lotteries?
Here's a little secret: If you don't push that submit button then nobody will ever get your information!

Re:Nobody considers that import (2, Insightful)

antic (29198) | more than 4 years ago | (#24746871)

Easy publicity for Duracell. Have someone complain about a non-issue with your competition, and get free press.

Re:Nobody considers that import (1)

Kent Recal (714863) | more than 4 years ago | (#24747139)

Hm, I somewhat doubt that slashdot is the right target audience for that kind of PR.
If someone really paid for it then I'd say they just wasted their money...

Re:Nobody considers that import (1)

knewter (62953) | more than 4 years ago | (#24746889)

Why did you mention password? I didn't see that listed as an item in the form. Esp. why did you emphasize it, when it's not even supposed to be in the list?

Re:Nobody considers that import (3, Informative)

telbij (465356) | more than 4 years ago | (#24747115)

I don't challenge your thesis, but your example stinks. First of all, the biggest problem as far as privacy is concerned is the database being sold to other companies. The next biggest problem is the database being outright stolen by crackers. Sniffing your POST as it goes across the wire is the least of your worries.

Second, it's just not reasonable to call https standard privacy practice in this case. Standard security practice is to use SSL for "sensitive" information. But it's not standard to consider name, birthdate and address sensitive. You can argue that it should be, but don't try to redefine reality by calling something standard that's not.

Re:Nobody considers that import (1)

arminw (717974) | more than 4 years ago | (#24747889)

.....First of all, the biggest problem as far as privacy is concerned is the database being sold to other companies....

The truth of the matter is, that in the digital age you have no privacy. Every time you do business with someone, of necessity you have to give them your personal information. In most cases that will be your true name and address, phone number and perhaps e-mail. If money is involved, most likely a credit card or bank account number will also be needed.

As you go through life, this information will be located in so many places and accessible to so many people, that trying to keep this information private is an exercise in futility.

The institutions that exchange information, possibly stolen information, for money, goods and services should be the ones that check whether the information given and the person giving the information are legitimate. If the value of the transaction is very high, a fingerprint or other biometric information could be used to verify the identity of the person requesting the thing of value.

Stop making stuff up. (1, Informative)

Anonymous Coward | more than 4 years ago | (#24747121)

"You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?"

1. The form did not/does not require a password.

2. No password recovery systems I've seen in the last 10 years use either your address or DOB as the key. That information is too readily available in the public records...like the phone book. (If you disagree please point out a site/system that does use it).

3. You're worried about the privacy of your address and yet you're signing up for a contest that collects your name for marketing purposes...

4. P&G clearly states they use SSL for sensitive information and they clearly state what they believe sensitive information to be: "When we collect or transmit sensitive information such as a credit card number or health information, we use Secure Sockets Layer (SSL) encryption for added protection. Your browser indicates that SSL is in place by displaying either an unbroken key or a closed lock at the bottom of your browser window." http://www.pg.com/privacy/english/privacy_statement.html#tab2

Umm... (0)

Anonymous Coward | more than 4 years ago | (#24747201)

Your summary didn't say a thing about a password... I think that is really the only relevant item.

Re:Nobody considers that import (5, Insightful)

tokenturtle (765853) | more than 4 years ago | (#24746263)

Exactly. The junk mail that's in my mailbox every day has more detailed information on the outside of the envelope. This is really a non-issue.

Re:Nobody considers that import (4, Insightful)

DigitAl56K (805623) | more than 4 years ago | (#24746361)

If your junk mail shows your date of birth and password I'd be worried. It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

BTW what has happened to /. tonight? If Google switched their login page to http would nobody care?

Re:Nobody considers that import (1)

mhall119 (1035984) | more than 4 years ago | (#24746461)

I have companies sending me "Birthday discount" mailers all the time. Anybody with your first and last name, and even a vague idea of where you live, can figure out what your birthday is.

Re:Nobody considers that import (1)

tokenturtle (765853) | more than 4 years ago | (#24746529)

Well, OK, not passwords, but I do get plenty of happy birthday cards. With those and the rest of the junk mail, I'm pretty sure the postman knows more about me than the people I would consider close.

Re:Nobody considers that import (3, Informative)

CRC'99 (96526) | more than 4 years ago | (#24746757)

It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

Riiight - because people can easily sniff traffic at an ADSL DSLAM, wait no, at the L2TP router, wait not even there, oh - at the upstream to a Tier 1 ISP, no, not there either... So where exactly is someone going to sniff your data?

Oh, you're talking about someone on your LAN or Wifi access point? Well then, you have bigger issues!

Even if you're stuck on a cable node, most of the equipment I've seen filter other peoples data out via MAC of the cable modem - so you can't even sniff there...

This being said, where would the so-called 'privacy breach' sniffing take place?

Re:Nobody considers that import (0)

Anonymous Coward | more than 4 years ago | (#24747825)

I think my Gmail password is a little bit more important than my Duracell Nintendo Wii contest password.

Re:Nobody considers that import (3, Funny)

Anonymous Coward | more than 4 years ago | (#24746267)

you're first and last name?

Oh c'mon - it's YOUR not you're

Re:Nobody considers that import (0)

Anonymous Coward | more than 4 years ago | (#24746369)

The law considers it important. But companies break the law with impunity. That's what's so galling. People crying out for new legislation to punish errant companies, completely unaware that clear and powerful laws have existed since 1984. See data protection act [wikipedia.org] .

If even one tenth of the criminals were prosecuted we would see striking changes. But the legal system is a corrupt, rotting, spineless and toothless whore of the corporations. The police are inept and stupid. The public are apathetic and clueless.

I guess you're right. Nobody gives a fuck. So why don't we just abolish these hopeless, unenforceable laws and admit that corporations are above scrutiny?

Perhaps because every computer related law written in the last 20 years is really to protect the corporations from what would happen when people realise the cost and take their grievances into their own hands to sort things out.

Re:Nobody considers that import (3, Insightful)

cycleguy55 (1351277) | more than 4 years ago | (#24746697)

Yeah, the only people that want that level of data are those involved in identity theft. Given the number of people who have had their lives turned upside down through identity theft, we should all be vigilant - including challenging any and all Web sites that don't use proper practices to protect personal information.

Re:Nobody considers that import (0)

Anonymous Coward | more than 4 years ago | (#24747343)

It takes 3 pieces of information to steal your identity.

Name and DOB are 2 of them

Re:Nobody considers that import (1)

Nefarious Wheel (628136) | more than 4 years ago | (#24747471)

It's not the data, it's the context. Name, address and phone number for most people is not a problem to divulge (except for those who consider the White Pages in the phone book a threat). Name, address and phone number on a list of people who carry strategic defense codes around in a briefcase handcuffed to their wrist, however, might be.

White House site (4, Funny)

Anonymous Coward | more than 4 years ago | (#24746085)

Whitehouse.com seems to have no regard for the security of web visitors.

Re:White House site (4, Funny)

bonekeeper (1294622) | more than 4 years ago | (#24746747)

Nor for the privacy and freedom of speech, actually!

Right... (4, Insightful)

Anonymous Coward | more than 4 years ago | (#24746087)

"XXXXX is committed to maintaining your trust by protecting personal information we collect."

Means nothing when every website harvesting your info says that.

Re:Right... (4, Insightful)

Ethanol-fueled (1125189) | more than 4 years ago | (#24746203)

Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form

People actually do that? Legend has it that some folks still fill out meatspace paper rebate forms so that they could wait 60 days to receive a 65-cent check in the mail.

Please hit submitter with cluebat. (0)

Anonymous Coward | more than 4 years ago | (#24746097)

You can manually change the URL on the linked site to https:// and achieve an SSL-secured session. HTH, HAND.

Slim chance (-1)

Anonymous Coward | more than 4 years ago | (#24746137)

The chance that someone has the ability and desire to capture that packet which contains your data is very, very slim. The more likely breach is with the back-end database. As long as that's protected, then your data is secure enough.

Chances are most of that information you mentioned is already freely available (facebook/myspace, phone directories, etc).

Taxcut http (5, Interesting)

Anonymous Coward | more than 4 years ago | (#24746139)

A few years ago I was buying a state tax program and realized that their form that asked for all my private data was an http page! I was shocked. Then I added "s" after http and it happily connected me over SSL. How many people who buy Taxcut will check the protocol and change it?

Re:Taxcut http (3, Insightful)

rriven (737681) | more than 4 years ago | (#24746285)

It does not matter when you fill the form. As long as when you clicked submit and it went to a https page you are safe.

That is how all the sites that don't handle CC or SSN's do it. It reduces overhead and load time. Even gmail did until recently.

Re:Taxcut http (4, Interesting)

SpottedKuh (855161) | more than 4 years ago | (#24746443)

It does not matter when you fill the form. As long as when you clicked submit and it went to a https page you are safe.

Now if only you had some assurance that the http-based form hadn't been MitM'ed, such that the "Submit" button no longer submits where you want it to. E.g., if the form were sent over https.

Re:Taxcut http (3, Insightful)

FLEB (312391) | more than 4 years ago | (#24746479)

Actually, I've heard this discussion come up before-- generally, you want the login form SSL encrypted, as well, to verify the identity and integrity of the form. Otherwise, it leaves the possibility for phishing, poisoned DNS, or a man-in-the-middle attack that rewrites the form to submit to a malicious intermediary. (Granted, a person viewing the code could see that last one, but I know I certainly don't eagle-eye the action param on every form I submit before I hit "go".)

Re:Taxcut http (0)

Anonymous Coward | more than 4 years ago | (#24746539)

That is not strictly correct. If you receive a page over ordinary HTTP, there is no protection against someone intercepting and modifying or spoofing the form content. On an untrusted network, if you request form.html, a malicious agent could craft you a form.html that looks legit and submits over HTTPS but, before submission, uses Javascript to send all your form information to someone who shouldn't have it.
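An added example, not code from any poster and not P&G's or SoftCoin's: an audit of the two conditions this sub-thread raises (robo_mojo's note that a form on an https page can still submit to plain http, and FLEB's and the Anonymous Coward's point that a form delivered over http can be rewritten before you ever press submit). Given the URL a page was loaded from and its HTML, it resolves every form action and reports both problems. The sample HTML and the example.test hostnames are constructed for the demo.

```python
"""Added example: audit a fetched page's <form> elements the way the
security.warn_submit_insecure preference and a careful look at the action
attribute would. Two findings per form are possible:
  - "submits in the clear": the resolved action is not https
  - "form delivered over http": the page itself came over http, so an
    on-path attacker could have changed the action or injected script
The HTML below is a constructed sample, not the contest page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (action, method) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        # A missing or empty action means "submit to the current page URL",
        # which is why the page's own scheme matters below.
        self.forms.append((a.get("action") or "",
                           (a.get("method") or "get").lower()))


def audit_forms(page_url, html):
    """Return one finding dict per form: resolved action, method and a list
    of issues. The list is empty only when both the page and the resolved
    action use https."""
    parser = FormCollector()
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for action, method in parser.forms:
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        issues = []
        if urlsplit(target).scheme != "https":
            issues.append("submits in the clear")
        if not page_secure:
            issues.append("form delivered over http")
        findings.append({"action": target, "method": method, "issues": issues})
    return findings


def count_insecure(findings):
    """Number of forms with at least one issue."""
    return sum(1 for f in findings if f["issues"])


# Constructed sample: a contest-style form with a relative action (so it
# inherits whatever scheme the page was loaded with) next to a form that
# posts to an absolute https URL.
SAMPLE_HTML = """
<html><body>
<form method="post" action="/enter">
  <input name="name"><input name="address"><input name="dob">
</form>
<form method="POST" action="https://secure.example.test/enter"></form>
</body></html>
"""


if __name__ == "__main__":
    # Same HTML loaded two ways: only the https load comes back clean, which
    # is exactly the "change http to https" check a poster above tried.
    for url in ("http://www.example.test/contest",
                "https://www.example.test/contest"):
        print(url)
        for f in audit_forms(url, SAMPLE_HTML):
            print("  ", f["method"].upper(), f["action"],
                  "->", ", ".join(f["issues"]) or "ok")
```

The second finding is the one the preference in the browser does not surface on its own: an https action reached from an http page still leaves the form itself unauthenticated.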

First clue that something is amiss (1)

XanC (644172) | more than 4 years ago | (#24746191)

"Flash Player of 7 or above is required" on a blank page.

Some Just Lie About It... (0)

Anonymous Coward | more than 4 years ago | (#24746221)

What irks me the most is when they'll flat-out lie on the form with language like "this form is protected by ssl and secure" while asking for your credit card details for a purchase.

Then you look at the post action, it's HTTP, and posting to a circa 2001 perl form mailer.

VegNews.com, I'm looking at you.

Re:Some Just Lie About It... (0)

Anonymous Coward | more than 4 years ago | (#24746405)

It's amazing what people will admit to doing on the interweb when they think they're anon. Dirty Vegan.

website supports https (1)

spotter (5662) | more than 4 years ago | (#24746225)

so just stick an s after the http and you're golden.

unsure if that makes it better or worse for them though.

Re:website supports https (1)

Ash-Fox (726320) | more than 4 years ago | (#24747195)

so just stick an s after the http and you're golden.

Failed to Connect

The connection was refused when attempting to contact *domain here*

Though the site seems valid, the browser was unable to establish a connection.

        * Could the site be temporarily unavailable? Try again later.

        * Are you unable to browse other sites? Check the computer's network connection.

        * Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.

Re:website supports https (1)

spotter (5662) | more than 4 years ago | (#24747791)

not the duracell page, the softcoin page the duracell page takes you to, that actually contains the form. sheesh

I'm with them (0)

Anonymous Coward | more than 4 years ago | (#24746299)

Sounds sensible to me.

I challenge any reader to name a single known incident, in the entire history of the Internet, where there was a commercially significant crime or wave of identity theft arising from intercepting IP traffic in the cloud. (*)

Yeah, "commercially significant" are weasel words here, but the point I'm making is to exclude things that actually happen: phishing, DNS hacks, viruses and other malware, and most importantly, accessing stored data (i.e. NOT in transit), or at a pinch local (within enterprise or within home) snooping.

Phishing seems rather unlikely (for a game entry??) so IMO P&G seems to be making a totally justifiable choice to ignore purely theoretical risks. There are SO MANY more, real dangers, if one cares to worry about such things.

(*) Ok, I concede, if you use a technology (wireless) that is aggressively broken out of the box wrt privacy, the equation is slightly different. But if you do this and don't take precautions, you are beyond the help of any server-side technology.

Read The Fine Print (2, Informative)

candude43 (998769) | more than 4 years ago | (#24746371)

Or the official rules.

Neither Sponsor nor SoftCoin are responsible for lost, late, incomplete, stolen, misdirected or illegible plays, registrations, entries, Code requests, email, postage due mail or replies to Code requests which are returned as undeliverable mail; or for any computer, telephone, satellite, cable, network, electronic or Internet hardware or software malfunctions, failures, connections, or availability, or garbled, corrupt or jumbled transmissions, service provider/Internet/website/use net accessibility, availability, or traffic congestion, or any technical error, or unauthorized human intervention, or the incorrect or inaccurate capture of registration, Code, entry or other information, or the failure to capture, or loss of, any such information. Neither Sponsor nor SoftCoin are responsible for any incorrect or inaccurate information, whether caused by Website users, tampering, hacking, or by any of the equipment or programming associated with or utilized in the Promotion and assume no responsibility for any error, omission, interruption, deletion, defect, delay in operation or transmission, communications line failure, technical error, theft or destruction or unauthorized access to the Promotional Website.

It's hard to believe that they are "committed to maintaining your trust by protecting personal information" when they disavow any responsibility if it's stolen. But I think that's pretty standard boilerplate.

Re:Read The Fine Print (1)

Darkness404 (1287218) | more than 4 years ago | (#24746517)

Honestly, what are you going to do if the server gets hacked? You can't exactly go to the hacker's computers and erase the data, can you?

Ignorance at work (2, Interesting)

horatio (127595) | more than 4 years ago | (#24746411)

Many, many people that I've tried to talk to about this very thing completely don't understand encryption at the most basic level - why it matters or if they have it. My guess from past experience is that if you tried to talk to P&G about it, the people responsible would try to tell you that it didn't need encryption, because the site is on *their* servers, so the data only goes on their network, and no amount of convincing would get them to think otherwise. The site you mentioned was probably farmed out anyways.

The state of affairs when it comes to the most basic data protection is really sad. One case was where I was applying for a job which required my SSN (a federal gov't position). The instructions were to download the form and email it. I called the number listed and explained why I wasn't going to include my SSN in an email, and they weren't mad, but they were annoyed. So you tell me a) did they wait for my app and trash it because I put "withheld for security reasons, will provide offline" (something like that) b) if the folks running the federal jobs website think it is okay to email around sensitive information (this was another one of those "your email is stored in our secure servers" things), then it must be okay, right?

Even in the physical realm, things aren't much better. A couple of months ago, I called a local business to complain that they'd charged my credit card a fee for canceling an appointment. (The number shouldn't be on file, I know. At the time I didn't realize that it was.) I explained to the person that when I canceled the appointment I was aware of the fee, but to send me a bill for it and I'd pay it when I got the bill. They sent me an invoice in the mail, with the charges and showing the balance was paid. I asked the guy which credit card they'd charged - and he proceeded to read off the type, entire number, and expiration date - without any authentication from me except my name and one other non-secret item, derived from the start of the conversation. I've since canceled that card, but people really don't understand.

Re:Ignorance at work (2, Informative)

Ritchie70 (860516) | more than 4 years ago | (#24747209)

Afraid I don't understand actually.

OK, the merchant shouldn't have your card # on file.

But wait, actually, according to my understanding of current PCI rules, they can have it on file, so long as it's secure from hacking. Not fraud, hacking.

Fraud = an employee steals the number or is fooled into giving it away.
Hacking = IT security breach causes the loss.

So if they wrote it on a piece of paper and put it in a file drawer, it's fine.

If it's in electronic format, that's something they have to prove is secure - or, assuming they're a minor merchant, they have to claim is secure.

Now, we all know how easy it is to fool someone into giving you the card number, but once again, that would be fraud, and is not really covered by the PCI standard afaik.

Re:Ignorance at work (0)

ShaunC (203807) | more than 4 years ago | (#24747467)

But wait, actually, according to my understanding of current PCI rules, they can have it on file, so long as it's secure from hacking. Not fraud, hacking.

That's the crux of the problem. If the current standard allows a merchant to store your credit card number in such a manner that it's available for their customer support phone-jockeys to look up on a whim, unobfuscated, then the standard is broken.

Re:Ignorance at work (1)

candude43 (998769) | more than 4 years ago | (#24747771)

But wait, actually, according to my understanding of current PCI rules, they can have it on file, so long as it's secure from hacking. Not fraud, hacking.

That's the crux of the problem. If the current standard allows a merchant to store your credit card number in such a manner that it's available for their customer support phone-jockeys to look up on a whim, unobfuscated, then the standard is broken.

The problem is the phone-jockey read all the CC-info back to some random voice on the telephone.

Here's An Example...VegNews.com (1)

uits (792760) | more than 4 years ago | (#24746415)

Great example of poor coding and carelessness...VegNews.com

Trying to register for a launch party at VegNews I come across this (from google site cache)

google site cache of insecure page [209.85.141.104]

Problems
1. No SSL, ssl not supported if you change the URL manually.
2. Lies about being secure, right there on the form. Nope.
3. The "action" points to an email *FormMailer* (http://vegnews.com/cgi-bin/SaveForm.pl [vegnews.com] ).

So, not only does it lie about encrypting your credit card, it goes and emails it out afterward to who-knows-where to sit in personal archives for who-knows-how-long.

Suffice to say I didn't attend, but I'm still pissed I almost fell victim to that.
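An added check, not code from any poster here or from the sites named, that audits the two failures the posts above describe (a form page served over plain http, and a form whose action posts to an http:// URL such as a CGI form mailer) and also flags forms whose visible text claims SSL. The hostname and HTML are constructed samples.

```python
"""Audit HTML forms for plaintext submission.

Flags a form when the page itself was served over http (the form could be
altered in transit) or when its action resolves to an http:// URL (the
submitted data travels in the clear), and notes when the form's own text
claims to be secure.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form>'s action attribute plus the visible text inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "text": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            attrs = dict(attrs)
            self._current = {"action": attrs.get("action") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


SECURE_CLAIMS = ("ssl", "secure", "encrypted")


def audit_forms(page_url, html):
    """Return one finding dict per form in `html`, given the page's own URL."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        # An empty action submits back to the page URL; a relative action
        # inherits the page's scheme, so resolve against page_url first.
        target = urljoin(page_url, form["action"] or page_url)
        text = form["text"].lower()
        findings.append({
            "action": target,
            "page_plaintext": page_scheme != "https",
            "action_plaintext": urlsplit(target).scheme != "https",
            "claims_secure": any(word in text for word in SECURE_CLAIMS),
        })
    return findings


# Constructed sample: an http page whose first form claims to be secure but
# posts to an http CGI script; the host is a placeholder, not a real site.
SAMPLE_URL = "http://example.invalid/register.html"
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://example.invalid/cgi-bin/SaveForm.pl">
  <p>This form is protected by SSL and secure.</p>
  <input name="card"><input type="submit">
</form>
<form method="post" action="https://example.invalid/login">
  <input name="user"><input type="submit">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```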

Really... (1)

Darkness404 (1287218) | more than 4 years ago | (#24746471)

Honestly, your date of birth, age, address and full name are worth absolutely nothing to the average person. Secondly, how many people actually run packet sniffers for malicious purposes? Not that many, then take that number and see how many really care about your address and name? Few, very few. Now, if this contained our social security number, we might be worried, but for this? It is making a mountain out of a molehill.

Solution for sites that have both http and https (1)

ilovesymbian (1341639) | more than 4 years ago | (#24746557)

All they have to do is force all http requests to go to https [aruljohn.com] and presto, it's done.

Expecting the user to manually add an 's' after http isn't very good or safe, IMO.

Re:Solution for sites that have both http and http (1)

Ash-Fox (726320) | more than 4 years ago | (#24747131)

All they have to do is force all http requests to go to https and presto, it's done.

I will perform a MitM attack and just intercept all HTTP requests and have it query the HTTPS URL while I read all their data unencrypted.

Slashdot isn't secure enough for me... (1)

blckholehorizon (957701) | more than 4 years ago | (#24746577)

so i'm going to snail-mail my post in. I can only pray that it will be added online after this is oldnews by cmdrTaco. In other news, my mom caught me playing with my Wii, and I wasn't ashamed.

Don't use Plimus (0)

Anonymous Coward | more than 4 years ago | (#24746583)

I noticed the e-commerce gateway "Plimus" making the usual mess of security/privacy the other day by exposing order details to anyone who could pick the right querystring (16 hexadecimal characters) - i.e. addresses, names, phone numbers, license code for the software I purchased etc.

I contacted them about it and received no reply.

HRC & NLGTF (0, Troll)

Anonymous Coward | more than 4 years ago | (#24746587)

I am gay but will not give to national gay organizations. They look up your telephone number and sell your information to other organizations. Give once and soon your phone will be ringing off the hook by telephone solicitors. Plus they disclose none of this on their web sites. They do not seem to regard privacy as any concern.

Don't blame P&G or Duracell (3, Informative)

bugs2squash (1132591) | more than 4 years ago | (#24746687)

It probably wasn't really their website you were entering your details into anyway...

Who Cares - Who Even Reads These (0)

Anonymous Coward | more than 4 years ago | (#24746711)

Speakeasy's new privacy statement says that they can share information, including credit card data with "affiliates", without defining "affiliate", but presumably including Best Buy.

Enough for me to cancel service, but I don't think that anyone else even read it.

Re:Who Cares - Who Even Reads These (0)

Anonymous Coward | more than 4 years ago | (#24746815)

Well, I could certainly cancel, but AT&T is my other option.

Email address already in use (3, Funny)

teh moges (875080) | more than 4 years ago | (#24746789)

I put in some fake credentials to test it out, but unfortunately the email address asdf@asfd.com was already in use...

"maintaining your trust" (3, Insightful)

iminplaya (723125) | more than 4 years ago | (#24746805)

How can they maintain something they'll never have?

Worst ever is lycos.de (0)

Anonymous Coward | more than 4 years ago | (#24746893)

For me the worst case is lycos' mail service at http://mail.lycos.de. Why?

Because they are deceiving, deluding bastards.

Check that page and note how the bullet point

o E-Mails and data encrypted with SSL

is one of the key points they market their service on.

On top of that they have a "SSL secured" checkbox directly below the login button.

What's wrong with it?

The checkbox is a NOP. Yeah, it does nothing.
After you have HTTP POST'd your credentials into the wifi ether in the plain, all your transactions are highly secure by using SSL.

I found out just out of curiosity maybe 3 years ago, and, not believing what I found, googled evidence of this being known.

I found a posting to the vuln-dev or bugtraq mailing list from another 3-4 years earlier. So this is known for almost a decade now.

ngrep output of post request:
http://www.gedankenverbrechen.org/~tk/lycos_ssl_noop.txt

One Time (1)

JimboFBX (1097277) | more than 4 years ago | (#24746967)

One time I went to buy a night vision scope from a website. After filling out all of the shipping/billing information except for the credit card information itself, I noticed that it wasn't a secure submittal form. I immediately....

Accidentally hit the enter key, for which my incomplete order was submitted, no confirmation or anything.

A month later a strange box showed up C.O.D. It was the night vision.

I'm Astounded! (1)

hyades1 (1149581) | more than 4 years ago | (#24747013)

"Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect."

Corporations, especially North American ones, tell great, honking lies all the time and get away with it. The business media are their whores, and what private individual has the time and/or money to challenge them?

A large corporation might actually tell the truth if a lawyer told them it was the most profitable course of action. Otherwise, believing one word uttered by a corporate spokesdrone, earns you the richly deserved reaming you're going to get. Mostly, these people would have to climb three steps up the evolutionary ladder just to qualify as douche bags.

Who was it that invented the phrase, "Your call is important to us"?

Washington Post says more data breaches than b4 (1)

Banaticus (736440) | more than 4 years ago | (#24747017)

In "completely unsurprising news", the Washington Post just announced that "More data breaches have been reported so far this year than in all of 2007..." Hmm, I wonder if the subject of this page could have had something to do with those breaches... http://www.washingtonpost.com/wp-dyn/content/article/2008/08/25/AR2008082502496.html?nav=rss_email/components [washingtonpost.com]

Etos Worldline (0)

Anonymous Coward | more than 4 years ago | (#24747035)

Just over a year ago, Etos Worldline, formerly known as Banksys, together with the major Belgian mobile phone telcos started a service to do payments via SMS. The subscription form https://www.m-banxafe.be/pay2me/startRegistration.do was not protected by https for several weeks. The whole security infrastructure, with the security question to reset your password, is still compromised to this day for whoever subscribed before https was activated.

Name, Address and Dob are a joke (5, Interesting)

jbsooter (1222994) | more than 4 years ago | (#24747053)

"It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST"

If I wanted a list of names, birth dates and addresses to use for nefarious purposes I don't need to steal yours from some dinky website or sniff packets. I'd just take one of the plentiful lists of birth records on the internet like this one [rootsweb.com] then cross reference it with property tax records of the area which are more plentiful than the birth records and it'll give probable name, dob, and address combinations. A good portion of probable matches can be confirmed through freely available court records. All of that data is fairly trivial to collect in bulk (I used to collect databases, was a pretty fun hobby actually), is perfectly legal and will provide a much better profile of matches than just name/dob/addr combinations stolen from a website or data stream.

Being that anal about your name, birth date and address is actually quite silly. There's so much low hanging fruit as far as collecting that type of data is concerned (and you're probably already included in it) that all you really did by not continuing with that form was taking yourself out of the running for a Wii.

The best thing you can really do is just keep close tabs on your credit report and get signed up for all the fraud alerts or freezes they offer. That's the best place to prevent and quickly repair most identity theft. Stop being so anal about info that's almost guaranteed to be out there already, set up your defenses where they're most effective and go get your Wii.

Stopped using SSL (4, Informative)

Ash-Fox (726320) | more than 4 years ago | (#24747069)

I stopped providing security on my websites when browsers made it too difficult for the average user (that I deal with) to continue using the site with a self signed certificate.

Sure, it won't help against a man in the middle attack. But that is truly the only attack that using self signed certificates is vulnerable to. Unlike completely unencrypted content.

If godaddy, verisign etc. didn't charge insane prices like £107 per year for a wildcard certificate for one domain, I would actually buy the certificates needed. I already find 10USD too much for a wildcard certificate for the numerous domains I operate, so it would have to be quite a significant drop. It's not like they do any verification with the £107 certificates, they just want a credit card number.

BZZZT Error... phone home or go EOF someone else! (1)

HuckleCom (690630) | more than 4 years ago | (#24747269)

Phone book. Names, phone numbers, addresses, all public. Get over it!

I work at a college in IT and students don't think twice about raveling off stuff that's even considered private.

My dad sells cars, he brought me with because there's public data available at the county recorder's office, I walked out of there with my dad after emailing some 34,000 names, addresses and phone numbers to my dad's email account for his silly mailers. All 100% legal.

So in short, nothing to see here, move along...

Sallie Mae e-mailed me my SSN number regularly (4, Interesting)

knifeyspooney (623953) | more than 4 years ago | (#24747333)

They stopped this practice recently, but for over a year, my student loan company required me to sign up for monthly paperless statements if I wanted to pay electronically. The statements were e-mailed in the form of a PDF attachment. The e-mail body assured me my privacy was intact because the file was password protected -- by my Social Security number!

Brilliant! If an interloper intercepted my e-mail, not only could he brute force my password with easy to find, easy to use tools (in a matter of minutes, since he knows the number of characters in it), but he'd know my SSN once he cracked it. I would have been better off with no password protection.

When I e-mailed Sallie Mae with the above information, the representative brushed it off. It was safe, he said, as long as I opened it on a non-public computer, because my SSN was not being sent over the Internet when I typed it in.

(The Consumerist didn't find it interesting, either.)

Re:Sallie Mae e-mailed me my SSN number regularly (1)

knifeyspooney (623953) | more than 4 years ago | (#24747401)

I shoulda said, it could have been cracked in minutes because the key space was small and known: the set of all nine-digit integers. Hope I got that right now. :)

ticketwizard 5000 (0)

Anonymous Coward | more than 4 years ago | (#24747337)

I got a parking ticket last week from an officer in my fair city and was referred to this site to pay it:

https://www.ticketwizard5000.com/ [ticketwizard5000.com]

You have to see it to believe it. In its defense, it uses SSL.

But after seeing this, I think I'll pay the ticket in person.

Re:ticketwizard 5000 (1)

symbolset (646467) | more than 4 years ago | (#24747621)

That is a remarkable site. What style, what innovative use of Frontpage. I especially like the inclusion of the HEAD section inside the form. Classy. Keep it real, TicketWizard5000! The clever use of submit buttons on a form rather than links must improve their site security considerably.

This is not a privacy problem (0)

Anonymous Coward | more than 4 years ago | (#24747607)

Privacy != Security

Re:This is not a privacy problem (0)

Anonymous Coward | more than 4 years ago | (#24747815)

Would you still claim that Privacy isn't security if someone else can read your payment statements, change your account settings etc...?

And Atos Worldline is a company that tries to follow PCI (Payment Card Industry) security standards!!!!
