One of the easiest ways to steal your money is through your credit card. It should be secure but some online businesses make it easy to steal your credit card details.

Ideally, firms that hold your credit card data should make it impossible for anyone else to access it. Keeping people's credit card data secure costs money, however. That's why it often makes good sense to use big companies such as PayPal as credit card intermediaries: THEY take on the risk, and they are big enough to make things secure.

Some small and medium-sized businesses, however, try to take credit card details themselves on the cheap and fluff the security.

The case study described below is a mid-size parcel freight company providing a specialist service for booksellers, publishers and eBay shopholders. Its name is XXXXXXXXXX.

To use its services, you have to open an account with them. Great! That's a good start in security.

They email you an initial password and activate your account - good so far.

Then things start to drift off in security terms:

Security concern #1

No insistence that you change the password immediately, before being able to do anything on the website.

Security concern #2

The initial password is too simple (8 letters, all caps) and there is no requirement that users MUST immediately change their password.

Security concern #3

No obvious process for users to change their password. Later I found it stored under the section on changing one's address!

Security concern #4

After I found the password change possibility, I changed the password to a random 16-character password generated by a password manager. The website accepted and saved the new password. Then it wouldn't let me in!

In the meantime, I had filled in the online forms to set up 6 shipments to send 65 kg of books to New Zealand.

During the process I had to enter my credit card information. Just before I finished, I realised I'd used the wrong card. No problem. In theory it should be easy to change the card and delete the old card details.

That is when I discovered what is perhaps the biggest security fail.

Security concern #5

ALL the credit card details (including the three-digit security code and expiry date) are stored live and prefilled in clear text on the website (offered as a choice from a dropdown).

Security concern #6

Following that, it became clear there was no obvious way to delete credit card details. The website presents all credit card details in clear text forever.

I've contacted the company owners to ask them to remove my credit card details, but at the time of writing they haven't replied.

Security analysis

The company emails the user a password in clear text, easily accessible to anyone en route using Wireshark or a similar network analyser.

The company provides users with a weak password and makes it hard to find how to change it.

The company then makes all the user's credit card details visible to anyone with the password (which is likely to be the same one that was sent in clear text and is easy to skim en route using a network analyser).

The company holds users' credit card details in a way that provides easy access for its administration staff. We know this because they weigh each shipment when they receive it at their central depot in NSW. It is then that they bill the charge to the user's credit card. In technical terms, this means the company is insisting that the capture of the funds is not necessarily linked to the amount of the authorisation of the funds.

In addition, the company reserves the right to charge anything it wishes against the user's credit card - the implication of insisting on the right to adjust the charge after weighing the shipment. This opens the door to a moral hazard of the 'finger on the scale' sort.

With the weaknesses in security practices on the website side and the potential for moral hazard, it's hard to envisage that credit card information is any more secure in the company's internal handling than on the website, and easy to see how it could be even less secure.

Many company freight buyers would be unhappy with the level of web security of this company. This suggests that the larger clients must pay on account by bank transfer against invoice, which leaves the security problems only with the smaller traders using the service.

Possible security and business process improvements

The first and most obvious change would be to have credit card transactions managed by an outside financial intermediary such as PayPal, Stripe or a bank.

The business process challenge of doing that is the company wants to decide LATER what to charge you - long AFTER you have made the contract. And they want to be the authority that decides whether they have charged you the right amount. There is something a little dodgy about that process.

An alternative is that they could take the money in two bites as separate transactions. The first bite, which you would pay before taking the freight to the post office, would be the proportion of the cost for AustPost to deliver the shipments to the company's warehouses. At that point, they could send an instant invoice, e.g. an emailed PayPal invoice button, that could be easily and instantly paid.

For the services this company is offering and its target client groups (booksellers, small publishers and eBay shopholders), the majority of clients will be regular, long-term customers.

The practicality of this business situation opens up other possibilities. One is to have each client business on a credit account (direct debit might be a friend here), OR for customers to pay an up-front lump sum with any residue held as credit for future transactions (or returned on request).
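As an added illustration (not code from the original post or from the company discussed), the following Python sketch models the intermediary approach from the first improvement above together with the authorisation-versus-capture point from the security analysis: a hypothetical gateway vault holds the card, the merchant's own records keep only a token, the last four digits and the expiry, the security code is never retained, cards can actually be deleted, and a capture after weighing can never exceed what was authorised at booking. GatewayVault, MerchantAccount and settle_shipment are assumed names for this illustration, not any real gateway's API.

```python
from dataclasses import dataclass, field
from decimal import Decimal
import secrets

class GatewayVault:
    """Stand-in for a payment intermediary (PayPal, Stripe, a bank). It holds the
    card; the merchant only ever holds an opaque token and the last four digits."""
    def __init__(self):
        self._cards = {}   # token -> (pan, expiry); the CVV is never kept anywhere
        self._auths = {}   # auth_id -> [token, authorised_amount, captured_so_far]
    def tokenize(self, pan, expiry, cvv):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and len(cvv) in (3, 4)):
            raise ValueError("malformed card data")
        token = "tok_" + secrets.token_hex(8)
        self._cards[token] = (pan, expiry)   # cvv checked once, then discarded
        return token, pan[-4:]
    def delete(self, token):
        self._cards.pop(token, None)         # a real delete, not a hidden row
    def authorise(self, token, amount):
        if token not in self._cards:
            raise KeyError("card deleted or unknown")
        auth_id = "auth_" + secrets.token_hex(6)
        self._auths[auth_id] = [token, Decimal(amount), Decimal("0")]
        return auth_id
    def capture(self, auth_id, amount):
        _, limit, done = self._auths[auth_id]
        if done + Decimal(amount) > limit:   # capture is bound to the authorisation
            raise ValueError(f"capture {done + Decimal(amount)} exceeds authorised {limit}")
        self._auths[auth_id][2] = done + Decimal(amount)
        return self._auths[auth_id][2]

@dataclass
class MerchantAccount:
    """All the freight company's own database needs per customer: token, last4, expiry."""
    cards: dict = field(default_factory=dict)
    def add_card(self, vault, pan, expiry, cvv):
        token, last4 = vault.tokenize(pan, expiry, cvv)
        self.cards[token] = (last4, expiry)
        return token
    def remove_card(self, vault, token):
        vault.delete(token)
        del self.cards[token]
    def dropdown_label(self, token):   # what a prefilled form may show: never the PAN or CVV
        last4, expiry = self.cards[token]
        return f"card ending {last4} (exp {expiry})"

def settle_shipment(vault, auth_id, quoted, weighed):
    """Charge the weighed price, but never more than was authorised at booking."""
    return vault.capture(auth_id, min(Decimal(quoted), Decimal(weighed)))
```

If the weighed price exceeds the quote, the excess has to be handled as a second, separately authorised transaction (the "two bites" option above) rather than silently inflating the first capture.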

Conclusions

The company has weaknesses in its online security that reflect badly on it. The age and less than effortless usability of its website echo this. Both likely hold back the company's growth from what appears to be an excellent innovation: intermediating in freight to provide a specialist service appropriate to customer groups with highly specific needs.

To do this means carefully rethinking the security, usability and business process issues and then developing the website to address the current problems.