Tuesday, 7 February 2012
Should there be a license for online credit card use?
Since this is "Safer Internet Day", one thing that always surprises me is how many people use their cards online without properly understanding and appreciating the implications of security and encryption online. I've mentioned issues with SecureCode/VerifiedByVisa before, and a lot of people don't even do security well enough to get to the issues I mention.
Let's take one example: SSL certificates. What would most people do when they see a dialog like this?
I suspect most end users would just try to find the most effective way to dismiss the dialog, i.e. accept the invalid certificate, and Firefox doesn't help by having the "always accept this certificate" checkbox selected by default. That is exactly the sort of thing that leaves you talking to a different server from the one you think you are. How many people would actually know enough to tell whether that meant the certificate had expired yesterday, as opposed to being a self-signed certificate, or one not issued for the server it claims to be? What would your friends do if they hit this?
I'd almost like to see a "license" for online credit card use. Something that would cover things like these:
- Making sure that when you do type your card numbers online, it is to a secure site.
- Proper use of 3D-Secure (SecureCode/VbV), including checking your pass phrase, checking the certificate of the oft-used IFRAME (this needs browser support - have you tried this on anything other than Chrome?) and verifying that the challenge is coming from a known server.
- Understanding the importance of NOT accepting invalid SSL certificates, especially for financial transactions.
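To make the three failure modes behind that dialog concrete (expired, self-signed, and issued for a different name), here is an added Python example; it is not part of the original post. The three certificates are constructed dicts in the layout that Python's ssl.SSLSocket.getpeercert() returns, with made-up names under example.test and a made-up issuer. The classifier checks only those three conditions and does not verify the chain against a CA store; the strict context at the end leaves all of that to the TLS library during the handshake, which is where it belongs.

```python
import ssl
import time

# Constructed sample certificates, in the dict layout that ssl.SSLSocket.getpeercert()
# returns. The names, dates and issuer are made up for illustration; they are not real
# certificates and no network connection is made.
EXPIRED = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notAfter": "Feb  6 23:59:59 2012 GMT",
    "subjectAltName": (("DNS", "shop.example.test"),),
}
SELF_SIGNED = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("commonName", "shop.example.test"),),),  # issuer == subject
    "notAfter": "Jan  1 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "shop.example.test"),),
}
WRONG_HOST = {
    "subject": ((("commonName", "payments.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notAfter": "Jan  1 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "payments.example.test"), ("DNS", "*.cdn.example.test")),
}

# Constructed "now": the date of this post, so EXPIRED lapsed the day before.
NOW_2012 = ssl.cert_time_to_seconds("Feb  7 12:00:00 2012 GMT")


def _dns_name_matches(pattern, hostname):
    """Match one DNS subjectAltName entry against a hostname.

    Exact match, or a single leftmost wildcard label ("*.cdn.example.test" matches
    "img.cdn.example.test" but not "cdn.example.test" or "a.b.cdn.example.test").
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and "." + rest == pattern[1:]
    return False


def cert_problems(cert, hostname, now=None):
    """Return the reasons a certificate must not be accepted for `hostname`.

    These are the three distinct conditions behind a browser warning: the certificate
    has expired, it is self-signed (issuer equals subject, so nobody vouches for it),
    or it was issued for a different name. An empty list means none of the three
    checks failed; verifying the chain against a trusted CA store is NOT done here.
    """
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_name_matches(name, hostname) for name in dns_names):
        problems.append("hostname mismatch")
    return problems


def strict_client_context():
    """The client configuration that makes the TLS library refuse all three cases
    (plus untrusted chains) during the handshake, before any card number is sent.
    This is the code equivalent of never ticking "always accept this certificate"."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True


def insecure_client_context():
    """The code equivalent of accepting the invalid certificate: no chain check, no
    name check. Shown only for contrast; never use this for a payment site."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """True when the context will reject untrusted chains and name mismatches."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for label, cert in (("expired", EXPIRED), ("self-signed", SELF_SIGNED),
                        ("wrong host", WRONG_HOST)):
        print(f"{label:12} -> {cert_problems(cert, 'shop.example.test', now=NOW_2012)}")
    print("default context strict:", context_is_strict(strict_client_context()))
    print("relaxed context strict:", context_is_strict(insecure_client_context()))
```

The point of keeping the three reasons separate is that they call for different reactions: an expired certificate on an otherwise trusted chain is usually an operations slip, a self-signed one means nobody has vouched for the server at all, and a name mismatch is exactly what a man-in-the-middle with a real certificate for some other host looks like. None of them is a reason to type in a card number, which is why the strict context refuses all of them before the application sees any data.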
It will be the subject of a future blog, but HMV's web site in particular really annoyed me by having the VerifiedByVisa and SecureCode logos on their web site, but I was able to check out without being challenged by SecureCode. That to me is under the category of "not taking security seriously". If I can't trust you to tell me what security measures you have, why would I trust you with my details?
Perhaps such an "online security competence test" could be administered by a combined Visa/Mastercard partnership, as they are the ones who could block transactions from unapproved buyers using their cards. Granted, it could be seen that this would be a way of reducing liability on their part if it was used to shift blame for any violations onto the end user, but I do believe it is important for people to understand the risks of shopping online.
I would almost go as far as to say that online security of the form listed above, including basic SSL understanding, should be part of what children are taught in school. If they're given the proper grounding, then perhaps have the schools help people take the tests described in the previous paragraph, then online security would actually be more than just lip service. The tools are mostly there to stop you doing stupid stuff, it just needs a bit of education to avoid problems.