Should there be a license for online credit card use?

[Short link to this article if you need it - http://goo.gl/uJWKM - or retweet me]

Since this is "Safer internet day", one thing that always surprises me is how many people use their cards online without properly understanding and appreciating the implications of security and encryption online. I've mentioned issues with SecureCode/VerifiedByVisa before and a lot of people don't even do security well enough to get to the issues I mention.

Let's take one example of SSL certificates. What would most people do when they see things like this dialog?




I suspect most end users would just try and find the most effective way to dismiss the dialog i.e. accept the invalid certificate - and firefox doesn't help by having the "always accept this certificate" checkbox selected by default.. Which is exaclty the sort of thing that leaves you open to talking to a different server from the one you think you are. How many people would actually know enough to even tell whether that meant he certificate had expired yesterday as opposed to just being a self-signed certificate, or not for the server it claims to be? What would your friends do if they hit this?

I'd almost like to see a "license" for online credit card use. Something that would cover things like these:
  1. Making sure that when you do type your card numbers online, it is to a secure site.
  2. Proper use of 3D-Secure (SecureCode/VbV) including checking your pass phrase and checking the oft-used IFRAME's certificate (Needs browser support - have you tried this on anything other than Chrome?) and verifying that the challenge is coming from a known server.
  3. Understanding the importance of NOT accepting invalid SSL certificates, especially for financial transactions
It will be the subject of a future blog, but HMV's web site in particular really annoyed me by having the VerifiedByVisa and SecureCode logos on their web site, but I was able to check out without being challenged by SecureCode. That to me is under the category of "not taking security seriously". If I can't trust you to tell me what security measures you have, why would I trust you with my details?

Perhaps such an "online security competence test" could be administered by a combined Visa/Mastercard partnership, as they are the ones who could block transactions from unapproved buyers using their cards. Granted, it could be seen that this would be a way of reducing liability on their part if it was used to shift blame for any violations onto the end user, but I do believe it is important for people to understand the risks of shopping online.

I would almost go as far as to say that online security of the form listed above, including basic SSL understanding, should be part of what children are taught in school. If they're given the proper grounding, then perhaps have the schools help people take the tests described in the previous paragraph, then online security would actually be more than just lip service. The tools are mostly there to stop you doing stupid stuff, it just needs a bit of education to avoid problems.

Comments

Post a Comment

Popular posts from this blog

macOS - first experiences from a Linux user perspective

Image
(Link to this article on twitter:  https://twitter.com/sxaTech/status/1628064140576059392 ) A while back I took delivery of a Mac Mini M1 system ("2020" model with 16Gb RAM running MacOS 11.6 "Big Sur" (It's now on 12.3). It came with no keyboard, mouse or screen (but I had plenty of them around, including a Unicomp Model M buckling spring keyboard with mac keycaps which I'd acquired a few months previously!) First problem was that the HDMI output didn't seem to want to talk to the 1600x1200 screen I had on my desk, so I switched it over to my 27" 1080p display ... So what's it like to use? I've used macOS systems as servers before but other than a small amount of GUI remote access I hadn't seriously used a desktop system before so I wanted to share "first timer" experience for some common use cases as a developer. Oh, and it's quick. Really quick. Whatever Apple have done in designing the M1 ("Apple Silicon") CP
Read more

Antisocial Networking: List of Top Tips

[Short link to this article if you need it:http://goo.gl/sWOd] Everyone's using social networks these days. Well ok not everyone, the people that don't usually give one of two reasons. Either they don't have time or they think it's all about posting what you had for breakfast. If it replaces other information sources in your life (e.g. using social networking instead of reading news feeds) then it doesn't have to take any extra time. The second reason, well, possibly valid, so here are my tips on how to make your social networking activities worthwhile I often see updates that are of no interest to me whatsoever, or I see things that just don't make sense. So here are my top tips to avoid for 'status updates' on social networking services to avoid me disconnecting from you. Don't be an antisocial networker: Status updates that don't stand alone - If I need a whole bunch of background information that only exists in your head instead of o
Read more

Customer service: contacting banks via the internet - how hard can it be?

I've recently spent quite a bit of time contacting banks via the internet to ask a question to them. Bearing in mind that it is the 21st Century and that email and the internet are no longer 'shiny and new' you would hope that communicating with a company online would be easy, wouldn't you? I was initially trying to contact banks as though I wasn't a customer, just to make an enquiry about a security issue. For some reason, this wasn't as straightforward as expected. I hope this information is useful to anyone who wants to decide on a bank to deal with based on more than just headline interest rates. Also, have you noticed how many banks don't let you have special characters on their web sites, including passwords in some cases? Seems a bit backwards these days to not allow better password choices for protecting your finances. I'll share my experiences: Barclays Contact was via this online form . You get a confirmation email that your message has been r
Read more