
When a Non-Secure Site Wants Personal or Financial Information

March 24, 2009

in Internet,privacy & security

by Gabe Goldberg

Twice recently, e-commerce Web sites have taken me to dangerous checkout screens — that is, Web pages which transmit data “in the clear” (unencrypted) — to complete online purchases. One of them even assured me “All orders are processed on secure servers.”

But without the reassuring padlock (or other secure-page symbol displayed by the browser when viewing a secure Web page) and Web address beginning “https” (instead of the usual “http”) I wasn’t about to provide information requested such as address, mother’s maiden name, credit card number, etc.

I complained to both sites. At first, the owner of one site argued with me until he realized that his Webmaster had allowed a security certificate to expire; he was then annoyed with his staffer, not me. The owner of the second site replied immediately, “I see what you mean. We will get on this right away. Thank you for bringing that to my attention.”

It’s clear that managers of both Web sites understood the need for security and that their technical staff simply let them down. The lesson here is NOT that online purchases are risky — in fact, many experts say that letting your credit card out of sight in a restaurant is riskier than making online purchases. But still, experiences such as these are a reminder to always check Web site credentials and security configurations before entering anything more sensitive than your eye color.

OK, that’s an exaggeration — I’ll enter my email address and postal address on non-secure pages. But I don’t like doing so and wish that all Webmasters understood the need for privacy and security. In the meantime, it’s a personal choice how much information to enter on non-secure (no padlock, no “https”) sites.

Most worrisome are Web sites with mixed secure/non-secure content on the same page, so browsers may not accurately reflect the status of sensitive data fields. Annoyingly, my bank uses such a page for logon. At first I refused to use the Web site; then I talked to the bank and parsed the Web page’s internal structure to verify that the userid/password were in fact encrypted for transmission.

But that’s hardly something a financial institution can expect customers to do. In the meantime, some such Web sites can be made more secure by clicking the initial-page Logon button without entering any data; they respond with a fully-secure Web page — perhaps with an error message that can be ignored — allowing comfortable and secure logon.

Perhaps if enough customers complain about inadequate security, such financial institutions will configure logon pages so their appearance matches their internal security.
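
The manual check described above (reading a logon page’s internal structure to see where the userid/password form actually submits) and the expired-certificate problem from the first complaint can both be scripted. The following is an added example, not code from the article or from any bank or shop mentioned in it; the hostnames, page contents and function names are constructed for illustration. It parses a page’s forms, resolves each form’s action against the page address, and flags any form that carries a password or card-number style field yet submits over plain http. A mixed page served over http whose form posts to https passes, which is exactly the case the bank page turned out to be. The certificate helper turns the “notAfter” string that Python’s standard ssl module returns into days remaining, so an expiry can be caught before customers notice a missing padlock.

```python
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings in a field name that mark it as something that must only travel
# encrypted. Hypothetical list for this example; extend to taste.
SENSITIVE_NAME_HINTS = ("pass", "card", "ccnum", "cvv", "ssn", "maiden")


class FormCollector(HTMLParser):
    """Collect every <form> on a page together with its action and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                {"type": (a.get("type") or "text").lower(),
                 "name": (a.get("name") or "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(field):
    """A password box, or any field whose name hints at a secret or card data."""
    if field["type"] == "password":
        return True
    return any(hint in field["name"] for hint in SENSITIVE_NAME_HINTS)


def audit_forms(page_url, html):
    """One finding per form: the resolved submit URL and whether it is encrypted.

    The page's own scheme is deliberately ignored: what matters is the scheme of
    the URL the browser will POST to, which is what the author checked by hand.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        encrypted = urlsplit(target).scheme.lower() == "https"
        sensitive = [f["name"] or f["type"] for f in form["fields"] if is_sensitive(f)]
        findings.append({
            "submits_to": target,
            "encrypted": encrypted,
            "sensitive_fields": sensitive,
            "unsafe": bool(sensitive) and not encrypted,
        })
    return findings


def days_until_expiry(not_after, now_seconds):
    """Days left on a certificate, given the 'notAfter' string from
    ssl.SSLSocket.getpeercert() (e.g. 'Mar 24 00:00:00 2009 GMT') and the
    current time in seconds since the epoch. Negative means already expired."""
    return (ssl.cert_time_to_seconds(not_after) - now_seconds) / 86400


# Constructed sample pages (not real sites). The first is the bank situation:
# served over http, but the logon form posts to an https address.
LOGON_PAGE_URL = "http://bank.example/"
LOGON_HTML = """<form action="https://secure.bank.example/login" method="post">
  <input type="text" name="userid"> <input type="password" name="password">
</form>"""

# The second is the checkout situation: the order form submits in the clear,
# while a newsletter form asking only for an email address is tolerable.
CHECKOUT_PAGE_URL = "http://shop.example/checkout"
CHECKOUT_HTML = """<form action="/process-order" method="post">
  <input type="text" name="address"> <input type="text" name="cardnumber">
</form>
<form action="http://shop.example/newsletter"><input type="text" name="email"></form>"""


if __name__ == "__main__":
    for url, html in ((LOGON_PAGE_URL, LOGON_HTML), (CHECKOUT_PAGE_URL, CHECKOUT_HTML)):
        for finding in audit_forms(url, html):
            status = "UNSAFE" if finding["unsafe"] else "ok"
            print(f"{status:6} {url} -> {finding['submits_to']} {finding['sensitive_fields']}")
    now = ssl.cert_time_to_seconds("Mar 14 00:00:00 2009 GMT")  # constructed "today"
    print("days left:", days_until_expiry("Mar 24 00:00:00 2009 GMT", now))
```

Run against a saved copy of a page (fetch it separately, then pass the text to audit_forms with the address it came from); the checker needs no network itself. The same scheme test applied to the resolved action, rather than to the address bar, is why the logon form above comes back as encrypted even though its page shows no padlock.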

“Remember me” feature

Finally, be careful about “Remember me” options. Only use them — to remember logon information and such — on your own computers whose security is maintained with protective software (anti-virus, anti-spyware, etc.) and which cannot be accessed by other people.

Gabe Goldberg (tiplet@gabegold.com), a lifelong computer pro and technology communicator, has written three books and hundreds of articles for audiences including techies, baby boomers and senior citizens. He enjoys sharing tips and pointers that help people use and have fun with technology.