
I have to make several transactions by credit card, sometimes through unsecured sites for business reasons.

When transacting through an unsecured site (one that has no SSL), is there any way to protect my data from a hacker's proxy server?

Smart Bird
  • Is this a personal credit card transaction? – Mike Pennington Sep 28 '12 at 10:27
  • 3
    **NEVER** enter your credit card information on an insecure web form, or to a site that you know is not using SSL/TLS. If it's a company you must do business with, contact them by some other means (e.g. email, phone) and report the problem with their web site. But don't actually place any orders until they fix it. – Michael Hampton Sep 28 '12 at 11:13

3 Answers


EDIT: It is not secure to transmit credit card information over a plain connection.

If the site you are transacting with is using SSL but you are not sure it is safe, then use OCSP (Online Certificate Status Protocol) methods.

  • Protect yourself from visiting web sites featuring fraudulent security.
  • Make sure you are using a browser that checks for revoked publisher and server certificates – includes CRL (certificate revocation list) and OCSP (online certificate status protocol) methods.
  • Go into your browser settings and make sure these safeguards are turned on.
  • In Firefox you will find the CRL and OCSP settings under Tools -> Options -> Advanced -> Encryption -> Validation.
  • In Internet Explorer you will find the options to check for publisher and server certificate revocation under Internet Options -> Advanced -> Security.


Md Mahbubur Rahman
    I don't see how this answer relates to the question: if the server does not support access over SSL, then OCSP won't help, as there are no certificates to check. – MvG Sep 28 '12 at 10:10
  • @MvG, you are right. I didn't think about the case of no SSL. I was describing how to check/verify an existing SSL connection. – Md Mahbubur Rahman Sep 28 '12 at 10:22
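The browser settings in this answer have a programmatic counterpart for a script that has to post card data itself. The following is an added example, not code from the answer or from any project on this page: it refuses plain-HTTP URLs outright and builds a Python `ssl` client context that requires a valid chain, checks the hostname, and turns on OpenSSL's CRL check for the server certificate (`ssl.VERIFY_CRL_CHECK_LEAF`). The URL strings and the `crl_pem` parameter are assumptions for the example; nothing here connects to a network. Python's standard `ssl` module has no OCSP client, so CRL checking is what a script can enable directly; OCSP remains the browser's job.

```python
"""Added example (not from the original answer): a card-submission client
policy with TLS verification and CRL revocation checking turned on.
Nothing here opens a network connection."""
import ssl
from typing import Optional
from urllib.parse import urlsplit


def submission_allowed(url: str) -> bool:
    """Policy from the thread: card details only ever travel over HTTPS."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def payment_context(crl_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client context that verifies the chain against the system trust store,
    insists on a matching hostname, and (VERIFY_CRL_CHECK_LEAF) rejects the
    handshake unless the server certificate can be checked against a loaded
    CRL. crl_pem is a hypothetical path to a PEM CRL file. Caveat: when no
    CRL is loaded, a real handshake with the flag set fails with OpenSSL's
    'unable to get certificate CRL', which is the safe direction to fail."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if crl_pem is not None:
        # CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_pem)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Snapshot of the settings a reviewer would want to confirm before
    letting the context carry card data."""
    return {
        "verify_mode": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "min_tls": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for url in ("http://shop.example/checkout", "https://shop.example/checkout"):
        print(url, "->", "allowed" if submission_allowed(url) else "refused")
    print(describe(payment_context()))
```

The revocation flag is only useful together with `load_verify_locations` for the issuer's CRL; with the flag set and no CRL loaded every handshake fails, which is stricter than a browser default but never lets an unchecked certificate through.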

If the site is unsecured, i.e. does not use SSL at all, then your information must travel to that server in the clear, and anyone capable of listening in on that last hop will have your data. That might be a bad proxy server, introduced e.g. through some form of cache poisoning, but it might just as well be some maintainer of an intermediate transport network listening in on the traffic under his control.

So I'd suggest not to transmit credit card information over a plain connection, ever.

MvG
  • Credit card information is not transmitted. Banks, VISA and PCI don't allow you to transmit it in any way. – GioMac Sep 28 '12 at 11:02
  • PCI must allow for credit card details to be transmitted, seeing as it's done millions of times a day, just only over secured connections. Regardless of whether banks prohibit non-SSL credit card transactions, it doesn't stop Joe Bloggs Co setting up an unsecured web page asking you for payment details, which is what the OP is talking about. These companies are probably putting the details through a customer-not-present PDQ machine; the bank has no idea how they are getting the details, but would probably cancel the business's credit card processing services if they found out. – USD Matt Sep 28 '12 at 11:27
  • Pages may ask for credit card details over insecure channels, but credit card owners should never provide such. If the data actually gets abused, it's its owner who suffers immediate damage, and might have a hard time convincing a judge that the site owner is at fault and should be held responsible. – MvG Sep 28 '12 at 12:21

You shouldn't enter your credit card details on any unsecured website, regardless of what it's for, ever; there's just no justification for a company to have gone to the trouble of providing a web page to take these details and not secured it. If they're not bothering with SSL, I'd also worry about how they're storing the details. In my country (UK) businesses should also be PCI compliant, which also covers how the details are stored, who can access them, how often passwords are changed, quarterly third-party scans of any servers involved, etc.

Ring these companies up and give them the details over the phone, and then tell them that they are seriously risking their customers' security by not paying a tiny amount of money each year for an SSL certificate. (They could even install a self-signed certificate for free if it's a private site only taking details from known people who are happy to do it this way.)

EDIT: Just to answer the actual question rather than point out that anyone who does this is an idiot: the information travels from your machine to the web server in plain text and can be seen by anyone in the path. It could end up being seen by anyone who has access to equipment along the way; it may even end up in logs if ISPs are logging packets. The correct way to secure this is to use SSL.

USD Matt
  • Merchant-level PCI might be in effect or VISA 3D Secure protocol. Both will require encryption, VISA 3D Secure requires SSL. Contact your partner bank for details. Usually card data is entered on processing provider site, not on yours. You only pass authorization messages. – GioMac Sep 28 '12 at 10:59
  • There are many gateways that allow you to take details via your own site and then pass via an API, I assume they will demand SSL for your payment pages though. I personally prefer to use payment systems where you are sent to the providers website to enter details and let them handle security but lots of businesses want to keep everything on their own site. There are also gateways designed to work in iframes so it looks like the customer never leaves your site but details actually go direct to the payment provider. – USD Matt Sep 28 '12 at 11:12
  • PCI/VISA prohibits this. iFrame will be SSL. – GioMac Sep 28 '12 at 11:17
  • Just to add, the reason I said I would worry about the security of the details is that the fact these sites have no SSL suggests to me they are not using a gateway and are just taking the details for manual processing. This could mean they are being emailed to employees in the company, stored in a database, or God knows what else. – USD Matt Sep 28 '12 at 11:18
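Both of the last two answers make the same point: over plain HTTP the form submission crosses every hop in the clear. The following is an added example, not code from either answer or from any project on this page, showing what an on-path observer such as a rogue proxy or a packet-logging ISP actually gets, and the Luhn mod-10 check that scanners (malicious or a DLP/IDS sensor alike) use to pick card numbers out of a byte stream. The HTTP request is constructed for the example; the hostname `shop.example`, the form field names and the order number are assumptions, and the card number is the widely published Visa test PAN, not a real card.

```python
"""Added example (not from the original answers): what a proxy or anyone else
on the path sees when a card form is posted over plain HTTP, and how a scanner
picks the card number out of the other digit runs in the body."""
import re
from urllib.parse import parse_qs

# Constructed sample: one plaintext POST exactly as it would cross the wire
# (or land in a proxy's log) when the form is not served over HTTPS.
CAPTURED_REQUEST = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 72\r\n"
    b"\r\n"
    b"name=J+Doe&card=4111111111111111&expiry=12%2F27&cvv=123&order=1234567890"
)


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn mod-10 checksum used by all
    major card brands; this is what separates a PAN from an order number or a
    phone number of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_http_request(raw: bytes):
    """Split a plaintext HTTP/1.x request into (request line, headers, body).
    No decryption step is needed, which is the whole point."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return request_line, headers, body[:length]


PAN_RE = re.compile(r"\d{13,19}")


def find_card_numbers(raw: bytes) -> dict:
    """What the observer learns: every form field whose value is a 13-19 digit
    Luhn-valid number, keyed by field name. Spaces and hyphens are stripped
    first so '4111 1111 1111 1111' is caught as well."""
    _, headers, body = parse_http_request(raw)
    found = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("utf-8")).items():
            for value in values:
                digits = re.sub(r"[\s-]", "", value)
                if PAN_RE.fullmatch(digits) and luhn_ok(digits):
                    found[field] = digits
    return found


if __name__ == "__main__":
    request_line, headers, body = parse_http_request(CAPTURED_REQUEST)
    print(request_line, "to", headers["host"])
    print("form body in the clear:", body.decode())
    print("Luhn-valid card numbers:", find_card_numbers(CAPTURED_REQUEST))
```

The order number `1234567890` fails the Luhn check and the CVV is too short, so only the `card` field is reported; the expiry and CVV are still sitting in the same plaintext body, and a real interceptor would simply keep the whole request. Over TLS the same observer sees only the record layer and ciphertext, which is why every answer in the thread ends at "use SSL".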