Insecure Christmas Shopping: Am I Taking Crazy Pills?

I’ve done a lot of Christmas shopping online this year.  It’s perfect for the gift giving I like to do: I prefer to give experiences instead of products because most of the people I shop for don’t need more material possessions.  It’s all samsara anyway, right?

I’ve found that many of these experiential type places are small and don’t pay attention to online security.  They’re asking for credit card numbers and the like through forms with no SSL certificate behind them.  That’s credit card info in plain text, everyone!  I recall two sites in particular because I called them on the -gasp- telephone to buy gift certificates “securely” instead of over the internet:

  1. Gold Lake Spa (http://goldlake.secure-shops10.com/view_category.asp?cat=32)

    • Great place to relax and visit, terrible place to shop “securely” despite the word “secure” in the URL.  The page doesn’t even load over https, so this is clearly a case of somebody not spending a few hundred bucks to secure their shoppers’ experience. 

  2. St Elmo Hotel (http://www.stelmohotel.com/gift-certificates.html)

    • Another fine Colorado mountain escape, but no SSL on that form action: the page submits your card details to a plain http:// URL.  Submit at your peril!

When I spoke to these places, both were very concerned that I didn’t want to enter my payment information through their website — they both explained that they never had anyone comment about SSL and that they figured their sites were as secure as amazon.com.  In the words of the great movie Zoolander: Am I Taking CRAZY Pills? 

I guess I can’t really fault the hotel owners; it’s whoever set the sites up and advises them on technology who is really at fault.  As a public service, I’m linking to a good summary of how you can tell if you’re in a secure online shopping situation.  Most shared hosting solutions have very reasonable SSL shopping plans, so just because you’re a small business doesn’t mean you can’t be secure.
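The check that matters for both sites above is not the padlock on the page you are looking at, but where the form with the card fields actually goes when you hit submit.  The script below is an added example, not code from the original post: it parses a page, resolves each form’s action against the page URL, and flags any form that collects card- or password-looking fields and posts them to a non-https URL.  The sample page, host name and field names are constructed for the example and are not the real sites’ HTML.  It also notes when the page itself came over plain http, since an attacker who can rewrite the page can rewrite the action too.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic: field names that suggest payment or credential data.
SENSITIVE = re.compile(r"(card|cc|cvv|cvc|expir|exp_|pass|ssn)", re.I)


class FormAuditor(HTMLParser):
    """Collect every <form> on a page with its resolved action and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action submits back to the page's own URL.
            action = attrs.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name") or attrs.get("id") or ""
            self._current["fields"].append((name, (attrs.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: resolved action, sensitive fields, and whether
    the submission would travel in plain text."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    page_over_http = urlsplit(page_url).scheme.lower() != "https"
    findings = []
    for form in auditor.forms:
        sensitive = [n for n, t in form["fields"] if t == "password" or SENSITIVE.search(n)]
        scheme = urlsplit(form["action"]).scheme.lower()
        findings.append({
            "action": form["action"],
            "sensitive_fields": sensitive,
            # Card data posted to anything but https goes over the wire in the clear.
            "insecure": bool(sensitive) and scheme != "https",
            # Even an https action is only as trustworthy as the page that served it.
            "page_over_http": page_over_http,
        })
    return findings


# Constructed sample page (hypothetical host, not any real site's HTML).
SAMPLE_PAGE_URL = "http://example-spa.invalid/gift-certificates.html"
SAMPLE_HTML = """
<html><body>
<form action="/cgi-bin/search.cgi" method="get">
  <input name="q" type="text">
</form>
<form action="order.asp" method="post">
  <input name="recipient" type="text">
  <input name="cc_number" type="text">
  <input name="cc_exp" type="text">
  <input name="cvv" type="text">
  <input type="submit" value="Buy gift certificate">
</form>
<form action="https://secure.example-spa.invalid/login" method="post">
  <input name="user" type="text">
  <input name="pw" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "INSECURE" if f["insecure"] else "ok"
        print(f"{status:8} {f['action']}  fields={f['sensitive_fields']}")
```

On the sample page only the gift certificate form is flagged: its relative action resolves to http://example-spa.invalid/order.asp, and it carries three card fields.  The login form posts to https and passes the per-form check, but because the page itself was served over http the finding still carries page_over_http, which is the caveat to keep in mind when a site tells you "the checkout is secure".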

I suppose I need all the SSL caveats here, to head some of you commenters off at the pass:

  • SSL does not guarantee 100% privacy, but it is the standard for secure online communications and relied on by the majority of online businesses.  I read a Dan Brown book about web security to the contrary, but he’s a fiction writer after all . . .

  • Yes, I realize my telephone calls could have been intruded upon and somebody could have stolen my credit card info that way. 

  • Yes, I realize my credit card info could be abused by whoever takes my phone call on the other end of the line.

While I realize the odds of somebody intercepting HTTP packets to grab credit card information are slim, it’s all in plain text for anybody on the path to see if you aren’t in an SSL session.  This is 2004 and the internet and internet consumers should be mature enough to know secure from insecure.  Maybe I’m still up in my ivory tower and expecting too much from the public. 

