Time to show sloppy websites the red card
You can't get away with poor payment security in 2019, no matter how small your business
It's fair to say that I'm a fairly impatient person and that I wouldn't survive long under a stress test. But I don't think it's at all unreasonable for my patience to have snapped with business owners who take a cavalier attitude to my personal data.
To be clear, I'm not talking about the giant corporations that seemingly work on a rota to hand out my usernames and passwords to anyone attacking them with something stronger than a Commodore 64. They felt the weight of my disdain years ago. I'm talking about small business owners who still display infuriating levels of incompetence when it comes to taking care of sensitive data.
My trigger-happy temper was prodded recently when I tried to hire a piece of medical equipment for the football club I work with. This piece of equipment is made by a small UK firm and it's pretty much the sole distributor in this country.
The signs weren't great when I arrived at the company's website: it looked like it had last been updated in the Britpop era. The site was about 800 pixels wide and 400 pixels deep, doubtless designed to accommodate the limited resolution screens of yesteryear, but now looking like a piece of conceptual art.
I wanted to check if the company had a machine in stock and, having judged that a site designed for Netscape Navigator was unlikely to have a live stock ordering system, I rang the phone line. They've got one, the sales assistant told me, but if I wanted to hire it I had to fill out the form on the website.
It was at this point I began to wonder if I might need some medical treatment myself, because what I found on that website wasn't an encrypted web form ready to take and process my order, but a flat PDF download. The company wants its customers to fill in their personal details (full name, address, date of birth, email, mobile number) and payment details (card number, expiry date, even the three-digit security code), then scan it in and either fax(!) or email the form back to them. If you were tasked with inventing a payment system with the maximum possible chance of data theft, you'd be hard pressed to come up with a better one.
I rang the company back, uttering the despicable phrase "I'm an IT journalist" and advised them their ordering system was about as secure as Nigel Farage's chances of becoming president of the EU. The agent asked me to email my concerns to the managing director, who ten minutes later replied with: "If you cannot send the form back via a secure encrypted service then feel free to send all other details and someone from the office will call for payment details."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
I tried explaining to Tim Berners-Lee's long-lost brother that I couldn't just encrypt an email and bang it off to them, without some prior sharing of encryption keys -- and, anyway, that's not what his order form was inviting customers to do. It just told them to email the form to a regular email address.
At this point, matey clearly Googles "email encryption", takes a note of the first result he can find and replies: "If you're not comfortable sending the completed form back via Egress or a similar secure file sharing service someone from the office can call and take card details," before adding: "We never ask for full card details to be sent via normal email."
Would you give your credit card details to a company that thinks it's fine for customers to just email them unencrypted scanned forms with all the details required for a spot of ID theft? Even if the sales assistant in the office will take the card details over the phone, what's to say they're not jotting them down on a paper form themselves? It's not as if the company has the first clue about data security in the place.
Desperate to get the equipment, I even offered to send the hire money via direct bank transfer, but the MD wasn't having it. The machine was worth 3,000 and he needed our credit card number on record in case we ran off with it. I pointed out we weren't the security risk and left him to it. A fortnight later, that insecure form is still on the firm's website.
I dithered over naming the company here -- and another one with the exact same form that also hires out these machines in the UK. But you're smart enough not to deal with such firms in the first place, and I don't want to give hackers the easiest of targets. Not because the firm deserves to be protected, but its customers don't deserve to have their cards stolen.
Yet, I'm miffed that companies still carelessly jeopardise people's security. Ten years ago, you might have forgiven a small business for basic e-security lapses, but not today. We shouldn't have to wait until data leaks occur before firms can be prosecuted. They should be prosecuted if they're doing something that blatantly puts customers at risk, or the nonchalance will never stop.
Barry Collins is an experienced IT journalist who specialises in Windows, Mac, broadband and more. He's a former editor of PC Pro magazine, and has contributed to many national newspapers, magazines and websites in a career that has spanned over 20 years. You may have seen Barry as a tech pundit on television and radio, including BBC Newsnight, the Chris Evans Show and ITN News at Ten.