Bugtraq mailing list archives

WebFree E-Commerce "Secure Data" Is Not Secure
From: "Jonathan G. Lampe" <jonathan () stdnet com>
Date: Wed, 21 Nov 2001 17:52:17 -0600

On its WebFree home page ("Smartest way to sell on the Internet"), checksnet.com (aka Glenn Welt Studios) says WebFree offers "* 100% secure data for you and your customer ... not 1 theft reported since 1995".

The "secure data" part isn't true, and I get the feeling they had to stick the "reported" piece in there to satisfy some kind of "what you don't know can't hurt you" clause.

WebFree offers a service which entices people to type in information about their personal checking account so WebFree customers can initiate "check-like" payments through the usual check clearinghouse forum we all know and love. Nothing unusual so far.

However the service relies on a form and some Javascript WebFree customers must place on their own web sites and ALL transactions are sent IN THE CLEAR to a central server ("http://www.checksnet.com/cgi-bin/autocsv.pl").

Most shocking perhaps is that the WebFree form appears to base its claim of secure data transfer on its use of an ENCTYPE="x-www-form-encoded" attribute in the form tag. I can't tell if the author of WebFree is being stupid or intentionally deceptive, but this is probably not the "secure transport" you would want to use to submit your checking account information across the Internet.

(I kind of doubt this one affects anyone with a serious e-commerce site, but you may want to let your grandmother, your brother-in-law and the guy down the street who "just set up a web store" know about this one and remind them to "look under the hood" before investing in or giving their personal information out to cut-rate e-commerce clowns!)
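As an added illustration (not part of the original post), here is the kind of "look under the hood" check a site owner could run against their own order page: parse every form, resolve its action URL, and flag any form that collects account-style fields but posts to anything other than HTTPS, regardless of what ENCTYPE claims. The sample HTML, the input names and the sensitive-field keyword list are constructed for this example.

```python
# Added example (not from the original post): flag forms that collect
# account-style fields but post to a non-HTTPS action. ENCTYPE only says how
# the body is encoded, never whether it is encrypted, so it is reported only.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE = ("account", "routing", "card", "ssn", "password")  # assumed list

class FormCollector(HTMLParser):
    # Collects each <form>'s resolved action URL, enctype and input names.
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "form":
            self._cur = {"action": urljoin(self.page_url, a.get("action") or ""),
                         "enctype": a.get("enctype") or "application/x-www-form-urlencoded",
                         "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(page_url, html):
    # Returns the forms that would send sensitive fields over plaintext HTTP.
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        sensitive = [n for n in form["fields"] if any(k in n.lower() for k in SENSITIVE)]
        if sensitive and urlsplit(form["action"]).scheme != "https":
            findings.append({"action": form["action"], "enctype": form["enctype"], "fields": sensitive})
    return findings

# Constructed sample: the first form mirrors the pattern the post describes
# (plaintext action plus a meaningless enctype); the second is the fixed shape.
SAMPLE_HTML = """
<form method="post" action="http://www.checksnet.com/cgi-bin/autocsv.pl" enctype="x-www-form-encoded">
  <input name="name"><input name="account_number"><input name="routing_number">
</form>
<form method="post" action="https://example.invalid/order">
  <input name="account_number"><input name="routing_number">
</form>
"""
```

Running `audit_forms("http://www.checksnet.com/order.htm", SAMPLE_HTML)` reports only the first form; note that because the page itself is also served over plain HTTP, even a form pointing at an HTTPS action could be rewritten in transit, so the page URL's scheme is worth checking too.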

* * * HISTORY

I "found" this site as I was reading through some back issues of Bruce Schneier's "Crypto-Gram" newsletter. (http://www.counterpane.com/crypto-gram-9906.html) Since the "DogHouse" mention of this site came out way back in June 1999, I wondered what the site owner had done to improve security since Bruce's visit and clicked it up. The surprising answer: not a damn thing!

I sent the following note to the email address listed on checksnet.com's site: (glennwelt () netzero net)

> It appears a form on your site is both available without SSL and submits
> its results without SSL.
>
> (http://www.checksnet.com/order.htm)
>
> In other words any information anyone submits from this form is passed
> through the Internet in the clear for anyone to see. You may want to
> install a certificate (from Verisign or Thawte) on this server to fix this
> problem.

Here was the official company reply: (in full from Glenn Welt Studios)

> Considering we've NEVER lost an order in 7 years nor
> have any of our customers who use the same HTML,
> I'm happy just the way it is.

* * * EXCERPT FROM ORIGINAL SOURCE, CITATION

"The Other Doghouse: ChecksNet

You too can send your bank account name and routing information in the clear over the net. Order your checks from these people. Their Web page clearly states: "ChecksNet protects your personal and bank account information from theft or misuse by encoding and scrambling the data as it is transmitted from this website to us." However, the order form is sent in the clear; they don't use SSL."

Bruce Schneier, June 15, 1999
http://www.counterpane.com/crypto-gram-9906.html

* * * LINKS

http://www.checksnet.com/webfreed.htm
http://www.checksnet.com/order.htm

- Jonathan Lampe
- jonathan () stdnet com
