WebApp Sec mailing list archives
Re: as security pro's, how do you use the web now?
From: Matthew Caston <mattcaston () mchsi com>
Date: Wed, 19 Jan 2005 09:37:50 -0600
ACMurray () cmp com wrote:
...how many times have you withdrawn cash from a quickie-ATM at the local bar/gas station or been to the local dive bar; your local coffee house; a car wash; book store or corner store....and so on, and made a purchase with either your credit card; or paid by check and had to show ID? Have you ever asked the local store owner what kind of security s/he has in place; have you ever asked what kind of screening process their employees are subject to; have you ever performed a business check on one of the many thousands of ATM vendors now dotting the landscape?Hi Daniel, This is an interesting issue. I can see why it's tempting to poke around the site to see if it's secure--after all, you have a right to protect yourself. That said, I still think it's unethical, even if it was just a half-hearted cracking attempt; breaking the law just to check whether someone else might be able to break the law isn't a defensible position. Ethics aside, doing a half-hearted crack job probably isn't that helpful anyway; just because you didn't break in doesn't mean someone else can't. And if you did break in, what makes you think that putting in an order via phone makes your data more secure than doing it via the Web site? Your credit card info is still going to be entered into a database that may or may not be secure, and will be handled by employees who may or may not be trustworthy. If you're really that worried about the security of the site, I think you're better off not doing business with them. Just my two cents. Best, Andrew Andrew Conry-Murray Technology Editor Network Magazine acmurray () cmp com (415) 947-6342Rogan Dawes <discard@dawes.z To: Daniel <deeper () gmail com> a.net> cc: webappsec () securityfocus com bcc: 01/14/2005 08:15 Subject: Re: as security pro's, how do you use the web now? AM Please respond to "lists AT dawes DOT za DOT net"Daniel wrote:With more of my purchases being made on the web today, i'm always concerned that the site I'm using is making use of decent security standards. Last night i was purchasing some art on line and when it came to the payment section, the whole thing was iffy and didn't seem right. Even on the most basic input field, there was no validation being performed (yes i added a back tick, and even though some might find this wrong, i would like to know that my banking details are being handled in accordance with UK data protection laws) I didn't go any further and decided to phone in my order via the phone. Does anyone else do this? I know that it opens up a whole can of worms regarding acceptable usage of the site, and it would be interesting to see what other people think. DanielHi Daniel, I think that in the absence of any other means of determining the overall security of a site (some recently issued reputable security certification, perhaps), that sort of test is roughly equivalent to rattling your front door after you have locked it, to ensure that it stays locked. While perhaps conflicting with the letter of the law, I don't think that it is an entirely unreasonable thing to perform one or two "peace of mind" tests before you hand over your details. What I'm trying to say is that I commend you for your vigilance, even if I am not that vigilant myself. Regards, Rogan "Back ticks" (``), however, are unlikely to reveal much about the security of the site. They are generally used by a Unix shell for command interpolation, rather than as string delimiters in a SQL command. Did you mean "single quotes" (''), perhaps? -- Rogan Dawes *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net" __________________________________________________________________________________________ Any views or opinions are solely those of the author and do not necessarily represent those of CMP Media LLC, 600 Community Drive, Manhasset, NY 11030. The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this message please do not read, copy, use or disclose this communication and notify the sender immediately. It should be noted that any review, retransmission, dissemination or other use of, or taking action or reliance upon, this information by persons or entities other than the intended recipient is prohibited. __________________________________________________________________________________________
At the end of the day we all take a leap of faith when it comes to making purchases on or offline - just protect yourself as best as is possible...don't use your debit card, use a CC with purchase protection - AND - make sure you check the statement carefully.
So, to answer the subject line question: I use the web the same way I always have and in much the same way as I make purchases offline...with a healthy dose of paranoia; I use only CC's with 100% fraud/purchase protection; I subscribe to a credit monitoring service which also provides ID theft coverage/protection; I question (read: refuse) requests for superfluous information (you know the ole' "can we have your zip/phone number to help us better market our services line) With that said, I'm certainly not going to waste time poking around trying to find "holes" in my local book stores'/watering hole security schema and wouldn't do it online either - chances are, and as Andrew points out, whether it's by phone/email/web your data will end up in the same database anyway.
Current thread:
- as security pro's, how do you use the web now? Daniel (Jan 14)
- Re: as security pro's, how do you use the web now? Haroon Meer (Jan 14)
- Re: as security pro's, how do you use the web now? Rogan Dawes (Jan 15)
- <Possible follow-ups>
- RE: as security pro's, how do you use the web now? Sorensen, Clark C (Jan 15)
- Re: as security pro's, how do you use the web now? ACMurray (Jan 19)
- Re: as security pro's, how do you use the web now? Matthew Caston (Jan 23)