Body Shop - are payment details encrypted ?

judexx
Posts: 514 Forumite


in Techie Stuff
Was just about to place an order with the Body shop, when I noticed that the page that asks for your credit card details wasn't showing the padlock sign and the web page was http not https.
http://www.thebodyshop.co.uk/checkout/payment.aspx
Am I missing something or are they asking for these details on an unencrypted page ?
0
Comments
-
I'm not an expert on HTML but the page source does contain this code:
<script src="https://app.salecycle.com/salecycle.js"></script>
which might suggest that if you progress beyond the page you have linked to that it might take you to an encrypted payment page.0 -
I'm not an expert on HTML but the page source does contain this code:
<script src="https://app.salecycle.com/salecycle.js"></script>
which might suggest that if you progress beyond the page you have linked to that it might take you to an encrypted payment page.
Thanks for your prompt reply and you certainly know far more about HTML than I do (all I know is to be wary about putting personal info on a page that does not start https).
I'm now slightly confused, the http page that I gave was the actual page that requested your credit card details, would this make it safe or not ?0 -
I just had a look and it's a very poor design. There's no way for the user to confirm that an SSL (secure) connection is used to transmit the card number. I wouldn't put my details in there...
I'm now slightly confused, the http page that I gave was the actual page that requested your credit card details, would this make it safe or not ?
I don't think there's any way to tell (unless you can pick apart the code running on the site and work out what it does with your card details).0 -
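As an added example (not part of any poster's reply, and not code from the site discussed), this is the kind of check "picking apart the code" amounts to: find the form that collects card fields and compare the scheme of the page with the scheme of the URL the form submits to. The sample HTML, the example.test hosts and the field-name heuristic are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CARD_HINTS = ("card", "cvv", "cvc")  # assumed heuristic for card-related field names

class FormAudit(HTMLParser):
    """Collect each <form>'s action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select") and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or a.get("id") or "").lower())

def audit_payment_page(page_url, html):
    """Return (submit_url, verdict) for every form that asks for card details."""
    parser = FormAudit()
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not any(h in f for f in form["fields"] for h in CARD_HINTS):
            continue
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            verdict = "card data sent in cleartext"
        elif not page_secure:
            # The submit is encrypted, but the form itself arrived over http,
            # so it could be altered in transit before the user types anything.
            verdict = "encrypted submit, but form served over http"
        else:
            verdict = "page and submit both https"
        findings.append((target, verdict))
    return findings

# Constructed sample: an http page whose card form posts to an https host.
SAMPLE = ('<form action="https://secure.example.test/pay" method="post">'
          '<input name="cardNumber"><input name="cvv"/></form>')

if __name__ == "__main__":
    for row in audit_payment_page("http://shop.example.test/checkout/payment.aspx", SAMPLE):
        print(row)
```

Only the third verdict gives the customer something they can confirm from the address bar; the second is the "secure but hidden" case the thread is speculating about.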
The part referring to SaleCycle seems to be an app that will monitor your basket and see whether you check out or not. If you abandon it, it'll save your details/basket and email you asking to please check out and buy their stuff.
Having got as far as the payment section, I wouldn't risk my details in there. They're probably sending via a hidden method, but personally I want to know up front that it's all secure. It starts all secure (https) from when you enter your details, until you go to the payment screen, very weird set up that doesn't really give customers confidence.0 -
There is a way to check if they have an active SSL certificate and that is to replace http://www.thebodyshop.co.uk/checkout/payment.aspx with https://www.thebodyshop.co.uk/checkout/mybasket.aspx and see what you get.
In Firefox it gives this:
This Connection is Untrusted
You have asked Firefox to connect securely to thebodyshop.co.uk, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
thebodyshop.co.uk uses an invalid security certificate. The certificate is only valid for secure.thebodyshop.co.uk (Error code: ssl_error_bad_cert_domain)0 -
Depending on which computer system you use (i.e. Windows) you should see Green in the address bar (www bar) with a padlock and httpS when making payment. You might even see a notification pop up stating something like: Can you trust this Certificate.......all good secure websites have their own certificate and invest in SSL.
I cannot see a company like Body Shop failing this; they wouldn't live down the bad press if they did. Remember, when searching google for example "we" tend to go for the top search results on page 1 and not those on page 50 simply because "we" know they should be the trustworthy, top listed, websites with all the security bells and whistles in place.0 -
It does start out being secure, in the first pages where you enter your personal details, it will show the certificate/https etc, but it reverts back to a normal http page for the actual card numbers. I suspect they're doing it secure hidden into the page, as WilliamO does say, couldn't see Body shop failing with this, but in this day and age it needs to be physically shown, not just a little graphic saying it's secure.0
-
Many thanks for all your replies - I thought at first that I must be overlooking something obvious.
Like WilliamO says I would be amazed if a company like the Body Shop were not securing details, but customers need to know this. They can't expect us to have the expertise to go digging around in the code to find out.0 -
On the odd chance that your details will be caught, then remember it's not like your money will be lost forever.
But saying that, it is the Body Shop's awful design, which shouldn't be swapping between secure and not secure. Tried raising this on Twitter?
I have purchased using the website many times. Good deals to be had!0
This discussion has been closed.