Call 18866 POTENTIAL SECURITY HOLE!
avidreader_3
Posts: 7 Forumite
in Phones & TV
I was issued a new bank card recently and had to update my debit card details on the call18866.co.uk website for payment. I noticed the update page was encrypted using SSL, as you would expect HOWEVER ... my card details (card number, security code, expiry date and name on card) were all transmitted as PLAINTEXT through the URL. I.E. - my details appear NOT TO HAVE BEEN ENCRYPTED when sent to call 18866, meaning administrators at my company, ISP etc could have access to logs which contain my card details.
I have since cancelled my card (which I have had for about 3 days!) and sent call 18866 an email. As yet, I have had no response. Has anyone else had a problem with this?? Would anyone with in-depth knowledge of web systems like to investigate further?? This is concerning me to say the least!
0
Comments
-
I shall be checking this as I recently updated my card as well.
I owe £3233 @ 0%
-
avidreader wrote: I noticed the update page was encrypted using SSL, as you would expect HOWEVER ... my card details (card number, security code, expiry date and name on card) were all transmitted as PLAINTEXT through the URL. I.E. - my details appear NOT TO HAVE BEEN ENCRYPTED when sent to call 18866, meaning administrators at my company, ISP etc could have access to logs which contain my card details.
It looks absolutely rock solid secure to me !
How do you know the data was transmitted unencrypted ? Did you use a sniffer ?
I think you will find that the data was encrypted - unless there is a security flaw (which would affect every company and not just 18866)
Besides all that - why on earth would 18866 want to screw up the security so that other third parties unknown to them would be able to take advantage ???
To infinity and beyond!
-
Hi there,
Why don't you use DD to pay? Wouldn't that be safer?
Mortgage-free wannabe!
-
You are wrong! This may indeed only affect Call 18866 depending upon their use of the GET and POST command on their web page. The card update form indeed uses the correct method - POST but the PHP script this is submitted to is different to the one that displays the "Thank You for Changing Your Details" junk. Check the URL on THIS PAGE! and you will find your CARD No., Card Name, Security Code and Expiry Date IN THE URL. URLs are transmitted as plaintext - how many websites have you seen that do this?? Does Hotmail display your password in the URL when you login?? Does Amazon or Play.com display your Card Number when you pay - The answer is NO! and neither should Call 18866!
-
ruyareece wrote: Hi there,
Why don't you use DD to pay? Wouldn't that be safer?
As far as I know you can only pay by Credit or Debit card - perhaps I am wrong on this one - but I would much rather pay by DD.
-
Hi avidreader,
I've been signed up to 18866 for 2 months and I'm paying by DD, I think it's only been going for 3 months or something.
Mortgage-free wannabe!
-
ruyareece wrote: Hi avidreader,
I've been signed up to 18866 for 2 months and I'm paying by DD, I think it's only been going for 3 months or something.
I stand corrected - just been looking at their FAQ and they do indeed offer DD. I shall be signing up for that. I have been registered for months. Thank you!
-
avidreader wrote: I stand corrected - just been looking at their FAQ and they do indeed offer DD. I shall be signing up for that. I have been registered for months. Thank you!
You're welcome!
I distinctly remember going for 18866 cos of the DD option, I don't really like to do regular payments from my CC!
Mortgage-free wannabe!
-
You are wrong!
If I understand your description correctly then he is not wrong.
SSL (used by browsers when the address begins with "https") is an end-to-end encryption scheme which means that the data remains encrypted from the browser to the end server. This means that the entire request be it a GET or POST is encrypted including the request URL which appears in the first line of the request message.
Having said that I don't think it's such a good idea to have details such as this in the query string of the URL because it can cause this sort of confusion to users.
-
I've just gone through the process myself and I can confirm that the site does use the secure https protocol. So there's no risk of your card details being seen by anyone else. As ericpode says, the request URI is also sent encrypted, so there's really no problem.
Personally I wouldn't have cancelled my card anyway as the chances of somebody intercepting it and actually being able to use it are so ridiculously tiny. There's far more risk involved in giving out your card number over the phone!
0
This discussion has been closed.
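The thread turns on card details appearing in the query string of an HTTPS URL. As an added example (not part of the thread and not Call 18866's code): TLS encrypts the request line in transit, but the receiving web server's access log normally records the full request target, so a site operator can scan logs for Luhn-valid card numbers in query strings and redact them. The log lines, paths and parameter names below are constructed, and 4111111111111111 is a standard test number.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed combined-format access log; paths and parameter names are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2006:10:01:02 +0000] "POST /update_card.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2006:10:01:03 +0000] "GET /thanks.php?card=4111111111111111&cvv=123&exp=0908&name=A+Reader HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2006:10:05:00 +0000] "GET /faq.php?id=1234567890123456 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PAN_RE = re.compile(r"^\d{13,19}$")  # card numbers are 13 to 19 digits


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters out long numeric IDs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str):
    """Return (finding, redacted_line); finding is None when the line is clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None, line
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = [k for k, v in params if PAN_RE.match(v) and luhn_ok(v)]
    if not hits:
        return None, line
    # A card number in the query string means its neighbours (security code,
    # expiry, name) are likely sensitive too, so redact every parameter value.
    safe_target = parts.path + "?" + urlencode([(k, "REDACTED") for k, _ in params])
    finding = {"method": m.group("method"), "path": parts.path, "pan_params": hits}
    return finding, line.replace(m.group("target"), safe_target, 1)


def scan_log(text: str):
    """Scan a whole log; return (list of findings, list of redacted lines)."""
    results = [scan_line(line) for line in text.splitlines()]
    return [f for f, _ in results if f], [r for _, r in results]
```

The POST line produces no finding because the form body is not part of the logged request line; only the GET to the confirmation page is flagged.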
