I’m annoyed. Maybe it’s because I just had to pay a R500 fine for not having renewed my license in time, but when after using the (very useful) facility at http://www.paycity.co.za to pay said fine, I was asked for some feedback (“What do you hate about PayCity?”) I gave them what follows. Summary: web security is serious, so stop mucking around. Here goes.
I heard that my PayFines account was automatically merged into PayCity, and when I went to www.payfine.co.za it redirected me to www.paycity.co.za so I again assumed that my account was now active on paycity.co.za.
But when I tried to log in nothing happened. Literally nothing. No error messages, no feedback, nothing.
I had to create a new account. That worked fine, at least.
The background of the username and password input textfields is a base64-encoded GIF. To give a uniform orange background. Are you serious?!?! Take it out - it serves absolutely no purpose, and makes me wonder what your web team was thinking.
And the entire submit form is…wait for it…a TABLE! Yes, a TABLE! In 2013! That’s amazing. Give your web designers a pat on the back. And tell them 1995 called and wants its table back.
Whoever designed your payment forms needs a strong dose of usability. Hint: when there are two values in a dropdown select list, and the user could choose either of them, don’t automatically set a default value. How many Visa users have had to resubmit their transaction because “Mastercard” was automatically selected? And you get charged for each time a user submits a transaction! Fix this bug. Look, I just saved you R100,000 this year.
Example number two: if you’re going to ask me, in a feedback form, if I follow you on Twitter or Facebook, and then suggest I should, maybe it would be useful to, I don’t know, place a link to both accounts underneath those questions?! Hey, I just met you, and this is crazy, but I’m going to make it easy for you to find my social media accounts, so follow me, maybe.
Why should I care about this nonsensical display of web design skills? Because, and this is important, I am entrusting your site with my credit card details! If the quality of your web security is the same as the quality of your web design, I am very, very worried.
On that note, your Terms & Conditions say that my credit card details are “secured by a variety of security measures that are reasonable”. Nowhere in your Ts&Cs do you actually say that I can store my credit card details on your server (which I will NOT do), but even worse, you do not say exactly how they are stored, where they are stored, who has access to them, and how they are decrypted (because of course they’re stored encrypted, right?). If they are encrypted with the user’s password, do you enforce strong passwords? Do you salt the encrypted passwords with a secret key?
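The questions in the paragraph above (per-user salt, a secret key, enforced password strength) are what a credential store is supposed to answer. The following is an added example, not PayCity's code and not something their Ts&Cs describe: it derives a verifier with PBKDF2-HMAC-SHA256 over a random per-user salt plus a server-side secret ("pepper", a constructed placeholder here), rejects weak passwords before hashing, and compares in constant time. The iteration count, the strength rule and the pepper value are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed placeholder. In a real deployment the pepper lives outside the
# database (secrets manager or HSM) so that a dump of the users table alone
# is not enough to start offline guessing.
PEPPER = b"example-pepper-not-a-real-secret"
ITERATIONS = 200_000  # assumption: tune to your hardware budget

def password_is_strong(pw: str) -> bool:
    """Minimal policy (assumption): at least 12 chars and three character classes."""
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return len(pw) >= 12 and classes >= 3

def hash_password(pw: str) -> dict:
    """Return the record to store: per-user salt, iteration count and derived hash."""
    if not password_is_strong(pw):
        raise ValueError("password does not meet the strength policy")
    salt = os.urandom(16)  # fresh random salt per user, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode() + PEPPER, salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def verify_password(pw: str, record: dict) -> bool:
    """Recompute with the stored salt and compare without leaking timing."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode() + PEPPER, bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

if __name__ == "__main__":
    rec = hash_password("Correct-Horse-Battery-9")
    print(verify_password("Correct-Horse-Battery-9", rec))  # True
    print(verify_password("wrong-password-1", rec))         # False
```

Two users with the same password get different records because of the salt, and the pepper means the stored record is useless for offline guessing unless the attacker also has the server secret. Note that this protects passwords; card data is a separate question, and a password-derived key only helps there if the password is strong enough to withstand offline guessing.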
Have you heard of the Sony Playstation hack? Do you realize that your site is a magnificent target for hackers?
The most public website to launch recently was mega.co.nz. They have published details of how they do “secure, private storage” - which is a good way to know how secure the service is. Hint: merely saying “we use a variety of security measures” is NOT an adequate security policy. This allows people who know about security to know how secure the offering really is (because people are smart like that). And allows articles like this - http://arstechnica.com/business/2013/01/megabad-a-quick-look-at-the-state-of-megas-encryption/ - which show that, in Mega’s case, simply “using encryption” does not automatically make the service “secure” (and let’s not pretend there is such a thing as “secure”, there are only degrees of security - and if the world’s leading security expert, Bruce Schneier, says that, don’t claim that your offering is “secure”. That only tells me that when it comes to security, you don’t know what you’re doing).
The article I just linked to says at one point: “It’s annoyingly unclear [from Mega’s documentation]…” and goes on to talk about such technical details as not knowing how the RSA private key is encrypted, or not knowing where it is stored. The same applies to the single line you devote in your Ts&Cs to assuring me, your loyal user, that my credit card details are “secured by a variety of security measures that are reasonable”. I would like to know WHAT those “security measures” are, so that I can decide if they are reasonable.
It keeps getting worse. The email you sent me when I created an account on your site proudly proclaimed, “Paycity.co.za is now 3D Secure.” That’s fantastic! Except it isn’t (using 3D Secure, that is). How do I know? Because my credit card is 3D Secure enabled, and did 3D Secure come up during the process of paying my fine? No, it did not. So why tell me you’re using 3D Secure when you’re not? Just messing around? See the theme here?
And why tell me in an email that you use 3D Secure but there’s no mention of that in your Ts&Cs? Do your email content people not talk to your web content people?
I would like to know how my credit card details are stored, please. For all I know the details are stored unencrypted in a database table on the same server that the website is on, in a table called “credit_cards”, and your website hasn’t been pentested for SQL injection. You may as well hang a sign on the door saying, “Help yourselves, hackers!”
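The scenario above (card data in a plain table behind an untested query) is exactly what a SQL injection check looks for. As an added example that is not PayCity's code, the block below builds a small in-memory SQLite table and puts the string-concatenated lookup beside the parameterised one, so the difference is visible on a crafted input: the first returns every row, the second returns nothing. The table name, columns and rows are constructed for the example; it deliberately stores a processor token and the last four digits rather than a card number, which is the usual way to keep full PANs out of your own database in the first place.

```python
import sqlite3

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: tokens and last-4 only, never the full card number."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE saved_cards (user_email TEXT, card_token TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO saved_cards VALUES (?, ?, ?)",
        [
            ("alice@example.com", "tok_example_a1", "4242"),
            ("bob@example.com", "tok_example_b2", "1111"),
        ],
    )
    return conn

def lookup_cards_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect: user input is pasted into the SQL text, so quotes change the query."""
    sql = f"SELECT user_email, last4 FROM saved_cards WHERE user_email = '{email}'"
    return conn.execute(sql).fetchall()

def lookup_cards_safe(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a bound parameter is always data, never SQL, whatever it contains."""
    return conn.execute(
        "SELECT user_email, last4 FROM saved_cards WHERE user_email = ?", (email,)
    ).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    crafted = "x' OR '1'='1"  # a tautology that a pentester's first probe would try
    print(lookup_cards_vulnerable(db, crafted))  # both users' rows come back
    print(lookup_cards_safe(db, crafted))        # []
```

The parameterised form is the whole fix; no escaping or input filtering is needed on top of it. A review that greps the codebase for f-strings or `%`/`+` concatenation feeding `execute()` will find the vulnerable pattern quickly, and an automated scanner would flag the same difference on the crafted input shown.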
I would really like a response, please, which I will also gladly add to my post at http://rogersaner.tumblr.com - which is simply my above feedback, for public consumption and awareness.
PS - if you want useful and meaningful feedback, then try not to restrict the number of allowed characters in your textarea to 512 characters. It’s silly.