While it’s the data breaches at big companies that make headlines, small operations are often the sloppiest. A few days ago I started to register for Philcon. The only option was online registration. I chose one adult full membership and was taken to the following URL:
http : //2014.philcon.org/index.php/component/hikashop/checkout?Itemid=131
(WordPress automatically turns anything that’s syntactically a URL into a link, so I’ve put spaces around the colon to prevent this.)
That page asks for either a login with an existing password or registration with entry of an existing password. In either case, the password will be sent as cleartext. This is seriously bad security for any site that’s handling money.
I wanted to see if it would do the same when asking for my credit card information. If it did, that would be egregiously bad security. Here, though, things just got weird. I entered clearly fake information, selected Visa for my payment method, and clicked to continue. This brought me to a page that had a message at the top, “You cannot access the private section of this site,” but was still allowing me to proceed. It claimed that I had chosen PayPal for my payment method. I tried going back but couldn’t find any way to change the payment method.
When I clicked on “Finish,” I was taken to a secure PayPal page, where I stopped. I went back to the Philcon site and found that my shopping cart had been cleared; at least that’s worth something as a security touch. I tried to log in again, and kept getting “You cannot access the private section of this site,” this time keeping me from going further. (If I entered the wrong password I got a different error message, so I had successfully registered and was using the right password.) As a further check, I tried logging in from two other browsers, first clearing all cookies, and got the same error message about the private section. I don’t know what the “private section” is or why the server thought I was trying to access it; maybe that’s where credit card payment happens if you can get there.
I would have been happy to register with a paper form, but the site didn’t provide one. A couple of days ago I learned from another person with the same problem that he was being told that no one else was complaining. I gave him permission to say I was complaining too, and now there’s an option to download the flyer. Philcon’s online registration is frighteningly buggy, so I recommend using the paper form.
See you at Philcon, if they don’t ban me for posting this.