Local eCommerce website user details exposed

Their site design is shocking. Actually, so is Twangoo's. Have none of these people done any usability studies?? And don't get me started on Twangoo - do you know they're in the ISPA hall of shame for spamming? (http://www.ispa.org.za/spam/hall-of-shame) Apparently when you refer a friend they just SUBSCRIBE that friend without an opt-in. A due diligence would have exposed that Twangoo contravene the ECT act.

I brought that to their attention a few weeks ago and they said they have fixed that problem. Apparently it was a case of them not realising that people would spam their friends en masse to get referral fees.. Again.. naive.. but in general I do find them very responsive to issues (yes I am a Twangoo user but not a Wicount user, mainly b/c Twangoo 'looked' more professional)
 
Dan from Wicount here. I would just like to respond to some of these posts and to this issue in general. First of all, we owe all of those customers that have been exposed a sincere apology. We screwed up. Just to clarify some of the above issues, we aren't owned by Shopdirect. We used Shopdirect to develop our initial system for us and I think, other than this security breach, they've done a pretty good job and the system has gotten us where we are today. About 2 months ago, we mutually agreed with Shopdirect that it was time to move on from them as we wanted to bring the tech "in-house" and to upgrade the system in general. Since then, we have been working with a fantastic team of developers to upgrade our technology. We are currently in the testing process of the new system and hope to do the final "hand-over" from SD by the end of next week. The site currently live is still the SD site and, unfortunately, this security issue did slip through the cracks. We would like to emphasize that our system is secure, particularly in terms of credit card information - we use SSL - and the details are passed directly to the payment gateway so we don't have access to it. Feel free to contact me directly at [email protected] should you have any questions about this, or if you are a customer that would like to discuss this with me further.
 
Hi all,

I have been following this thread keenly and wanted to clarify the following.

The nature of the Wicount shopping cart is highly specialized and many customizations have been performed specifically for them, and do not affect our core system. The creation of a deal list for supplier verification purposes as requested by Wicount was implemented per thier specification and has absolutely no impact on any of our standard shopping cart customers.

ShopDirect maintains the highest security and has never before experienced the exposure of user details since its inception in 2004. Please feel free to contact me on 086 161 7467.

James
 
Reports have emerged that one of the local deal websites, WiCount, is exposing user details, including names, email addresses, customer numbers and even transaction details

*whew!* I don't use them. And after this, probably never will! ;)
 
Hi Dan - I stand corrected on the point of ownership, but I still find myself surprised that you have not built your site to exclude Google's spider from certain areas? I mean, this is old, but have you guys gone through stuff like this: http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html ? These are beyond basic security measures. You say your system is secure because you use SSL...but you're at least partly talking to a technical audience. Waving the SSL flag doesn't satiate us - SSL 2.0 is horribly insecure, by means of an example.

James - you say that you built this supplier verification thing as "per thier specification" (sic) but if a client's specification includes "must be completely available on the open Internet and must not require any form of login or security" surely you go "woah that's a bad idea"? As a company that CLAIMS to run a secure service, I would hope that you have the presence of mind to assist people paying you for your development services to implement very basic security? You are JUST AS RESPONSIBLE for this breach of confidentiality and user details as the company that requested the work, if not more so. You cannot play this pawning-off-of-responsibility game.
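The point raised above (keeping a spider out of a directory is not the same as putting the supplier deal list behind a login) as a small added illustration; this is not Wicount's or ShopDirect's code, and the deal list, session token and WSGI routing are constructed for the example:

```python
"""Added example: robots exclusion versus real access control.

A robots.txt Disallow is advisory; any crawler or person can ignore it.
The only thing that keeps a supplier-only list off the open Internet is
refusing to serve it without a valid session. Data below is constructed.
"""
import hmac

# Constructed sample data standing in for an exposed "deal list" page.
DEAL_LIST = [
    {"customer": "A. Example", "email": "a@example.invalid", "coupon": "C-0001"},
    {"customer": "B. Example", "email": "b@example.invalid", "coupon": "C-0002"},
]
# Constructed: server-side set of currently valid supplier session tokens.
VALID_SESSIONS = {"supplier-session-token-abc123"}
NOINDEX = ("X-Robots-Tag", "noindex, nofollow")

def _authenticated(environ):
    """True only if the request carries a session cookie we issued."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name != "session":
            continue
        # Constant-time comparison against each known token.
        if any(hmac.compare_digest(value.encode(), s.encode()) for s in VALID_SESSIONS):
            return True
    return False

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        # Asks well-behaved crawlers to stay out of /suppliers/; nothing more.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"User-agent: *\nDisallow: /suppliers/\n"]
    if path.startswith("/suppliers/"):
        if not _authenticated(environ):
            # The actual control: no valid session, no customer data.
            start_response("401 Unauthorized", [("Content-Type", "text/plain"), NOINDEX])
            return [b"login required\n"]
        body = "\n".join(f"{d['customer']},{d['email']},{d['coupon']}" for d in DEAL_LIST)
        start_response("200 OK", [("Content-Type", "text/plain"), NOINDEX,
                                  ("Cache-Control", "no-store")])
        return [body.encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]

def request(path, cookie=""):
    """Call the app offline without a server; returns (status, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return captured["status"], body
```

Swap the session set for a real session store and the list for a database query; the shape of the check stays the same.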
 
Another fat black paint on the face of online shopping. I hope it doesn't bring all the sharks to SA shores because I don't think our internet trading is yet secure to the letter.
 
This is why you choose to do business with one or two established and reliable online sites. The more small sites have your details the greater your chance of getting shafted by cowboys like this.
 
This is why you choose to do business with one or two established and reliable online sites. The more small sites have your details the greater your chance of getting shafted by cowboys like this.

Whilst that is true, I have had exceptionally good experiences with PayFast, so I also tend towards sites that use them. If you are technically minded, their implementation documentation speaks VOLUMES for their attention to security. Plus, the reality is that you can use a shortened form of your name and a throwaway email address with smaller sites if you're super worried. I wouldn't go so far as to sound the death knell for ecommerce startups or vow never to buy online. Besides, if you don't buy online, how are you going to get a Poken? (I love my Poken!!)
 
I see the names of friends of mine on that list... shame.
 
Have you guys seen the blog post at http://itgeeks.bundublog.com/2011/01/19/wicount-statement-regarding-email-address-security-lapse/ ?

So far my favourite quotes are:
- "a single page on the site" (when I checked it was almost 50 pages generated by the one ASPX page?)
- "exposing a few of the users" (in my discussions with someone that ripped the whole thing he said that he has 1007 unique user details)
- "email addresses and usernames" (let's try that again: full names, email addresses, coupon IDs, and buying history on the site. No usernames.)
- "quickly rectified" (if taking like 12 hours to delete a page is quick for them, I don't want to know what slow is)
- "A user error accidentally placed some email addresses outside the security layer" (I thought it was ShopDirect? Or it was the old development? Or it was their specification? Now it's a USER that placed the email addresses there?!!??)

Starting to get sick of the lies, shilling, and blame-shifting.
 
Hah - have you guys seen the site today? Can I get a pwned? Eish...
 
NM - was maintenance. But their SSL certificate is invalid:

"www.wicount.co.za uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)"
 
I find that many companies go cheap on certificates in the first place. There should be no excuse (other than having to pay 600 USD p.a. for the cert) to use extended verification certificates - I guess most companies go through the hassle as it is a rigorous process requiring a few days of work during the verification process. To leak customer data or make those accessible without authentication is blatant neglect. Makes one wonder how those companies manage their credit card information and how well they comply with legislation (PCI).
 
Given the leak they had I doubt they've ever even heard of PCI...
 