Oil

Bad Graphics == Bad Security?

For a while I was unemployed and living off of credit cards. While unemployed, I racked up some credit card debt (surprise, surprise). Today, I was most pleased to pay off one of my cards. I paid online and that, I think, was a big mistake. I was rather concerned because their Web site was poorly designed. It was slow, it wasn't clear how to navigate and had graphics worthy of a third-grade HTML page. I ignored that but frankly, that should have been a tip-off. If they couldn't spend the money to make it look professional, why should they care about professional code on those areas where you can't see it?

After paying my bill, I started thinking about that and figured I would check out what they set for my cookie. I like reviewing cookies from time to time because they can be rather informative. If I had access to your computer and you used this site to pay off your credit card, here's what I could learn just by glancing at your cookie:

  • What company (if any) the card was issued to.
  • Your login name on the site.
  • Your first and last name (as it appears on the card).
  • What email address you used to register with the site.
  • The last date you logged into the site on.
  • Your credit card number.
  • Your PIN number.

Gosh, at least they weren't foolish enough to list the expiration date! Then we might have a security problem.

Oh, and the cookie doesn't expire for a year.
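A cookie review like the one described above can be scripted. This is an added example, not part of the original post: it checks a `Set-Cookie` header for the kinds of data listed (email address, card number, PIN) and for a long `Max-Age`. The header, cookie name and field names are constructed for illustration, since the post does not show the site's actual cookie format.

```python
import re
from urllib.parse import parse_qsl

ONE_DAY = 86400  # seconds


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_set_cookie(header):
    """List the sensitive-looking contents of one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()

    findings = []
    # Assumption: the value packs several fields as key=value&key=value.
    fields = parse_qsl(value) or [(name, value)]
    for key, val in fields:
        digits = re.sub(r"[ -]", "", val)
        if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
            findings.append(f"{key}: Luhn-valid card number")
        elif re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", val):
            findings.append(f"{key}: email address")
        elif re.search(r"pin|pass|secret", key, re.I):
            findings.append(f"{key}: credential-like field")

    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > ONE_DAY:
        findings.append(f"persistent for {int(max_age) // ONE_DAY} days")
    return findings


# Constructed sample; 4111111111111111 is a well-known test card number.
SAMPLE = ("acct=login=jdoe&name=Jane%20Doe&email=jane%40example.test"
          "&card=4111111111111111&pin=0000; Max-Age=31536000; Path=/")

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE):
        print(finding)
```

A cookie that carries only an opaque session identifier with a short lifetime produces no findings.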

Jesus H. Christ. Fucking idiots. Seems like they're exposing themselves to a major lawsuit.
Stupid designers
It amazes me how some designers can lose all common sense when designing a web page. We recently redid our website at work. The designer had designed it so that the customers' orders were e-mailed to us on a non-secure site. This part was okay, but he thought he should include the entire credit card number and expiration date. He actually seemed confused when I questioned it. What the fuck was he thinking???? Let's share our customers' credit card info with everyone on the web.