Web Wiz - Green Windows Web Hosting


Topic: Security of Forms and Information (closed)

Author: xeerex
Senior Member


Joined: 19 November 2002
Location: United States
Status: Offline
Points: 601
Topic: Security of Forms and Information
Posted: 28 May 2004 at 2:58pm

Hey everyone,

I've got a client that I am going to design a new website for. They want users to be able to submit credit application information via a form which submits to an email address. The information is everything on a standard credit application including ssn, addresses, etc.

This client already has a website that does this and it is NOT under an SSL session. I've tried to convince them that they may as well post the information under a neon sign.

Does anyone have any feedback and/or links to information that I can gather up and present to them on the merits of web form security?

Author: dpyers
Senior Member


Joined: 12 May 2003
Status: Offline
Points: 3937
Posted: 28 May 2004 at 3:50pm

First ask them if they have ever done any business over the web - bought or applied for anything that involved personal information being transmitted. Then ask them if it was done through email or a form.

Secondly, download one of the traceroute programs and trace the route to their web site. Copy the output from various times of day/days of week. Note that the routes are not always the same depending upon internet load. Explain to them that each point along a traceroute can be examining their mail for nifty things like SSNs and CC info. Some will already be harvesting email addresses; picking up SSN and bank info is gravy.

In the US, failure to conform to commonly accepted business practices opens you up for liability if information collected is misappropriated. Securing personal information to prevent identity theft is such a common business practice. You may want to google for recent US federal legislation regarding identity theft and the obligations of businesses to protect customer information. There's a lot of state legislation about this as well.

Most credit card companies have specific rules for using their cards over the web which entail how the information is secured. I would expect that those same rules apply when applying for the card. VISA for instance expressly requires SSL. Bank1 cards - the most widely used type of private label cards are Visa.

I would think that failure to use SSL when collecting the information, and then enclosing that info in an un-encrypted email violates the terms of service of whoever they are collecting the info for. There's always the possibility that their game is identity theft.

Quite frankly, I would drop the client for a couple of reasons.

  1. What they want to do is an accident waiting to happen. I wouldn't care to be associated with it when it does. One lawsuit, and you and your company are on the six o'clock news.
  2. It's just not good web design or technique. In fact, it's lousy. I get a chunk of income doing overflow work or acting in collaboration with other web developers. I wouldn't want the word getting around that that's the kind of stuff I do.
  3. I have to carry business insurance - some of my clients require it. Applying for the insurance was an effort as I had to give examples of how I always protected against errors of omission or commission. They are particularly interested in my conformance to industry accepted practices around securing financial data and transactions.

Every job that comes along is not a good job. There are some you just need to walk away from.



Edited by dpyers

Lead me not into temptation... I know the short cut, follow me.
Author: xeerex
Senior Member
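A practical way to put the above post's point in front of a client is to audit the existing site's forms for exactly the failure being described: a form that collects SSNs or account numbers and posts them to a plain http:// (or mailto:) action, so the data crosses every hop of the route unencrypted. The following Python script is an added example for this thread, not code from the original posts or from Web Wiz Forums; the sample HTML page, the hostnames and the field-name heuristics in it are constructed for illustration and are not from the thread.

```python
"""Audit an HTML page for forms that would send sensitive data in the clear.

Added example for this forum thread (not code from the posts or from Web Wiz).
It flags any form whose resolved action is not https:// and whose fields look
like personal or financial data. Sample page, hostnames and the hint list are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that usually indicate personal/financial data (heuristic).
SENSITIVE_HINTS = ("ssn", "social", "card", "acct", "account", "routing", "dob", "income")

# Constructed sample: a credit application posting to a plain-HTTP mail script,
# a harmless search form, and a correctly secured https form.
BASE_URL = "http://www.example-leasing.test/credit.html"  # assumed base page URL
SAMPLE_PAGE = """
<html><body>
<form action="http://www.example-leasing.test/cgi-bin/formmail.pl" method="post">
  <input type="text" name="full_name">
  <input type="text" name="ssn">
  <input type="text" name="bank_account">
  <input type="hidden" name="recipient" value="credit@example-leasing.test">
  <input type="submit" value="Apply">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
<form action="https://secure.example-leasing.test/apply" method="post">
  <input type="text" name="ssn">
  <input type="submit">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collects each <form> with its resolved action and the names of its user-entered fields."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means "submit to the current page", so resolve it
            # against the base URL just like a browser would.
            self._current = {"action": urljoin(self.base_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            # Only fields the user types into count; buttons and hidden values do not.
            if name and (a.get("type") or "text").lower() not in ("submit", "button", "hidden"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def sensitive_fields(fields):
    """Return the field names whose name suggests personal or financial data."""
    return [f for f in fields if any(h in f.lower() for h in SENSITIVE_HINTS)]


def audit_forms(html, base_url):
    """Return one finding per form: resolved action, URL scheme, sensitive fields and a verdict.

    Verdicts: "ok" (https), "cleartext" (http/mailto but nothing sensitive),
    "cleartext-sensitive" (http/mailto carrying personal or financial data).
    """
    parser = FormCollector(base_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme.lower()
        sens = sensitive_fields(form["fields"])
        if scheme == "https":
            verdict = "ok"
        elif sens:
            verdict = "cleartext-sensitive"
        else:
            verdict = "cleartext"
        findings.append({"action": form["action"], "scheme": scheme,
                         "sensitive": sens, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_forms(SAMPLE_PAGE, BASE_URL):
        print(f"{f['verdict']:20} {f['action']}  sensitive={f['sensitive']}")
```

Run against a saved copy of the client's own credit-application page (with BASE_URL set to where it was fetched from) and the first line of output is the neon sign the original post mentions: the form collecting the SSN and bank account posts over plain HTTP to a mail script, which then forwards it as unencrypted email. The check only looks at the page itself, so it is safe to run against a site you are engaged to fix; the remedy is to serve the page and its form action over HTTPS and to stop relaying the data by email at all.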


Joined: 19 November 2002
Location: United States
Status: Offline
Points: 601
Posted: 28 May 2004 at 4:39pm

Thanks for the information. I already knew most of it, but sometimes it's easier to hear it from someone else as opposed to wringing the client's neck.

This client is a very successful multimillion-dollar company in the auto-leasing business. They have several websites already but don't actually use e-commerce transactions; however, they do have existing credit app forms not under SSL.

I have the final say in what happens on this particular website, but sometimes trying to convince the "suits" of what needs to happen is nothing short of nuts.

Again, thanks for the well-worded post and advice.

Forum Software by Web Wiz Forums® version 12.08
Copyright ©2001-2026 Web Wiz Ltd.