A friend drew my attention to a security issue on thetrainline.com, a UK website for purchasing train tickets.
She planned her journey and then entered her credit card details, noting that the browser confirmed that she was on a secure page.
In this case, Internet Explorer shows the URL in green, which means it uses an Extended Validation (EV) SSL certificate, giving extra confidence that all is well. Indeed, in normal circumstances it would have been.
Unfortunately she made a small error with the card details. The site then bounced her to an insecure page, inviting her to re-submit her details but this time over HTTP. The image below shows part of the web page, including the credit card details (albeit with whatever errors caused the validation to fail) and the IE property dialog confirming that the page is not encrypted:
Now the comforting green URL is gone, replaced by plain black on white.
However, the big padlock graphic is still in place, along with logos for Verified by Visa and MasterCard SecureCode.
It looks to me as if the card details are sent in plain text twice, first when bounced back to the user for correction, and second when re-submitted.
The site was advised of the problem 24 hours ago, but I was able to replicate the issue just now. Moral: look for the small padlock in the address bar, not the big reassuring graphic on the page itself.
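The failure described above (an error page served over plain HTTP that echoes the card details back and then posts them again to a non-HTTPS action) is easy to check for automatically. The following is an added example written for this post, not code from the original article or from thetrainline.com. It parses a page with the standard library, finds forms that carry payment-looking fields, and reports two conditions: a form whose resolved action is not https://, and a page that is itself served over http:// while already holding card values in its inputs. The field-name markers, the example.com URLs and the sample HTML are all assumptions constructed for the demonstration.

```python
"""Flag HTML forms that would send card details over plain HTTP.

Added example, not code from the original post or from the site it describes.
Two findings are reported, matching the two plain-text transmissions the post
describes: an error page served over http:// that re-presents the typed card
details, and a form action that is not https://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names that suggest payment data. These markers are an assumption for
# the example; real sites use whatever names their developers picked.
SENSITIVE_MARKERS = ("card", "pan", "cvv", "cvc", "expiry", "ccnumber")


class FormScanner(HTMLParser):
    """Collect every <form>, its resolved action URL, and its input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL itself,
            # so an http:// page with action="/pay" posts over http://.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"name": (a.get("name") or "").lower(), "value": a.get("value") or ""}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(name):
    """True if the input name looks like a payment field."""
    return any(m in name for m in SENSITIVE_MARKERS)


def find_insecure_card_forms(page_url, html):
    """Return one finding dict per problem found on a fetched page."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in scanner.forms:
        sensitive = [i for i in form["inputs"] if is_sensitive(i["name"])]
        if not sensitive:
            continue
        if urlsplit(form["action"]).scheme != "https":
            # Second leak: the re-submission goes out unencrypted.
            findings.append({"kind": "insecure_action", "action": form["action"],
                             "fields": [i["name"] for i in sensitive]})
        if page_scheme != "https" and any(i["value"] for i in sensitive):
            # First leak: the server echoed the card details back over http://.
            findings.append({"kind": "prefilled_over_http", "action": form["action"],
                             "fields": [i["name"] for i in sensitive if i["value"]]})
    return findings


# Constructed sample: an error page served over http:// that re-presents the
# card form with the previously typed values and posts to a relative action.
SAMPLE_PAGE_URL = "http://www.example.com/checkout/payment-error"
SAMPLE_HTML = """
<html><body>
<img src="/images/padlock.gif" alt="secure">
<form method="post" action="/checkout/payment">
  <input type="text" name="cardNumber" value="4111111111111111">
  <input type="text" name="cardExpiry" value="13/09">
  <input type="text" name="cardCvv" value="123">
  <input type="submit" value="Resubmit">
</form>
<form method="get" action="https://www.example.com/search">
  <input type="text" name="q" value="">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in find_insecure_card_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f["kind"], f["action"], ", ".join(f["fields"]))
```

Run against a page fetched after deliberately failing card validation; the search form in the sample is skipped because it carries no payment-looking field, while the card form produces both findings. Note that a relative action inherits the scheme of the page it sits on, which is exactly why an HTTPS form that is re-served over HTTP after an error becomes an HTTP form without any change to its markup.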
Is this a big security risk? As far as I’m aware, the chance of a criminal intercepting internet traffic to look for useful information is slim. That’s just as well, given the number of sites that do bad things like emailing password reminders in plain text. The risk is not just theoretical though; the traffic could be logged or intercepted.
Let me emphasise: thetrainline.com is a respectable web merchant and I am sure this is no more than a bit of careless coding. After all, there is no advantage to the web site if you send your card details unencrypted. They get them anyway.