About a year ago, I opened a dialup Internet access account with Earthlink using their ‘secure live sales chat’ feature. “Why a dialup account in this day of high speed internet?”, I hear you ask. Because we were renting a house about 30 miles outside Seattle and couldn’t get any form of high speed connection at all! But I digress.
So I needed a dial-up Internet access account. I’d used Earthlink before and – with the exception of some questions about their privacy practices – they hadn’t been too bad.
The Earthlink assistant on the other end of the live Internet chat was very helpful. Then we came to setting up the account. At this time, he said:
Roger P.: This is a secure 128-bit encrypted connection. Any information you send is entirely safe.
Roger P.: I will next need the account number, expiration date, and last three numbers on the back of the credit card that you will be using for payment on this account. I will also need the billing address for the credit card if that is not the address you have already given me.
I supplied these details as well as some personal information that he requested (telephone number, mother’s maiden name) and we completed the account setup.
When I finished, I was presented with a feedback screen and – without thinking – checked the box asking for a transcript of the chat. A short time later, I received an e-mail with the transcript of the chat and was shocked to see all of my credit card details – including the CVV number – and my mother’s maiden name listed there.
As I’m sure everyone reading this is well aware, plaintext e-mail is a highly insecure way of transmitting sensitive information. A message passes in the clear through every relaying mail server between sender and recipient, can be read on any of those hosts or on the network links between them, and copies may be retained indefinitely on the servers and in both mailboxes. The 128-bit encryption the assistant mentioned protected the chat session only; the data left that protected channel the moment the transcript was e-mailed.
In addition, sending credit card details in unencrypted form across a public network is clearly a breach of the PCI Data Security Standard. It breaches Requirement 4 (encrypt transmission of cardholder data across open, public networks) and in particular part 4.2: “Never send cardholder information via unencrypted e-mail.” It also clearly breaches Requirement 3.2.2, which prohibits storing the card verification code (the three or four digits printed on the card) after authorization, even in encrypted form; a retained chat transcript containing that code is exactly such storage.
OK … I’m (now) very aware that I shouldn’t have checked the box asking for a transcript of the chat. I immediately cancelled my credit card, had a new card issued, and cancelled the Earthlink account. But I work in the information security industry and, if I can make such a mistake, I wonder how many other people have done the same thing. Surely there should have been some kind of warning on this screen, or the credit card details should have been deleted as soon as they were processed by the Earthlink representative?
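One concrete form of the control asked for above is to redact card data from the chat transcript before it is stored or e-mailed. The following is an added example written for this page, not Earthlink’s code or anything from their chat system. It masks every Luhn-valid 13- to 19-digit card number to its last four digits (the maximum PCI DSS Requirement 3.3 allows to be displayed) and blanks any 3- or 4-digit group that follows a verification-code keyword on the same line. The transcript it runs on is constructed for the example and uses the well-known 4111 1111 1111 1111 test number; the keyword list and the 40-character search window are assumptions.

```python
import re

# Maximal run of digits with at most one space or dash between digits,
# e.g. "4111 1111 1111 1111" or "4111-1111-1111-1111".
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)*")

# A 3- or 4-digit group that follows a card-code keyword on the same line.
# Keyword list and 40-character window are assumptions for this example.
_CVV = re.compile(
    r"\b(cvv2?|cvc2?|cid|security code|verification code|"
    r"back of (?:the|your) (?:credit )?card)\b([^\d\n]{0,40}?)(\d{3,4})(?!\d)",
    re.IGNORECASE,
)

PAN_MIN, PAN_MAX = 13, 19  # PAN lengths used by current card schemes


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the checksum all major card brands use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_run(run: str) -> str:
    """Mask each Luhn-valid 13-19 digit window in one digit run, keeping the last four.

    Sliding windows matter because a customer often types the card number and
    the card code together ("4111 1111 1111 1111 123"): the full 19 digits fail
    Luhn, but the 16-digit PAN inside them must still be masked.
    """
    chars = list(run)
    digit_pos = [i for i, c in enumerate(chars) if c.isdigit()]
    digits = "".join(chars[i] for i in digit_pos)
    n = len(digits)
    i = 0
    while i <= n - PAN_MIN:
        for length in range(min(PAN_MAX, n - i), PAN_MIN - 1, -1):
            if luhn_valid(digits[i:i + length]):
                for k in range(i, i + length - 4):  # keep last four for the cardholder
                    chars[digit_pos[k]] = "*"
                i += length
                break
        else:
            i += 1  # no card number starts here; slide one digit
    return "".join(chars)


def redact_transcript(text: str) -> str:
    """Return the transcript with PANs masked and card verification codes blanked."""
    text = _DIGIT_RUN.sub(lambda m: _mask_run(m.group(0)), text)
    return _CVV.sub(lambda m: m.group(1) + m.group(2) + "*" * len(m.group(3)), text)


# Constructed transcript for the example (not Earthlink's real chat log).
SAMPLE = (
    "Roger P.: I will next need the account number, expiration date, and last "
    "three numbers on the back of the credit card.\n"
    "Customer: 4111 1111 1111 1111, expires 03/08, the code on the back of the card is 123\n"
    "Customer: My support ticket from last year was 1234567890123.\n"
)

if __name__ == "__main__":
    print(redact_transcript(SAMPLE))
```

Errors are deliberately on the side of over-masking: any 13-plus digit run has roughly a one-in-ten chance per window of passing Luhn, so an occasional ticket or tracking number may lose digits, which is the safe failure for a transcript. The filter belongs at the point where the transcript is written, before it is logged or queued for mail; it does not help if the raw chat is already retained server-side.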
I reported the problem to Earthlink customer support on Dec 20, 2005. Since that time – well over a year – I’ve heard nothing back other than a stock “We’re sorry for the inconvenience”. During several telephone conversations with Earthlink support staff, I repeatedly asked for the issue to be escalated to a group responsible for information security only to be told that’s “not possible”.
All of which points to two very major failings in Earthlink’s security procedures:
1) failure to secure the basic credit card transaction; and
2) the absence of any way to report a security problem and have it taken seriously.
Which brings me to the point of this posting. They say that information security involves people, processes and technology. But most of what we hear about is the failure of technology, or the failures of people to secure information. This was a case where the technology worked as designed, and the people involved did what they were told to do. This was a gross failure of process.
And I have one question that I would love to know the answer to:
What information security training (if any) was given to the person (or persons) responsible for “designing” this process?