RISC OS news and information from Drobe


Beta! \| About us \| Contact \| RSS	Webspace \| Tech docs \| Downloads \| BBC Micro \| Gallery \| Wallpaper

Punter bitten by fraudsters after using R-Comp site

Published: 17th Jun 2006, 23:26:21.

Holy insecure HTTP, Batman!

Fears have been raised over R-Comp's apparent lack of a secure online ordering web page. The RISC OS dealer has a number of order forms on its website, all of which appear to send sensitive details in a plain text email to R-Comp. Anyone nefarious enough to intercept an unencrypted email could maliciously use the information inside to commit fraud.

The web pages that have left users concerned are here, here and here. The Office of Fair Trading recommends buyers check a company's privacy statement and the security of the payment before approaching a virtual checkout.

One RISC OS user used R-Comp's seemingly insecure order form to buy some products, and days later had two mystery payments on his account.

Richard Porter said: "I had two fraudulent transactions on my card on March 20 and had to have the card stopped and replaced. I only had to sign a declaration that I wasn't responsible for the payments. I was asked if I'd given my PIN to anyone, which I hadn't.

"Looking back through my statement, I find that a payment to R-Comp was made on March 15 via their web site. A coincidence?"

Richard added that he has no proof that his details were leaked through the rcomp.co.uk, but he was forced to get a new card and get the fraudulent charges reversed.

He added: "I didn't take this up with R-Comp as it was only some time later, after someone else had mentioned the security issue on the Messenger mailing list, that I checked the dates on my statement."

A spokesman for R-Comp said: "I think the situation, whilst distressing, is coincidence. We don't, in fact, ask for several of the items a fraudster would need for many fraudulent transactions.

"In all the years, the only fraud we've seen was one stolen card."

Links
R-Comp website

Discussion

Viewing threaded comments | View comments unthreaded, listed by date

lol I saw this coming. I thought about buying a RISCUBE untill I saw the unsecure order form.

MikeCarter on 18/6/06 2:05PM [ Reply | Report ]

I think it is only responsible for R-Comp to remove the offending pages as soon as possible until they are able to implement a secure online payment system. The fact they still exist is a sad sign of the ignorance of some RISC OS companies when it comes to matters of security.

fylfot on 18/6/06 6:53PM [ Reply | Report ]

fylfot: Quite right, though perhaps it's not so much a question of ignorance, rather laziness. I haven't seen any obvious changes in their website design in years! Nonetheless, it is inexcusable if a given company fails to implement a secure form of online payment on their website, especially in this day and age.

Certain companies, including R-Comp, should consider upping the design standards of their websites. Many simply look dated, as well as very unprofessional. I believe NetSurf, as a freely available browser for all users, allows the use of more modern designs. However, I'm not sure how well NetSurf is able to handle secure online ordering though.

hEgelia on 18/6/06 8:53PM [ Reply | Report ]

hEgelia:"I'm not sure how well NetSurf is able to handle secure online ordering though"

Netsurf has done SSL stuff for a long time so I don't think that should be a limitation.

Adam

adamr on 18/6/06 9:07PM [ Reply | Report ]

Interestingly, I had a phone call from my Credit Card company earlier in the year. They wanted to check with me about several transactions but said that the one concerning them was an Internet payment to R-Comp.

Now this was a legit transaction and there was no problem. However, it presumably arose because of monitoring, perhaps because of issues similar to those in this article.

R-Comp are the innocent party in all of this but, given the malicious intent of others, would probably be well advised to implement some security. In the meantime, there are plenty of other ways to order from them if anyone has concerns. It was Internet fraud that took down Spacetech, let's not let it (or fear of it) damage another important RISC OS supplier.

TonyStill on 18/6/06 9:10PM [ Reply | Report ]

Sorry - when I said "Internet payment", I meant an Internet order, of course, which contained my card number. That *wasn't* via the form on their site though, though R-Comp was definitely the issue.

TonyStill on 18/6/06 9:15PM [ Reply | Report ]

I have made a number of online purchases from R-Comp over the years from this side of the world. Embedding your CC details in a RISC OS proprietary format has seemed to be quite secure. (!Paint and !Squash) Unless of course we have criminals within our sphere I can't imagine too many fraudsters tracking and intercepting RISC OS material and being able to make sense of it.

rmac on 19/6/06 1:27AM [ Reply | Report ]

That worked for me too. In fact, it was the CJE Micros guys who suggested it to me.

terrahawk on 19/6/06 4:06AM [ Reply | Report ]

How about using Digital River? ([link]). They provide merchant services to thousands of shareware authors and small software companies. They've been trading for years, and (here's another RISC OS link) they provide payment services for Iain Macleod's Sphere's of Chaos :-)

sascott on 19/6/06 9:21AM [ Reply | Report ]

I notice that once again people do not actually read what is said and have jumped it seems to conclusions!

Richard Porter has admitted he has no proof whatsoever of his transaction via R-Comp being the cause of his unauthorised use of his card details. He thinks it might be, and in process does damage a RISC OS company

Tony Still mentions he had a phone call from his card company (hope it really was them, and not someone pretending to be them). He says they queried a transaction involving R-Comp, yet then go on to admit he did not enter his card details on the site. So which is it. If he never entered his card details on the site, then can't be R-Comp responsibilty.

I suspect its become a case 2+2=5 going on again.

But hey that would give no one anything to moan about.

Wakeman on 19/6/06 2:04PM [ Reply | Report ]

Wakeman: Yes, people have jumped, probably unfairly, to conclusions. However the presence of insecure web forms asking for credit card details is indefensible, in my view.

rmac&terrahawk: Please don't advocate this as a legitimate method. If people go through with this bizaare technique they are lining themselves up for serious trouble in future.

It is a disgrace that any company might suggest it as a legitimate means of payment

Adam

adamr on 19/6/06 3:33PM [ Reply | Report ]

wakeman:

The issue for me isn't whether or not fraud has occured because of R-Comp's insecure payment system, but that the signigicant potential for fraud is there at all. The solution is to remove it.

fylfot on 19/6/06 3:55PM [ Reply | Report ]

So what you're saying is that because you don't like the way they have their website, you post a (another) negative and highly damaging article about them on your site. I bet R-Comp are just loving Drobe right now.

fwibbler on 19/6/06 5:06PM [ Reply | Report ]

fwibbler:

Clearly people have been using R-Comp's web-site completely unaware of the security risk - I mean, if they were truly aware, would anyone be using it? It's unlikely that R-Comp will change their web site, so I think innocent users need to be warned.

As I've already said, the solution is to remove the offending pages, not shoot the messenger.

fylfot on 19/6/06 5:39PM [ Reply | Report ]

Regardless of whether the fraudulent card use in question is a result of ordering via R-Comp's website, I'd suggest R-Comp check the terms and conditions of being able to accept credit card payments.

Amongst other things, they will probably find that they are responsible for the security of customers' card details. For one example (Barclaycard), see [link] (bottom of page 5.4, top of page 5.5).

VinceH on 19/6/06 8:18PM [ Reply | Report ]

In reply to Wakeman: I obviously didn't make myself entirely clear but the post was already getting quite long. I had just placed an order, by E-Mail, with R-Comp before my Credit Card company called me. They said explicitly that the transaction that prompted the call was the one with R-Comp and explained that, given such a transaction, they also check a couple before and after. I think we can all see the sense in this.

And if they weren't my card company then they had access to all that company's security systems. I'm not embelishing the truth here.

Let me restate that there was no fraudulent transaction and no blame (whatsoever) on R-Comp. The fact remains that there is potential for fraud and, in my case, there was clearly concern at the card company. I was close to Spacetech when credit card fraudsters took them down and I saw the pain it caused - I don't want Andrew and co going the same way, either directly or through loss of customer confidence. Prevention is a whole lot better than cure.

TonyStill on 19/6/06 8:59PM [ Reply | Report ]

It's very cheap and easy to have secure online ordering. There is simply no excuse not to have it. It would be interesting to hear exactly why RComp have declined to offer this protection to customers, when it is standard on any Web site that requires you to enter credit card information.

VinceH, by the way, is absolutely correct. If a customer does not sign the receipt/enter his PIN then the seller becomes liable for any fraudulent transactions. As this is distance selling, the seller also has to offer greater consumer rights with regards to returning products (cooling off period) and so on.

By offering insecure payment facilities, RComp are simply exposing their customers and themselves to financial risk and legal headaches.

arenaman on 19/6/06 10:22PM [ Reply | Report ]

I note there's now a large warning on CJE's website (that I hadn't noticed before) informing me that the transaction system is not secure. I'm curious as to how long it has been there. Not casting aspersions, you understand; I'm quite prepared to accept that this has been there for ages and my attention has never been drawn to it before now.

I've always bought RISC OS stuff either at shows or over the phone, so it's never really come up.

Also, I'd like to emphasise Wakeman's (and others') comment: while one should be aware of any possible security risks, there's a fair chance that the R-Comp and the fraudulent use of Richard Porter's card are as connected as the pen I carry in my pocket and me having never been mauled by tigers on the way to work.

jymbob on 19/6/06 11:01PM [ Reply | Report ]

I wasn't originally going to comment, but seeing as several people have mentioned *online* ordering (as opposed to emails), my online shop has had secure ordering for years. It's needing a facelift but the option is there to buy almost anyone's RISC OS products securely.

www.liquid-silicon.com

liquid on 20/6/06 12:34AM [ Reply | Report ]

jymbob> that's a bad day you're having, checked the local zoos?

On a serious note, irrespective of whether the online ordering system that R-Comp use is secure or not, I simply won't purchase anything from a website not using SSL (there's no guarantee that your data is protected once it is on the third party's system of course but at least it gets there in one transaction). I certainly won't send my credit card number "encrypted" in a DrawFile/Squash combination - that's just ridiculous.

My personal view is that a simple web form collecting a credit card number and other details which are then sent in plain text across the public internet as an email (and therefore potentially being stored on mail hosts as it is relayed to its destination) is unacceptable. That is not to say that R-Comp use exactly this method, but from reading the HTML, this assumption can be made.

The article makes a good point in a bad way. I'd have been more comfortable if it had just pointed out that the R-Comp site uses an insecure method of transmitting CC details without the implication of actual fraud taking place as a result.

I would be happy to see R-Comp either remove the page (and point users at a telephone number/postal address) or use a third party internet payment company such as WorldPay.

jonix on 20/6/06 3:40PM [ Reply | Report ]

Or you could just phone Andrew with the order. I take it that we can all use the old fashioned dog 'n' bone.

I hope drobe do a full investigation of other RISC OS vendors and publish a similar article to convince them of their errors. One would hope that the article is not because R-Comp suggested we don't use Drobe for software updates. Now that would be a silly. :-)

Cheers Bob

nijinsky on 21/6/06 8:00AM [ Reply | Report ]

Please note that RISC OS proprietary formats, are not that difficult to unravel. Squash is standard LZW compression, a sprite is a simple uncompressed bitmap, and text in a drawfile is stored as ASCII strings in the file (unless converted to paths). I have on a couple of occations in the past submitted my details by drawfile, but all the text was hand drawn lines (using a graphics tablet and Artworks free hand mode), which is probably beyond effort threshold for interception.

However while doing this was just about acceptible for small companies more than 5 years ago, it certain isn't today when there are a number of payment brokers offering secure online systems (paypal only being one), which are also able to accept foreign payments. The ARM Club has been using [link] for a number of years for online DiscKnight purchases, and they have performed flawlessly handling payments, and working with RISC OS browsers.

druck on 21/6/06 10:10AM [ Reply | Report ]

Now that I'm back from being away, I'll answer this post. Firstly to Mike Carter (top post) the RISCube ordering page is SSL-based (it runs on a different server which allows SSL ordering). However, I would not normally expect people to order RISCubes over the internet - the communication benefits of talking your order through on the phone far outweight things! Since every machine is built to order, it is far better to talk to us, and get something spec'd up just right for you.

The main reason for not having SSL historically was that a lot of people were using Browse and non-SSL Fresco and other browsers which didn't do SSL. That, plus Demon's hosting not including it.

We will be moving over to the (less easy to handle - grrr) SSL system use for the RISCubes in the next couple of months.

And finally, yes, I think this is a "mountain out of a molehill" article, because as far as I know, mobile phones are just as "hackable" to anyone with the right equipment, yet people regularly order things via them! Still if customers want SSL, then SSL they shall get

arawnsley on 23/6/06 10:12AM [ Reply | Report ]

Oh, and the one incident of fraud we saw (a gardener using his employer's card) was down to the chap leaving a credit card receipt (or something) lying around with all the details on! Actually, while I was away I noticed one restaurant printed a receipt with my whole credit card number and expiry on, and just left it on the table!

Since many stores are obliged to keep credit card receipts for a period of time, there is often nothing to stop unscrupulous people digging such information out...

arawnsley on 23/6/06 10:16AM [ Reply | Report ]

The order form page is currently not secure, the Buy buttons go to [link] . You can get to a secure version of the same page at https://homepages.plus.net/rcomp/Machines/Order.html . An insecure page posting to a secure page is not secure, as the insecure page could easily be altered to send the form submission somewhere malicious. Also, it appears that the secure order submission script simply sends a totally insecure email, thus negating any point of the site being secure!

matthew on 23/6/06 10:02PM [ Reply | Report ]

In reply to arawnsley:

"Be careful what you wish for"...I think Andrew is very wise to make this change - the usual responsive R-Comp approach.

Now we must all remember that, should secure ordering prove a pain, it's what we asked for so we can't complain. Or we could pick up the phone and talk directly to the nice folks at R-Comp, of course.

TonyStill on 23/6/06 11:21PM [ Reply | Report ]

Please login before posting a comment. Use the form on the right to do so or create a free account.

Create a new account
Forgot your password?

Search this website