British Gas security scare as payments page springs a leak

A British Gas website that allows homeowners to pay bills leaves consumers exposed by inviting them to submit credit card information across an unencrypted link. Consumers logging on to pay their bills through house.co.uk initially go through a secure server. But once they create an account and log in they may be transferred …

COMMENTS

This topic is closed for new posts.
  1. Andy

    Direct Debit

    Has no one heard of using direct debit???.. Then there is no need to use their site to pay your bill

    Can't get safer than that....

  2. Adam Bishop

    Re: Direct Debit

    Ah yes, the wonders of Direct debit, giving permission for them to take any amount of money they see fit to take, when they see fit to take it...

    I'm sure I'm not the only one who has been sent quite deep into the red, due to a "billing error".

  3. Neil Drinkall

    DD not always suitable

    DD is fine, but doesn't always cover your usage, leaving an outstanding amount.

  4. A J Stiles

    Even safer

    Or you could get a card meter fitted, and pay for your gas in the local newsagent's shop or petrol station using actual coins. That way, there's no risk of a payment going through on the wrong date, overdrawing your account and exposing you to outrageous bank charges.

  5. Ian Ferguson

    Simple fix

    This is such a schoolboy error, especially when it's so easy to fix. Every page I code that takes credit card details or something equally private, I insert a simple check for HTTP, in which case it redirects to the same address over HTTPS. Then, even if I'm a muppet enough to link to it over the insecure address from somewhere else, it's still caught.

    Mind you, short of the browser screaming at the user and bludgeoning them with an e-sledgehammer, it's very hard to get people to check for the secure link. Maybe browsers should start panicking and warn the user if they start filling out a form with credit-card-like details over an insecure connection.

  6. Chris

    Ian is right

    Ian's method is the best way -- always make your page check for HTTPS on its own; never trust that the user got to the page via HTTPS. Check for HTTPS, and if it's not secure, redirect to HTTPS. Simple, easy, secure.

    However, as for Ian's suggestion of having browsers scream at the users if they start to enter information into a non-HTTPS form, I don't think that would do any good. I can't even count the number of times I have been at a client's and I saw them click OK on an error screen; when I ask them what it said, it's always the same answer -- "I don't know". Users are so in the habit of clicking "OK" (which explains why so many are infected by spyware) that they don't even bother reading the error screens anymore.

  7. Dillon Pyron

    Even IE warns me

    Even IE warns me if I'm leaving a secured site for an insecure one. So unless I a) disable the warning or b) blindly click on OK, I don't go there unless I know it. Of course, as Chris points out, you can't protect the idiots.

  8. Silas Humphreys

    Yes, you could get a card meter...

    if you LIKE paying well over the odds. Much the same as the way calls cost more from a pre-pay mobile phone, and so on and so forth.
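
The per-page check that comments 5 and 6 describe, sketched as an added example; it is not code from either commenter or from the site in the article. It is written as Python WSGI middleware, and the host name, `payment_page` and `probe` are constructed placeholders. It also covers one case the comments do not: a form already posted over HTTP is refused rather than redirected.

```python
from urllib.parse import quote

CANONICAL_HOST = "pay.example.test"  # constructed placeholder, not a real site

class RequireHTTPS:
    """WSGI middleware: the wrapped page is only ever served over HTTPS."""

    def __init__(self, app, host=CANONICAL_HOST):
        self.app, self.host = app, host

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            def add_hsts(status, headers, exc_info=None):
                # Tell the browser to use HTTPS for this host from now on.
                hsts = ("Strict-Transport-Security", "max-age=31536000")
                return start_response(status, list(headers) + [hsts], exc_info)
            return self.app(environ, add_hsts)
        if environ["REQUEST_METHOD"] in ("GET", "HEAD"):
            # Same address over HTTPS; host comes from config, not the Host header.
            url = "https://" + self.host + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                url += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", url), ("Content-Length", "0")])
            return [b""]
        # A form posted over HTTP has already crossed the network in the clear.
        # Redirecting cannot undo that, so refuse it instead of processing it.
        body = b"HTTPS required\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]

def payment_page(environ, start_response):
    """Stand-in for the page that takes card details (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"card form\n"]

def probe(app, method, scheme, path, query=""):
    """Send one constructed request through the app; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": "untrusted.invalid"}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Behind a TLS-terminating proxy, `wsgi.url_scheme` describes the proxy-to-application hop, so the same check has to be made at the proxy or from a header that only that proxy can set.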
