TheTrainline revamps security handling after glitch
Back on track
TheTrainline.com, the UK website for buying train tickets, has revamped its procedures for dealing with security reports following an incident where a security bug meant that customers could be invited to submit credit card details over an insecure link. The flaw had an effect only when users made an error in submitting their credit card details, so it didn't affect the majority of customers.
Nonetheless it was a serious slip-up, which went unresolved even three weeks after it was reported to the firm by Tim Anderson, a Reg Developer contributor, on 8 October. Another Reg reader reported similar problems. Our initial attempts to contact the firm also proved fruitless, but less than a day after our story was filed on the problem TheTrainline.com implemented a fix.
The passenger transport etailer said on Monday that it has now updated its procedures for handling reports of security bugs, following a review after our report in November.
"I cannot express firmly enough that security is an issue that this company takes very seriously," Ben Pearson, commercial director of TheTrainline.com, told El Reg. "It was with considerable dismay that I learned of this fault and the problem was resolved within a day of it being brought to my attention. Subsequent to your article we have also introduced new procedures such that customer reported faults of this nature get escalated immediately for diagnosis and remedy."
TheTrainline.com deserves credit for its willingness to review how it handles security bugs. It's a lesson other firms in the transport sector - who in our experience at least are far more difficult to contact about problems over security than other ecommerce firms - would do well to note.
The original problem - now resolved - kicked in when customers made an error on the final payment page after choosing a journey they wished to purchase. Customers who made an error were bounced over onto an insecure page, inviting them to submit corrected details over an unencrypted HTTP link, as a result of a coding error. Inattentive users could be forgiven for missing the change. Although the HTTPS signifier in the URL was absent, a falsely reassuring padlock graphic remained in place, along with logos for Verified by Visa and MasterCard SecureCode.
There's no evidence that the bug was used to carry out fraud, but the potential for abuse was clearly there. ®
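The failure described above, a retry form served over plain HTTP while a padlock graphic and card-scheme logos stay on the page, is one an operator can catch mechanically before release or in monitoring: the graphics prove nothing, and the only thing that matters is the scheme of the URL each form would actually submit to, which for an empty or relative action is inherited from the page itself. The script below is an added example written for this article, not code from The Register or TheTrainline.com; the HTML snippets, the shop.example URLs and the list of sensitive field names are constructed for illustration.

```python
"""Flag forms that would submit card details over plain HTTP.

Added example for this article (not the site's own code): the padlock
image on a page is irrelevant; this check resolves each form's action
against the page URL and reports any form that carries card or password
fields yet would post over a non-HTTPS scheme. Stdlib only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that indicate card or credential data (hypothetical list,
# extend it for the real form under test).
SENSITIVE_FIELDS = {"cardnumber", "card_number", "ccnumber", "cvv", "cvc",
                    "securitycode", "password"}


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_card_forms(page_url, html):
    """Return resolved submission URLs of sensitive forms not using HTTPS.

    An empty or relative action inherits the page's scheme, which is how an
    error page served over HTTP silently downgrades the retry form.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])
        if any(f in SENSITIVE_FIELDS for f in form["fields"]) \
                and urlsplit(target).scheme.lower() != "https":
            findings.append(target)
    return findings


# Constructed sample: the retry page is served over HTTP, keeps a padlock
# image and card-scheme logos, and its relative action inherits HTTP.
RETRY_PAGE_HTML = """<html><body>
<img src="/images/padlock.gif" alt="secure site">
<img src="/images/verified-by-visa.gif"><img src="/images/securecode.gif">
<p>Please correct your card details.</p>
<form method="post" action="/payment-retry">
  <input name="cardNumber"> <input name="expiry"> <input name="cvv">
  <input type="submit" value="Pay">
</form>
</body></html>"""

# Constructed sample: the same form on the HTTPS checkout page is fine.
CHECKOUT_PAGE_HTML = RETRY_PAGE_HTML.replace('action="/payment-retry"',
                                             'action="/pay"')

# Constructed sample: an HTTPS page whose form explicitly posts to http://.
MIXED_PAGE_HTML = RETRY_PAGE_HTML.replace(
    'action="/payment-retry"', 'action="http://shop.example/payment-retry"')


def run_checks():
    """Run the three constructed cases; only the HTTP targets are flagged."""
    return {
        "retry_over_http": insecure_card_forms(
            "http://shop.example/payment-retry", RETRY_PAGE_HTML),
        "checkout_over_https": insecure_card_forms(
            "https://shop.example/checkout", CHECKOUT_PAGE_HTML),
        "https_page_http_action": insecure_card_forms(
            "https://shop.example/checkout", MIXED_PAGE_HTML),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {'INSECURE ' + ', '.join(hits) if hits else 'ok'}")
```

The check deliberately ignores everything except the resolved form target, because that is the property the user's browser will act on; in a real deployment the same function would be run over the HTML of every page reached while walking the error and retry paths of the checkout, not just the happy path.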
COMMENTS
they also charge for postage now
I stopped using thetrainline when they also started charging for the postage to send you your tickets. Now use the FGW site which doesn't, nor for using credit cards. However it suffers from the same problem as ttl where you have to go through about 5 screens confirming the same details for each ticket you buy (e.g. yes, I still understand the terms and conditions; no, I haven't changed address since adding the previous ticket to my basket etc.) when buying more than one. Also haven't found a quick way yet of getting to the screen where you can select from your 'favourite journeys', which is easy in ttl.
National Express
Has anyone here tried the new National Express East Coast ticket booker?
http://www.nationalexpresseastcoast.com/en/Travel-Information/
Web 2.0 to the max! Oh yeah, and it's actually rather good...
RE: B2B vs B2C
The difference between qjump and trainline (which I found out the hard way) is that while qjump was by fare, trainline was by availability. So on qjump you could see a £10 ticket, try to buy it, wait a few seconds..... oh, it's not available. Ok, try the £20 one....again, not available. £30?..... etc etc. On the trainline you would only see what was available right then.
Totally agree about the insurance thing though, that really annoys me too.