Shuttle bus firm Terravision belatedly adopts https for credit card sales
El Reg reader kicks up a fuss, and things get done
The pro-privacy 'https everywhere' campaign is gaining traction, but one e-commerce site is only just adopting the long-established technology in order to keep credit card details safe.
Airport shuttle bus firm Terravision has just moved to https for online sales following an El Reg reader's complaint. Tom W complained to both Liverpool’s John Lennon Airport and us after recoiling in horror at being invited to transmit his credit card details in the clear to buy a bus ticket from, you guessed it, http://www.terravision.eu.
Tom writes: "I'm not sure what I'm more frustrated with, a site that transmits CC information in the clear or that Visa/Mastercard/etc don't have a system to report security issues."
“I am really shocked at the lack of concern from Visa and PCI compliance,” he added.
Infosec consultant Paul Moore confirmed the issue, describing the oversight as “astonishing”.
“There's absolutely no attempt to use encryption here,” Moore told El Reg. “The sad part of it ... its TLS is actually very good (https://www.ssllabs.com/ssltest/analyze.html?d=book.terravision.eu&hideResults=on) ... it's just a shame it doesn't use it.”
Firms such as Virgin Media get criticised for weak crypto on their websites. The absence of any crypto on a site used to take credit card information is a shocker.
El Reg contacted Terravision about the issue. A few days later the company responded by saying credit card transactions had been moved over to a secure site.
“We would just like to inform you that the issue regarding a lack of encryption on our website has been fixed. The Terravision booking process is now under https. The data is transmitted securely with encryption. I am taking this opportunity to thank you for your message and for pointing this out to us.”
“I can confirm that the site looks to be fixed,” our tipster Tom confirmed.
Moore remains profoundly unimpressed that the e-commerce site was insecure in the first place. Those who used the site before it was made secure should consider cancelling their cards, Moore advised, adding that it was up to Terravision to contact potentially affected passengers.
El Reg asked Terravision to comment on how it intended to explain to customers the changes to its website and the risk its previous card handling set-up might pose, but we have yet to hear back from the shuttle bus firm. We’ll update this story as and when we hear more. ®