I just finished a series on how hard security is. Here’s another little anecdote that Matt just sent my way.
It turns out that the National Tap Ensemble, which bills itself as America’s national tap dance company, has been had. Question #6 from their FAQ contains the following nice quote:
This is a professional, highly-respected organization so if we state that you can safely send an online transaction, you can. This site is secure. For your safety (and our peace of mind) we do not use “standard” security procedures such as SSL – which only secures PART of the process – but proprietary protocols which we won’t disclose in detail here but permit immediate transfer of any data you submit to a completely secure location. In other words the data never stays on a server “floating in cyberspace” which allows us to keep potential malfeasants in the dark. One of the TRUE signs of a secure and/or encrypted transaction is NOT just an SSL “certificate” on a web page (those can just be bought, some are actually completely fake) or whatever your browser says to make you THINK that a site is “secure” (these schemes only enrich the Verisigns of the world) but the “shtml” part of a URL, which in fact you DO see in the URL immediately after you click “register” or “submit” on this site. For the record we have processed thousands of registrations and purchases over the years and I have never had one problem. However if you still have any doubt, you always have the option of printing a form and faxing it. That will delay its processing but the job will eventually get done.
This is entirely incorrect. Whoever wrote this is incompetent. The whole site may be a hoax; I don’t know. But I *do* know that there is a blank for your credit card number, and it does NOT use SSL for the form post. (In fact, it seems to use the FrontPage extensions, if you remember that far back).
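The check that matters here is not the file extension in the URL but where the form actually sends its data. As an added example (not code from the original post or from the site in question), here is a small Python audit that parses a page’s forms, resolves each action URL, and flags any form that collects card-like fields without HTTPS on both the page and the submit target. The field-name hints and the sample page are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic field-name hints for sensitive data (assumption: not exhaustive).
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "password", "ssn")


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL and its input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL,
            # so an ".shtml" page served over http posts back over http.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_sensitive_forms(page_url, html):
    """Return action URLs of forms that collect sensitive fields but are
    served from or submitted to a non-HTTPS URL."""
    parser = FormCollector(page_url)
    parser.feed(html)
    page_is_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        sensitive = any(h in f for f in form["fields"] for h in SENSITIVE_HINTS)
        target_is_tls = urlsplit(form["action"]).scheme == "https"
        if sensitive and not (page_is_tls and target_is_tls):
            findings.append(form["action"])
    return findings


# Constructed sample: an ".shtml" page whose card form posts over plain HTTP.
SAMPLE_URL = "http://example.invalid/register.shtml"
SAMPLE_HTML = """
<form action="register.shtml" method="post">
  <input name="name"><input name="card_number"><input name="cvv">
</form>
<form action="https://example.invalid/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for action in insecure_sensitive_forms(SAMPLE_URL, SAMPLE_HTML):
        print("sensitive form without TLS:", action)
```

The same page served over HTTPS with the same relative action produces no finding, which is exactly the difference the “shtml” advice cannot detect.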
Suzanne and I have had a series of conversations going on recently about why you cannot trust your intuition any longer. This page is more evidence. Hopefully people will recognize that this is not a site they should type their credit card numbers into, but if we as an industry learned nothing else from the rise of phishing, we’ve certainly learned that’s not the case.