Card Number Security


andyl
04-12-2004, 21:34
OK, one for the more technically minded. OK, one for those less stupid than me. I'm concerned. I've successfully bought products from a particular website of fairly impeccable credentials (i.e. backed by well knowns and encrypted). I've now noticed that when I access this site and go through the purchase process I need only input my email address and then the first number of my credit/debit card and the whole number appears. This seems a bit dumb as obviously anyone gaining access to my PC can identify my email address relatively easily and therefore secure my card details. I've notified the site by email twice, on their customer services and bug notification email addresses (requesting removal of my details without me having to erase all cookies from my PC), but had no response.

So can anyone tell me if I'm right in thinking this is a stupid security loophole and, if it is, if I can protect my card details without a load of hassle.

Cheers all.

Raistlin
04-12-2004, 21:36
When you say "the whole number appears" does it appear as you are typing or do you put one bit in, press a button, and then the rest appears.

If it is appearing as you type it sounds like you have got the option turned on in IE that enables it to remember things that you have previously typed into forms.

You can turn this off and it should solve your problem.

Let me know if I'm on the right track.

Raist.

Raistlin
04-12-2004, 21:42
Just had a look at IE (I'm using Firefox at the moment). In order to turn this option off you need to go to:

TOOLS > INTERNET OPTIONS > CONTENT (Tab)

Click on the button marked "Auto Complete..."
Untick any of the boxes that you don't want IE to remember your inputs for, now click on the "Clear Forms" button and then OK, now (if you don't want these remembered) click on the "Clear Passwords" button and then click OK.

Click OK to close the Auto Complete dialogue box, Click Ok to close the Internet Options dialogue box.

Now close IE and then restart it.

Go back to the offending web page and see if that has helped.

HTH

Raist.

andyl
04-12-2004, 21:47
Raistlin,

From memory (i.e. without going through the whole purchase process again) I just input one number and the whole caboodle comes up. But, I would say that I no doubt do have IE configured to remember stuff as it does on other forms. But again, I buy stuff off other sites and they don't remember my CC details.

Just seen your second post. Not sure if I want to lose the timesaving benefit of form filling prompts but.... !

Raistlin
04-12-2004, 21:51
Raistlin,

From memory (i.e. without going through the whole purchase process again) I just input one number and the whole caboodle comes up. But, I would say that I no doubt do have IE configured to remember stuff as it does on other forms. But again, I buy stuff off other sites and they don't remember my CC details.

Just seen your second post. Not sure if I want to lose the timesaving benefit of form filling prompts but.... !
I know it can be a pain sometimes filling out endless forms on the web but when you compare that to the potential for problems that could arise if somebody got at your PC....... But I'm sure you don't need me to tell you that :D

Don't know why it's only behaving this way for the one site, it may be that you previously said yes when IE asked if you wanted it to remember that particular field but you have since disabled the function within the browser.

It certainly doesn't sound like a function of the site that you are visiting...

Raist.

andyl
04-12-2004, 21:53
Raistlin,

Just been back on the site and yes, just need to input first digit and the whole lot comes up. Worse, don't even need to input email address. There's no password protection unlike, say play.com.

Raistlin
04-12-2004, 22:00
Hmm, I suppose the actions you need to take will depend on how likely it is that somebody else could get to your computer (and therefore, your account / card details).

Personally I would always err on the side of caution, I prefer to have to type the details in each time I visit a site rather than have my machine remove that control (and extra level of security) from my hands.

Obviously this is a matter of personal preference and circumstance.

I have the same concerns about another site (Next's online shopping site). The only information that you need to access an account there is the Postcode and Account number of the account holder. Both of these bits of information are on the invoices they send out in the post. No passwords, no email addresses, nothing.

greencreeper
04-12-2004, 22:06
Some sites store a cookie on your PC and use that to check that it's you - this is pretty weak. At the very least you should be logging in with a username and password, and should be prompted for the password again when accessing key areas of the site. Raistlin is correct about the autocomplete. It all depends on the (hidden) name given to the box where you input the card number. I think some sites might use unique names. Never ask IE to remember passwords - very bad idea :)

andyl
04-12-2004, 22:07
Raistlin,

You are a top man/woman/being. Cheers for your help. I've followed your advice and cleared me forms and that's done the trick (though it's gonna be a ball ache I'm sure). I'm just perplexed why this site (seetickets.com, fact (and security) fans) remembers my card details when others (play, firebox, etc) appear not to. Equally, I'm perplexed why them buggers at See couldn't reply to my mails to suggest how I could erase details when you did it as quick as a ferret up a Yorkshireman's trousers.

Cheers mate.

Raistlin
04-12-2004, 22:12
You will probably find that one of two things has happened:

1. The good sites that you mentioned have purposefully coded / built their sites to avoid just this sort of problem. I think that you can set forms up in such a way that they don't give IE the opportunity to store values for them.

2. You may have (some time in the past) told IE to remember the value for that field and not asked it to remember any of the others.

Either way, I'm glad you got it sorted and that I was able to help you out.

Have a good evening.

Raist.

andyl
04-12-2004, 22:15
Some sites store a cookie on your PC and use that to check that it's you - this is pretty weak. At the very least you should be logging in with a username and password, and should be prompted for the password again when accessing key areas of the site. Raistlin is correct about the autocomplete. It all depends on the (hidden) name given to the box where you input the card number. I think some sites might use unique names. Never ask IE to remember passwords - very bad idea :)

Greencreeper,

Cheers to you too. I don't ask passwords to be remembered. Any idea what IE's default is though, as a matter of interest?

I order a lot off Play and always have to input my password and then my full card details. Just looks like seetickets doesn't apply the same security levels. They don't seem much bothered. After I first emailed them about this and didn't get a response I ordered off another site then emailed See again to remind them that I'd queried their security and to ask if it bothered them that their lack of response had sent me packing to another supplier. The deafening silence suggests not (unless they just think I'm a ****** who wasn't aware of IE's 'clear forms' option, in which case they were right on at least one count.)

Postscript: Hey! Didn't know I'd get auto censored! For other fact fans it was the 'T' word ending in 'osser' I used, not the 'w' word rhyming remarkably closely with 'anchor' which would have been much ruder.

greencreeper
04-12-2004, 22:21
Let's say that www.bras4u.com has the card number box name as CardNumber. IE will store the card number against CardNumber.

CardNumber:1234567890

Every time IE encounters a box called CardNumber, it will autocomplete the card number.

Now, another site might call the box "CCNumber" - IE will NOT know to autocomplete with the card number stored against CardNumber. The boxes are named differently.

If you wanted to be really secure, the site programmer could write code to generate a unique name for the box - 1hfkd98eeud2. So IE can never autocomplete the number - every time you visit the site, the card number box name will be different.

[edit] Default is to remember everything except passwords, I think.

The most important things are:

Does the website have a landline phone number and address at which the owners can be contacted?
Does the lock symbol appear in the bottom right when you click to enter payment details?

No to either of these and it's sensible to avoid the site like the plague :)
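As an added illustration, not code from the thread or from any site named in it, here is how a site could do what greencreeper and Raistlin describe: issue a different card-number field name on every visit, mark the field autocomplete="off", and read the submission back under the name it issued. The `session` dict standing in for the site's per-visitor server-side store is an assumption for this example.

```python
import secrets
from typing import Dict, Optional

# Added example (not the thread's own code): a payment form whose card-number
# field gets a fresh random name on every render and carries autocomplete="off",
# so a browser that keys stored values on field names has nothing to match.
# The `session` dict stands in for whatever per-visitor server-side store the
# site uses; it is an assumption for this example.


def render_payment_form(session: Dict[str, str]) -> str:
    """Return the HTML for the card form, issuing a single-use field name."""
    field_name = "f" + secrets.token_hex(8)  # e.g. f9c1...: unpredictable, per visit
    session["card_field"] = field_name       # server remembers what it issued
    return (
        '<form method="post" action="/pay" autocomplete="off">\n'
        f'  <label>Card number <input type="text" name="{field_name}" '
        'autocomplete="off"></label>\n'
        '  <input type="submit" value="Pay">\n'
        '</form>'
    )


def extract_card_number(session: Dict[str, str],
                        form_data: Dict[str, str]) -> Optional[str]:
    """Read the submitted card number back under the name this session was given.

    Returns None when the submission does not carry the expected field (a stale
    or replayed form, or a field named by guess such as 'CardNumber') or when the
    value is not all digits. The issued name is popped so it works once only.
    """
    field_name = session.pop("card_field", None)
    if field_name is None:
        return None
    value = form_data.get(field_name, "").replace(" ", "")
    if not value.isdigit():
        return None
    return value
```

The two defences are independent: the attribute asks the browser not to store the value, and the random name gives it no stable key to store it under even if it does.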

andyl
04-12-2004, 22:25
You will probably find that one of two things has happened:

1. The good sites that you mentioned have purposefully coded / built their sites to avoid just this sort of problem. I think that you can set forms up in such a way that they don't give IE the opportunity to store values for them.

2. You may have (some time in the past) told IE to remember the value for that field and not asked it to remember any of the others.

Either way, I'm glad you got it sorted and that I was able to help you out.

Have a good evening.

Raist.

Cheers mate,

You're no doubt right on point one but I'm not sure about asking it to remember that particular field. Still, cleared my numbers and won't be buying off them again so who cares?!

For info, not that you are likely to want it, my evening is seeing me half watching Celebrity whilst typing this... and finding it quite entertaining. Has my life come to this you may well ask?!!

Have a good 'un yourself.

Raistlin
04-12-2004, 22:26
The deafening silence suggests not (unless they just think I'm a ****** who wasn't aware of IE's 'clear forms' option, in which case they were right on at least one count.)
To be honest, they probably didn't even have a clue what to suggest (assuming that they read your email in the first place). I would do exactly what you have already done, walk away and find another site. If they can't be bothered to respond to a security issue like that (whether it was a real perceived threat or not) then what are they going to be like when something else goes wrong?

Sounds like you made the right decision to find another retailer / supplier.

Raist.

andyl
04-12-2004, 22:35
Let's say that www.bras4u.com has the card number box name as CardNumber. IE will store the card number against CardNumber.

CardNumber:1234567890

Every time IE encounters a box called CardNumber, it will autocomplete the card number.

Now, another site might call the box "CCNumber" - IE will NOT know to autocomplete with the card number stored against CardNumber. The boxes are named differently.

If you wanted to be really secure, the site programmer could write code to generate a unique name for the box - 1hfkd98eeud2. So IE can never autocomplete the number - every time you visit the site, the card number box name will be different.

[edit] Default is to remember everything except passwords, I think.

The most important things are:

Does the website have a landline phone number and address at which the owners can be contacted?
Does the lock symbol appear in the bottom right when you click to enter payment details?

No to either of these and it's sensible to avoid the site like the plague :)

Greencreeper,

Gutted to see bras4u.com isn't a real site as it sounds jolly good (and might have successfully diverted me from Janet Street Porter and friends). Site is kosher, backed, I understand, by ugly bloke famous for writing a ton of rubbish musicals.

Bit crap that IE or retailers would help people to save their CC details... about as safe as that stupid new chip and pin system if you ask me, but then that's a whole other debate.

Raistlin,

You are spot on. If they want my business a diplomatic note which prissily said, 'you are a t*sser, clear your forms', would be better than ignoring me and losing my custom. Gig-goers take note, ticketline doesn't remember your card details.