Gallery

Security without a smile

Posted on 8 Jul 2008 at 14:20

This month, Davey Winder isn't smiling about transactional security and gets his knickers in a twist over spam-address spoofing.

More stupid transactional security tales

While I'm on the subject of transactional security stupidity, I really couldn't let this one pass by - not least because it involves me rather than a reader. Okay, it's time to confess: my name is Davey Winder and I am a self-catering cottage renter. Yes, indeed, as the father of a couple of kids under ten, I find little relaxation value in dragging the family and their accompanying mountain of luggage onto an overcrowded aeroplane and being thrown into the chaos of an overseas holiday a couple of times a year. My idea of holiday relaxation is instead to stuff everyone and everything into the family truck and head for some secluded retreat within the British Isles, either deep in a forest or halfway up a mountain.

This year, it was North Wales again, and I managed to find the perfect place, courtesy of the magic that is the internet. Booking cottage rentals online is so easy, the only difficult bit is the search through the mass of accommodation on offer to find the right one, at the right place, that's available at the right time (well that and actually paying for it, of course). Which is where the fun stopped so far as I was concerned, thanks to the stupid transactional security measures implemented by my chosen provider of said rental property, Cottages4You.

Here's my beef. I found my cottage and paid a deposit on it back in July last year. Now fast-forward to May 2008 when the balance of my rental payment is due. No problem, just pop along to the online payment system - which just happens not to want to take my money, or to tell me why. The following morning I try again, get the server cold-shoulder again, and so pick up the telephone to pay that way as the error message advised. Debit card in hand I get through to the very nice lady at Cottages4You, who establishes that I am who I say I am, then asks if I've just tried to pay online. Well yes, I exclaim, but your computer won't let me and my payment is due tomorrow, so I'm talking to you instead.

This is when things become really silly. The young lady didn't actually utter the words: "I'm sorry Dave, but I'm afraid I can't do that," but she might just as well, because I had a very Kubrick moment when she revealed that Cottages4You's HAL 9000 transactional computer doesn't permit you to retry a payment within 20 minutes of a failed attempt. And what's more, it forbids Cottages4You from taking payment over the telephone as well (even if they know who you are and you want to give them some money).

To precis, then, we have yet another classic example of stupid transactional security in action because the payment server tells the customer to pay by telephone, and when the customer does that they find they can't because the computer won't allow it. That, I'm afraid, is how you lose business.

Spam spoofs aren't funny

Another reader got in touch recently to ask why it is that fraudsters and spammers can use his email address to send their junk? It's a good question, and one that's been sitting heavy on the shoulders of John Bishop, who runs a small consultancy business from home. He says: "Over the past few years, I have become accustomed to spammers hijacking my various email addresses with the result that sometimes I receive hundreds of returned emails a day. As the problem only lasts for a day or two, I do nothing and it goes away. But recently, more than one of my email addresses has appeared in emails attempting fraud. This appears to be more subtle, as our address is only in the "return path" line, not in the "from" line. Why do fraudsters and spammers use my email addresses like this? What do they gain?"

Download a year of Davey Winder's Online Security columns by heading to our Free Downloads site