Paying on the web? Look for the small padlock, not the big one

A friend drew my attention to a security issue on thetrainline.com, a UK website for purchasing train tickets.

She planned her journey and then entered her credit card details, noting that the browser confirmed that she was on a secure page:

In this case, Internet Explorer shows the url in green, which means it uses an Extended Validation (EV) SSL certificate, giving extra confidence that all is well. Indeed, in normal circumstances it would have been.

Unfortunately she made a small error with the card details. The site then bounced her to an insecure page, inviting her to re-submit her details but this time over HTTP. The image below shows part of the web page, including the credit card details (albeit with whatever errors caused the validation to fail) and the IE property dialog confirming that the page is not encrypted:

Now the comforting green url is gone, replaced by plain black on white:

However, the big padlock graphic is still in place, along with logos for Verified by Vista and MasterCard SecureCode.

It looks to me as if the card details are sent in plain text twice, first when bounced back to the user for correction, and second when re-submitted.

The site was advised of the problem 24 hours ago, but I was able to replicate the issue just now. Moral: look for the small padlock in the address bar, not the big reassuring graphic on the page itself.

Is this a big security risk? As far as I’m aware, the chance of a criminal intercepting internet traffic to look for useful information is slim. That’s just as well, given the number of sites that do bad things like emailing password reminders in plain text. The risk is not just theoretical though; the traffic could be logged or intercepted.

Let me emphasise: thetrainline.com is a respectable web merchant and I am sure this is no more than a bit of careless coding. After all, there is no advantage to the web site if you send your card details unencrypted. They get them anyway.

Technorati tags: , ,

6 thoughts on “Paying on the web? Look for the small padlock, not the big one”

  1. Dear Tim,
    I’m not technical, but found your page due to security certificate error on http://www.thetrainline.com:

    “Safari can’t verify the identify of the website “www.thetrainline.com”
    The certificate for this website was signed by an unknown certifying authority. You might be connecting to a website that is pretending to be http://www.thetrainline.com which could put your confidential information at risk. Would you like to connect to the website anyway?”

    “This certificate was signed by an unknown authority”

    My problem is: do I use the site or not? Do I ignore the error and book or not? (sigh!) For newbies like myself, this is a dilmna

  2. “Safari can’t verify the identify of the website “www.thetrainline.com”

    I get this too – but only with Safari on the Mac. FireFox on the Mac is happy with it; so is IE and FireFox on Windows. That suggests to me that Safari has it wrong; but it’s curious.

    Tim

  3. I was just purchasing my tickets on the trainline and have found the exact same problem.

    I promptly phoned the number on the website and they tried to convince me that it was a problem with the firewall settings on my machine! I tried to tell them i had a wireshark dump proving that the credit card number was sent in plain text but this was clearly over their heads.

    They told me I should complain in writing!

    Perhaps someone should report these guys to Visa so that their ‘Verified By Visa’ status gets revoked.

    – Dave

  4. globus has had nothing but trouble with thetrainline over the past two months. they advised to contact the card issuer, but barclaycard advise it is a problem with thetrainline. it’s still not fixed, and globus is still frustrated having to contact them by telephone to book travel – grrr.

Comments are closed.