Harley Davidson Forums


KY23 10-18-2010 10:03 AM

discountcycleparts.com is insecure
 
Everyone,

This post is to let everyone know that at the time being it is insecure to use credit cards on discountcycleparts.com. I've used this site in the past and it has not always been this way. Went to place an order last night and during the checkout process they were not using SSL to protect the transmission of credit card data from my client to their server.

This is very important to watch for during the checkout process. Without properly encrypting this information it's possible for someone to grab your credit card information en route to the server. If you are using a wireless network that is misconfigured, or if you are using a public Internet connection at the airport, coffee shop or any other wireless network with multiple people on it, it becomes very easy to steal this information.

I went ahead and placed my order but used Paypal to do it instead of using a credit card. After placing the order I received an error from discountcycleparts.com that said there was an error in the order even though the paypal money was sent. I sent an e-mail to the paypal address of: discountcycleparts@discountcycleparts.com but that e-mail bounced back as undeliverable from their mail server at register.com.

After all this I sent an e-mail letting them know the problems to sales@discountcycleparts.com and this is the response I received:

***********************************************************
You are the first person to have this problem since we started this site, so I guess it is on us right, right. Your Paypal account will be refunded. Good luck finding what you're looking for. Please do not write me and tell me that we need to fix what works fine, We have nearly 6000 satisfied customers, and nobody has ever contacted us with information such as this. We use the X-cart Shopping System and have Programming on our site that is very Unique. If Our Web mail Address comes back to you as invalid, I would check into what problems YOUR CPU has.

Good Day to You
-josh
***********************************************************


Here are some screenshots showing that they are NOT using SSL during their checkout process. This could just be a simple misconfiguration in their Xcart software or this could be because they are cheap and do not want to purchase a valid SSL certificate. (Less than $50 per year from some sources)

This image shows their form collecting the credit card information. As you can see circled in red they are not using SSL to protect this connection.
http://peekconsultingllc.com/images/...cycleparts.jpg

This screenshot shows the actual packet going from my client to their server. This is the POST data from the packet itself. As you can see in the URL at the top they are NOT using SSL to protect the packet.
http://peekconsultingllc.com/images/...creditcard.jpg


If you are going to order from them the only safe way is to call them and place your order or use paypal. I do not recommend using credit cards with them at all until they fix these problems.

DCLXVI 10-18-2010 10:15 AM

Thank you for the information.

redmonster13 10-18-2010 11:01 AM

With the response they gave you I wouldn't order from them anyway. That was just rude and uncalled for. I don't know how your mail was worded but I would assume you weren't being an ass about it. A small semblance of customer service would have been nice from them.

Gruamach 10-18-2010 11:16 AM


Originally Posted by redmonster13 (Post 7425152)
With the response they gave you I wouldn't order from them anyway. That was just rude and uncalled for. I don't know how your mail was worded but I would assume you weren't being an ass about it. A small semblance of customer service would have been nice from them.

+1

That attitude will make me WANT to spend more money for the same item somewhere else, just to make sure they don't ever get my money.

And his comment about a bounced email address being something to check on "your CPU" shows he doesn't know a damned thing about computers or the internet...so how does he know that his site "works fine"? He probably doesn't even know what an SSL certificate is.

Screw him. And thanks for the info, so I know NOT to ever give him my business. Let those "6000" chumps keep him going, the rest of us will find a place worth a crap to spend our money at.

Ribaldmanikin 10-18-2010 11:20 AM

I'm surprised his payment gateway hasn't stopped service. I'm in the industry, and took a look at the site... and that's some of the weakest security I've seen online.

Gruamach 10-18-2010 11:23 AM

Self-hosted, or through a service?
(if through a hosting service, makes me wonder if the rest of their stuff is sloppy as well, or just that they only put on what 'the customer' asks & pays for)

deanp1964 10-18-2010 11:28 AM

Thanks for posting this.

"Josh" fugged with the wrong guy on this one (great customer service by the way) - and I'm glad he did.

Their true colors are flapping in the wind.

TxCowboy 10-18-2010 11:33 AM

I agree this seems to be a totally inappropriate response to a customer who believes there is an issue with a website's security. A simple "we'll look into it and thanks for the heads-up" would have been better.

Mid GA Night Train 10-18-2010 11:35 AM

Thanks for the post... I know someplace that won't be getting my hard earned dollars.

KY23 10-18-2010 11:46 AM

I sent them two e-mails. One after the paypal order was placed and one after I realized that their paypal address was bouncing.

I wasn't cheery in my e-mail but I wasn't an asshole either.


**************************************
Just placed an order through your website for Custom Chrome part: 31658. I was going to use a credit card on your site but you are not using SSL to protect the data from me to your server. This is actually against PCI standards and you need to fix that.

I then placed the order and paid with Paypal. I have the confirmation from paypal that the order went through but I got an error from your site that said the order was not placed.


*************************************

I placed an order through your site and paid with PayPal. Please cancel this order and return the money. Your paypal address is bouncing back undeliverable and your website is not using SSL to transmit credit card information. I received an error after being redirected to your website after paying via Paypal.

****@*****.com is the paypal address used. Total was $64.98.


**************************************

