Merchant911 - Fraud Prevention for Merchants

05 May

SoftCard Vendor Exposing Card Numbers

I blogged about this back in early March, but I’m going to do it again. Yes, it’s THAT serious!

Back in January, I had a short email dialog with a Kip Long, who claimed to be one of the principals of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product. I hope somebody has a copyright on this “SoftCard” thing!

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product, which from what I can make of it is a virtual PIN-based card. The company uses PinPay to process transactions, and both companies are a part of ACAP Security, Inc. Note that these folks use the word “security” in their corporate identity.

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them. My main objection, and there were several, was that their insecure sign-up form was requesting “Identity Card Numbers” and issue dates. “Identity cards” are selectable from a drop-down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card. The form also requires a full name and DOB. I tried using the HTTPS URL, but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a Hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert. If a company official can’t use his company’s domain for email, I’m not going to talk to him. I don’t know if he has any association with the company he claims to represent.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information over an unencrypted connection.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.

Update

The insecure form has been removed from the PinPay site. According to a comment posted on The Breach Blog the insecure pages “were copied to a marketing site in error.” The comment, however, gave no assurance that the site was not collecting personal information. I could give them the benefit of the doubt in this case. Still, I wonder why the pages were not taken down in January when I first contacted them about the issue. It took going very public to make things happen.

One Response to “SoftCard Vendor Exposing Card Numbers”

  1. Evan Francen Says:

    Excellent article Tom!

© 2008 Merchant911 - Fraud Prevention for Merchants