SoftCard Vendor Exposing Card Numbers
I blogged about this back in early March, but I’m going to do it again. Yes, it’s THAT serious!
Back in January, I had a short email dialog with a Kip Long, who claimed to be one of the principals of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product. I hope somebody has a copyright on this “SoftCard” thing!
Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card. The company uses PinPay to process transactions and both companies are a part of ACAP Security, Inc. Note that these folks use the word “security” in their corporate identity.
I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them. My main objection, and there were several, was that their insecure sign-up form was requesting “Identity Card Numbers” and issue dates. “Identity cards” are selectable from a drop-down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card. The form also requires a full name and DOB. I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.
The fact that Mr. Long used a Hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert. If a company official can’t use his company’s domain for email, I’m not going to talk to him. I don’t know if he has any association with the company he claims to represent.
I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
Update
The insecure form has been removed from the PinPay site. According to a comment posted on The Breach Blog the insecure pages “were copied to a marketing site in error.” The comment, however, gave no assurance that the site was not collecting personal information. I could give them the benefit of the doubt in this case. Still, I wonder why the pages were not taken down in January when I first contacted them about the issue. It took going very public to make things happen.
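The kind of check that would flag a sign-up form like the one described above, as an added example that is not part of the original post or any vendor's code: it parses a page's HTML and reports forms that ask for identity or card data while either the page or the submit URL is plain HTTP. The host name `signup.example`, the field names and the keyword list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Keywords for the kinds of data the post lists (illustrative, not exhaustive).
SENSITIVE = ("passport", "driver", "ssn", "credit card", "card number", "dob", "date of birth")

class FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur, self._in_option = page_url, [], None, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._cur = {"target": urljoin(self.page_url, a.get("action") or ""), "hits": set()}
            self.forms.append(self._cur)
        elif self._cur is not None and tag in ("input", "select", "textarea"):
            self._match(" ".join(v for v in (a.get("name"), a.get("id"), a.get("placeholder")) if v))
        elif self._cur is not None and tag == "option":
            self._in_option = True
            self._match(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None
        elif tag in ("option", "select"):
            self._in_option = False

    def handle_data(self, data):
        if self._cur is not None and self._in_option:
            self._match(data)  # visible drop-down labels such as "Passport"

    def _match(self, text):
        text = text.lower().replace("_", " ")
        self._cur["hits"].update(k for k in SENSITIVE if k in text)

def audit(page_url, html):
    """Return (submit_url, sensitive_fields) for forms exposed to plaintext HTTP."""
    parser = FormAudit(page_url)
    parser.feed(html)
    page_ok = urlsplit(page_url).scheme == "https"
    # An HTTP page is unsafe even with an HTTPS action: it can be altered in transit.
    return [(f["target"], sorted(f["hits"])) for f in parser.forms
            if f["hits"] and not (page_ok and urlsplit(f["target"]).scheme == "https")]

# Constructed sample modelled on the fields the post describes.
SAMPLE = """<form action="/signup" method="post">
<input name="full_name"><input name="dob"><input name="id_number"><input name="issue_date">
<select name="id_type"><option>Passport<option>Driver's License<option>SSN<option>Credit Card</select>
</form>"""
```

Calling `audit("http://signup.example/apply", SAMPLE)` returns the form's resolved submit URL with the matched field keywords; the same HTML served and submitted over HTTPS returns an empty list.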





Excellent article Tom!
May 8th, 2008 at 2:36 pm
Why would the FDIC guarantee deposits up to $100,000 if this was an identity scam? It is more likely I think that the requirement for such a guarantee is that they must know exactly who you are.
Your implied assertions about this company lack an understanding of the context of money in the US these days. If you are afraid then don’t use them. Bashing in your way is, in my opinion, rather unfair.
Have you contacted the company? Did they respond? If so you should publish it here.
Thank you,
Ted
October 17th, 2008 at 3:02 pm
Ted wrote:
Ted:
I’m not sure your comment was for this entry, but if it was, I don’t see your point at all!
The FDIC guarantees deposits - SoftCard is not a bank.
I made NO implied assertions at all; I simply stated that the company was collecting PII and credit card information on an insecure web page. Nor do I see how this has anything to do with my understanding of money. Money isn’t part of this.
Bashing - Where? How?
Contact them? Yes - read the post. I called it to their attention in January - they had not responded or corrected the problem in May when this post was made.
Did they respond? No - but read the update. The page was removed and they gave an explanation to Breach Blog.
October 17th, 2008 at 4:06 pm