Avalon Coach Transfer (Sita) breaches basic internet security

Status
Not open for further replies.

mh75

Newbie
Joined
Jun 15, 2010
Posts
4
Just to be different, I am flying out of Avalon this weekend, as it was half the price of getting a flight from Tullamarine. Looking at the Sita website for the Avalon Coach Transfer, they recommend bookings from Southern Cross, to avoid turning up to a full bus ... OK, no issue, secured site, all looks good.

I got an email back from Sita this morning, to say bookings are not necessary from Southern Cross, only from Werribee or from City Hotels ... OK, conflicts with the website, but I can handle that.

What I cannot handle is the fact that the email contained my full contact and credit card details. A total breach of basic internet security, to provide a credit card number over an insecure connection.

When I noticed this email this morning, I emailed Sita back for a please explain. No response has been received.

Yes, my credit card is being cancelled, but be warned if booking an Avalon Transfer on the Sita website, as your details are not secure!
 
Not only that, the Sita order page (whilst utilising SSL) is actually hosted on another domain (pixeltech.com.au) which appears to belong to the developer of the Sita coaches website.

This is an extra set of hands that can potentially get their hands on your personal details. Absolutely horrible stuff.
 
It's actually a breach of the PCI DSS standard, specifically requirement 4:

"Encrypt transmission of cardholder data across open, public networks".

Until the payments industry and the government authorities get more serious about the requirements and start naming/penalising offenders who openly fail to protect your data, such instances are going to continue to occur.
 
Exactly this.

I wish there was a process for complaining to the cert provider too.

Oh wait, their cert provider is a joke of a company.
 
Maybe the best answer is to put a post on notgoodenough.org and then send Sita an email showing the links to both that and this thread.


Sent from my iPhone using AFF Mobile
 
The best action would be to identify who their merchant processor is (this information should be identified on your receipt). If this information is not on your receipt, a call to your credit card company will be able to secure this information.

Once you have that information (and especially if it is a big-name bank), call their Fraud/Corporate Security unit and make an official complaint.

Pretty much every merchant agreement in the known universe that I've had the displeasure of reading requires compliance with PCI DSS rules for internet-originated transactions, regardless of whether they are processed live or later via MOTO functionality.
 