Credit Card, Online Shopping and Security

scotty on 18/09/2007 at 1:37 pm, filed under Uncategorized

Big news in Australia this week concerning the security of online shopping: the database of Roses Only was breached earlier this year, and many customers had their credit card details stolen and used by fraudsters around the world.

Quite an unfortunate event for those whose credit card information has been stolen. What is the point of 128-bit RC4 or 256-bit AES encryption between the browser and the eCommerce website when the sensitive information is stored in plain text (or trivially ciphered) in the database? It is easy to verify how strong a website’s front door is (from how many “VeriSign Secured” seals it has on the homepage, of course :) but how can you verify how sensitive information is handled and stored once it has been transmitted?

Your budget IT computer-parts osCommerce sites probably won’t tell you that.

In my opinion, SSL certificates are nothing more than marketing hype — they give you a false sense of security, when the only thing verified is the owner’s email address (when they buy those $20/year RapidSSL certs), and the only thing encrypted is the TCP connection. It is useful nevertheless, but which fraudster is still sniffing the wire these days?
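To make the point of the two paragraphs above concrete (transport encryption protects the wire, not the database), here is an added example that is not part of the original post. It contrasts the weak practice of writing the full card number into a database record with storing only a masked form plus a keyed HMAC token, so a leaked table does not yield usable card numbers while the merchant can still recognise a repeat card. The key, the card numbers and the record layout are all constructed for the example; in a real deployment the key lives in a separate secrets store or HSM, never beside the data, and the CVV is never stored at all.

```python
import hashlib
import hmac
import re

# Constructed, non-secret key for this example only. The whole scheme
# depends on the key being held apart from the database: an attacker
# who obtains both the table and the key can brute-force PANs through
# the HMAC, because the input space is small.
EXAMPLE_KEY = b"example-only-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: rejects typos before anything is stored."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces/dashes and sanity-check length and checksum."""
    pan = re.sub(r"\D", "", raw)
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a plausible card number")
    return pan


def store_plaintext(raw_pan: str, expiry: str) -> dict:
    """The weak practice the post complains about: PAN kept verbatim."""
    return {"pan": normalise_pan(raw_pan), "expiry": expiry}


def store_tokenised(raw_pan: str, expiry: str, key: bytes = EXAMPLE_KEY) -> dict:
    """Keep only what the merchant needs: a masked PAN for display and a
    keyed token for matching repeat cards. Nothing stored reverses to
    the card number without the key."""
    pan = normalise_pan(raw_pan)
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "token": token, "expiry": expiry}


def record_exposes_pan(record: dict, raw_pan: str) -> bool:
    """Does the stored record contain the full card number anywhere?"""
    pan = normalise_pan(raw_pan)
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    # Constructed test card number (a well-known Luhn-valid sample).
    card = "4111 1111 1111 1111"
    weak = store_plaintext(card, "12/09")
    safe = store_tokenised(card, "12/09")
    print("plaintext record leaks PAN:", record_exposes_pan(weak, card))
    print("tokenised record leaks PAN:", record_exposes_pan(safe, card))
    print("tokenised record:", safe)
```

The tokenised record answers the question the post raises about what happens after transmission: even if the table is copied wholesale, the attacker gets a masked number and an opaque token, and the merchant can still match the token on the next order to detect a returning or abused card.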

Using a more secure middleman, like PayPal or Google Checkout, might be a solution, so that the “dodgy eCommerce sites” never receive your credit card details. Big gateways like PayPal and Google Checkout are also more likely to be properly audited by security experts. However, I would be kidding myself if I thought no fraudulent activity has ever occurred at PayPal and friends…

Sorry about the rant. Although I’m not affected by this Roses Only incident, these security issues have certainly put me off using my cards online.
