Ask HN: Liability due to lack of SSL

33 points by stevenhubertron ↗ HN
I have family member who sells stuff online. As part of his checkout experience he asks for CC info as well as SSN info on a HTTP website. I am trying to explain to him why this is bad, but he doesn't really care. What can I say to him factually that might help him make the investment in SSL (and not storing PII in SQL db) for that matter.

32 comments

[ 3.3 ms ] story [ 77.9 ms ] thread
Beside the point, but why in the world is he collecting SSN numbers? That in itself is more concerning to me than not having SSL. But that's just me. I have had my identity stolen and know first hand how difficult, to almost impossible, it is to clean up.

With that said, I do know that many states have strict laws regarding the collection/use of SSN numbers via websites and/or for the sale of goods.

As for the credit card info, I believe most processors have in their terms that SSL is required for live transactions. I was also going to point to PCI compliance, but I am not sure how aggressive they are at going after the "little guy". Although with credit card theft in the US being a hot topic right now, I am sure anyone that is non-compliant will be a target for violations.

EDIT: To add link, starting at Page 12 talks about various state laws regarding SSN collection: http://www.gao.gov/new.items/d051016t.pdf

Can someone explain how identity theft is even possible in the US? I hear a lot about it, but I can't understand how broken a system must be that makes it possible for someone to steal your identity just by having one identifier.
That's the problem, it really is that easy. All it takes is someone to know you SSN and, depending on what they are trying to do, a little bit of information about you.

SSN numbers were originally only supposed to be used as a government identifier for social security, however, they have evolved into a unique identifier for all US citizens. They are used in every facet of the banking/credit industry here and are relied upon in determining financial decisions. For example, it is completely possible to simply know someone's SSN and date of birth to obtain a credit card. Although many banks/credit card companies are asking for increasing amounts of information to confirm it is really the person applying.

Wow, how on earth is it acceptable to get anything just by knowing an SSN and a DoB? Banks here require proof of ID (physical or certified copy), proof of address and signature to give you anything. Looks like the problem is that some companies don't really have strong KYC rules, not that the SSN is an identifier.

We have our national ID number uniquely identifying us, our VAT record number as well, but neither is secret (companies will ask them for verification, or to issue an invoice for purchases for the latter). There's no identity theft I know of, as you have to show your ID to do anything sensitive anywhere.

Hypothetical situation: what do you do if you lose all of your ID (e.g. house fire)? You have to start somewhere, and your SSN is a good choice.

You can't do it solely based on one single number, but in this case a data breach would include name, address, credit card number, SSN, and probably security questions. You can turn around and use that information to play the part of a person to another organization, and then go from there. Combine that data with social engineering, and you can get a lot of information about someone and then use it in further attacks.

That's not to say the US's system isn't broken; lots of companies ask for (and require!) the SSN even though they shouldn't. The problem is that it's not just one identifier that holds the key to your life, but that the SSN is an extremely strong identifier which is assumed to be secret.

Well, sure, but the government's information on you will also include... parents, other family, a photograph of your face, and so on.

It should never be possible to do what you're suggesting, not unless the USA is failing to collect that info in the first place.

stolen identity doesn't usually mean that someone has convinced a government office that they are you, that would be a lot harder for the reasons you say. It's more often someone having enough information to open a credit card in your name and start using it, or take out a loan—things for which the government is not really involved.
That's a good hypothetical, but, as the sibling said, you'll have family to vouch for you, or the police will have your photo and fingerprint.
US banks lack any care about security in this area and rely on being able to eat the costs of fraud. This is clearly obvious even from logging into their sites. Many sites require weak passwords, have no two factor authentication, mix secure and insecure items, etc. They also are not very scrupulous when approving loan and credit card applications (for small amounts) and will do so even when the application has obviously been shredded and taped back together, for example, a clear sign of someone having grabbed it out of the garbage.

Regardless, between the greed and the complete lack of interest in security in this area leads customers extremely vulnerable as the only things that are required to open a credit card in another person's name are usually a name, address, date of birth, and social security number, all of which are essentially public to anyone who is even the least bit dedicated to committing fraud. This current situation benefits banks so much, the few costs they do actually have to pay for insurance and after the fact pale in comparison.

Unless he is a government, insurance, credit card, bank, real estate organization he should not be asking for a SSN online or storing it unless they are for his employees or the transactions being conducted requires notification to the IRS or the transaction is subject to the customer identification program rules. Either way PII like this should be securely stored offline.

For Credit Card information it has to all be transmitted and stored in an securely in accordance to the credit card merchant agreement he has agreed too.

The HTTP protocol is not secure, when your family member is hacked or audited they may be liable for many civil and criminal charges.

Have them read all the information for PCI DSS compliance - https://www.pcisecuritystandards.org/merchants/

You have done your part by advising him about the risks, privacy concerns and how bad it really is. Either way it is ultimately a risk he is accepting for himself and the business which he will have to deal with the consequences when something bad occurs in the future.

If he needs proof of how bad the decisions he has made can be, point him to many of the recent credit card and government organization breaches.

I should clarify that it is for Real Estate, thus the SSN. That link might be helpful.
There is also the case for a potential increase in his conversion rates as a result of adding SSL.

Online shoppers I've observed in usability sessions often scour sites looking for evidence of security measures (e.g., green EV certs in the browser, various icons in the footer). This is especially true when you're asking for something like SSN info...

If appealing to the desire for security of user info doesn't work (unfortunately), appeal to his desire for more customers...

Seriously? Do cc vendors allow any random home hacker to create collection forms for credit cards. If I were visa I would at minimum have a checklist that must be fulfilled otherwise the store get their license withdrawn.
>I am trying to explain to him why this is bad, but he doesn't really care.

"You are losing sales. People look for the lock icon on the address bar."

Also, he can get SSL on his site for FREE in < 5 minutes using Cloudflare.

Thats a good point. I don't want to open the can of words and add SSL myself, some interesting things to think about for sure.
Cloudflare may be a good option for him. But, the quick and free Cloudflare SSL would still be non-SSL from Cloudflare to his site – an improvement against many home/public-Wifi threats but not a total fix (nor true compliance with credit-card agreements).

Also, for a totally non-technical person, it will take – and be billed as – more than 5 minutes of someone else's time to get even that free half-measure into effect.

Good points.

That raises an interesting question: how could a person determine if the connection between an edge (say, Cloudflare) and the destination server is actually encrypted? I can't think of a way to do this unless you know the address of the true IP of the destination and poke it on the SSL port. That still doesn't guarantee SSL is being used, though.

In general there's no way to know: you have to trust the destination's internal choices, once you've reached their chosen perimeter.

In my opinion best practice would be to obscure what the "true IP" of the backend server is, and only accept connections from Cloudflare. (I don't know if Cloudflare offers any options for this stronger than trusting their IP ranges, such as a client certificate on their outbound-SSL.) So if you could "poke [the true origin] on the SSL port", that could itself be evidence of suboptimal security.

>obscure what the "true IP" of the backend server is, and only accept connections from Cloudflare

This is what I was planning to do when I launch the app I'm working on now. Thanks for the reply.

I would focus his attention on the possibility that his card processor will cut him off for violations of their agreement. This would result in large-scale loss of business and it may not be easy to arrange for a new processor on short notice. Keep his eyes on the money.

I would not bother with a technical explanation of any of this stuff. He doesn't care, and bluntly it's not particularly easy to point to major compromises in which the lack of SSL played a key role. Most of the time, data is siphoned out of "PCI-compliant" shops that do use SSL, and they get it through database compromises and/or compromised POS terminals. MITM doesn't seem to be worth the effort, if only because the other stuff is so easy and yields so much data.

Nor would I bother talking about PCI. Most of their requirements are silly and do little or nothing to prevent exposure of PII or fraud. What matters to him is the agreement with his processor, not some 4000-page document that wants to tell you how to take a piss.

Eyes on the money. No processor, no business, no money. Keep it simple. If that doesn't do it, you've done your part and should walk away. It's not your problem.

If a storefront on the web asked me for an SSN, HTTPS or HTTP, I'd probably file a police report for the attempted identity theft. There's literally no other plausible reason to collect that information, unless he/she is a registered financial institution extending credit to people.
The first thing I'd think of with a site asking for SSN is an active intent to commit fraud: ID theft, or fraud. That's before SSL (which is obsolete anyway, only TLS should be considered now).

The second thing, the fact it's http and not https suggests he's collecting and storing this information, which is almost certainly a violation of his credit card agreement with his bank. Credit card information is not supposed to be stored, he passes that off through a secure connection with his processing service, who will only do that through a secure connection, and he gets a transaction ID and authorization and that's all he references from that point on.

So this is less about SSL/TLS as it is, he's doing it all wrong. And it's depressing that he's in business, only made possible by the ignorance of his customers who actually agree to give him all of this information, and on an insecure connection no less.

I'd say an even bigger question is, why is he even doing it that way at all, and not using a service like Stripe, Braintree, Shopify or similar? They've invested in polished checkout experiences, it's what they do, and it moves the burden of PCI compliance, PII storage, SSL etc to the service. When Stripe exists, why would you even go down the merchant account route anymore?

Scaring them with the bad stuff might not be effective, people don't react well to being told they're doing everything wrong. Perhaps showing them an easier solution that reduces their admin hassles & could potentially increase their sales is a better way to approach this.

Both Stripe and Braintree require you to use SSL (really TLS) on your checkout pages. They also both require you maintain PCI compliance (although you likely qualify for a reduce set of requirements).
They 'require' it, but it is still possible to use the service without SSL. At least it was possible on stripe a few months ago. I'm not sure if they end up cutting you off after they notice the non ssl traffic, but I setup some test apps that worked fine without ssl.
(comment deleted)
So I dived in a bit more while I wait for him to call me back. It's a Magento build using Autorize.net I haven't worked with Magento in years, but should be really simple right. Set up some forwarding rules in Cloudflare to always to go the HTTPS and of course the cert.

At least it isn't some guys backyard CMS.

Set up some forwarding rules in Cloudflare to always to go the HTTPS and of course the cert.

Please do not do that. That doesn't solve the problem at all if the origin server is still serving the content over HTTP. You're just lying to visitors by making them think it's secure when it's really not.

Magento is like any other PHP app.. there's Apache (or some other webserver) in front of it.. so just setup Apache properly.

(comment deleted)
HTTP has always been seen as suspicious in case of any transmission of financial or confidential information. Particularly when you are selling product online, then there should be an SSL security to encrypt the details that customers enter on your website. If there is no SSL, hackers can sniff the ongoing data transfer and can steal confidential information on your website. Keeping your customer’s information on your website in a plain text is really dangerous in today’s world.

Once you are hacked, you will hardly able to get your business reliability and as a result, customers will not trust anymore of your site. You will lose prestige among your competitors as well decease profit too.

Besides, always take the necessary information from customers like email address, password, residing address, mobile number, etc. it is not necessary to take SSN number of any customer dealing with your website. If your site has no SSL and you are taking a SSN number, it could create such an awful situation at the time of hacking. As you are smart enough that once you get SSN number of any person, you can dig deep into a person’s profile.

So it is sensible to avert data sniffing, phishing attack or some nefarious action, by installing an SSL certificate on your website as it will enhance the trust of visitors and customers on your website. Learn why you need an SSL certificate and what kind of information it can protect from snooping eyes. - https://www.ssl2buy.com/wiki/do-i-need-an-ssl-certificate/