Stiles & Bates

[Chris Knight]

Shady,

You make a lot of sense - as Steve does. I haven't commented on this subject before because I know rather little about the technical aspects of internet/network security. However, I have been using the internet for commercial transactions since Day 1 - so to speak (I was on the internet in the days of Arpanet long before the web was conceived). and have never had a transaction hijacked or misused. I have been the victim of bank fraud through identity theft but this was thanks to good old Postman Pat and nothing to do with the internet.

Of course it does happen but I think the average bod has a lot more to fear from their wastepaper basket than they do from any genuine online commercial concern.

 

[Shady]

Chris - thankyou. I hope it may reassure some people. Bottom line: card details should always be secure, but all else is largely 'fluff', and its encryption may actually offer a 'key' for a serious bad boy. As you say, online fraud does indeed occur - but something like 90% of cases are specifically linked to 'wetware' rather than 'software'. That is to say, it's the disgruntled or plain corrupt employee who's taken your encrypted details and decoded them to confirm that you, John Smith of Acacia Avenue with Mastercard number 123456.... want a new plane. At that point, this whole discussion is irrelevant - and it's where the real problem lies.

 

[mudman]

How did I end up here? I didn't start this. :roll:

Oh, well, here we go...

That would explain IBM's fall from world domination then:

Actually, they still are the dominant suppliers of mainframes and the operating systems that run on them. But the story of IBM is not relevant, I just wanted to point out that I operate in a different area.

it is a given that no customer in the market for a large information system actually knows what they want.

Plus some other stuff..

Actually I don't like that point of view. The customer in general does know what he wants, but he is unsure of how to phrase his requirements, has a very high level view of them, cannot explain them in techy talk or needs to have the fine detail developed for him.
When IT people start assuming that the customer doesn't know what he wants or what is best for him, then the customer often gets just what he doesn't want.

Look, I understand completely that there are loads and loads of ways that nasty villainous bounders can get hold of my personal and credit/debit card details. I also agree that the Stiles and Bates site is very secure, but that is not the point.

The point is that Stiles and Bates have a website that seems to the average user to be unsecure because the first screen of the checkout function is not on a secure server. You cannot expect them to know that there is no point encrypting the personal details, you cannot include a long dissertation on web security that they have to read and certify that they understand, including a few links to direct them to information on the subject won't work. You have to give the customer the feeling that using this site will be nice and safe and secure. If this means encrypting the personal details as well, then so be it. It might cost more, but surely if it is on top of the additional measures of separate servers, housed in buildings that require a nuclear detonation to get into, then isn't that an enhancement?

Yes the customer is always right, but if the particular customer is displaying an inflexible reaction to perfectly sensible technology that helps a service organisation increase its profitability, then option 1 is to attempt to discuss the issue with them, as has been done by Steve here. Option 2 is to let them go elsewhere and concentrate on the customers who generate a reasonable return for the amount of effort that has to be invested in attracting their custom. (This is in no way trying to be rude or anything - just to point out that S&B's business is making money, not reassuring that proportion of their potential customers who does not wish to be reassured unless the answer is the one they want to hear.)

There are two customers here, the retailer and the retailer's customers. Steve has to keep the retailer happy and the retailer has to keep his customers happy. It doesn't matter how inflexible the retailer's customers are, you can't have a discussion with them when they place an order, letting them go elsewhere shouldn't be an option.

The retailer wants to maximise the number of people placing orders with his business, which will be why they commissioned the site in the first place. To do that, they do need to reassure the customers that it is safe to use. The retailer's customers are saying that they want all their details to be handled securely from the start. S&B want Steve to provide a solution that will provide the highest security for their customers and to keep them happy as well. Steve's job is to come up with a solution that fulfills this.

 

[Alf]

Folks,

I may well be mistaken here, but I think we're getting into the realms of repetition. An interesting, if confusing :roll: thread, but perhaps a good moment to move on. Talk of "flamefests" and such worry me...

Cheers, Alf

Hoping the mod hat doesn't have to get dusted off :wink:

 

[mudman]

Alf,

Completely agree.
Anyway, there's something much more important happening on Sunday 19th!

 

[Shady]

Alf: I fully understand: as I said, I was tentative about 'entering the lists' as a noob. This subject has obviously stirred up some deep seated concerns. (My money! my money!) I just wanted to add some info for people to base a rational decision on...

 

[Midnight]

forgive me if this is totally off topic... but am I wrong in thinking that all online purchaces made thru Visa etc are automatically insured through the insurence these cards have...??

similarly with card fraud... if it happens, you're covered...?? I can't see what the paranoia is about. I've been buying online for over 9 years, never once with a security related prob...

 

[Shady]

Nope, since you ask, most purchases from UK merchants are covered, I believe...

 

[Steve]

Hi Niel,

I would just love to be able to give it a clean bill of health.

That, by any definition, sets you up as an arbiter of standards. My beef is that you will not listen to advice or budge a millimetre even when it is painstakingly explained. People will look at the list and take your advice, and you should therefore provide good advice.

The resultant and undeniable fact is that in order to get a clean bill of health from you, the security of the site has to be weakened.
Perhaps you can understand why I'm a bit peeved.

Steve

 

[Newbie_Neil]

Hi Steve

Perhaps you can understand why I'm a bit peeved.

Yes, I believe that I understand how you feel.


However, I quote from the post that you kindly let me include in The List: -

"A fellow member of this group, Steve Grant aka Stove Grunt, has kindly let me include his views on web site security. Thank you Steve.

I'm a webmaster as well as a woodworker and I noticed that Neil referred to Chronos in his first posting, querying the secure encryption. I checked the Chronos site, and found the same thing I've seen on a few other sites.
It works like this.
There are three stages.
1/ Sending your details to the server
2/ Storage on the server
3/ Retrieval of your details from the server by the intended person.

All three of these processes must be secure in order to ensure that your details are similarly secure.
If a site is not using a secure server - DO NOT BUY THROUGH IT.
A secure server is one the address of which begins with 'https' (hyper text transfer protocol secure). This is known as 'SSL' (Secure Socket Layer).
Basically, everything to and from the server goes through a secure layer than encrypts the data.

The fact is that even then, you can only be sure that two of the three processes are secure. There is no way of knowing that the third process, the retrieval of your details, is also secure.
The investment in a secure server or the use of a secure service can be considerable. Those companies that have made that investment have therefore demonstrated that they are taking security seriously. For them to have ensured that stages 1 and 2 are secure, and then to not bother about 3 is very unlikely. Not impossible, but unlikely." (My bold)

Steve, it is your test that I have been applying in The List.


Steve I'll ask again, and this is purely for my personal interest, is there any technical reason why the system couldn't have been designed to handle the processing of the name and address details securely via an https server whilst leaving everything else exactly as it is?

Cheers
Neil

 

[ike]

The retailer's customers are saying that they want all their details to be handled securely from the start.

Are they really? It seemed to start with an argument betwetween two individuals with clear cut opinions. I've followed the thread with interest, but now it's getting tedious and silly. Steve's has said his piece in a measured and logical argument. If any one still doesn't want to buy from S & B's website, then simply don't. If you're unnerved by the lack of a padlock on your browser (as I would be) then it's your call. I accept Steve's reasoning and would not hesitate to trust a transaction with S & B now. So can everyone stop trying to get the last word in over what are quite frankly, quite boring computer technicalities - it's a woodworking forum isn't it.

Moderator's, please why don't you step in now!.

No apologies for my two pennyworth in this instance.

Ike

 

[Alf]

Okay kids, enough. This is going to get nasty, and the place for that is not on this board. I suggest you drop it, but if you must continue, take it to email or PMs please. We'd rather not have to lock the thread, but if necessary...

Cheers, Alf

 

[Steve]

Fair enough Alf,

Just to let everybody know that the Stiles and Bates system will shortly place all details on a single HTTPS server, and that name address, telephone information will therefore be encrypted. Not only will nobody be able to get your credit or debit card details, but they won't be able to get your name and address details either.
(I should add that the last clause of that sentence is completely false, but it is what many people require).

Neil - I really have tried my very best to answer your question - I just can't seem to make myself understood, for which I apologise. Also, the 'details' I referred to in my article written to assist you in your project were card details. Again, I aplogise for not having made that clear.

Many thanks for everyone's time and attention,

Steve