
VAULT AUCTIONS: Concern with CC payment? Security Certificate Expired??

30 posts in this topic

I placed this in the marketplace earlier, but I'm not sure if enough people saw it. Since no one answered that may be able to shed light, I figured I better put the thread here where it will receive more coverage.

 

Vault Invoices were sent out today (at least some) and people may be getting ready to pay with a CC today/tonight but "maybe" shouldn't yet.

 

I have not received a response from the Vault as of this posting

 

=====================

 

Original Thread In Marketplace:

 

I need some help/info!

I just received my invoice from the Vault and started to initiate payment by credit card when my browser (Netscape) warned me about possible lack of encryption? Below is what I sent to the Vault just now. Can anyone confirm if this means the information is NOT being protected, leaving the buyer's info vulnerable?

 

I'd advise everyone intending to pay by CC to wait a little until we know what this means exactly. May be nothing, maybe something... just want to make sure.

 

 

 

Hi Vault,

 

URGENT: I was trying to pay by CC... BUT your encryption cert. has expired!?

 

this warning popped up on my web browser...

 

"www.vaultauctions.com" is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on 05/08/03 7:59pm.

 

 

Doesn't this mean if I enter my CC # or pay by existing CC #... that the info is not protected/encrypted?

 

Regards,

Bruce


Yes, it's not encrypted. However, that only makes Vault just like paying with a credit card via Heritage or ComicLink, only the fact that it's not encrypted is staring you right in the face.

 

At least, I don't think Heritage uses encryption for online invoice payments...I can't remember really and don't have any open invoices to test it on.


You're kidding?

None of those sites makes an attempt to protect the transmission of important data to their site... like Paypal?

 

It seems as if they did for a year and recently expired.

 

So.. long story short. If someone hacked the site or a solo transaction (not sure how it works) there's nothing between them and your CC info?

 

In a word... yikes.

 

Is this common?

 

 


So.. long story short. If someone hacked the site or a solo transaction (not sure how it works) there's nothing between them and your CC info?

 

It depends on where the site is hacked, etc. Encryption merely means that during the transmission process, the information is protected. If the hacker hacks the site or its database, and your credit card information is stored on the server, well, the information won't be encrypted and your cc information will be accessible.

 

without encryption, anyone with a few hours or days to kill could figure out how to intercept these transmissions and see your credit card information.

 

Certificates are merely signs that a company is using another company to encrypt its data. These other companies are really expensive and most offer only yearly subscriptions to their service. There are other ways for a person to not use other companies and to install encryption software on their own server, but that takes a little computer know how and some time to test the system.

 

By the way, NEVER EVER send cc information by email. Email is not secure, very easy to hack into, and emails are never really "gone" when you hit the delete key. Every email that's ever been sent is somewhere on the internet, and if some hacker stumbles onto it, your cc number will be stolen.

 

 


"www.vaultauctions.com" is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on 05/08/03 7:59pm.

 

It appears Vault is using a 3rd-party data encryption software to accept highly confidential data -- likely credit card information. If you received this message after supplying your credit card information, I would contact Vault and ask that some form of verification be provided to you that there was no breach of security. The data encryption vendor will likely need to work with Vault to provide you with this proof. If you received this message alerting you prior to submitting your information, then I wouldn't worry about it. Looks like Vault needs to sort out that problem on their end.

 

Although quite ambitious, it doesn't really make sense for any company to store records of customer accounts, including credit card information. Anyone who cannot provide 24/7 security on such records exposes themselves to a high degree of indemnity. It is my experience that using a system like PayPal to handle all online payments, and devising an accounting system that works in conjunction with, among PayPal's many features, their IPN, is the safest, most cost effective way of handling online payments.

 

A few things to look for when visiting a site that accepts online payments:

 


The "s" added to the hyper-text transfer protocol (http) implies that the page is being hosted on a secure area of the web server.

 


The "padlock" symbol or icon, found only at the bottom right-hand corner of your browser window when the page uses an SSL Secured (128 bit or better) data security encryption system.

 

And one other thing that is often overlooked is the client-side browser. Make sure that you have a high encryption pack (128 bit) for either Internet Explorer or Netscape 7.1. If you are planning to send a payment through ANY website, make sure they require 128 bit encryption on your web browser; otherwise, you probably really should avoid sending payment through their site, and look for an alternative payment method.


James/Joseph...thanks for the info.

 

I did not continue once i received the warning so I could find out more.

 

I went further to the point where I need to enter the info and noticed it does indicate a secure environment with a "https"

 

I'm confused why the certificate warning indicates there is no longer encryption... BUT the "https" shows up? Now I'm really confused.


I'm confused why the certificate warning indicates there is no longer encryption... BUT the "https" shows up? Now I'm really confused.

 

The "https" is an actual location on the server where data can be stored/handled, which is understood as being a secure area for reasons that authentication protocols and other safeguards protect it from being hacked. If you place a web page which will transmit data from one server to another, this is generally the safest place for that data transaction to occur.

 

The only issue is that if someone applies some time and effort into hacking into that secure area, it's open game to accessing all customer records and information. Depending on how the firm aggregates the data, some of that information could include credit card info. People have actually written scripts which will continue to supply a username and password using a random alpha-numeric generator, and let it run for days, weeks, sometimes even months until it figures out the credentials. Once those credentials are exploited, they generally have the same rights and privileges as the administrator of the website. SSL 128 bit encryption with the ability to randomly alter its encryption from 128-156 throws hacking scripts for a loop, because generally the software works by locking into a 128 bit encryption mode, and that is how the randomness for a specific range of possibilities is exploited. If that range changes from 128-156, that script will crash. This is what most financial services companies use to protect their customer records. So again, it's not only important to see the "s" at the end of the http, but also that you have a padlock at the bottom of the browser window; and if you hover over it, generally you should see SSL Secured (128). If you don't see this, don't provide any information.

 

The last part to your question is the data encryption. What this means is that every time you supply information to Vault Auctions through their credit card processing page, the data is bound with an area of the site which will accept the information upon submission, but before doing so, the data encryption software will bundle all the data into an encrypted data packet. This encrypted data packet is then sent to the secure area of the site where the same data encryption application that encrypted it now decompresses the packet and interprets the data accordingly. The reason why you received the alert is because the data encryption software that Vault uses expired. Not all data encryption software is created equally, and this is why I asked if you received this alert before or after submitting your CC info.

 

Data encryption software is ultra-proprietary, meaning that just because you have an application that is able to interpret encrypted data doesn't mean it will be able to open all encrypted data. The certificate warning you received is related, very likely, to an expired license. Meaning, Vault may have been using this software on its servers, and didn't renew their certificate/license. It's very similar to the kind of thing that happens when you use trial software, and the software time-bombs after the 15-30 day trial period expires. You get a nag screen saying -- dude, pay up, or shut up, and can't get past it unless you buy it.

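The certificate-date check behind the warning quoted in this thread, written against Python's standard-library `ssl` module, as an added example that is not part of any post and is not Vault's own code. It serves the "certificates are signs that a company is using another company to encrypt its data" explanation above, the "things to look for" list, and the expired-license explanation just given. The certificate dictionary is constructed in the shape `getpeercert()` returns, with dates mirroring the quoted warning; its subject and issuer are illustrative assumptions, not the real certificate. `cert_validity` reproduces the validity-window test a browser performs before it shows the expiry warning. The two live helpers show that with verification on, the handshake is refused for an expired certificate, while with verification off the connection still negotiates a cipher: what an expired certificate costs you is the assurance that the server is who it claims to be, which is what the warning is about; the bytes on the wire are still encrypted if a user clicks through.

```python
"""Check a TLS certificate's validity window, offline (on a getpeercert() dict)
and live (against a host). Added example; not from the original thread."""
import ssl
import socket
import sys
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Dates modelled on the warning quoted in the thread; subject/issuer are
# illustrative assumptions, NOT the real vaultauctions.com certificate.
SAMPLE_EXPIRED_CERT = {
    "subject": ((("commonName", "www.vaultauctions.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "May  8 19:59:00 2002 GMT",
    "notAfter": "May  8 19:59:00 2003 GMT",
}

SECONDS_PER_DAY = 86400


def cert_time(s):
    """Parse a certificate date string ('%b %d %H:%M:%S %Y GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(s)


def cert_validity(cert, now=None):
    """Classify a certificate's validity window at time `now` (epoch seconds).

    Returns (status, whole_days): status is 'not-yet-valid', 'valid' or
    'expired'; whole_days is days until notBefore, until notAfter, or since
    notAfter respectively. This is the date check a browser performs before
    showing the 'certificate expired' warning. It says nothing about whether
    the link is encrypted, only whether the certificate can still be trusted.
    """
    if now is None:
        now = time.time()
    not_before = cert_time(cert["notBefore"])
    not_after = cert_time(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid", int((not_before - now) // SECONDS_PER_DAY)
    if now > not_after:
        return "expired", int((now - not_after) // SECONDS_PER_DAY)
    return "valid", int((not_after - now) // SECONDS_PER_DAY)


def fetch_verified_cert(host, port=443, timeout=5.0):
    """Connect with full verification (chain, hostname, dates), as a browser does.

    Raises ssl.SSLCertVerificationError (verify_message 'certificate has
    expired') when the server's certificate is past notAfter; otherwise
    returns the parsed certificate dictionary.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def negotiated_cipher_unverified(host, port=443, timeout=5.0):
    """Show what the channel still provides when a user clicks through the warning.

    Verification is disabled, so an expired certificate no longer aborts the
    handshake; the returned (cipher, protocol) pair shows the bytes on the
    wire are still encrypted. What is lost is any assurance that the other
    end is really `host`. Diagnostic use only: never send credentials this way.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, protocol, _bits = tls.cipher()
            return cipher_name, protocol


if __name__ == "__main__":
    # Offline: evaluate the constructed sample as of the date in the thread.
    status, days = cert_validity(SAMPLE_EXPIRED_CERT,
                                 now=cert_time("May 10 12:00:00 2003 GMT"))
    print(f"sample certificate is {status} ({days} day(s))")
    # Live, optional: python check_cert.py www.example.com
    if len(sys.argv) > 1:
        host = sys.argv[1]
        try:
            cert = fetch_verified_cert(host)
            print(host, "verified:", cert_validity(cert))
        except ssl.SSLCertVerificationError as exc:
            print(host, "FAILED verification:", exc.verify_message)
            print("channel would still use:", negotiated_cipher_unverified(host))
```

Run it with no arguments to evaluate the sample as of May 2003; pass a hostname to check a live server. The unverified helper exists only to make the encryption-versus-identity distinction visible; card details should never be submitted over a connection whose certificate could not be verified.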

I went further to the point where I need to enter the info and noticed it does indicate a secure environment with a "https"

 

I'm confused why the certificate warning indicates there is no longer encryption... BUT the "https" shows up? Now I'm really confused.

 

I think it's so the pages continue to work for people. You might have a shortcut to the page in your favorites/bookmarks, or another site might have a link to it with the "https" in the address, and if the https didn't continue to be a valid address, then it would look like the site was totally inaccessible instead of just unencrypted.


Last question: would either of you pay with a CC to this site or others that don't have encryption?

 

Based on the fact that this kind of thing shouldn't normally happen, my answer would be NO!

 

Since you have this situation to use as leverage, I would ask Vault if it maintains its own records, and what kind of security is used against a breach, especially in the case when data encryption is no longer a part of their online solution.

 

I'm not sure if any of you have heard about this, but a little under a year ago, a huge financial services firm in Canada sent out formal letters to all its clients. The reason was that their records, while being safeguarded by a records management firm, were breached when an employee of the records management firm ripped off a few servers/hard-disk drives from the data warehouse. Why am I telling you this; simple. If the data that resided on those servers is encrypted, then there generally should be no need for concern.

 

The fact that part of Vault's overall solution to accept online payments excludes a very important part of their security protocol should be reason enough to wait until the matter corrects itself. Alternatively, you should consider using another method of payment.


Thanks again Joseph...

 

Problem is... they're overseas. I prefer to use a CC for protection in general. With overseas transactions... I don't believe I'd do it any other way. So this issue becomes more important to me and those that feel similarly.

 

I just emailed the Vault again directing them to this thread. I have not heard back yet... it may have something to do with a time difference, or they may not be there on the weekends?

 

=================================

Hi Vault,

 

Since some invoices went out and I had not heard back from you guys, I decided to relay my concerns to my fellow collectors as well as ask some technical questions on the CGC forum to try and understand the issue.

 

Here is the thread if you would like to comment there and inform everyone. I would appreciate any information you could provide concerning the security issues raised and what steps the Vault is taking to protect its customers' vital information.

 

http://boards.collectors-society.com/showflat.php?Cat=&Number=252663&page=0&view=collapsed&sb=5&o=186&fpart=1#Post253063

 

Regards,

Bruce

=================================

 


Just heard from Philip... here are his replies to 2 of my emails.

The key info is Blue bolded. Best to wait until Monday if using a CC... long story, short.

 

===============

 

Dear Bruce

 

Sorry for the late reply, but as you may have guessed we have been swamped here with calls/faxes and e-mails in regards to winning lots as well take up of lots not having met reserve in the auction.

 

In answer to your question, we only became aware that the SSL certificate had elapsed recently, and although we have provided all the necessary documentation for the renewal, unfortunately due to matters outside of our control it will not become active until Monday the 8th.

 

For your information any data sent after this time will be encrypted beyond the standard encryption included in most browsers, and therefore certified as secure. Whilst we do not advocate the use of submitting data over a non secure line, it is still far more secure than the sending/receiving of data via an e-mail.

 

I hope that I have answered your questions, but should you wish to inquire further into this or any other topics, please do not hesitate to contact me.

 

Regards

 

Philip

Vault Auctions

 

===============

 

Dear Bruce

 

As you can tell I am in the process of answering the last few days of e-mails, so let me quickly state that whilst I myself am not fully versed in all the technical lingo and jargon that was used on the forum, I have been in contact with the IT staff who have assured me that any credit card information that we receive is not handled by any 3rd party. Furthermore, as we manually authorise all cards, unlike PayPal who offer an online service, the risks associated with credit card fraud are far less.

 

As per most sites, firewall technology is incorporated as one phase of the security procedure, and we take the matter very seriously. That, coupled with the new 256 bit encryption that we are putting in place, should allay most fears that you have.

 

Regards

 

Philip

Vault Auctions

 

 


Don't they email you to tell you that the invoices are now online?

Yeah... got that a week ago! Didn't get one confirming my payment. You sure you actually won anything?