While reading an Ars Technica article about 20 hotel chains being hacked and credit card data being exposed, I remembered a local case I came across a while back: a small rural hotel whose reservation system was an old PHP form that submitted the reservation data by email to the owner.
The form contained every field, including the full credit card details, and the site had no SSL, so the data was entered on an insecure page and then travelled to the hotel manager's mailbox insecurely too. Putting SSL on the form would only have fixed the first leg: plain email still carries the card number in cleartext through every mail server on the way and leaves a copy in the mailbox.
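To make the pattern concrete, here is an added illustration in PHP of the kind of handler described above, followed by a hardened variant. This is not the hotel's code; the field names, the recipient address and the constructed sample submissions are assumptions. The hardened handler does not try to encrypt the card number, it refuses to accept one at all (by field name and by a Luhn scan of every value), so nothing sensitive can reach the mailbox or the printer:

```php
<?php
// Added example, not the hotel's actual code. Field names, the owner's
// address and the constructed $sample arrays are assumptions.

// Luhn check: true if a 13-19 digit string has a valid check digit.
function luhn_valid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int)$digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// True if any posted value contains something that looks like a card number,
// whatever the field is called (customers will type it into "notes" too).
function contains_pan(array $post): bool
{
    foreach ($post as $value) {
        $compact = preg_replace('/[\s-]/', '', (string)$value);
        if (preg_match_all('/\d{13,19}/', $compact, $m)) {
            foreach ($m[0] as $candidate) {
                if (luhn_valid($candidate)) {
                    return true;
                }
            }
        }
    }
    return false;
}

// The pattern from the post: every posted field, card number included, is
// pasted into a plaintext email. Over HTTP the browser sends it in the clear;
// mail() then hands the same cleartext to the MTA and a copy lands in the
// owner's mailbox (and, in this story, on the printer).
function insecure_reservation_handler(array $post, callable $send): string
{
    $body = '';
    foreach ($post as $field => $value) {
        $body .= $field . ': ' . $value . "\n";
    }
    $send('owner@example.com', 'New reservation', $body);
    return $body;
}

// Hardened variant: reject the request before anything is mailed. Card
// collection belongs on the payment provider's page, not in this form.
function hardened_reservation_handler(array $post, callable $send): string
{
    foreach (['card_number', 'card_expiry', 'cvv'] as $f) {
        if (array_key_exists($f, $post)) {
            http_response_code(400);
            throw new InvalidArgumentException("Field '$f' is not accepted by this form");
        }
    }
    if (contains_pan($post)) {
        http_response_code(400);
        throw new InvalidArgumentException('A card number was found in the submission; it was not stored or sent');
    }
    $body = '';
    foreach (['name', 'checkin', 'checkout', 'phone'] as $f) { // allow-list, not deny-list
        if (isset($post[$f])) {
            $body .= $f . ': ' . $post[$f] . "\n";
        }
    }
    $send('owner@example.com', 'New reservation', $body);
    return $body;
}

if (PHP_SAPI === 'cli') {
    // Dry-run sender so the demo works without an MTA; in production pass 'mail'.
    $send = function (string $to, string $subject, string $body): bool {
        echo "-- would send to $to: $subject --\n$body";
        return true;
    };
    // Constructed sample: 4111 1111 1111 1111 is a Luhn-valid test number.
    $sample = ['name' => 'A. Guest', 'checkin' => '2016-07-01', 'checkout' => '2016-07-03',
               'notes' => 'charge 4111 1111 1111 1111 exp 12/19'];
    insecure_reservation_handler($sample, $send); // leaks the number
    try {
        hardened_reservation_handler($sample, $send);
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

The `$send` callable is only there so the script runs without a mail server; with `'mail'` passed in, the insecure handler behaves exactly as the story describes. Note that the hardened version uses an allow-list of fields for the email body: a deny-list of "sensitive" names would miss the card number a customer types into a free-text field, which is why the Luhn scan runs over every value.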
Needless to say, the hotel owner printed every email containing these payment details in full and kept the printouts at the reception desk, where any employee or contractor could get at them if they wanted to or knew what to do with the information.
And all of this was happening simply because neither the hotel owner nor his customers actually cared about the privacy and security of their personal and financial details. On top of that, offering to secure the way he processed payments would have been in vain: when he didn't care about it in the first place, he obviously wasn't going to pay for it.
But it all comes down to this: pay for security and be safe, or don't pay for security and be sorry when you're hacked and have to pay to save your ass.
To be honest, I'm not sure which is actually worse: sending credit card data over an insecure form and storing it in an insecure database, or disclosing it over the phone…