In my recent purchase from DynaDot I was very shocked to see that the order processing & confirmation emails all contained, unencrypted, the first & last four digits of my credit card, i.e. 8 out of the 16 digits, and complete billing address information.
This is far more information than I would ever want to be divulged over email. Anyone with a technical understanding of email knows that unencrypted email is effectively about as secure as a postcard, and, worse, often cached/stored on whatever mail servers it travels through. And this is sufficient information to give identity thieves and criminals a really good start.
As someone conscious of the (increasingly likely) possibility of identity theft and years of associated effort required to fix it, I'm very disappointed that DynaDot is careless enough to make this mistake. I certainly hope that they have taken more care in designing other parts of their infrastructure, from storing CC info to performing security audits of their implementation.
To add insult to injury, they also sent me a follow-up email requesting confirmation of my card details, suggesting that I fax or email(!) back a photocopy of my credit card.
I am now in the process of finding another registrar and may decide to have my bank issue me with a replacement card. Needless to say, I will not be doing business with DynaDot again without a sincere apology and assurance that they have fixed this hole and performed an audit of other places they store/use CC info.
I have no opinion on the 8 out of 16 digit thing but 1&1 tried to get me to fax my DL too and I cancelled the transfer and came here. I used my Paypal account so I didn't experience this but I plan to use my CC soon.
[This post has been edited by tqla on Oct 17, 2006 21:35.]
Thank you for your posting. We do send the first and last four digits of a credit card number in your order confirmation emails. You make a good point that perhaps we should limit it to only the last 4 digits. I will ask the engineers to make that change as soon as possible.
We also send the account address in confirmation emails. (We don't send the billing address necesarily, but for some people it may be the same). But once again you make a good point that the less info the better. I will ask our engineers to only send the city and the country from now on.
From another thread on this topic:
http://www.dynadot.com/resource/forums/topic_view.html?p_id=67
"We do take considerable measures to prevent hacking of our website. We run a secure, frequently updated operating system. Our site is programmed in an interpreted language that minimizes the risk of buffer overflow exploits. We have a extremely restrictive firewall. We run SSL for the account and order area. And we never print out your full credit card number anywhere in our site, to prevent browser caching of sensitive information."
Thank you very much for your feedback. These forums are helping us to understand the needs of our customers, so we can better improve our services.
The changes have been made. Order confirmation emails will only show the last 4 digits of a credit card, and the account address just displays the city and country.
I'd been hounding the folks here a bit about the same topic in another thread.
I too am alarmed at how many freak accidents and the like have let information escape from otherwise responsible banks, insurance companies, hospitals and government agencies.
The best security would be if the information is simply not kept, but I gather the CC people require the information be kept in case the charge is challenged some months later.
DynaDot has this odd little feature that looks like it will address my concern. I can send them a small sum of money that they put in an account for me. Then I can draw on this sum and replentish it as I see fit. I gather from DynaDot no financial information, just the amount of your balance, is kept.
I agree with you that the best security is when the information is simply not kept and this seems to fill the bill.
Just a thought from a fellow pilgrim,
Pat Ampulla
Pat, I've read your concerns in other strings and I don't share the same paranoia that you do. I'd rather have Dynadot keep my Credit Card info and renew my domains automatically like Godaddy and 1&1 do. If Dynadot opts to use a "fund" system like Namecheap does that I need to put money in for domain renewels then I'm leaving.
If you use our Account Prepay option, with a check, there is absolutely no financial data of yours on our servers. True, your check may have your bank account number, but we don't enter that into our system. We just send the check directly to the bank.
Same with Paypal. We only have your Paypal email address, your name, and your country of residence (data that Paypal sends us).
I suppose we could consider adding a new feature that does not save the credit card in your account, and instead deletes that card info as soon as the order is processed. However, the processing logs would still have the card information. We have received chargebacks as much as 6 months after a transaction, so we would need to keep the processing logs for a while.
I think the main problem is that credit cards are inherently un-secure. Every time someone places an order with a credit card, all the data needed to make future charges is given to the online merchant. We go to great lengths to keep the data secure, but as you mention, sometimes things go wrong.
Credit card fraud is a major problem. Every single day people try to put stolen credit cards through our system. Every single month we get chargebacks from stolen credit cards. The card holder who has their card stolen can get their money back at least. Usually it is the online merchant that has to eat the costs.
Pat is worried about someone stealing his credit card info FROM Dynadot. Dynadot described people using stolen credit cards to buy their products. I think these are two different situations.
If I use my valid credit card to buy from you and I want you to auto renew every year and I don't mind you having my CC # on file there shouldn't be a problem. Right?
By the way, it's much easier to get your credit card info stolen by a waiter at a restaurant then from a database at a company like Dynadot. I say if you are so worried about that kind of theft then get out a pair of scissors and cut your card in half.
[This post has been edited by tqla on Oct 21, 2006 21:42.]
Sorry, our last post may have been confusing. The first 4 paragraphs were discussing the problem of people stealing Pat's credit card info from off our server.
The last paragraph was about people using stolen credit cards on our system.
First, thanks to the Dynadot team for taking the issue seriously and working quickly to resolve it (although the 4 digits + billing still doesn't make me feel completely safe). Good to know about the prepay option -- I'd probably use that in the future rather than have any CC details at all being sent over email.
BTW, I hope that your card verification email has also been updated to clarify that sending a fax copy is far superior to an email attachment, for the same security reasons.
Will you be supporting Google Checkout any time soon? It addresses several of the privacy & data security issues in this thread (and, I believe, may even save DynaDot a bit on processing fees).
We did update the credit card verification email to indicate that fax is more secure than email.
We just created a thread about payment methods. We would be interested in your thoughts on the matter:
http://www.dynadot.com/resource/forums/topic_view.html?p_id=85
A number of merchants (such as GoDaddy, Dotster & NetSol) request the last 4 digits of a credit card number, in order to authenticate you when you call them up. And when you provide it to them, they discuss ANYTHING regarding your account with them. This dubious authentication method is their their problem, of course. But DynaDot isn't making matters any better by providing the last 4 digits of a credit card number in each order confirmation EMail -- in free and open text, where it can be stored on any server it passes through, or viewed by anyone with access to your PC.
I just looked at the last 5 or 6 EMails confirmations that I received from merchants. None of them included the last 4 digits of a credit card number in their EMail, except for the DynaDot order I just placed.
Really now! Shouldn't the 4 digits just be removed from order confirmation EMails? Can't we all get along? <g>
You make some good points.
We could remove the last 4 digits of the card number from the order emails. I will ask around on Monday, and see what people think.
Dynadot slackness on protecting CC info