I'm a fan of the podcast/NPR show "Bullseye." The show is going on a live tour this month, and I was directed to a page on NPR's website to buy tickets. I filled out a form with my personal info, then was directed to the last page to enter my CC info...and saw no HTTPS. No lock, no security that I could see. Am I crazy to avoid entering my information into this thing? If they don't even have HTTPS, I can't have much faith that they're storing the data properly. When I see that, I just assume that all my personal info will be stored in plain text for any hacker to grab.

How have people not gotten the message?

Ask them?

If they do not do e-commerce regularly they may have missed the memo that the old ways are no longer good enough.

I agree that their web site tech is outdated in this case, and that not using HTTPS will open up the transaction to a possible chance of a man-in-the-middle attack.

I'd place the order anyway. Why?

Man-in-the-middle attacks aren't a certainty, and if this particular transaction turns out to get grabbed by one, what's the worst that could happen? You get some unwanted charges on your card. Call your card company to get them fixed and to send you a new card. This could happen anywhere, not just online. I once had a restaurant skim my card and had to get a new card issued. Whatever. More recently, my girlfriend and I got cleverly phished for card information at a hotel in DC by a phone call purporting to be room service needing to verify the card number (we fell for it, unfortunately, so she needed to reissue her card).

So think about how much you would enjoy attending that show, then, think about the level of hassle it would be to get issued a new credit card in a worst-case scenario. Think of the tradeoff between pleasure versus pain there. For me it would be a no-brainer: Get the tickets.

Then there is this to consider...

HTTPS is no guarantee that your data is safe after it reaches them. I agree that *lack* of HTTPS is sort of a "character witness" situation, where you might be less trusting of the company that handles the back end. But in contrast, the *presence* of HTTPS doesn't mean they handle the back-end well, either.

Once upon a time, I made a purchase from a web site with HTTPS. Moments after the purchase, I got an email bounce in my mailbox: The email server was down and it would retry for 48 hours.

Why did I get this email bounce? Their system was set up to work like this:

1. Accept the order on the web site, which was just a third-party e-commerce web site hosting company.

2. The e-commerce web site *emailed* the order to the actual company to fulfill the order and process the credit card. With all my data, including my credit card number, in *clear text*.

3. The emails were configured so that the customer's email address (my email address) was the return address on said email.

4. So when the real company's email was down, I was the one who got the bounce, and thus found out their dirty little secret.

The moral of the story:

You CAN'T WIN, ever, with any kind of credit card transaction, online or otherwise. Just live with the fact that you're going to need to reissue your credit card a few times in your life, and get on with enjoying yourself.

One precaution I would take, though, is, if ordering from this web site requires the creation of some kind of an account with a password, you should use a password that is different from every other password that you've ever used anywhere else. To me, the level of hassle required to reset shared-across-multiple-sites passwords is larger than the level of hassle to reset a credit card.

You make good points, Tony. You're right, it's probably an inconvenience at most. I may still go and buy the tickets, but I also sent them a message about my concerns. It can't hurt to add HTTPS to the transaction, and hopefully they're storing their data correctly.

And don't worry, I use unique passwords on every site. I love Lastpass.

Not to me!

I keep a spreadsheet with a list of about 20 websites that have my credit card info on file. To change credit cards, I have to go to each and every one of those sites to update the data, and trust me when I say that at some of those sites that is not an intuitive process!

Like Dignan, I use LastPass and do NOT have any passwords that are used in more than one place. My passwords are all in the format of 1Xq&M8g4q#E^ and are passably secure, although I remember reading an XKCD comic once that pointed out that if, hypothetically speaking, I had an account at, oh, say, the Daisy Hill Puppy Farm, a password like "My Beagle likes to grow flowers" would be both mnemonic and more difficult to crack by brute force than something like 1Xq&M8g4q#E^.

My LastPass master password is 24 characters long, contains upper and lower case, numbers, and special characters, yet is mnemonic enough that I can type it without reference to anything else.

tanstaafl.

Only when you want to make a purchase; until then, there's no harm in them having a cancelled card on file.



Then, perhaps, they don't deserve your business?

No harm, but a bit of annoyance when some of the better-run sites keep track of the expiration dates of the cards on file and send timely reminders to update the card info before they become invalid. Also, I don't want to deal with having to double-check my card info every time I make a purchase in order to be certain that the particular site in question has indeed been updated. I prefer to do it all at once. Or better yet, not have to do it at all!

tanstaafl.

I usually update my most-frequently-bought-from web sites (either when I get a new card or when my current card gets renewed with a new expiration date), which is like, four or five sites I can remember off the top of my head. For the rest, I just don't worry about it, and update them on my next purchase, if I ever do a next purchase. Most of my mail order business is with Amazon, so if I update that one, then I hardly ever notice the changed card.

But yeah, I would understand how that might be a bigger deal to other people though, who use their cards differently than I do, like you described.

In particular, if one uses companies which generate a recurring charge on the credit card, such as billings or subscriptions. If someone has a lot of those, it could be a real hassle to have to update all of them. I personally try to avoid those kind of charges when I can, specifically because I don't want the hassle of having to update them when my card's expiration date changes. Lots of subscription-type products/companies can do EFT Debits from the bank directly now, instead of needing a card, so I go that route for subscriptions which allow it. Of course, *THAT* is a set of numbers I don't give out lightly. If I saw an insecure connection asking me for my EFT bank number and routing number, I would draw the line there and not give it to them. Having to re-do my bank account would be a much bigger deal than changing my credit card.

I know what you mean, though, about how some sites are really obtuse about the credit card updating process. Recently I did a take-out food order with Bite Squad. I had done it through their iPhone app. My credit card's expiration date was renewed recently so it told me that. But oddly, their iPhone user interface did not allow me to update the card's expiration date and save it. It forced me to enter the card, all of its digits, all over again from scratch, and when it was done, though I had ticked the "save" box, it didn't actually save it. I emailed their tech support and they said. "Oh just go to account, credit cards, update credit card." But that option didn't exist. After a few back and forth emails, they finally re-read my prominent first line of the bug report saying that I was on an iPhone. I made it clear to them that my complaint was specifically about the iPhone user experience. They said "oh I think we deliberately don't offer the CC update on the iPhone app for security reasons". Sigh.

The iPad's data plan is billed to my work credit card (which, thanks for reminding me, I'll be getting with the correct name on it later today) and is critical to have auto-billing work correctly -- grandfathered $30 unlimited data.

Everything else? Well, let's just say I have gotten VERY GOOD at typing my credit card number.