Dynadot slackness on protecting CC info
sf_us posted:
In my recent purchase from DynaDot I was very shocked to see that the order processing & confirmation emails all contained, unencrypted, the first & last four digits of my credit card, i.e. 8 out of the 16 digits, and complete billing address information.

This is far more information than I would ever want to be divulged over email. Anyone with a technical understanding of email knows that unencrypted email is effectively about as secure as a postcard, and, worse, often cached/stored on whatever mail servers it travels through. And this is sufficient information to give identity thieves and criminals a really good start.

As someone conscious of the (increasingly likely) possibility of identity theft and years of associated effort required to fix it, I'm very disappointed that DynaDot is careless enough to make this mistake. I certainly hope that they have taken more care in designing other parts of their infrastructure, from storing CC info to performing security audits of their implementation.

To add insult to injury, they also sent me a follow-up email requesting confirmation of my card details, suggesting that I fax or email(!) back a photocopy of my credit card.

I am now in the process of finding another registrar and may decide to have my bank issue me with a replacement card. Needless to say, I will not be doing business with DynaDot again without a sincere apology and assurance that they have fixed this hole and performed an audit of other places they store/use CC info.
10/17/2006 17:59
tqla posted:
I have no opinion on the 8 out of 16 digit thing but 1&1 tried to get me to fax my DL too and I cancelled the transfer and came here. I used my Paypal account so I didn't experience this but I plan to use my CC soon.


[This post has been edited by tqla on Oct 17, 2006 21:35.]
10/17/2006 19:35
teamdynadot posted:
Thank you for your posting. We do send the first and last four digits of a credit card number in your order confirmation emails. You make a good point that perhaps we should limit it to only the last 4 digits. I will ask the engineers to make that change as soon as possible.

We also send the account address in confirmation emails. (We don't send the billing address necessarily, but for some people it may be the same.) But once again you make a good point that the less info the better. I will ask our engineers to only send the city and the country from now on.

From another thread on this topic:
http://www.dynadot.com/resource/forums/topic_view.html?p_id=67

"We do take considerable measures to prevent hacking of our website. We run a secure, frequently updated operating system. Our site is programmed in an interpreted language that minimizes the risk of buffer overflow exploits. We have an extremely restrictive firewall. We run SSL for the account and order area. And we never print out your full credit card number anywhere in our site, to prevent browser caching of sensitive information."

Thank you very much for your feedback. These forums are helping us to understand the needs of our customers, so we can better improve our services.
10/18/2006 15:43
teamdynadot posted:
The changes have been made. Order confirmation emails will only show the last 4 digits of a credit card, and the account address just displays the city and country.
10/18/2006 18:02
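The change described in the post above (last four digits only, city and country only), as an added example that is not Dynadot's code: a minimized confirmation template plus a pre-send check that flags bodies in the old format. The order record, field names and function names are all hypothetical, and the card number is a constructed test value.

```python
import re

# Constructed sample order record (hypothetical field names, test card number).
ORDER = {
    "card_number": "4111111111111111",
    "address": {"street": "1 Example St", "city": "Springfield",
                "postal": "62701", "country": "US"},
}

# Constructed body in the old format: first and last four digits, full address.
LEGACY_BODY = ("Card: 4111 **** **** 1111\n"
               "Billing: 1 Example St, Springfield 62701, US\n")

def mask_pan(pan: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def render_confirmation(order: dict) -> str:
    """Build the email body from the minimized fields only."""
    addr = order["address"]
    return (f"Card: {mask_pan(order['card_number'])}\n"
            f"Account location: {addr['city']}, {addr['country']}\n")

def leaked_fields(body: str, order: dict) -> list:
    """Pre-send check: name the order fields the body exposes beyond policy."""
    digits = re.sub(r"\D", "", order["card_number"])
    last4 = digits[-4:]
    # Digit runs of 4+ characters that are fragments of the card number.
    pan_runs = [r for r in re.findall(r"\d+", body)
                if len(r) >= 4 and r in digits]
    findings = []
    # Policy: at most one fragment, and it must be the last four digits.
    if len(pan_runs) > 1 or any(r != last4 for r in pan_runs):
        findings.append("card_number")
    # Policy: street and postal code never appear, only city and country.
    for key in ("street", "postal"):
        if order["address"][key] in body:
            findings.append(key)
    return findings

if __name__ == "__main__":
    print(render_confirmation(ORDER))
    print("legacy body leaks:", leaked_fields(LEGACY_BODY, ORDER))
```
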
tqla posted:
How about asking for a faxed DL? Do you do that?
10/19/2006 20:39
teamdynadot posted:
>How about asking for a faxed DL? Do you do that?
For some orders, yes.
10/20/2006 11:39
patampulla posted:
I'd been hounding the folks here a bit about the same topic in another thread.

I too am alarmed at how many freak accidents and the like have let information escape from otherwise responsible banks, insurance companies, hospitals and government agencies.

The best security would be if the information is simply not kept, but I gather the CC people require the information be kept in case the charge is challenged some months later.

DynaDot has this odd little feature that looks like it will address my concern. I can send them a small sum of money that they put in an account for me. Then I can draw on this sum and replenish it as I see fit. I gather from DynaDot no financial information, just the amount of your balance, is kept.

I agree with you that the best security is when the information is simply not kept and this seems to fill the bill.

Just a thought from a fellow pilgrim,

Pat Ampulla
10/20/2006 12:02
tqla posted:
Pat, I've read your concerns in other strings and I don't share the same paranoia that you do. I'd rather have Dynadot keep my Credit Card info and renew my domains automatically like Godaddy and 1&1 do. If Dynadot opts to use a "fund" system like Namecheap does that I need to put money in for domain renewals then I'm leaving.
10/20/2006 12:54
teamdynadot posted:
If you use our Account Prepay option, with a check, there is absolutely no financial data of yours on our servers. True, your check may have your bank account number, but we don't enter that into our system. We just send the check directly to the bank.

Same with Paypal. We only have your Paypal email address, your name, and your country of residence (data that Paypal sends us).

I suppose we could consider adding a new feature that does not save the credit card in your account, and instead deletes that card info as soon as the order is processed. However, the processing logs would still have the card information. We have received chargebacks as much as 6 months after a transaction, so we would need to keep the processing logs for a while.

I think the main problem is that credit cards are inherently un-secure. Every time someone places an order with a credit card, all the data needed to make future charges is given to the online merchant. We go to great lengths to keep the data secure, but as you mention, sometimes things go wrong.

Credit card fraud is a major problem. Every single day people try to put stolen credit cards through our system. Every single month we get chargebacks from stolen credit cards. The card holder who has their card stolen can get their money back at least. Usually it is the online merchant that has to eat the costs.
10/20/2006 18:02
tqla posted:
Pat is worried about someone stealing his credit card info FROM Dynadot. Dynadot described people using stolen credit cards to buy their products. I think these are two different situations.

If I use my valid credit card to buy from you and I want you to auto renew every year and I don't mind you having my CC # on file there shouldn't be a problem. Right?

By the way, it's much easier to get your credit card info stolen by a waiter at a restaurant than from a database at a company like Dynadot. I say if you are so worried about that kind of theft then get out a pair of scissors and cut your card in half.


[This post has been edited by tqla on Oct 21, 2006 21:42.]
10/21/2006 19:57
teamdynadot posted:
Sorry, our last post may have been confusing. The first 4 paragraphs were discussing the problem of people stealing Pat's credit card info from off our server.

The last paragraph was about people using stolen credit cards on our system.
10/22/2006 11:37