Sun or Thurs Run Security issues @ Invicta

Post by timesonmyside on Thu Feb 10, 2011 10:36 pm

Another royal IWG cluster fuck
02-06-2011, 07:41 AM

TeamInvicta
WatchGeeks VIP
Senior Geek Join Date: Mar 2008
Posts: 321

Sunday Run - message from Eyal

--------------------------------------------------------------------------------

Hi everyone, I wanted to drop a quick note after getting updates all night on the Sundayrun status. Our team has been all over this technical issue, they acknowledge there was a problem with the NEW Sundayrun credit card approval portion of the site. This is related to a “fraud prevention” parameter which we set in place for security purposes. For some technical reason it is not allowing all credit cards (including mine) from being approved instantly, thus not updating the sale availability of products. The problem is now with our bank processor and will only be resolved during “normal business hours”…… All orders attempted until now will be canceled, no credit cards will be charged and we will start fresh. I am planning to approve a special THURSDAY run with ridiculous offers to make up for this one. More to come – Have a great Super bowl Sunday everyone. Eyal
_________________________________________________________________
Arktander
WatchGeeks Moderator
True WatchGeek Join Date: Mar 2008
Location: Central Illinois
Posts: 9,074
Real Name: David


[Official Thread] BIG THURSDAY RUN -- February 10, 2011

--------------------------------------------------------------------------------
Remaining Security Concern (Invicta Admins Please Read)

--------------------------------------------------------------------------------

I just completed a Run purchase while using Fiddler2 to monitor traffic between my browser and the server. The problem from last night, in which the checkout page where you enter your credit card info was not secured, is fixed as noted elsewhere. That page is now secure and uses HTTPS (SSL) both for page delivery and credit card info submission.

Unfortunately, a problem evidently remains.

The "Check Your Order" page on which you confirm your purchase is NOT secure. This page contains a summary of your order, INCLUDING YOUR CREDIT CARD NUMBER, along with a "CLICK HERE TO PURCHASE" button. The server delivers this page to your browser in the clear, presumably via HTTP 302 redirect at the end of the HTTPS portion of the checkout process, using this URL:

http://www.invictasundayrun.com/checkout/check_order

Note that the URL begins with "http" and not "https". This is NOT a secured page, and the browser accordingly displays no secured page indications. Anyone can verify this easily in their browser.

I've copied below the entire HTML of an example "Check Your Order" page, as captured by Fiddler2. The only changes I made are to my personal information, including replacing my actual credit card number with "X" characters. The fact that Fiddler2 can display this HTML in plain text means by definition the page is not secure, since Fiddler2 is simulating a man-in-the-middle attack and would not be able to display the data were it encrypted.

In summary, the Sunday Run checkout process is only HALF secure. Which of course means it ISN'T secure. The phase in which your browser sends your credit card info TO the server is secure as of this morning. The phase in which your browser receives the "Check Your Order" confirmation page FROM the server is NOT secure.

I hope the Invicta Sunday Run admins will resolve this remaining hole. Every communication between browser and server containing sensitive customer information, regardless of direction, must be secured using HTTPS (SSL). I highly recommend network traffic sniffing techniques such as the one I employed as a primary tool in VERIFYING web commerce site security.

Thanks for reading,
David




timesonmyside
Member

Join date: 2010-04-04
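
The check described in the quoted post (look through captured traffic for an HTTPS-to-HTTP redirect and for card numbers in pages delivered over plain HTTP) can be automated. This is an added example, not part of the thread or any poster's tooling; the capture tuples are constructed, the `/checkout/payment` URL and the 302 hop are assumptions, and the card value is the standard 4111... test number. Only the `check_order` URL comes from the post.

```python
import re
from urllib.parse import urlsplit, urljoin

# Constructed capture: (request URL, status, Location header, response body).
# Hypothetical except for the check_order URL quoted in the post.
CAPTURE = [
    ("https://www.invictasundayrun.com/checkout/payment", 302,
     "http://www.invictasundayrun.com/checkout/check_order", ""),
    ("http://www.invictasundayrun.com/checkout/check_order", 200, None,
     "<p>Card: 4111 1111 1111 1111</p><a>CLICK HERE TO PURCHASE</a>"),
]

# 13-19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum, used to discard order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(body):
    """Return digit strings in body that look like valid card numbers."""
    hits = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def audit(capture):
    """Flag HTTPS->HTTP redirects and card numbers served over HTTP."""
    findings = []
    for url, status, location, body in capture:
        scheme = urlsplit(url).scheme
        if 300 <= status < 400 and location:
            target = urljoin(url, location)  # resolves relative Location
            if scheme == "https" and urlsplit(target).scheme == "http":
                findings.append(("downgrade-redirect", url, target))
        if scheme == "http":
            for pan in find_pans(body):
                findings.append(("cleartext-pan", url, "****" + pan[-4:]))
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```

A clean run over a real capture should produce no findings for any step of the checkout flow, in either direction.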

Re: Sun or Thurs Run Security issues @ Invicta

Post by Mark on Fri Feb 11, 2011 3:01 am

ohhh he is my hero.. Arktander that is.

Mark
Member

Join date: 2010-06-12

Re: Sun or Thurs Run Security issues @ Invicta

Post by Datsun240Z71 on Fri Feb 11, 2011 3:40 am

Why would anyone think IWG can do anything right?
Another example of their highly touted "attention to detail".


Last edited by Datsun240Z71 on Fri Feb 11, 2011 10:19 am; edited 1 time in total

_________________
Randy in Nashville

I never drink water; fish make love in it.

WC Fields

Datsun240Z71
Member

Join date: 2010-02-10
Age: 55

Re: Sun or Thurs Run Security issues @ Invicta

Post by boscoe on Fri Feb 11, 2011 7:58 am

LMAO - Invicta wants prompt customer service from its bank!
The computer code to fix things is coming from overseas... in six months!

_________________
If I feed you a line of bullshit and take your money, I'm not a liar or a thief, I'm a salesman. - Eyal "Swiss Made" Lalo


boscoe
Member

Join date: 2010-04-01

Re: Sun or Thurs Run Security issues @ Invicta

Post by Seattle on Fri Feb 11, 2011 8:41 am

A little sketchy giving Invicta your credit card info.....

_________________
“I like your Christ, I do not like your Christians. They are so unlike your Christ.” — Gandhi

Seattle
Member

Join date: 2010-09-06

Re: Sun or Thurs Run Security issues @ Invicta

Post by DX on Fri Feb 11, 2011 8:45 am

Inflicta strikes again...

2011 is a great year for WL's

_________________
“Being shot out of a cannon will always be better than being squeezed out of a tube. That is why God made fast motorcycles, Bubba…”
― Hunter S. Thompson

DX
Member

Join date: 2010-11-07
Age: 90

Re: Sun or Thurs Run Security issues @ Invicta

Post by Falstaff on Fri Feb 11, 2011 8:55 am

Chinese year of the Rabbit! As the stars align all things Chinese with fuzzy bunnies, hilarity ensues. A banner year, no doubt.

Falstaff
Member

Join date: 2010-09-01

Re: Sun or Thurs Run Security issues @ Invicta

Post by svoglic on Sat Feb 12, 2011 12:43 am

Some are complaining that when they ordered and the site crashed, they kept hitting I want it until they were allowed into the payment page. It looks like, if their order crashed 10 times until they finally got in, then they were charged 10 times. It sucks to be in love with Invicta. I wonder how many of them were over their credit card limit because of this and will get charged for that.
There is all this information on Watch Geeks about the security of the site and overcharges and still they line up for the next Sunday Run.
I wonder how many of them have to wear a helmet to keep from licking the TV screen when Jim and Michael are on Shop?

svoglic
Member

Join date: 2010-12-01

Re: Sun or Thurs Run Security issues @ Invicta

Post by bigedsurf on Sat Feb 12, 2011 4:27 am

I wonder how many of them have to wear a helmet to keep from licking the TV screen when Jim and Michael are on Shop?


svoglic

Posts: 63
Join date: 2010-12-01


_________________
time flies........

bigedsurf
Member

Join date: 2010-07-25
Age: 91
Location: indiana

Re: Sun or Thurs Run Security issues @ Invicta

Post by svoglic on Sat Feb 12, 2011 9:58 pm

Uh oh, this isn't good at all!
Sunday's SR new issue.

Today, 05:46 AM
*coolness*
Senior Member
Senior Geek Join Date: Mar 2010
Location: Ohio
Posts: 138
Real Name: Christopher



--------------------------------------------------------------------------------

Not a good sign - I entered my CC info and hit Submit. The next page did not have an S (http://www.invictasundayrun.com/checkout/check_order) and worse yet - it said that my transaction would be charged to a Mastercard ending in 4 digits that are NOT mine.

It then said if everything was correct, to click on the Click Here To Purchase. I did not. But the worry now is, was the CC info submitted openly over the internet? And whose card number was that they listed the last 4 digits of? With all the delays and crashes and concerns tonight, I guess I should've known better than to try this.
__________________
When we first met, me and you, you thought I was common. How right you was, baby. I was common as dirt.


svoglic
Member

Join date: 2010-12-01

Re: Sun or Thurs Run Security issues @ Invicta

Post by dude on Sun Feb 13, 2011 12:14 am

Invicta has shit for personnel. Cheap fuckers.

You pay peanuts, you get monkeys.

_________________
_____________________________________________


dude
Member

Join date: 2010-06-03

Re: Sun or Thurs Run Security issues @ Invicta

Post by Mark on Sun Feb 13, 2011 3:41 am

The whole Invicta problem is Eyal being CHEAP. Use the cheapest of the cheap and this is what you get. I would bet he is using some Honduran web programmer for 50 bucks a day.

The web programmer does not know what https is but who gives a shit cause giving your CC info to that company is a "YOU'RE FUCKED" move anyway.

Mark
Member

Join date: 2010-06-12
