Secure Really Does Mean Secure
I recently had occasion to book a hotel in San Francisco. I don't do a lot of traveling involving hotels, usually staying with family or friends I'm visiting wherever I'm going, so I don't do this a lot. This time, I found a nice-looking, affordable hotel, and planned to book a room online.
Their website had the usual thing hotels have, where they use an outside provider for the fulfillment of online reservations. A couple steps into the process, I got a little worried. The prices were good, but the form looked really homemade (not in a good way), and was requesting a credit card number over an unencrypted connection.
This is never a good idea. I called the hotel thinking I'd make the reservation by phone instead. I actually prefer to make reservations online if I have some assurance that the tech is good, because credit card numbers are usually stored in the target database encrypted, and have been requested over an encrypted connection, so it's very difficult to steal them. The person or company who created the web application can't even see them. That's the whole point.
It looked like this company was just taking the credit card numbers, storing them (maybe even receiving an email with the number in it saying "here, book this reservation" — yet another vector for security issues), allowing future lookup by the hotel. Or anyone else who's able to compromise the account and browse the database.
I asked about this on the phone, and the person working there told me that the web developer told them "if the site doesn't have the lock on it," meaning that the connection isn't secure and you don't see the lock icon in your browser, "that means people won't try to get in and steal numbers".
The mind boggles.
I didn't belabor the point since this person had only just heard my voice for the first time, I hadn't made a reservation yet (and wasn't going to — the phone price was more expensive!), so why should they trust me? Of course, if they believed what this web developer told them, maybe they would believe me, who knows?
I did book a room at the hotel, because it does look like a good one. But I did it through Priceline, where the connection is encrypted and I feel like there's a better chance the data will be stored correctly.
If I'm feeling pushy, I might try to talk to the management of the hotel while I'm there to encourage them to look elsewhere for their online reservation provider, or at least see if they'll consider the issues they're missing. And maybe ask their mysterious current developer (whose contact information is not available on its website, to which I'm not linking) to bolster the defenses.