Warning: firstin.co.nz / DPS payment system is insecure!

Forums › Off topic › Warning: firstin.co.nz / DPS payment system is insecure!

d3Xt3r

639 posts

Ultimate Geek
+1 received by user: 95

Trusted

Subscriber

Topic # 100208 5-Apr-2012 09:04

I wanted to buy something off firstin today, and it was shocking to see that the site wasn't using https, even though they say they do, and the page is even "certified secure". Goes to show that all those badges and logos mean nothing and you should always make it a point to manually check if a payment page is secure or not...

freitasm

BDFL - Memuneh
62282 posts

Uber Geek
+1 received by user: 12824

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 605511 5-Apr-2012 09:13

That page maybe not encrypted, but what about the submit form? Is it like Geekzone, login form in all pages (encrypted or not) submit is done to an encrypted version though?

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

d3Xt3r

639 posts

Ultimate Geek
+1 received by user: 95

Trusted

Subscriber

Reply # 605519 5-Apr-2012 09:23

Nope, the submit form wasn't encrypted either. The whole site remained insecure from step 1. of the process..

Edit: Wait, looks like you're right, the form itself is encrypted.. didn't realise it was in an iframe. Looking at the code:

<iframe id="iPayment" src="https://sec.paymentexpress.com/pxpay/pxpay.aspx?userid=FirstIn&request=....."></iframe>

gzt

10526 posts

Uber Geek
+1 received by user: 1683

Reply # 605523 5-Apr-2012 09:28

The payment.aspx element has an https source supplied by DPS.

d3Xt3r

639 posts

Ultimate Geek
+1 received by user: 95

Trusted

Subscriber

Reply # 605530 5-Apr-2012 09:39

gzt: The payment.aspx element has an https source supplied by DPS.

Thanks, yeah I just realized that myself. But the site still appears a bit dodgy. For instance, they make you agree to the ToC of the sale, but when you open the ToC page, it's empty!

http://secure.firstin.co.nz/terms.aspx

gzt

10526 posts

Uber Geek
+1 received by user: 1683

Reply # 605534 5-Apr-2012 09:49

Maybe they fill it in later lol. The Comodo, Visa, and '100% NZ' verification icons do not operate correctly either.

Kyanar

3064 posts

Uber Geek
+1 received by user: 485

Trusted

Subscriber

Reply # 605640 5-Apr-2012 12:00

Rest assured, DPS is definitely not insecure. In fact, you can't even get to the payment page over an insecure HTTP session.

nate

6332 posts

Uber Geek
+1 received by user: 393

Moderator

Trusted

Lifetime subscriber

Reply # 605670 5-Apr-2012 12:34

Kyanar: Rest assured, DPS is definitely not insecure. In fact, you can't even get to the payment page over an insecure HTTP session.

Its safe to assume that if DPS ever thought about this, they'd get a bollocking from not only the banks, but also the credit card companies.

simplestuff

84 posts

Master Geek
+1 received by user: 1

Reply # 611188 18-Apr-2012 15:01

Order an Item through these guys 01/04/2012 Charged against my account the next day, delivery date was supposed to be 15th April. Not received the item yet Tried to contact them by email and phone no Joy. May be jumping to conclusion. Anyone else having problems

gzt

10526 posts

Uber Geek
+1 received by user: 1683

Reply # 611191 18-Apr-2012 15:06

simplestuff: Order an Item through these guys 01/04/2012 Charged against my account the next day, delivery date was supposed to be 15th April. Not received the item yet Tried to contact them by email and phone no Joy. May be jumping to conclusion. Anyone else having problems

You are having problems with FirstIn right?

DPS is just a payment processor.

simplestuff

84 posts

Master Geek
+1 received by user: 1

Reply # 611194 18-Apr-2012 15:08

Yes
Have I posted in the wrong Forum?

xpd

Chief Trash Bandit
9277 posts

Uber Geek
+1 received by user: 1497

Mod Emeritus

Trusted

Lifetime subscriber

Reply # 611196 18-Apr-2012 15:10

Please start a fresh topic, this topic is in regards to the payment system for FirstIn, not the company itself.
Thanks

XPD / Gavin / DemiseNZ

Server : i3-3240 @ 3.40GHz 16GB RAM Win 10 Pro Workstation : i5-3570K @ 3.40GHz 16GB RAM Win 10 Pro Console : Xbox One

https://www.xpd.co.nz - Games, geeks, and more.

myopinion

842 posts

Ultimate Geek
+1 received by user: 55

Reply # 611225 18-Apr-2012 15:51

gzt: The payment.aspx element has an https source supplied by DPS.

The above says it all. Firstin does not need to have an https page as the secure payment part is hosted by DPS.

richms

21832 posts

Uber Geek
+1 received by user: 4570

Trusted

Subscriber

Reply # 611286 18-Apr-2012 17:11

Actually they do since that form could be replaced by one going anywhere by an intermediary. without https and the option to inspect the page credentials then you have to go digging on the page source to find the iframe or whatever

Richard rich.ms