TheTrainline.com fixes web security derailment

This story was updated on February 11 to add that Trainline fixed this insecure credit card submission flaw a day after our initial report. The firm has been in touch to say that it has revamped its handling of security reports from customers, following a review of the incident, as reported here. TheTrainline.com, a UK website …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    vbv and mcsc

    Verified by Visa and MasterCard SecureCode are not logos depicting an SSL connection.

    They are simply graphics. They represent a completely different system called 3-D Secure.

  2. Karl Lattimer

    surely this should be....

    visa

    "along with logos for Verified by Vista and MasterCard SecureCode."

    Chalk that down to a Freudian slip.

  3. Kevin Pitkin

    Verified by Vista?

    We are all, thoroughly, doomed.

  4. Anonymous Coward

    This is an old bug

    I emailed thetrainline.com almost TWO YEARS ago to tell them about this bug, and a page which showed SQL type error messages. I received no acknowledgement or reply. Typical arrogance or apathy from a large, disorganised outfit in my experience. I stopped using the site as a result.

  5. Jeremy North

    It shouldn't be any surprise

    This is one of the worst websites out there. I recently tried to purchase a pair of tickets from Cardiff to Manchester. Every time I got to the payment stage, it told me that the card had failed authorisation. I checked with my card issuer and they hadn't even received a request, let alone rejected it. I spoke to the 0870 number people and got queued, then told that I would have to empty out my shopping basket and start the whole process again. Did this more than 6 times, tried three different credit cards all with the same results. The operators on the line were, shall we say, inexperienced and reading from scripts, anything outside their comfort zone was not something they wanted to be bothered with. After three hours and calls to their 0870 number and two of my card issuers (just in case!) I gave up. I tried once more the following day with the same result, then phoned them, spoke to a very helpful lady who took my order over the 'phone and used exactly the same payment card as I tried first which worked first time.

    Definitely not a candidate for Best on the Web!

  6. Anonymous Coward

    Shouldn't the Credit Companies be encouraged to pull the plug?

    "Although the https signifier in the URL is absent, a falsely reassuring padlock graphic remains in place, along with logos for Verified by Vista and MasterCard SecureCode."

    Either they should withdraw the cc processing accreditation facility temporarily for not having a secure system, or for bringing their logos, and the "padlock" on which the public rely, into disrepute (is keeping it visible incorrectly not also misrepresentation?).

  7. Mark Rigby-Jones

    "Verified by Vista", eh?

    I'm not sure that that would give me a warm glowing feeling of security in the first place...

  8. Anonymous Coward

    Not surprised

    I'm not surprised - when you register with the site they send your password back in an email - not exactly exceptionally secure.

  9. Dave

    only affects 'the trainline'???

    or is this a problem with VbyV?? Hope not! Also, I am NOT volunteering to test!!!

  10. Cliff

    Payment Partners

    This is why offering the option of using a payment partner (e.g. WorldPay, PayPal, PPPay, Google Checkout, etc.) is so valuable - do I trust WorldPay to be able to take a secure payment? Well, a darn sight more than I trust homebrew billing software.

    So, as we know The TrainLine.com (who also skin as qjump, virgintrains, fgwtickets, etc.) have poorly designed payment mechanisms, can we be confident that the whole credit-card db is safe? Or is the equivalent of select * from mycreditcarddatabase.dbo.mycreditcardtable.mycreditcardnumber (all wizard-written, you see) going to cough up goodies too? I've lost trust in their service.

    Insecure payment channels ought to be illegal

  11. Dale

    Verified by Vista

    I would have thought the "Verified by Vista (sic)" logo would have been a dead giveaway that there was trouble.

  12. Nick Bolton

    We don't believe in bugs!

    Just over a year ago, I bought tickets from TheTrainLine, and specified two different addresses; card address and billing address. My friend who watched me go through the process could testify that I had done everything correctly, and nothing looked out of the ordinary.

    However, my ticket was sent to my card address in the Isle of Man, 1 week before my trip. Rather annoying, as I was in Wales at the time.

    Anyway, that was nothing compared to my annoyance after speaking to their customer services team. I had the pleasure of speaking to a rude Scottish woman (you know the type). I didn't like her much...

    So, for the punch line: she told me that I was definitely wrong and that it is impossible for there to be any bugs because they have tested it several times. Now, I'm a software developer, and most of you will agree she was surely in no position at all to fob me off with such a conclusion. Right?

    After about an hour on the phone, I was not given a refund or even a formal apology. I had to reorder my tickets from the local ticket office.

    Boo!

  13. Simon Reed

    It's a buggy web site anyway

    I used it for the first time last week. Using Firefox, in one tab I did a search for a journey and in a second tab - for comparison purposes - worked out a better journey. I went through to the payment on the second tab, then got an email of the details of the ticket: the one on the first tab. So it sold me a ticket I didn't want.

    I phoned up but was told "there's nothing we can do and it costs £10 to cancel the ticket". I won't be using them again.

    So the scumbags are making a tenner a time on the bugs on their web site. Is it any wonder they won't fix it?

  14. stan marsh

    Title

    Haven't used the trainline since they started charging £1.50 for card transactions (and having simply appalling phone help).

    Use any of the other TOCs' ticketing system and avoid the charge (incidentally, it runs off the same engine as thetrainline - so does the problem affect them too? We need to know!)

    GNER, for instance, give 10% off some of their fares if you book direct.
