
Apr 05, 2008

Redbox Gets Customer Service Right

Posted by admin in service, Security, mistakes, customer

[Image: Skimmer On Redbox]

I've given Cari.net a hard time about giving almost-good customer service and TracFone for looking like they just don't care about their image. So here is an example of an excellent proactive response to a potentially serious problem. We use Redbox (automated DVD vending jukebox) a lot for kid films and probably-do-not-want-to-own films (ex: I Am Legend). It's not perfect, and their online rental interface could certainly use a tuneup, but it's a buck a night and that saves me three bucks a movie for new releases, so I will put up with a lot.

However, apparently someone put a credit card skimmer on a machine somewhere, so below is their response:

To Our Valued Customers:

A few days ago redbox detected and removed an illegal credit card skimming device at one of our 7,400 locations. At the same time, redbox also discovered evidence of skimming attempts in two other locations. Skimming involves the placement of an illegal device above the credit/debit card reader on a vending machine, ATM, or in this case a redbox. These devices are used to illegally read or store personal credit card information.

Even if your redbox was not targeted, it never hurts to pay a little extra attention and check for any unusual activities or changes at your local redbox. If you suspect your redbox has been tampered with (click this link to see pictures of skimmer devices: http://www.redbox.com/creditcardsecurity/ ) please call 866-REDBOX3, e-mail alerts@redbox.com , or notify the store/restaurant manager of your concerns immediately.

Although there is no evidence currently that these skimming attempts were successful, consumer security is a top priority for redbox. Reviewing transaction records, there is a possibility that up to 150 customers may have been affected. Although only a small percentage of the millions of customers who use redbox each month, redbox has notified the major credit card companies so that they can monitor the situation. The redbox team is also working with local authorities to investigate the incidents and ensure your security.

Skimming is not new (click this link for more details: http://www.uboc.com/ ). It has been attempted numerous times on ATMs, gas station pumps, and now redbox has been targeted. Redbox has been aware of these industry threats and has spent significant time and resources to prepare for them. The 7,400 redbox locations are visited frequently by redbox associates to maintain smooth operations and an optimum customer experience. In this case, a redbox associate found evidence of skimming attempts and initiated the actions in the team's response plan (including this e-mail message).

Redbox greatly values our customer relationships. As a result, redbox is open and direct in our communications about this type of situation. The redbox team also utilizes industry-leading technology to ensure you have a safe shopping experience and aggressively combats attempts by criminals to defraud customers. Please see the questions and answers below for some additional details on skimming and how redbox ensures the safety of your account information.

Sincerely,

Trina Graham-Hodo
Director, Customer Service

Bill Caputo
Director, Security

Ok, so far so good - clear explanation, promise to stay vigilant. And well written too!

And then they go the extra mile and provide you with more information using outside "expert" sources to help you understand the issue.

Additional Questions / Answers:

Q. What is credit card skimming?

A. Skimming is the theft of credit card information used in an otherwise legitimate transaction. It often involves the placement of an illegal device above the credit/debit card reader on a vending machine, ATM, or in this case a redbox. For more info click these links:
http://en.wikipedia.org/wiki/Credit_card_fraud#Skimming
http://www.uboc.com/about/main/0,,2485_703976951,00.html

Q. What does redbox do to protect consumer credit card information?

A. Redbox employs state-of-the-art security technology to ensure the privacy and security of our customers' data before, during, and after their visit to our kiosks. Customer credit card information is encrypted the moment it's swiped through our readers. Redbox uses further layers of encryption to protect all data transfers, too. Kiosks are also actively monitored and regularly inspected both on-site and remotely. Redbox never moves or stores unencrypted customer information. Credit card information cannot be accessed by outsiders or even by redbox employees once the card is swiped at a kiosk.

Q. Where can I get more information on credit card skimmers?

A. Please use these links to get more information on credit card skimmers:
http://en.wikipedia.org/wiki/Credit_card_fraud#Skimming
http://www.usatoday.com/tech/news/computersecurity/infotheft/2007-07-31-gift-cards_N.htm
http://www.uboc.com/about/main/0,,2485_703976951,00.html

Q. How do I know if a skimmer is on my redbox?

A. Redbox credit/debit card readers are standardized for all locations. Click this link for pictures of the two approved readers and some examples of skimmer devices: http://www.redbox.com/creditcardsecurity/

Q. Who should I call if I have questions?

A. If you suspect your credit card information was improperly used, contact your financial institution immediately. If you have specific concerns related to this incident and redbox, please visit http://www.redbox.com/creditcardsecurity/ or call 866-REDBOX3. Please do not reply to this email.

Perfect job, IMHO. Responsive, attentive, explanatory, links to authority sites to inform you, etc. Good job guys.

Mar 02, 2008

Bad SEO Tool Security Can Get You Pwned

Posted by admin in SEO tool, Security, evil, architecture

[Image: Badly Architected SEO Apps]

I was reading this really cool article on Chlorine Trifluoride, which apparently can basically burn through just about anything, including sand, asbestos tile, glass, and probably even leftover high school cafeteria pizza. I completely love this description:

It is, of course, extremely toxic, but that's the least of the problem. It is hypergolic [ignites on contact - ed with AP chemistry] with every known fuel, and so rapidly hypergolic that no ignition delay has ever been measured. It is also hypergolic with such things as cloth, wood, and test engineers, not to mention asbestos, sand, and water, with which it reacts explosively.

Speaking of Explosive

We have been spending a lot of time looking at SEO tools while deploying some of our own (Yahoo Store SEO Analyzer, Digg Friend Finder, Backlink Pinger), and while we've talked a lot about SEO Application Architecture we never did much writing about security. I guess we thought that with all the, er, black hat stuff that can go on around this industry, people would be careful about how their SEO applications were architected.

Uh, No

Without naming names, though you'd recognize them as very big players, we found dozens of security holes in their applications, including but not limited to:

  • Wide Open Ajax Services - Ajax is a wonderful thing. And Firefox protects the browser against cross-site scripting. But if the service on the back end is willing to accept a call from anything and doesn't verify that the caller is actually your own client, then someone else can write an application that does the same thing you do, but uses your server to do the work. For example, another server running PHP could use curl to load one of your pages and then make web service calls to your "public" service, and you'd be hard pressed to tell. You'd think you were getting lots of traffic, but you'd just be providing the back end for someone else.
  • JavaScript Based Security - It's hard to believe, but we've seen plenty of applications that take a login in JavaScript, make an Ajax call to authenticate, and then enable a button or show content using JavaScript. If some hacker couldn't figure out how to rape and pillage those systems I think they'd get kicked out of their club.

About That Picture

That is a picture of a couple of pounds of Chlorine Trifluoride going off inside an asbestos berm test container. Or is it your website as some hacker takes control of your PR checker (for example) and hoses down Google with it until they block your IP or penalize your site?

Ouch.

Perils of Outsourcing

Of the dozen or so tools we found with major security flaws, the most common theme was not age of deployment, or country, or sophistication of the tool. It was that the development was outsourced by a very non-technical person. Not non-technical as in "doesn't understand SEO" or "can't figure out how to tickle Google" but as in: not much exposure to complex software engineering.

One thing you should know: we have some extremely technical people on staff. (Not me, I just fetch the coffee.) I think we could probably safely outsource applications built to a safe and sophisticated architectural specification, but it'd be tricky.

We described our SEO architectural technical stack earlier, but here it is again:

[Image: Promote My Site SEO Application Technical Architecture]

Here is my rule of thumb: if you can't understand that picture, you can't export the work.  You need someone working for you who "gets" it.  I'm not bragging - we're not perfect and there are a lot of things (*cough* graphic design *cough*) that we don't do very well and have to get help with.

Conclusion

If you are going to outsource some development and you'd like to avoid a meltdown, well, you should probably get someone on staff or at least locally consulting with you to ensure that you have proper security. If you can't look at the code that your overseas outsourcing partner is giving you and make sense of it, then you probably shouldn't be trying to play that game.