I recently signed up for a financial service so I could pay my awesome editor and writing coach, Matthew Sweet. Matthew is in the UK, but I’m in the US, and while it should be easy to pay someone on a different continent, it actually isn’t. The simplest ways incur huge fees, major delays, or both. I’d love to just pay him via Square, but they don’t currently support global payments. So we’re trying out a different service. One we’d never heard of before. One whose sole purpose is to facilitate international payments while keeping fees down. Sounds great!
We both created accounts and the company collected our bank account information. There were no glaring security issues. Pages and links were encrypted. And since I didn’t feel like trying to break into a financial service’s website, there was no way to tell what was going on in the back end.
A few days later I received an email from the company. They told me that my bank account didn’t match the name I’d provided, and asked again for the name and address on the account.
As I read the email I noticed that the page collecting the information was served over HTTP, not HTTPS. It wasn’t encrypted. I then checked the link the form would be submitted to. That was also not encrypted. This meant that the form could be tampered with before I saw it, and that the information I supplied could be eavesdropped upon and tampered with.
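The two checks described above (is the page itself served over HTTPS, and is the form's submit URL HTTPS?) can be automated. The script below is an added example, not code from the original post or from the payment service; it uses only the Python standard library, and the page URL, the `example.test` host and the HTML snippet are constructed sample input. It distinguishes the two failure modes the paragraph names: an HTTP page lets the form be altered before the user sees it, and an HTTP submit URL lets the submitted data be read and altered in transit.

```python
"""Audit the transport security of a page and the forms it contains.

Added example (not from the original post). Uses only the standard
library; page URL, hostnames and HTML below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attr_map = dict(attrs)
            # A form with no action (or an empty one) submits to the page URL.
            self.actions.append(attr_map.get("action") or "")


def is_https(url):
    """True when the URL scheme is https (case-insensitive)."""
    return urlsplit(url).scheme.lower() == "https"


def audit_forms(page_url, html):
    """Return one finding per form describing its transport risk.

    Each finding records the resolved submit URL, whether the page and the
    submit URL use HTTPS, and a risk label:
      - page and action both HTTP: form can be tampered with and data read
      - page HTTP, action HTTPS: form can be tampered with before it is seen
      - page HTTPS, action HTTP: submitted data can be read and altered
      - both HTTPS: ok
    """
    page_https = is_https(page_url)
    parser = FormActionCollector()
    parser.feed(html)
    findings = []
    for action in parser.actions:
        # Relative actions resolve against the page URL, exactly as a browser does.
        submit_url = urljoin(page_url, action)
        submit_https = is_https(submit_url)
        if not page_https and not submit_https:
            risk = "form can be tampered with and submitted data can be read"
        elif not page_https:
            risk = "form can be tampered with before the user sees it"
        elif not submit_https:
            risk = "submitted data can be read and altered in transit"
        else:
            risk = "ok"
        findings.append({
            "submit_url": submit_url,
            "page_https": page_https,
            "submit_https": submit_https,
            "risk": risk,
        })
    return findings


# Constructed sample: an account-verification page delivered over plain HTTP,
# with one form posting to HTTP and one posting to HTTPS.
SAMPLE_PAGE_URL = "http://example.test/verify-account"
SAMPLE_HTML = """
<html><body>
  <form method="post" action="http://example.test/verify-account/submit">
    <input name="account_name"><input name="account_address">
  </form>
  <form method="post" action="https://example.test/feedback"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["submit_url"], "->", finding["risk"])
```

Running it against the constructed page flags the first form (both page and submit URL over HTTP) as exposed to tampering and eavesdropping, and the second as still tamperable because the page itself arrived unencrypted. Pointing the same function at a real page's URL and HTML reproduces the manual check from the paragraph above.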