DCS Claimjs website - Is it secure?

  • dunover
  • 10/10/08 31/05/09
  • unspecified
  • Offline
Posted: Wed, 10/06/2009 - 13:07

I can't see any security lock or https (note added s) on the DCS claims website when we are asked to input our account number, name and balance. Is this a secure site???


Another IOM accountancy firm...

  • Anonymous
  • Offline
  • Thu, 11/06/2009 - 08:54

.....that doesn't know which day it is:

"13:30hrs Tue 10th June"


It certainly does not look secure

  • sabi Star
  • 10/10/08 n/a (free)
  • unspecified
  • Offline
  • Thu, 11/06/2009 - 08:03

I was shocked at the site we are supposed to put our account details on.
I am not at all internet savvy - but it looks like a third world spam type e-mail ( not that I get many!).
I would not be happy to use it with my account details - but what are the alternatives??


www.dcs.im lack of security

  • ng
  • 11/10/08 31/12/20
  • a depositor
  • Offline
  • Thu, 11/06/2009 - 09:07

I don't think you should be concerned about the visual design element of the site - they would be wasting money if they were spending time making it look "whizzy" - it just needs to be functional.

Lack of an encrypted connection is a bad sign though. It's not expensive nor difficult to set up, if they know what they're doing. So it makes me think they don't know what they're doing, or perhaps just aren't too bothered about security - but it amounts to the same: unprofessional.

Actually setting up https is zero-cost (apart from some time in configuring), what costs is the verification process - an external company such as Verisign charges a fee to provide a certificate (electronic) which confirms that dcs.im is who it says it is, KPMG or whoever. That's a few hundred pounds (per year), still hardly significant. But an encrypted connection doesn't need a third party certificate for encryption, only for identification verification. I could set one up here inside an hour, maybe 15 minutes if it all went smoothly.


Now WE have a secure connection, why don't they!?

  • ng
  • 11/10/08 31/12/20
  • a depositor
  • Offline
  • Thu, 11/06/2009 - 09:51

To prove my point, I just did it, it took exactly 30 minutes (it didn't quite go smoothly) and that included re-jigging firewall rules to allow access at port 443 (standard https port). So, you can now use https://www.ksfiomdepositors.org and https://chat.ksfiomdepositors.org - however you will get a security warning from your browser because we do not have a third-party certificate. The exact message will depend on your browser.

For example, Firefox 3 says:

Secure Connection Failed
www.ksfiomdepositors.org uses an invalid security certificate.
The certificate is not trusted because it is self signed.
The certificate is not valid for any server names.

... you will then need to "add an exception" to allow access to the site. This message is to warn you that our certificate is self-signed (home-made!) as opposed to being from a recognised provider such as Verisign. The encryption works fine with this self-signed certificate, but what you don't get is verification of the site's identity.
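The two points made across ng's comments above (an encrypted connection needs no third-party certificate, but a self-signed one gives you no identity check, and a browser reports that as "self signed" and "not valid for any server names") can be checked from the command line. The script below is an added example, not code from the post or from either site it mentions: `classify_cert` inspects a certificate in the dict shape Python's `ssl` module returns and reports whether it is self-signed and whether it names the host; `https_status` does the live connect (it needs network access, and the hostname you pass is your own choice). The two certificate dicts are constructed samples for illustration, not real certificates.

```python
"""Check whether a site offers HTTPS and what its certificate actually proves.

Added example. The certificate dicts below are constructed to mirror the two
Firefox warnings quoted in the thread; they are not real certificates.
"""
import socket
import ssl
import sys

# Constructed sample: subject equals issuer (self-signed) and there is no
# subjectAltName, so the certificate is not valid for any server name.
SELF_SIGNED_NO_SAN = {
    "subject": ((("commonName", "localhost.localdomain"),),),
    "issuer": ((("commonName", "localhost.localdomain"),),),
    "notAfter": "Jun 11 08:00:00 2010 GMT",
}

# Constructed sample: issued by a (fictional) CA and naming the host.
CA_ISSUED_WITH_SAN = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org")),
    "notAfter": "Jun 11 08:00:00 2010 GMT",
}


def _rdn_to_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def _name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def classify_cert(cert, hostname):
    """Report self-signed status and whether the cert names `hostname`.

    Names come from the DNS entries of subjectAltName; only if there are
    none does the subject commonName count, which is how browsers of that
    era fell back.
    """
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = san or ([subject["commonName"]] if "commonName" in subject else [])
    return {
        "self_signed": subject == issuer,      # encryption works, identity unproven
        "names": names,
        "name_matches": any(_name_matches(n, hostname) for n in names),
    }


def https_status(hostname, port=443, timeout=5):
    """Live check (needs network): does the host answer TLS on `port`, and
    does its certificate validate against the local trust store?"""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                info = classify_cert(tls.getpeercert(), hostname)
                return {"https": True, "verified": True, **info}
    except ssl.SSLCertVerificationError as exc:
        # Handshake happened, so the link is encrypted, but identity failed:
        # verify_message reads e.g. "self-signed certificate".
        return {"https": True, "verified": False, "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        # Refused, timed out, or no TLS at all on that port.
        return {"https": False, "verified": False, "reason": str(exc)}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("self-signed sample:", classify_cert(SELF_SIGNED_NO_SAN, "www.ksfiomdepositors.org"))
    print("CA-issued sample:  ", classify_cert(CA_ISSUED_WITH_SAN, "www.example.org"))
    # Live check of a host given on the command line (your own choice).
    if len(sys.argv) > 1:
        print(https_status(sys.argv[1]))
```

Run with no arguments to see the two constructed cases; pass a hostname to see the live result. A "verified: False" with a "self-signed" reason is exactly the state ng describes: traffic is encrypted, but nothing vouches for who is on the other end.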


Lack of security at www.dcs.im

  • ng
  • 11/10/08 31/12/20
  • a depositor
  • Offline
  • Wed, 10/06/2009 - 23:32

Yes, it's insecure. See my comment here: http://chat.ksfiomdepositors.org/blog-entry/dcsim-site-insecure#comment-...

Also, fixed the "access denied" error when commenting on this post.


www.dcs.im site insecurity

  • ng
  • 11/10/08 31/12/20
  • a depositor
  • Offline
  • Wed, 10/06/2009 - 23:49

Further investigation, the IP address, 83.218.10.214 appears to be owned by KPMG. Specifically the info shown by maxmind.com is ISP: "Advanced Systems", Organisation: "KPMG". That information may not be reliable, but is probably correct. So, it could be possible that employees at KPMG could have access to the data you input at www.dcs.im. Even if they had an https connection this would still be true. The point is, the site appears to be physically located at a third party, not IOMT or similar.


Sorry, being dumb - it's

  • ng
  • 11/10/08 31/12/20
  • a depositor
  • Offline
  • Thu, 11/06/2009 - 00:23

Sorry, being dumb - it's obvious that the site is run by KPMG. Nonetheless, you'd think they would have the resources to set up an https connection!