World War II
Discuss WWII and the era directly before and after the war from 1935-1949.
Hosted by Rowan Baylis
Beware MisterKit website (Security Issue)
uproar
Nebraska, United States
Joined: April 09, 2005
KitMaker: 99 posts
AeroScale: 25 posts
Posted: Sunday, December 02, 2007 - 06:36 AM UTC
Greetings,
I encountered a serious security issue while trying to order things from the www.misterkit.com website in Italy--I realized that as I was ordering, there were already about $2,500 USD worth of items already in my cart, apparently from someone else's order, that did not want to go away no matter how many times I tried to delete them--then I realized that I was actually, through no effort of my own, logged into someone else's account! Someone with an Italian address. I had to log out and register under my own name, but then I did not feel safe completing the order, entering my financial information, which could end up on the computer of god-knows-who. I've emailed the website about this problem, and meanwhile placed my order elsewhere, but I wonder how many other people out there have encountered this glitch--so I would advise avoiding the MisterKit website for the time being, until the problem is fixed.
fantacmet
Oregon, United States
Joined: March 09, 2007
KitMaker: 104 posts
AeroScale: 37 posts
Posted: Sunday, December 02, 2007 - 08:22 PM UTC
Well, despite the VeriSign, and HackerSafe, and whatever safe logos out there, 90% of ecommerce websites are EXTREMELY vulnerable to attack. Even the New York Times has issues that make them WIDE open with very little effort. They've been broken into many times through the same exploits but instead of fixing them, rely on keeping people's mouths shut. Security by Obscurity is the name of the game. I will NOT go into any details as I don't want any passersby getting ideas (not saying anyone here would do such a thing), but on over 50% of e-commerce sites around the globe, you can pretty much purchase what you want, for the amount you want. PayPal based is REALLY easy.

I used to be webmaster for a local bicycle shop, and they wanted to use PayPal. I suggested it might not be safe to do so. They asked if I could prove it, so I set about doing so, and in under 5 minutes, I bought one of their items listed for 1200 bucks for a grand total of 15 dollars. They still wanted to use PayPal, for its low price in the beginning, so I managed to get sections encrypted, and other things obfuscated, to minimize the risk, but the insecurity was still there. Needless to say, the item was never shipped since it was done right there in their shop, with their credit card and account. The test, aside from my fees (I worked per project and this was included as part of the site design), only cost them like a dollar and a half.
mgtaylor
Florida, United States
Joined: July 20, 2006
KitMaker: 59 posts
AeroScale: 56 posts
Posted: Monday, December 03, 2007 - 07:06 AM UTC
Dear Ray

I am sorry to hear of your troubles. I agree with Stephen; it sounds as if your Account Info has been hacked and is being used without your authorization. The same really could happen with ANY USN/PWD Protected site.

However, to be clear, you are ORDERING from MisterKit's ITALIAN Home Page and NOT their US Distributor's Page: www.misterkitusa.com, which I run myself here out of Orlando, FL.

I import all their WWI colors and offer as many High Quality WWI Products and recently have added some KITS.

Yours Mike

uproar
Nebraska, United States
Joined: April 09, 2005
KitMaker: 99 posts
AeroScale: 25 posts
Posted: Monday, December 03, 2007 - 12:24 PM UTC
Well the strange part is that when I noticed the problem, I had not yet even registered with the website--I noticed the problem, fortunately, before I tried to "check out". The information that I found when I clicked on "my account" was somebody in Italy with a decidedly Italian name (unfortunately, I did not make note of it). So I saw that person's personal information (which wasn't much other than an email address, phone number, and birthdate) displayed. So I deleted everything in the cart and logged out, and then registered myself (probably not wise at that point), but did not submit any account or financial information. Subsequently I decided not to order anything, so I logged out....but things still keep showing up in the basket, all by themselves, even though I am not logged in. So I'm not so sure my account has been hacked into, since I didn't have an account before the problem arose. So...what do you think is happening?

Actually, I did subsequently order a bunch of paint and such from your misterkitusa website--I sent you an email.

Thanks,
Rory