US Airways Dividend Website - Caveat Emptor!

If you're looking to top off your Dividend miles at US Air, be advised the
site that you will purchase these miles from doesn't implement secure
sockets. For the unitiated, your credit card information flys (no pun
intended) over the Internet unencrypted. Here is the address:

http://www.usairways.com/awa/content.../buymiles.aspx

I use my credit card quite a bit on the Internet and never had a problem as
long as I landed on a https (SSL enabled site). Maybe US Air can't afford a
certificate from Verisign :-)

rg

Sharkbait wrote:

If you're looking to top off your Dividend miles at US Air, be advised the
site that you will purchase these miles from doesn't implement secure
sockets. For the unitiated, your credit card information flys (no pun
intended) over the Internet unencrypted. Here is the address:

http://www.usairways.com/awa/content.../buymiles.aspx

I use my credit card quite a bit on the Internet and never had a problem as
long as I landed on a https (SSL enabled site). Maybe US Air can't afford a
certificate from Verisign :-)

WRONG.

If you aren't convinced, download HTTPWatch or capture a packet trace.

The POST request with the credit card info I gave (throwaway card) went
to https://buy.points.com/dividendMiles/review.do

I have no reason to believe your credit card details didn't go to this
HTTPS link. While you might have a bad opinion of US Airways, I can
assure you that Points.com knows how to securely handle mileage
transactions such as these. They do it for multiple airlines.

Trust me. Packet tracing is what I do for a living. Trust me on this.

Mr. Travel wrote;

WRONG.

I currently sitting the page where I enter my credit card information needs
to be entered right now. Here is the link;

http://www.usairways.com/awa/content.../buymiles.aspx

What is it about this link that tells me the data will be directed through
port 443 and not 80? What is it about this link that tells me the
application is using SSL? Shall I go ahead and complete the transaction and
pray?

rg

Mr. Travel wrote;

WRONG.

Go to any number of other secure shopping sites. Take PC Connection for
example; by the time you land on the checkout page where you enter your
credit card info, and before entering your info, you will note the URL is
already https:

https://www.pcconnection.com/IPA/Shop/Checkout/

rg

Shawn Hirn wrote;

Did you bother to view the source for that page? If you do, that's where
you'll find the https reference.

Yes I did review the source page. Apparently, you are not a US Airways
Dividend member. The source page, which is not https takes you to the one
referenced. The source page requires that you enter your Dividends Miles
membership number. Follow this:

http://www.usairways.com/awa/default...en&q=usairways



Near the top of the page mouse over Dividend Miles and scroll down to Buy,
Share and gift miles. It will take you to this page:



http://www.usairways.com/awa/content...s/default.aspx



Under buy miles, click either "Buy Now" or "Buy Miles" your choice. It will
take you he



http://www.usairways.com/awa/content.../buymiles.aspx



Here is where you will enter your membership number, last name, first name,
email address and number of miles you want to buy. At this point, I suspect
you should be at https. After entering the correct information, which I
believe is validated at the back end, you are taken he



http://www.usairways.com/awa/content.../buymiles.aspx



You are then requested to click on "Continue Purchase", which takes you
he



http://www.usairways.com/awa/content.../buymiles.aspx



This is where you enter all the appropriate information regarding sensitive
personal data. I saw no reference to https anywhere along the way. Where
is the https reference?


rg

Sharkbait wrote:

Mr. Travel wrote;


WRONG.


I currently sitting the page where I enter my credit card information needs
to be entered right now. Here is the link;

http://www.usairways.com/awa/content.../buymiles.aspx

What is it about this link that tells me the data will be directed through
port 443 and not 80? What is it about this link that tells me the
application is using SSL? Shall I go ahead and complete the transaction and
pray?


That link doesn't tell you anything. That isn't the link you are sending
the data too. I already gave you a way to find out if the data is going
to be sent secured. You can freely download httpwatch or some other
program to figure out where you are actually going to send the data.

This isn't the same as claiming they are too cheap to buy a verisign
certficate. You had ZERO evidence of that.

Sharkbait wrote:

Mr. Travel wrote;


WRONG.


Go to any number of other secure shopping sites. Take PC Connection for
example; by the time you land on the checkout page where you enter your
credit card info, and before entering your info, you will note the URL is
already https:

https://www.pcconnection.com/IPA/Shop/Checkout/

When you look at the URL, you are looking at the URL for the page you
just RECEIVED. This isn't address of where the data goes when you enter
it. You misunderstanding of how things work is not a reason to accuse
them of being unsecure.

Shawn Hirn wrote:

In article 7uTAj.4916$FG2.2214@trndny08,
"Sharkbait" wrote:


Mr. Travel wrote;


WRONG.

I currently sitting the page where I enter my credit card information needs
to be entered right now. Here is the link;

http://www.usairways.com/awa/content...s/purchasemile
s/buymiles.aspx

What is it about this link that tells me the data will be directed through
port 443 and not 80? What is it about this link that tells me the
application is using SSL? Shall I go ahead and complete the transaction and
pray?


Did you bother to view the source for that page? If you do, that's where
you'll find the https reference.

It has NOTHING to do with the source of the page. It has to do with
where the page is that he is sending the data to. That page has an HTTPS
link at points.com

Sharkbait wrote:


http://www.usairways.com/awa/content.../buymiles.aspx



This is where you enter all the appropriate information regarding sensitive
personal data. I saw no reference to https anywhere along the way. Where
is the https reference?


Yes, to get the form, you sent an HTTP GET request for
http://www.usairways.com/awa/content.../buymiles.aspx

As I have explained to you. When you enter the data and send it, it is
sent, via an HTTP POST to https://buy.points.com/dividendMiles/review.do

Your statement about the data being insecure was totally wrong.
Their is no need for US Airways to have a Verisign cert, because the
purchased is handled (via HTTPS) by POINTS.COM.

Mr. Travel wrote;

When you look at the URL, you are looking at the URL for the page you just
RECEIVED. This isn't address of where the data goes when you enter it. You
misunderstanding of how things work is not a reason to accuse them of
being unsecure.


The non-techno-geeks among us use something like the following taken off the
Indiana University, Univ. Information Technology Services website:

http://webmaster.iu.edu/tool_guide_info/ssl.shtml

and I quote:

" How do I know if my browser is communicating with a secure server?
a.. Your browser may notify you before displaying the page
b.. A 'lock' symbol may appear in 'locked' position on your browser
c.. The URL will have 'https:' at the beginning. "
I am sure there are plenty of other similar citations out there. The
majority of us lay people don't have all of your assumed knowledge of
Internet security. Fewer of us run Network General's Sniffer application on
our laptops to determine and detect that we are transmitting data through a
redirected, secure link using SSL.

I can assure you that US Air's website provides none of the above standards
to notify you that you are communicating with a secure server. The fact
that I am communicating with Points.com makes me feel even more insecure.
It allows US Air to pass the buck if something goes wrong and Points.com to
push me back to US Air for financial loss. That is the bottom line.

Before anyone tells me to call US Air and buy the miles over the phone, the
discount through the end of March only applies to the purchase of miles
through the website.

rg