Sunday, October 2, 2011

Booking tickets in IRCTC? Your Credit Card might be in risk


Blog moved. I have a new home now at www.rakeshmukundan.in Do update your bookmarks :)
    IRCTC is India's most popular travel site, having a monthly user turn over of over 8.4million! (as on April 2011, source)Many uses the site for their day-to-day travel needs. Despite the vast user base, IRCTC is still not upto the mark in protecting it's users privacy, recently only they have switched to SSL!!.
As a regular train travel, I too uses IRCTC extensively, mostly uses credit card for the transactions. Recently only I have noticied that IRCTC actually stored your entire credit card number on the local machine and there is no way to opt-out other than manually deleting the history.

 Thats some serious security hole(!!), imagine the situation of a user booking tickets on public computer like Net Cafe.Its like leaving one's credit card in the street.
Even in a private computer this practice could have serious implications(possible virus attack,trojans etc..). Its a common web programming practice not to cache sensitive entries like this, but guess IRCTC has their own practices[;)].

So what can you do to make sure that your Credit Card information is not stored?, simply delete all the private data in your browser after doing a transaction. The practice of deleting all the browser entries after finishing surfing in a Cafe is a good practice.But in case of your own personal computer this can be of big inconvenience.If you are a Firefox user there is an extension to help you out, Form History Control.It will allow you to create custom rules to delete the form entries automatically.
Install the addon and open the Form History control.Goto Clean Up and insert two entries as below one for credit card number and one for CVV number(Ya, IRCTC made sure to cache both ;)).




Make sure to check select the RegExp option to the right of Field-name else it won't work.


Select  Perform Clean up on Browser shutdown and perform clean up when a browser tab is closed options for automatic cleaning.




Use the Preview matching entries option to see if any entry is already stored.








Now Form History Control add-on should be cleaning up your credit card entires soon after the IRCTC web-page is closed, handy method till they fix the website.

I don't know any such tools exists for other browsers, will update this post once I found them.