Showing posts with label online security. Show all posts

Sunday, October 2, 2011

Booking tickets on IRCTC? Your credit card might be at risk


Blog moved. I have a new home now at www.rakeshmukundan.in Do update your bookmarks :)
IRCTC is India's most popular travel site, with a monthly user turnover of over 8.4 million! (as of April 2011, source) Many use the site for their day-to-day travel needs. Despite the vast user base, IRCTC is still not up to the mark in protecting its users' privacy; only recently did it switch to SSL!
As a regular train traveller, I too use IRCTC extensively, mostly paying by credit card. Only recently I noticed that IRCTC actually stores your entire credit card number on the local machine, and there is no way to opt out other than manually deleting the history.

That's a serious security hole (!!). Imagine a user booking tickets on a public computer, such as one in a net cafe: it's like leaving one's credit card in the street.
Even on a private computer this practice could have serious implications (possible virus attacks, trojans etc.). It's common web programming practice not to cache sensitive entries like this, but I guess IRCTC has its own practices [;)].

So what can you do to make sure that your credit card information is not stored? Simply delete all the private data in your browser after doing a transaction. Deleting all browser entries after you finish surfing in a cafe is good practice, but on your own personal computer it can be a big inconvenience. If you are a Firefox user, there is an extension to help you out: Form History Control. It allows you to create custom rules that delete form entries automatically.
Install the add-on and open Form History Control. Go to Clean Up and insert two entries as below, one for the credit card number and one for the CVV number (yes, IRCTC made sure to cache both ;)).




Make sure to select the RegExp option to the right of Field-name, else it won't work.


Select the Perform Clean up on Browser shutdown and perform clean up when a browser tab is closed options for automatic cleaning.




Use the Preview matching entries option to see if any entry is already stored.








Now the Form History Control add-on should clean up your credit card entries soon after the IRCTC web page is closed, a handy method till they fix the website.

I don't know whether any such tools exist for other browsers; I will update this post once I find them.
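The clean-up rule described in this post, sketched as an added example (it is not from the original post and is not Form History Control's own code): it deletes saved form entries that look like card numbers or CVV values and reports them masked. It assumes Firefox's `moz_formhistory` table reduced to three columns, and the field-name pattern is hypothetical because the post does not give IRCTC's real field names; the sample rows are constructed.

```python
import re
import sqlite3

# Assumed field-name rule; the real IRCTC field names are not given in the post.
FIELD_RE = re.compile(r"(card|cc).*(num|no)|cvv|cvc", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum, which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_sensitive(fieldname, value):
    digits = re.sub(r"[ -]", "", value)
    if not digits.isdigit():
        return False
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return True  # card number, whatever the field is called
    return bool(FIELD_RE.search(fieldname))  # e.g. a 3-digit CVV

def mask(value):
    """Show at most the last four characters in the report."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]

def purge(conn):
    """Delete matching rows and return (fieldname, masked value) per row."""
    rows = conn.execute(
        "SELECT id, fieldname, value FROM moz_formhistory ORDER BY id").fetchall()
    hits = [r for r in rows if looks_sensitive(r[1], r[2])]
    conn.executemany("DELETE FROM moz_formhistory WHERE id = ?",
                     [(r[0],) for r in hits])
    conn.commit()
    return [(r[1], mask(r[2])) for r in hits]

def demo_db():
    """Constructed sample data in a simplified moz_formhistory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_formhistory "
                 "(id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value) VALUES (?, ?)",
        [("cardNumber", "4111111111111111"),  # widely used test number
         ("cvvNo", "123"), ("mobile", "9876543210"),
         ("searchbar-history", "train timings"),
         ("txt1", "4111 1111 1111 1111")])
    return conn

if __name__ == "__main__":
    for field, shown in purge(demo_db()):
        print("removed", field, shown)
```

Against a real profile, the same functions would be pointed at a copy of `formhistory.sqlite` taken while Firefox is closed; the full Firefox table has more columns than the three used here.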

Wednesday, May 25, 2011

Stay Safe on Facebook Part 2: Enhanced Security Features


Facebook has been constantly improving its security features to protect its users: it has added SSL, login notifications, recent activity logs etc. Recently it added a "two-factor authentication mechanism" to improve security further. It's an opt-in feature which, when enabled, asks for a password sent to the registered mobile number when you try to log in from a new computer. To enable this feature, go to Facebook Account Settings -> Account Security and enable Login Approvals.

You can read the official blog post about Login Approvals here. For Login Approvals to work, you need to provide your mobile number and ensure that you don't lose your mobile. Whenever a login attempt happens from an unknown computer (a system where you have never used Facebook before), an SMS will be sent to your mobile number with an authorization code, which is needed to log in.

If you ever lose your mobile phone, you can change your number and/or disable Login Approvals from a system already recognized by Facebook.

If somebody somehow gets hold of your password and tries to log in to your account, you will get an SMS with the authorization code as well as a FB notification.


In cases where the login is not yours, you can reject that login and change your account password. Facebook also seems to provide the login attempt location (probably based on the IP address).



You can read a few more posts related to Facebook security here, here and here.

Sunday, April 3, 2011

Check Your Browser's Security Level


Widespread use of social networks and web-based services has made web browsers one of the most used pieces of software, which has also made them the weapon of choice for spammers, phishers and hackers. Even people who insist on keeping their system up to date forget to update some browser components (browser add-ons, plug-ins etc.), as these may not have an auto-update feature.

Qualys has released a free service that allows you to check your web browser's security. It supports all the mainstream browsers (Firefox, Chrome, Opera, IE and Safari) on a variety of platforms such as Windows (XP, Vista etc.), Mac and Linux. Though the service is in beta on some platforms and browsers, it's still worth checking out. A detailed list of supported platforms and plugins is available here.

BrowserCheck will ask you to install a plugin to continue scanning (I was not asked to install the plugin on Ubuntu with Chrome or FF4; I guess the beta version is not full-fledged yet); the plugin is signed by Qualys. Install it to continue (read the FAQ to learn why the plugin is needed and to see their privacy policy).
Once it is installed, you are good to go to check your browser's patch level. Click the Scan Now button.


BrowserCheck will scan your browser, plugins and add-ons against known vulnerabilities and give you a report with installed plugin/add-on details along with their patch status. Detailed status report descriptions are available in the FAQ, but as a rule of thumb "Green" means fully patched and "Red" means vulnerable.
Clicking the button will give you more details regarding the problem and a possible remedy. Mostly it will be a link to download the latest version.
After fixing all the security holes in your browser, I strongly recommend scanning it once again, as plugins/add-ons sometimes come with additional software (e.g. Google Toolbar) that may ruin the security of your browser.
On a final note: as with any security solution, BrowserCheck is not a single self-sufficient solution for online security; the ultimate security comes with awareness.
Happy browsing with a secure browser :)