So I was in Maine recently in a vehicle that was allegedly due for an inspection, and was subsequently pulled over by a very cordial police officer in Biddeford. He wrote up a ticket, and I waited the requisite number of days to go online and settle up and/or contest the charges.
I went to the PayTixx website
and punch in the requisite (public) information about my ticket
. I then go to pay said fine, and just happen to notice that there is NO encryption/SSL on the site where I need to enter my PRIVATE information like credit card number, etc. etc. as evidenced by no padlock on the browser I was using. I used another browser (older) to rule out an obvious technical glitch. Nada. Zip. No Padlock. No Security.
There is however a nice little graphic with the Maine.gov logo and a little padlock, allegedly ensuring that the site is secure. Hmmmm, I must be on the insecure page. This logo links me to a page
with details about the Transaction Security Policy
(Full text at the end of the posting).
So the State has a policy, a nice custom branded security looking logo with a link to the site, yet absolutely no validation from the technology they allegedly use to validate to me, the private information holder, that the site is in fact secure and using at least the 128-bit encryption they claim.
I'm no White Hat, Grey Hat, or Black Hat, but I do know a few and I have to say that there is a potential GOLDMINE here that is being funded by the taxpayers of Maine, for personal information of alleged drivers of different infraction types - speeders, uninspected motorists, suspended licensees, etc. etc. being poached and sold. Perhaps that is why CSC got thrown out of the State IT projects they were working on.
Don't tell me the State of Maine, or any other State can't afford better (ANY) security these days. Please DO tell me that the States will not contribute to identity theft anymore than they do. This is ridiculous.
By the way - it is also NOT PCI compliant. Big Ding from Visa and Matercard, folks. They could fine you TODAY, and suspend your right to take these cards as payments - in fact if they did, they would insure the security and privacy of me today.
I will again urge that Mark Kemmerle, Donna Grant, or Matt Dunlap
please return the calls I have made into your office. I am more than willing and able to help improve the *real* security - and now, it's personal on why you need firstname.lastname@example.org
Maine's Transaction Security Policy
Maine state government and InforME take Internet security very seriously. Our technology and policies are designed to make your online transactions safe, private and secure. Documented steps are taken to safeguard information according to established security standards and procedures and we continually evaluate the newest technology for protecting information.
for details about the collection of information from visitors to state websites.
Whenever you see this icon on a Maine state government online service, you can rest assured that the following safeguards and security criteria are in place:
Transactions involving sensitive information occur on a secure server. You can look for the "lock" symbol at the bottom of your browser window to verify that you are on a secure server.
Our secure socket layer (SSL) software uses state-of-the-art 128-bit encryption to ensure that your personal and financial information cannot be intercepted during transmission to our server.
All information requests pass through hardware and software security firewalls.
Communication between InforME servers/systems and State databases is passed via a secure private network.
Encrypted personal information includes credit card numbers as well as social security numbers and banking information.