serverpronto will publish your creditcard on the web

Serverpronto’s billing practices involve publishing sensitive credit card info on the web. To change your credit card number, you must use their help ticket system. They suggest providing all the necessary information to bill your credit card into one of these tickets. The tickets are unencrypted, and publicly available without a password for anyone to see.

When a technician replies to your ticket, the system sends you an email with a link like this: http://serverpronto.infolink.com/esupport/index.php?_a=tickets&_m=viewmain&emailre=bewest@gmail.com&ticketkeyre=c8603b47&_i=ZWF-39783 . This link will redirect you to a web page containing all of the contents of the ticket. I’ve reproduced the transcript below, in case they rightfully decide to delete this resource. (If you do make it there, take a gander at my other support tickets! They sent me incorrect credentials when they provisioned the machine.)
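A defensive check based on the link format described above, as an added example that is not part of the original post: it flags support links that travel over plain HTTP with the ticket key and email address in the query string, and masks Luhn-valid card numbers found in ticket text before they are stored. The host, sample values and function names are constructed; only the parameter names `emailre` and `ticketkeyre` come from the link shown in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameter names taken from the link format shown in the post.
SECRET_PARAMS = {"ticketkeyre"}   # grants access to the ticket without a login
PII_PARAMS = {"emailre"}          # customer email address

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_link(url):
    """List the exposure problems of a support-ticket link."""
    parts = urlsplit(url)
    names = set(parse_qs(parts.query))
    findings = []
    if parts.scheme != "https":
        findings.append("plain-http")
    if SECRET_PARAMS & names:
        findings.append("access-key-in-url")
    if PII_PARAMS & names:
        findings.append("email-in-url")
    return findings

def find_card_numbers(text):
    """Return masked forms of Luhn-valid card numbers found in ticket text."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

# Constructed sample data (not real customer values).
SAMPLE_LINK = ("http://support.example.com/esupport/index.php?_a=tickets"
               "&_m=viewmain&emailre=user@example.com&ticketkeyre=0000aaaa&_i=ABC-00001")
SAMPLE_TICKET = "New card: 4111 1111 1111 1111, exp 01/30. Call 1-305-555-0100 ext 1499."

if __name__ == "__main__":
    print(audit_link(SAMPLE_LINK))
    print(find_card_numbers(SAMPLE_TICKET))
```

A help desk could run `find_card_numbers` on incoming ticket text and reject or redact the message before it reaches storage or outbound email.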

I just couldn’t believe that they would have such lousy business practices. Surely, they cared about protecting their customers? So I tried calling, since it seemed obvious the help ticket people couldn’t understand what I was trying to tell them. Finding someone to talk to at this company is a challenge. I tried calling about 5 or 6 times. Half the time, their phone system would simply hang up and drop my call. One time, I reached a “messaging” service, which was a service they outsource answering the phone to. The nice woman I talked to didn’t have any resources to help me, except to simply transcribe my request, and send an email. I talked to some nice people in Panama, where they evidently have an office for customer support. I tried asking them if they had any method for collecting customer feedback. They barely spoke English. They didn’t understand anything I said, so they simply apologized and promised they would find someone who could understand what I was asking.

All of this took place over the course of about a week. Finally, today, I called again, because I was really annoyed with the emails their billing system was sending me. The automated emails all had very negative tones, accusing me of not paying my bill, and even threatening to report me to various credit agencies. I called again, and as expected, the phone system hung up on me AGAIN.

I immediately called back, and this time pressed 0 at the first opportunity. After some ringing, Octavio picked up and brusquely shouted “HELLO!?” in my ear. I had to hold the phone several inches from my ear to maintain a comfortable conversation with him. I explained that I had been experiencing a lot of trouble with their service, that I was disappointed in their service, and was extremely uncomfortable with their billing practice. Instead of acknowledging the mistakes, and committing to fixing them, he portrayed the company as the helpless victim, unable to please all customers all the time. Evidently, he explained, some customers are uncomfortable using web forms, which is why they have many options available, and can’t please everyone. That’s why they have the option to call the credit info in over the phone. I was really really annoyed. I had really exercised a lot of discipline in maintaining a calm attitude with the people I had talked to up until now. (In fact a co-worker commented on how reasonable I had been on the previous calls.) I verified that he worked in a US office, and that he was a manager (or so he claimed). At this point, I let my frustration show, as I enumerated all the problems I had experienced, once more. I ended the call by telling them I would like to cancel my account.

I wonder which payment gateway they are using. I wonder if the payment gateway, and perhaps even the credit card companies, would be interested to know about their insecure billing methods.

Save yourself time and annoyance: don’t use serverpronto. The reason I used them is because they were listed on the turbogears homepage, however, I don’t think they should continue to do so.

UPDATE:
Oh no…. What do I have to look forward to??
——————————————-

ME
Posted on 07 Feb 2007 03:47 PM
tried to update credit card by going to My Finance -> Update CC. It told me to contact customer support.

I’d like to update my credit card info so payment will continue to work…

THEM
Posted on 07 Feb 2007 04:30 PM
Hi,
In order to update your CC please send us the CC number, Name, Exp. Date and cvv code.
Thanks

ME
Posted on 07 Feb 2007 05:15 PM
I’m not sure why you marked status as closed.

When I originally entered my credit card, I entered it into a form on a secure website. I won’t be submitting my credit card info over plain http. Can you suggest a more secure method, preferably one involving using a billing form?

THEM
Posted on 07 Feb 2007 06:29 PM
Hi,
1.In order to update your CC please send us the CC number, Name, Exp. Date and cvv code.
2. call us 1-305-324-1616 ext.1499-or provide us an number of phone where we can call you
Thanks

ME
Posted on 08 Feb 2007 06:28 PM
Hi,

I’m trying to pay, but I am uncomfortable using insecure methods. What is the lifecycle of the credit card information? What is the difference between calling and entering the information into an insecure support ticket?

Thanks,
Ben

THEM
Posted on 08 Feb 2007 06:55 PM
hi,
you can get the secure server if you click on (Secure Server) link on our account/support system
or in the next link.

https://serverpronto.infolink.com/modernbill/index.php

Thanks

ME
Posted on 08 Feb 2007 07:23 PM
Thanks, I tried going there to change my credit card and it says to contact customer support.

The way the support ticketing system works makes it very unsafe for sensitive data like credit card numbers. The first reason is that it is possible that the information may leak out over the web because it uses plain HTTP, with no SSL. Since it is possible for anyone clicking on the link in the email replies I receive to see this ticket over normal HTTP (and email is /also/ sent as plain text and not encrypted) this creates many opportunities for my private credit card information to leak out in full view of malicious attackers.
The second reason is because it is unclear who would have access to this data. I want to know that my credit card information is only seen by those who absolutely need access to it. That set of people should be reduced to the absolute minimum, and having my credit card info stored in a support ticket makes that impossible. (For instance, what happens to the hard drives the ticket information was stored on when your company is done using them?)

Can someone representing ServerPronto please contact me at ***-***-****? I have tried calling several times, but the system actually hangs up on my call.

Thanks,
Ben

THEM
Posted on 09 Feb 2007 12:21 PM
Ben,

We apologize for the inconvenience. The credit card is seen only by the customer service representative that enters the card into the system. It is encrypted once it is entered and cannot be decrypted ever.

A rep will be calling you shortly for cc information.

Thank you.

THEM
Posted on 10 Feb 2007 09:19 AM
hello ben, my name is carlos. i tried calling you yesterday, but you did not answer. i’ve been trying this number: ***-***-****, is it correct?

if you do not feel safe sending the details over the ticket system you can always call here at the office. the number is: *** *** ****, my extension is ****.

thank you

7 Comments

  1. TK
    Posted August 24, 2010 at 8:15 am | Permalink

    Hey, why doesn’t anybody close this company. Is it legal all what they do?

  2. TK
    Posted August 24, 2010 at 8:19 am | Permalink

    I cancel my credit card and I ask for refund to my bank. I get double payments after I asked for the first time for cancelation.
    ServerPronto will refuse that I asked for cancelation.

    Does anybody have any more troubles doing something similar?

  3. TK
    Posted August 24, 2010 at 8:22 am | Permalink

    I don’t really care for the refund (2 months * 5$/month in double = 20$). I just don’t want to have any legal issues with them.

  4. Arwan Smith
    Posted April 13, 2011 at 1:55 pm | Permalink

    Every time I visit here, there’s always a good topic, thanks for making an excellent post.

    thanks from Transferring Credit Card Balances

  5. Posted October 15, 2012 at 7:35 pm | Permalink

    Your style is so unique in comparison to other people I have read stuff from.

    I appreciate you for posting when you’ve got the opportunity, Guess I will just book mark this page.

  6. Posted June 1, 2013 at 3:50 am | Permalink

    I believe everything posted was actually very reasonable.
    However, think on this, what if you added a little information?
    I mean, I don’t want to tell you how to run your blog, however what if you added a post title to maybe grab folk’s attention?
    I mean serverpronto will publish your creditcard on the web Imaginings
    is kinda boring. You ought to glance at Yahoo’s home page and watch how they create article headlines to grab people to open the links. You might try adding a video or a related pic or two to get people interested about what you’ve written.
    Just my opinion, it could make your website a little livelier.

  7. Posted August 12, 2013 at 8:06 am | Permalink

    Hi there fantastic website! Does running a blog such as this take a massive amount work?

    I’ve very little knowledge of coding however I was hoping to start my own blog soon. Anyway, if you have any recommendations or techniques for new blog owners please share. I understand this is off topic but I just had to ask. Thanks a lot!

