Geek Bazaar


Our email

Posted in Uncategorized by sandro on August 5th, 2007

From: Mark Mascari <m.mascariNOSPAM@edenleisure.com>
Date: Apr 18, 2007 7:06 PM
Subject: Re: credit card security for Eden Cinemas website
To: Sandro Gauci <XXXXX@gmail.com>

Hello Sandro,

I would like to give you an estimate when the issue will be resolved but the problem is that we have foreign web designers and the payment process has to be rewritten anew. I am hoping that by next week the issue will be resolved.

You are right about the password change. The process must have been changed before we brought the site online. I will have to check it and see if it can be redone the original way. Still, both username and email should be private to the user only.

Regards

Mark Mascari

----- Original Message -----

From: Sandro Gauci

To: Mark Mascari

Sent: Wednesday, April 18, 2007 6:49 PM

Subject: Re: credit card security for Eden Cinemas website

Dear Mark,

Thanks for your reply. My answers/reply inline.

On 4/18/07, Mark Mascari <m.mascariNOSPAM@edenleisure.com> wrote:

Dear Sir,

Apologies for not replying to your previous mail. It is our policy to answer all mail within 24 hours. Regrettably we failed to answer your mail.

We are aware of our certification situation and as a matter of fact we are working on the issue. Our client’s security is also our concern and as such we shall shortly be moving our payment page to a fully certified server. This requires some changes to the page’s scripting and new programming, and that is why we are not yet operating under https.

Ok - do you have any estimates as to when this issue will be fixed please?

The password reset can be carried out by anybody but the new password will be sent to the registered e-mail and therefore, as long as one doesn’t give access to one’s mail box, then the password to the site is secure.

This is not the behavior that I’m seeing here. This is the procedure that I went through to reset the password:

  1. go to http://www.edencinemas.com.mt/user/password/
  2. Enter the username and email address. Neither of these is secret information, and both should be assumed public.
  3. Press the “i need a new password!” button
  4. Enter the new password twice and confirm the password change by passing a password.

That’s all. No password confirmation email, nothing. The new password that I chose works. The procedure that you describe sounds correct, but it’s not the procedure that I’m following on your website.

Furthermore, one’s registered profile does not hold any information regarding credit card or others which might jeopardize one’s finances.

That’s cool.

Moreover, we do not file, save or keep a copy of credit card details. All credit card transactions are carried out by our gateway provider APCO. We only keep record of the transaction details relevant to user’s choice of cinema seating, date and time.

I hope that you found the above information useful and invite you to contact me again if you have any further queries.

Regards

Thanks for your reply and invitation.

Mark Mascari

General Manager

Eden Cinemas

Best Regards,

Sandro Gauci


----- Original Message -----

From: Sandro Gauci

To: elg@edenleisure.com ; m.mascariNOSPAM@edenleisure.com

Sent: Wednesday, April 18, 2007 6:36 AM

Subject: Fwd: credit card security for Eden Cinemas website

I’m trying to reach you again. If this is not the correct email address that I should be contacting, then kindly refer me to the correct person.

Kindly note that I intend to make our correspondence (or lack of) public.

Also note that the password reset system allows anyone to reset anyone’s password.

Regards

Sandro Gauci

---------- Forwarded message ----------
From: Sandro Gauci <XXXXX@gmail.com>
Date: Apr 9, 2007 2:21 PM
Subject: credit card security for Eden Cinemas website
To: elg@edenleisure.com
Cc: m.mascariNOSPAM@edenleisure.com

Dear Sir/Madam,

I’ve been on your new cinemas website and noticed that you can now book your tickets from the website itself. This is one feature that I’d really like to make use of. However, when I tried to book my tickets for the selected movie, I noticed that the credit card page is not being encrypted. What this means is that anyone between the client (i.e. me) and the server (www.edencinemas.com.mt) can steal credit card information. This is normally not the case when it comes to websites such as Amazon, which make use of HTTPS instead of HTTP when passing sensitive information such as credit card details.

For this reason, unfortunately, I could not make use of your new service.

I recommend that you look at these issues with your merchant trader (I believe that’s BoV). Should you require any further details don’t hesitate to contact me.

Regards

Sandro Gauci
http://www.maltainfosec.org/



—————————————————————————————————————————————————————————————–
EDEN LEISURE GROUP
Eden Place, St.George’s Bay STJ 02 - Malta
Tel: +356 237 10 100 - Fax: +356 237 10 125
www.edenleisure.com

Legal Disclaimer

This e-mail and any attachments it may contain are confidential and intended solely for the use of the individual/s to whom it is addressed.
If you are not an intended recipient, be advised that you have received this e-mail in error and that any use, dissemination, printing, forwarding or copying of this mail is strictly prohibited.
Please contact sender if you received this e-mail in error.




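The two reset procedures the thread contrasts, as an added example that is not code from the original post or from the Eden Cinemas site: the flow Sandro actually walked through, where a username and e-mail address (both public) are enough to set a new password, beside the flow Mark describes, where a random, expiring, single-use token is sent only to the registered mailbox and must be presented before the password changes. The in-memory user store, the outbox list and every function name are assumptions made for the example.

```python
"""Password reset: the flow described in the thread beside a token-based one.

Constructed example. USERS, OUTBOX and the function names are assumptions,
not the Eden Cinemas site's code.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory user store: username -> record. The e-mail address is
# treated as public information, exactly as the thread argues it must be.
USERS = {
    "alice": {"email": "alice@example.com", "password_hash": None, "reset": None},
}
# Constructed stand-in for an outgoing mail queue: list of (recipient, token).
OUTBOX = []


def _hash_password(password: str) -> str:
    # Placeholder only; a real deployment uses a slow KDF (argon2, scrypt, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def _hash_token(token: str) -> str:
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def insecure_reset(username: str, email: str, new_password: str) -> bool:
    """The flow Sandro describes: username + e-mail sets a new password
    directly, with no round trip through the registered mailbox."""
    user = USERS.get(username)
    if user is None or user["email"] != email:
        return False
    user["password_hash"] = _hash_password(new_password)
    return True


def request_reset(username: str, email: str) -> None:
    """Step 1 of the mailed-token flow: mint a random single-use token, keep
    only its hash plus an expiry, and send the token to the registered address.
    Always returns None so a caller cannot tell whether the account exists."""
    user = USERS.get(username)
    if user is None or user["email"] != email:
        return None
    token = secrets.token_urlsafe(32)
    user["reset"] = {
        "token_hash": _hash_token(token),
        "expires": time.time() + TOKEN_TTL_SECONDS,
    }
    OUTBOX.append((user["email"], token))
    return None


def complete_reset(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Step 2: only the holder of the mailed token may change the password.
    The token is compared in constant time, expires, and is consumed on use."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    pending = user["reset"] if user else None
    if pending is None:
        return False
    if now > pending["expires"]:
        user["reset"] = None
        return False
    if not hmac.compare_digest(pending["token_hash"], _hash_token(token)):
        return False
    user["password_hash"] = _hash_password(new_password)
    user["reset"] = None  # single use
    return True


def check_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and user["password_hash"] == _hash_password(password)


if __name__ == "__main__":
    # Anyone who knows the public username/e-mail pair wins with the first flow.
    print("insecure reset succeeded:", insecure_reset("alice", "alice@example.com", "attacker-chosen"))
    # The second flow only succeeds with the token that reached the mailbox.
    request_reset("alice", "alice@example.com")
    print("guessed token accepted:", complete_reset("alice", "guess", "x"))
    print("mailed token accepted:", complete_reset("alice", OUTBOX[-1][1], "new-secret"))
```

The point of `request_reset` returning the same value whether or not the account exists is that the reset endpoint itself should not become an account-enumeration oracle; rate limiting on both endpoints is the other control a production deployment adds.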
