Police penalty-payment website makes amateurish coding errors

Filed Under: Featured, SophosLabs

Fixed penalty fines, the scourge of many a motorist. Parking on a double-yellow line, speeding, not wearing a seatbelt - whatever the cause, the result is the same. The recipient of the ticket has to pay the fine, normally by following the URL printed on the back.

In a case recently reported to the Naked Security team, following the URL leads to a web page claiming to be Central Accounting Office Electronic Information Service for Her Majesty's Court Service (HMCS).

Central Accounting Office Electronic Information Service web page

As you can see, the page is not secure (it does not need to be). It simply provides a link through to the secure site where payment can be made.

Unfortunately, following that link (in Firefox) results in a warning page being displayed to the user for most popular browsers.

The payment page is using SSL, so what is the problem? Well, unfortunately, the certificate being used on secure.informcommunications.plc.uk has actually been issued for *.latestinfo.co.uk.

This discrepancy is what causes the above browser warnings. (Google have posted an excellent description of the various website security indicators and what they actually mean.)

In this case the problem is not caused by any malicious activity. Instead human error appears to be the culprit. Both sites (latestinfo.co.uk and informcommunications.plc.uk) actually resolve to the same IP. The problem appears to be that the link to the payment page uses the incorrect domain name.

This is supported by one of the other pages I found on the site - a page used for Met Police payments. Looking at the source code for the page you can see that a link to a payments page on informcommunications.plc.uk has been commented, replaced by one referencing latestinfo.co.uk.

Given the sites resolve to the same IP, the links actually point to the same page. With the current certificate however, the secure.informcommunications.plc.uk link will unfortunately generate the warnings.

So, what should users do when confronted with these browser warnings? Personally, I think they should follow the advice given, and proceed no further. They should report the site appropriately, such that the problem can be fixed. Even though bypassing the warnings in this example would be perfectly safe, that is not what users should be encouraged to do.

Browser warnings like these are great - a really useful tool for users to be alerted to potentially malicious activity. Legitimate organisations really should test their systems more thoroughly to ensure good practice has been followed, and the user experience is seamless.

Shout out to Naked Security reader JM from London for the tip.

police image courtesy of Shutterstock

, , , , ,

You might like

3 Responses to Police penalty-payment website makes amateurish coding errors

  1. @neilrbradley · 752 days ago

    And they really, really, really promise to look after your card details.

  2. Internaut · 751 days ago

    The suggestions given in the article are good ones, but how many people even know how to contact anyone about a contradiction of certificates let alone even care to try and report it?

  3. Scott McCain · 751 days ago

    That's what happens when you have non-engineers doing an engineers job. They probably had some guy there who "knew computers" so he was relegated to the task. It's a completely rookie mistake to think that just because the IP is the same (and we are giving benifet to the doubt by assuming even that) that the certificate will work. I can't tell you how many times I've had contracts to go out to fix things from that exact scenario, and it seems to be very prevalent in the public sector. Here's some advise to any budding county or city administration: Don't try to save money on IT, it will cost you more in the end. Just pony the money up front for a real solution and make sure to check your contractor's history. An ounce of prevention is worth a pound of cure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.