Sensitive information about customers’ credit cards remains unencrypted and vulnerable on Radiográfica Costarricense’s Web site.
Credit card numbers relating to recent automatic payment operations are recorded and displayed. Also retained are the card’s issuing bank, expiration date, and three-digit security code. On the redesigned page containing that information, the log-out button sits partially under another graphic element in some browsers. This makes it easy to inadvertently leave the personal data screen open and accessible to even a relatively unsophisticated hacker.
Sometimes the log-out button does not work.
The page in question is the one customers use to pay their monthly Internet charge or recharge their pre-paid Internet access card.
RACSA is a subsidiary of the Instituto Costarricense de Electricidad, and for much of the history of the Internet in Costa Rica was the monopoly operator. It is still the supplier of last resort for those who are unable to get a broadband line and depend on dial-up service. It is also the present supplier of WiFi and WiMAX in the country. Press reports suggest RACSA will eventually be subsumed into ICE.
RACSA also provides Internet feeder services for CableTica and other smaller cable television providers. Amnet now has its own Internet connection.
Messages to RACSA’s webmaster and press agent seeking comment on its security policies were not immediately answered.