Oh, how easily we trust…

I saw an interesting advertisement while browsing around today, and clicked through.  I’m not normally one who does such things, but I do love my movies and this site was offering 4 movie tickets per month for $19.99.  Not bad at all, considering the local theaters charge $10 per viewing.

The site is called Weekly Cinema, and after reading the terms and conditions and checking out reviews online (yes, I do that.  And so should you.) I decided to join up.

That’s when things started to seem a bit fishy.

Update: Weekly Cinema seems to have gone on hiatus, but interestingly the new home page that tells you so is SSL encrypted with a GoDaddy certificate. Huh.

After filling in the basic info and clicking the “Get Started” button, it asked me to fill in my credit card information.  But, guess what?  I noticed that the page didn’t reload when I clicked on “Get Started”.  Instead, only the form changed.

So I looked at the address bar.  Sure enough, it still said http://www.weeklycinema.com/index.php.  Huh.  But see if anything else stands out to you:

[Image: Weekly Cinema address bar]

The page is being displayed over regular http. In other words, any data you send will be sent in plain text, which means it could be intercepted (and, given how obviously misleading Weekly Cinema is being, almost assuredly will be). For contrast, take a look at the Chrome address bar for USAA Federal Savings Bank (one of the finest organizations I’ve ever done business with):

[Image: A secured site]

Note that the address begins with https. That “s” is important. It stands for “secured”. Secured sites have certificates that help to identify the folks running them. You can see the name of the certificate holder at the far right of the address bar. It should match up with the company name of the site you are visiting.

So, I clicked on the “support” button and asked the online chat person about their security.  Sadly, yours truly closed the chat tab without saving a copy of the chat.

I was told that the site was secure, that there was a lock icon. Well, sure enough, on the form itself there is a lock icon.

[Image caption: See? SEE? It's all good. There's a picture of a LOCK!]

There’s also a VeriSign logo.  Now, according to the VeriSign website, you should be able to click on their logo and confirm the certificate details.  This logo did nothing.  Guess what?  That image is hosted on Weekly Cinema’s website (http://www.weeklycinema.com/images/blue/btnVerisignUp.png).  It doesn’t come from VeriSign at all!

Mr. Support Chat told me that the site was secure, despite not using SSL (that’s the https stuff) and not having a bona fide VeriSign certificate.  No, really, I should just trust him, but he would bring this up to the tech guys.

The point here is just how easy it is to appear to be a secured website. We get so caught up in looking for visual cues on the page that we can easily overlook the meaningful tools the browser itself provides to ensure a safe browsing experience.
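As an added example (not part of the original post), here is a small Python audit that checks a page's HTML for the two warning signs described above: a card-entry form whose action URL is plain http, and a "trust seal" image served from the site's own host rather than the seal provider's. The card field names and seal hints are heuristic assumptions of mine, and the sample page is constructed to mirror the behaviour the post describes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CARD_FIELDS = {"cardnumber", "card_number", "ccnum", "cvv", "cvc", "expiry"}  # heuristic (assumption)
SEAL_HINTS = ("verisign", "norton", "mcafee", "trust", "secure")  # seal-like image names (assumption)

class FormAudit(HTMLParser):
    # Records each form's resolved action URL, whether it collects card data,
    # and any seal-like image that is served by the page's own host.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.forms = []  # [resolved action URL, has_card_field]
        self.self_hosted_seals = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # an empty action posts back to the page URL itself
            self._cur = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            name = (a.get("name") or "").lower()
            if name in CARD_FIELDS or (a.get("autocomplete") or "").startswith("cc-"):
                self._cur[1] = True
        elif tag == "img":
            src = urljoin(self.page_url, a.get("src") or "")
            if any(h in src.lower() for h in SEAL_HINTS) and urlparse(src).hostname == self.page_host:
                self.self_hosted_seals.append(src)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(page_url, html):
    # Returns a list of findings; an empty list means neither warning sign was seen.
    p = FormAudit(page_url)
    p.feed(html)
    findings = []
    for action, has_card in p.forms:
        scheme = urlparse(action).scheme
        if has_card and scheme != "https":  # the form's destination is what matters
            findings.append(f"card form submits over {scheme}: {action}")
    for src in p.self_hosted_seals:
        findings.append(f"trust seal image served by the site itself: {src}")
    return findings

# Constructed sample page modelled on the behaviour described in the post.
SAMPLE_HTML = """<form action="index.php" method="post"><img src="/images/lock.png">
<img src="/images/blue/btnVerisignUp.png"><input name="cardnumber"><input name="cvv"></form>"""
```

Running `audit("http://www.weeklycinema.com/index.php", SAMPLE_HTML)` reports both warnings, while a form whose action is an https URL produces none even when the page itself was loaded over http.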

FYI, I submitted complaints to VeriSign (for an inappropriate use of their logo) and to the Internet Crime Complaint website.  Be careful out there.

One response to “Oh, how easily we trust…”

  1. antpruitt says:

    Brother you’re SO correct! I have a great example from a few years ago regarding a spoofed PayPal email. Da msg looked great, but they had a weird URL. Not that PayPal sends msgs telling you to update your passwd, but I used this email’s screenshots to teach folks to be careful.

    -RAP, II
    @antpruitt
