I just read this article about how someone made a Firefox extension to steal sessions from popular websites. Are you kidding me? Security isn’t an easy thing, I’ll admit. And maybe we take security to the extreme. But seriously, it’s amazing how many other sites don’t even do the basics. When choosing any service that involves sensitive information, especially sensitive financial information, I’d suggest always looking for the following:
- Make sure the address starts with https://. (Sometimes this is replaced with an icon of a little padlock.) This means it’s using the “secure” version of HTTP, which is the protocol that powers the web. Make sure it’s there from they very first page you load, and stays there as you browse the site. Sure, it’s a bit more expensive for the company. But it’s the least we can do.**
- Look for PCI compliance. Or, if not that (because it’s pretty intense), at least *some* indication they’re using a third-party approved security framework.
- Look for strong partnerships, such as banks and financial institutions. These guys take security really seriously, so if they’re on board, it’s another vote in the site’s favor.
Real security often isn’t easy. But most important things aren’t.
-david
** Note: I should highlight that this blog doesn’t use HTTPS, but it’s also not asking you for anything. When you sign in to Expensify proper — at https://expensify.com — every connection is secure.
