Carnival live streaming: A great idea with poor execution

Despite the title this not an article about the technical aspects of delivering video over the internet by having a content distribution network, or the complications of cross border copyright issues, or even about the practicality of using an already established service to deliver their content effectively.

No. This is an article about not getting hacked.

Just this past week alone there have been several high profile hacks at Canva.com, Flipboard.com, HSBC.com, Checkers Fast Food, Rally’s Restaurants and The City of Baltimore’s entire public network have all been hit with high profile hacks, making off with millions of credit card numbers and in some cases encrypting all data and requesting a ransom.

Yet despite all of this we still don’t take security seriously in our part of the world.

Over the weekend the Miss SVG Pageant was advertised on VC3 (http://vc3.tv) for live download for the nominal fee of $10 USD, fair enough. It’s a great initiative and why not support local culture if you’re off island. What was troubling however, was the fact that VC3, a website taking sensitive financial and personally identifiable information (PII), had absolutely no security on their website whatsoever. It’s pretty basic practice that a company needs to secure user data, but it’s also a legal requirement when dealing with financial information, so it was a surprise that the entity responsible for the online distribution for all carnival shows couldn’t manage basic security compliance.

While it is excusable to not have an HTTPS on the main site, to not have encryption even on the purchase page, this despite the fact that their very own “Terms and Conditions” documentation under the heading of “security” specifically states:

“vc3tv.com employs SSL encryption to protect the transmission and collection of personal data & credit card information.”

Is nothing short of negligence and can expose users to identity theft and financial fraud.

Unfortunately as at June 3, 2019 this has still not been resolved.

This effectively means that all persons who purchased the online stream have effectively sent their data over the internet unencrypted through multiple networks for anyone with basic technical know-how to see. I have already contacted VC3 on the matter directly with no response and as someone in IT security audit & compliance, I thought it prudent to alert the public.

For any other entity doing transactions online I would take the time to remind you the PCI/DSS security standards which govern online transactions which you can read at https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security .

For users, before submitting any information to a website, please be sure to check their website security using a free tool such as the Securi Security Scanner (https://sitecheck.sucuri.net) to validate whether it’s safe to give them your information. At the very least, if a site does not have “https” in the address bar, never give them financial information. For more tips on staying safe online please see: https://www.pcmag.com/feature/364896/14-tips-for-safe-online-shopping

Concerned Cyber Security Citizen