23 October 2008

Obama Donations Page - Security Hole, or Fraud Machine?

On Power Line this morning, Scott reports the outcome of an experiment that a reader performed on Obama's donation webpage. The reader used his own card to make a $15 donation to the Obama campaign, but in the name of 'John Galt' (Ayn Rand fans will appreciate) at a completely fictitious address. (Note in particular that ZIP code '99999', if it even existed, would be in Alaska, not Colorado!) Obama's site accepted the donation with nary a blip. A similar experiment tried on McCain's site failed; the donation didn't go through.

What does this mean? Of course, it's not out of the question that it's accidental... that there's a number field or a checkbox on a form someplace that was set incorrectly, and it's only just now coming to light. But... it seems highly unlikely to me that rigorous name and address matching would be disabled by default in any off-the-shelf shopping cart system, meaning that it had to have been either disabled, or specifically programmed into the application. Giving them the benefit of the doubt, though, and granting that it was unintentional... for something as important as this, with as much potential for (patently illegal!) misuse as this, why was this not found and fixed a long time ago?

Please read the whole post, and consider. And, either way you decide, please vote on November 4th! (That is, of course, if you are legally eligible to do so.)

