PPSR stands by security decision

The Ministry of Economic Development is defending its new Personal Properties Security Register website and the decision not to encrypt user details when first signing up for an account.

The Ministry of Economic Development (MED) is defending its new Personal Properties Security Register (PPSR) website and the decision not to encrypt user details when first signing up for an account.

New users to the site must fill out an online form with details such as company name, address, password and bank account details, yet the form is not encrypted or secured in any way.

MED's manager of the e-business team, Andrew Wagg, says the site employs a staggered approach to security.

"The whole of the site isn't HTTPS because that would adversely effect the performance that some of our users would get. So we drop in and out of secure socket layer (SSL) as and when we need to."

Wagg says credit card payments are secured but the majority of the rest of the site relies on "multiple identifiers or numeric keys".

"We substantially use a strategy of sending out those keys on an independent email or independent communications, whatever that process is, to achieve our security."

Wagg says the "open account" page contains no information that was deemed in need of securing because anyone who had that information could not do anything on the site with it.

"That password and user details are not licensed to access the system. You can't do anything with that except to pick up a credit card and do a search or register a financing statement and that act produces some identifiers that are important."

Anyone using that information would also need either a credit card number, which isn't requested on an insecure page, or a direct debit agreement, which is physically mailed out to the customer.

However ASB Bank's manager for electronic banking Matthew Bartlett, while not willing to comment directly on this site, says in general the bank warns customers not to give out any bank account information over an unsecured website.

"We would not encourage any of our customers to use or divulge personal information or banking information without that site being encrypted or secure. If the customers do that they take it on themselves in terms of contravening their terms of use."

Bartlett says account information on its own often isn't enough to allow a thief access to accounts themselves, but the onus is on a website to inform users of the level of security they're experiencing.

Join the newsletter!

Error: Please check your email address.

Tags PPSR

More about Andrew Corporation (Australia)ASB Bank

Show Comments
[]