Can Campaign Websites Be Trusted With Your Money?
Many political campaigns in this current election have a nifty "donate now!" button on their websites. While they're convenient for the candidates, it's not clear if these buttons are secure for the donors.
Websites and retailers who collect credit-card numbers, both online and offline, are subject to rules regarding how the financial data is stored.
Those rules are laid down and enforced by the Payment Card Industry Security Standards Council, commonly referred to as PCI, a global body that won't hesitate to yank the credentials of any organization not in compliance.
However, campaign websites are generally not considered retailers, and are usually transitory in nature, not lasting beyond an election cycle. That removes them from strict PCI oversight, said Tim Erlin, director of product management and IT risk and security strategy at nCircle in San Francisco.
Erlin has examined campaign websites for politicians running for state and federal offices in the past few election cycles.
In most cases, Erlin said, he has no idea after looking at a particular site whether or not the campaign outsources credit-card payment-processing to a third party, who that third-party processor might be or who stores the collected information.
The risks of mishandled donor data are all too real. In early 2009, the campaign website for Norm Coleman, a Republican senator from Minnesota who was bitterly battling an election recount against Democratic challenger Al Franken, suffered a data breach when its donor database was posted to WikiLeaks. (Coleman conceded in June 2009.)
WikiLeaks said that sensitive financial data about more than 50,000 Coleman donors, including donor names, addresses, email addresses, telephone numbers, full credit-card numbers and card-verification values (CVVs, also known as card security codes), were stored in plain text on an Excel spreadsheet.
All those donors immediately became prime targets for identity thieves and card fraudsters. (WikiLeaks stripped out all but the last four digits of the card numbers in the sample selection of the material it posted.)
Storing CVVs directly violates PCI's Data Security Standard (PCI DSS), Erlin said. He added that because PCI compliance is assessed annually, the rules don't "apply to organizations that don't exist most of the year."
Coleman's breach notwithstanding, there hasn't yet been a concerted attack by malicious perpetrators against campaign websites anywhere in the U.S., Erlin said. But that doesn't mean it won't happen.
With the increasing popularity of hacktivism, where attackers go after websites or specific individuals in order to prove a political point, it's not inconceivable that a campaign site would be targeted.
"Sometimes it takes an incident to get the problem highlighted," Erlin said.
Offline donations remain the most popular way for people to donate, but the Internet is fast closing the gap, according to statistics recently collected by the Pew Internet & American Life Project.
In two surveys published in September 2012, 13 percent of adults said they had contributed to one of the two major-party presidential candidates' campaigns in this year's election.
Of that group, 67 percent did so in person, on the phone, or through the mail, while 50 percent did so via online methods or by sending an email. (Many respondents had used both old and new methods.)
A little over half of Democrats who contributed to political campaigns this year did so online, while only a third of the Republicans had used the Internet, according to the surveys.
Online-funding figures for this current election aren't yet ready, but President Barack Obama raised more than $500 million online in 2008.
It's "almost a guarantee" that most campaigns are not processing the actual donations themselves, Erlin said. Like many small online retailers, the campaigns are probably using a third-party service to handle credit-card transactions.
However, just from looking at a campaign website, it's difficult to know who that third party might be and whether that service is PCI compliant.
If the campaign is storing the data within its systems before transmitting the card data to the payment processor, the campaign website itself is subject to PCI requirements, Erlin said.
Erlin waded through pages of terms and conditions and privacy policies on campaign sites, searching for information on how campaigns are handling financial data.
He found nothing on most sites. There was no indication whether the campaigns kept a copy of the credit-card information, or if the information was transmitted to the payment processor without being locally archived.
The campaigns could be recording just the donor names, or just as possibly storing all the information, Erlin said.
That lack of information means donors "don't have a way to assess the risks," he said.
Naming and shaming
The official Obama re-election campaign website lets donors create their own fund-raising pages to encourage their friends to give money. But doing so only creates additional obscuring layers on top of the Obama campaign site, Erlin said, making it even harder for donors to understand who's on the other end of the transaction.
In September, the conservative watchdog group Government Accountability Institute released a report criticizing political campaigns of both major parties for failing to use "a host of effective anti-fraud tools to detect and minimize Internet credit-card fraud."
The GAI analyzed the official campaign websites for all 535 members of Congress, as well as for Obama and Republican presidential nominee Gov. Mitt Romney.
Nearly half of the congressional websites, as well as the Obama campaign site, did not use anti-fraud tools, according to the report.
Most significantly, the websites in question did not require donors to enter the three-digit or four-digit card-verification value, or CVV, when making donations.
Use of CVVs is an industry standard that helps verify the legitimacy of a card holder, but there is no PCI or legal requirement to ask for a CVV, and many online retailers don't ask.
The GAI noted that a CVV is required to make a donation on Romney's official website, as well as to buy campaign merchandise on both the Obama and Romney sites. (It may be that donations and merchandise sales on both sites are handled separately.)
"The absence of these security protocols is incongruous with the acknowledged technological sophistication of the [Obama] campaign," GAI said in its report.
What you don't know can hurt you
Regardless of whether a campaign site is complying with PCI rules, it's important to remember that in many cases, donors may not find out immediately if their data has been compromised.
Breach-notification rules — how quickly an organization needs to notify affected victims and what it has to disclose — vary by state, Erlin pointed out.
In some states, a certain number of victims need to be affected before an organization is required to disclose a data breach. With online campaign-giving still maturing, there may not always be enough victims to meet such thresholds.
"It might be safer to send a check," Erlin said.