Is the TIPI App Secure? Far From It
As I sit here I am listening to what I am assuming is a representative of TIPI, hearing him talk about this app called TIPI, which has now been installed in hostels around Australia. After doing much research it is apparent that at any hostel that has this app, customers are forced to use it in order to check in. Customers are then forced to scan a copy of their driver's licence or passport. Where are these images stored and how are they stored? Are they encrypted? From my research it is hard to know, as their website does not provide any information on the security of customers' data.
It is comical listening to this TIPI employee as he is boasting about his travels interstate and each person he meets he thinks it important to let them know that he has just arrived back and about the drinking he has done. Not a very good look.
Anyway back to this insecure app.
Here is a question for the TIPI people. How can your customers be assured that their data is stored securely when their own website does not use any form of encryption such as SSL (https)? This is the most basic form of protection and they cannot even get that right, so how can customers rely on them to know anything about security?
Here is the insecure website URL http://tipi.me/
After reading their privacy document it is written that even though you can delete your information from their servers they are not responsible for any of their ‘partners’, as they do share your information with these partners to no doubt provide spam emails and to provide marketing benchmarks. It seems that TIPI does not have any idea on security and I would be VERY wary of giving them a colour scanned copy of my passport or driver's licence, as who knows who could have a copy of your documents in the future, as it is clear that TIPI have zero ability when it comes to CyberSecurity or OpSec.
It is comical that TIPI states that they are 100% Percent Secure yet they cannot even install SSL on their own website. Amateur hour from a company that bases its platform around storing valuable identity documents such as passports and driver's licences.
The Services include several features that may allow you to share your information with others. Please remember that if you choose to provide personal information using certain features of the Services, that information may be available to the wider Services community, or may be published on our Sites, which is subject to indexing by third party search engines
In light of this I thought I would write to TIPI to inform them of a few home truths. I shall post their response soon should they provide one.
To Whom it may concern,
I am a little concerned with your statement about security when your own site does not even use SSL.
In addition to this your site does not inform customers about where customers' data is stored and what protections, including security of servers and network infrastructure, are in place to guarantee that the identity documents you collect remain secure in encrypted form and that access to them is closely monitored to prevent abuse.
You as a business are obliged to protect customers' data, especially since you are collecting each customer's identity documents, and as stated above you cannot even get the basics right, so how can we ever expect you to provide the level of security required for storing customers' data?
OneHost Cloud & Security
UK Ph: +44 20 3519 2171
AU Ph: +61 (03) 85920571
Leaders In Cyber Security & Hosting
Ben, I have been extremely patient with your slanderous and factually incorrect article on Tipi. You don’t answer your phone, you don’t reply to your emails & you have left me no choice but to take legal action against you. If you read the email chain below, you will see that this could have been resolved amicably. We have now received negative feedback from users citing your article, which we can prove is categorically incorrect. I would suggest you remove the article immediately or at least have the courage to answer your calls.
Jack Bowcott | Tipi CEO 101/24 Bayswater Rd, Kings Cross, Sydney m: +61 (0) 401 399 962 e: [email protected]
Hostels – www.tipi.travel Travellers – www.tipi.me
I would have thought my lack of response to the emails from yourself and your colleague would have been an indication that I have no interest in removing the publication from the website.
The article and the opsec I conducted on your site some time ago would have allowed me to take your site offline very easily, and it is sites such as yours that falsely indicate to your customers that their information is protected and safe from attackers. You should be focusing your energies on resolving the security of your webserver and backend application, as the article states this insecurity, yet to this day you have not resolved any of these security vulnerabilities.
Just because you do not like something negative written about your company does not give you the right to start threatening others with legal action, as it would be unfortunate if your entire customer data was exposed and posted online – that would severely impact your business and it would be most embarrassing for your customers to discover that you had been warned on such security issues previously.
You can consider that my first and final response so do what you must as your threats do not mean much as someone who is so ignorant to listen to others when told about something that could affect their business is not someone I would want to continue to waste my time conversing with.
Head of Cyber Operations
UK Ph: +44 203519 2171
AU Ph: +61 (03) 85920571
February 13, 2018
February 8, 2018