Is the TIPI App Secure ? Far From It

As I sit here I am listening to what I am assuming a representation of TIPI and hearing him talking about this app called TIPI which now has been installed in hostels around Australia. After doing much research it is apparent that any hostel that has this app customers are forced to use this app in order to check-in. Customers are then forced to scan a copy of their drivers licence or passport. Where are these images stored and how are they stored ? Are they encrypted ? From my research it is hard to know as there website does not provide any information on security of customers data.

It is comical listening to this TIPI employee as he is boasting about his travels interstate and each person he meets he thinks it important to let them know that he has just arrived back and about the drinking he has done. Not a very good look.

Anyway back to this insecure app.

Here is a question for the TIPI people.  How can your customers be assured that their data is stored securely when their own website does not use any form of encryption such as SSL ( https ) ? This is the most basic form of protection and they cannot even get that right so how can customers rely on them to know anything about security ?

Here is the insecure website URL  http://tipi.me/

After reading their privacy document it is written that even though you can delete your information from their servers they are not responsible for any of their ‘partners’ as they do shared your information with these partners to know doubt provide spam emails and to provide marketing benchmarks. It seems that TIPI does not have any idea on security and I would be VERY wary of giving them a colour scanned copy of my passport of drivers licence as who knows who could have a copy of your documents in the future as it is clear that TIPI have zero ability when it come to CyberSecurity or OpSec.

It is comical that TIPI states that they are 100% Percent Secure yet they cannot even install SSL on their own website…..amateur hours me thinks.

A copy of the Privacy Policy can be found here

Here is a screenshot direct from their website where they state that your information will only be shared with your hostel but this is a direct lie as if you read their privacy policy it states:-

The Services include several features that may allow you to share your information with others. Please remember that if you choose to provide personal information using certain features of the Services, that information may be available to the wider Services community, or may be published on our Sites, which is subject to indexing by third party search engines
What really boils my blood is the blatant falsehood that they claim they are not sharing your data whereas they know ( and now I know ) that this is completely false and an outright lie!!!

In light of this I thought I would write to TIPI to inform them of a few home truths. I shall post their response soon should they provide one.


 

To Whom it may concern,

I am a little concerned with your statement about security when your own site does not even use SSL.

In addition to this you site does not inform customers about where customers data is stored and what protections including security of servers, network infrastructure are in place to guarantee that the identity documents you collect remain secure in encrypted form and accessing these are closely monitored to prevent abuse.

It is common practice with apps such are yours that your business model is all about sharing data with third parties and although you may not sell it you certainly provide customers information through your so called ‘partner’ providers. This sharing in effect provides not guarantees that customers valuable identity documents remain secure as once you share this information your obligation expires and your privacy policy indirectly states this. For such a business that has the world “Security” on its home page it is apparent that you cannot even get the basics correct by implementing SSL as I have spent 15 minutes this morning testing the security of your site and I can assure you that if I were a criminal or out to destroy your site you would not have one for very long.

You as a business are obliged to protect customers data especially since you are collecting each customers identity documents and as stated above your cannot even get the basics right so how can we ever expect you to provide the level of security required for storing customers data ?


Regards,Ben McGuireHead Of Cyber Operations
OneHost Cloud & Security
UK Ph: +44 20 3519 2171
AU Ph: +61 (03) 85920571
https://onehostcloud.hosting
OneHost Cloud & Security
Leaders In Cyber Security & Hosting