Website security fails

I’m amazed that in the year 2012 we still have obvious and glaring bad practises relating to security of information, particularly personal information when it comes to websites and other online systems. No wonder identity theft is such a growing area of concern.

A large Telco I signed up with just sent me my first bill via email. All the details of my account and all the phone calls I had made were included in a PDF attachment to the email. This company has a secure website that allows you to log in and view your bill if you want to; but they undo all of this effort by sending all the details over email anyway.

Email is not a secure medium.

Anyone with access to the email server (or communication equipment between their email server and my email server) could have had access to all of this content.

I do remember providing my email address, and I probably ticked a box to say “Yep, send me an email” but I had mistakenly thought that the email would just be a notification that I had a bill ready and needed to goto the secure website to view the details.

I also once signed up for a web site and provided a strong password and answered a bunch of questions to allow for password reset if I needed to in the future. At the end of the registration process the website emailed me a copy of the password I had provided!

Are we just getting too familiar with these technologies and forgetting that there are security concerns we should be aware of?

If you’re building a website remember:

  • Minimise what personal information you send over email
  • If you ever send a password over email (i.e. new registration or password reset) you must force the user to reset this password and provide their own when they log in
  • Just because the email includes a binary attachment doesn’t make it secure
  • Even if you think that communications between the two email servers is secure, consider your poor n00b user who is using an open Wi-Fi hotspot to download their emails and the potential for someone to listen in.