Every day people sign up for access on the latest, coolest, random system or website that they find interesting or that serves a purpose.
It's safe to say that most online systems require an email address in order to gain access. Most of these sites also require a lot of personally identifiable information to complete the registration process.
Is the password for your primary email account (@hotmail.com, @google.com, etc.) different from the password you're using on this new site for which you just registered?
If not, here are some reasons you should rethink your approach!
Fact:
Most users reuse the same email account and password for the majority of systems and sites they frequent.
Example:
You create an account at 'www.JoesOnlineWidgetsAndFish.com' using your hotmail account as the login information: 'verysillyuser@hotmail.com'. As always, you use your super secret (but standard) password: 'Mysweetpasswordnobodycanguess1955'.
You are now (perhaps unwittingly) putting 100% faith in Joe (with the Online Widgets and Fish) that:
- Joe's Development staff secured your password appropriately (probably not)
- Joe and his employees have no malicious intent, now or in the future (toss up)
- The Site has not and will not ever be compromised in any way. (heh)
Once any of those assumptions fails and your credentials leak, the hacker navigates over to the email host you registered with (hotmail.com) and logs in using your email address and your common password. The hacker then scans your inbox for every other site you have ever accessed, propagating this scenario endlessly.
Now you may have a different password on those other (more important) sites, but since the hacker now has access to your email account, they can easily request a password change from most sites. The sites will be more than happy to email your new password to your 'pre-validated' email address: the one the hacker is now monitoring.
Some Research:
Having been on the fraud investigation task force for several ecommerce companies, I've had the pleasure of speaking with 'impacted' end users from time to time. These are users who were on the receiving end of bad news: "Our Website was compromised. Your data is at risk. We lost your password and credit card information to malicious hackers."
As you might expect, most of these customers were not interested in anything but yelling and threatening lawsuits. However, there were occasions where I had a chance to really speak to some of them and get a few security-related questions in.
What I discovered was scary but not all that surprising: 95% of the customers I spoke with indicated they did re-use their password on most sites, including their primary email account.
A better approach:
It is your responsibility as a security-conscious user to ensure you are not re-using your passwords. If you decide you must re-use the same password, at minimum you need to ensure the password you're using for your email host is different from any other site you access.
- Never reuse your email passwords anywhere
- If you are already doing this, change your email account password(s) immediately
Conclusion:
Having worked with hundreds of ecommerce companies over the years, I can safely say that most small online companies have pretty weak security. Protecting YOUR password is probably not their main priority. Many sites only consider the impact of a password compromise as it relates to their own systems. They are not considering the fact that you may be re-using your password on hundreds of other sites. More often than not these companies have implemented strong encryption for your credit card information, but they may overlook the importance of password security.
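The example above asks whether Joe's developers "secured your password appropriately". The script below is an added illustration, not code from the original post or from any site it describes, of what that means on the server side: the weak case (an unsalted, fast hash, which lets a single cracked digest be matched against every other site storing the same reused password) beside a hardened form (per-record random salt plus an iterated key derivation, so the same reused password produces unrelated records at each site and each guess costs real work). The algorithm choice (PBKDF2-HMAC-SHA256 from the Python standard library), the iteration count, the record format and the sample credentials are all my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential, reusing the post's illustrative password.
SAMPLE_PASSWORD = "Mysweetpasswordnobodycanguess1955"

# Assumed work factor (my choice, not from the post); raise it as hardware improves.
DEFAULT_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """The 'probably not' case: an unsalted, fast hash.

    Two sites (or two users) with the same password produce the identical
    digest, so one precomputed table or one breach cracks all of them.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hardened_store(password: str, salt: Optional[bytes] = None,
                   iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated hash. Returns a self-describing record:
    algorithm$iterations$salt_hex$digest_hex (format is my assumption)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the derivation from the stored record and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cross_site_match(store, password: str) -> bool:
    """True if two independent sites storing the same reused password end up
    with identical records, i.e. one site's leak directly exposes the other."""
    return store(password) == store(password)


if __name__ == "__main__":
    print("weak records identical across sites:", cross_site_match(weak_store, SAMPLE_PASSWORD))
    print("hardened records identical across sites:", cross_site_match(hardened_store, SAMPLE_PASSWORD))
    record = hardened_store(SAMPLE_PASSWORD)
    print("verify correct password:", verify(SAMPLE_PASSWORD, record))
    print("verify wrong password:", verify("guess", record))
```

Salting does not rescue a user who reuses a password that leaks in plaintext elsewhere; it only stops one site's breach from being a ready-made lookup key for another's. That is why the advice above still stands: the email password must be unique regardless of how well any single site stores it.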
If you need assistance locking down your ecommerce company, please drop us a line!
Stay safe,
@TeQ