Websites Still Failing Basic Privacy Practices
DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"
That Firefox saves the nasty warnings for Web sites that are encrypted!
HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it. Also, address and date of birth aren't usually considered confidential, even if you might not want to publish them.
This isn't a lot different than many of those post-card questionnaires many people fill out and mail in.
I think in this case, it's more important what they do with the information once they receive it.
That said, I think there should be default encryption wherever possible automatically.
That level of privacy is not considered important by anybody. Seriously.
Credit Card data - encrypted; your first and last name? Short of being in the witness protection program it is NOT considered a privacy issue. Sorry.
(I know, I know, it would be nice if it was).
Whitehouse.com seems to have no regard for the security of web visitors.
"XXXXX is committed to maintaining your trust by protecting personal information we collect."
Means nothing when every website harvesting your info says that.
You can manually change the URL on the linked site to https:// and achieve an SSL-secured session. HTH, HAND.
A few years ago I was buying a state tax program and realized that their form that asked for all my private data was an http page! I was shocked. Then I added "s" after http and it happily connected me over SSL. How many people who buy Taxcut will check the protocol and change it?
"Flash Player of 7 or above is required" on a blank page.
What irks me the most is when they'll flat-out lie on the form with language like "this form is protected by ssl and secure" while asking for your credit card details for a purchase.
Then you look at the post action, it's HTTP, and posting to a circa 2001 perl form mailer.
VegNews.com, I'm looking at you.
so just stick an s after the http and you're golden.
unsure if that makes it better or worse for them though.
Sounds sensible to me.
I challenge any reader to name a single known incident, in the entire history of the Internet, where there was a commercially significant crime or wave of identity theft arising from intercepting IP traffic in the cloud. (*)
Yeah, "commercially significant" are weasel words here, but the point I'm making is to exclude things that actually happen: phishing, DNS hacks, viruses and other malware, and most importantly, accessing stored data (i.e. NOT in transit), or at a pinch local (within enterprise or within home) snooping.
Phishing seems rather unlikely (for a game entry??) so IMO P&G seems to be making a totally justifiable choice to ignore purely theoretical risks. There are SO MANY more, real dangers, if one cares to worry about such things.
(*) Ok, I concede, if you use a technology (wireless) that is aggressively broken out of the box wrt privacy, the equation is slightly different. But if you do this and don't take precautions, you are beyond the help of any server-side technology.
It's hard to believe that they are "committed to maintaining your trust by protecting personal information" when they disavow any responsibility if it's stolen. But I think that's pretty standard boilerplate.
Many, many people that I've tried to talk to about this very thing completely don't understand encryption at the most basic level - why it matters or if they have it. My guess from past experience is that if you tried to talk to P&G about it, the people responsible would try to tell you that it didn't need encryption, because the site is on *their* servers, so the data only goes on their network, and no amount of convincing would get them to think otherwise. The site you mentioned was probably farmed out anyways.
The state of affairs when it comes to the most basic data protection is really sad. One case was where I was applying for a job which required my SSN (a federal gov't position). The instructions were to download the form and email it. I called the number listed and explained why I wasn't going to include my SSN in an email, and they weren't mad, but they were annoyed. So you tell me a) did they wait for my app and trash it because I put "withheld for security reasons, will provide offline" (something like that) b) if the folks running the federal jobs website think it is okay to email around sensitive information (this was another one of those "your email is stored in our secure servers" things), then it must be okay, right?
Even in the physical realm, things aren't much better. A couple of months ago, I called a local business to complain that they'd charged my credit card a fee for canceling an appointment. (The number shouldn't be on file, I know. At the time I didn't realize that it was.) I explained to the person that when I canceled the appointment I was aware of the fee, but to send me a bill for it and I'd pay it when I got the bill. They sent me an invoice in the mail, with the charges and showing the balance was paid. I asked the guy which credit card they'd charged - and he proceeded to read off the type, entire number, and expiration date - without any authentication from me except my name and one other non-secret item, derived from the start of the conversation. I've since canceled that card, but people really don't understand.
There is very little future in being right when your boss is wrong.
Great example of poor coding and carelessness...VegNews.com
Trying to register for a launch party at VegNews I come across this (from google site cache)
google site cache of insecure page
Problems
1. No SSL, ssl not supported if you change the URL manually.
2. Lies about being secure, right there on the form. Nope.
3. The "action" points to an email *FormMailer* (http://vegnews.com/cgi-bin/SaveForm.pl).
So, not only does it lie about encrypting your credit card, it goes and emails it out afterward to who-knows-where to sit in personal archives for who-knows-how-long.
Suffice to say I didn't attend, but I'm still pissed I almost fell victim to that.
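The check the poster describes above (look at the form's `action`, not at what the page claims) can be automated. The following is an added example, not code from the thread or from any site mentioned in it: it parses a page with the Python standard library, resolves each form's effective submit URL, and reports any form that would post over plain HTTP, together with the sensitive-looking fields it collects and whether the form text nonetheless promises SSL. The sample page and host names are constructed for this example.

```python
"""Audit HTML forms for submission over plain HTTP (added example, not the thread's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that usually mean the form carries data worth protecting in transit.
SENSITIVE_FIELD_HINTS = ("pass", "card", "ccnum", "cvv", "ssn", "dob", "birth")


class FormAuditor(HTMLParser):
    """Collects every <form> on a page with its resolved action and its inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one dict per <form>
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or ""      # empty action: form submits to the page URL
            self._current = {
                "action": urljoin(self.page_url, action),   # relative actions inherit the page scheme
                "method": (a.get("method") or "get").lower(),
                "fields": [],
                "claims_secure": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            itype = (a.get("type") or "text").lower()
            self._current["fields"].append((name, itype))

    def handle_data(self, data):
        # Marketing text such as "protected by SSL" placed inside the form itself.
        if self._current is not None:
            text = data.lower()
            if "ssl" in text or "secure" in text:
                self._current["claims_secure"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def sensitive_fields(form):
    """Names of fields that look like secrets or identity data."""
    found = []
    for name, itype in form["fields"]:
        if itype == "password" or any(hint in name for hint in SENSITIVE_FIELD_HINTS):
            found.append(name or itype)
    return found


def audit_forms(page_url, html):
    """Return one finding per form whose effective submit URL is not https://."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if urlsplit(form["action"]).scheme != "https":
            findings.append({
                "action": form["action"],
                "method": form["method"],
                "sensitive": sensitive_fields(form),
                "claims_secure": form["claims_secure"],
            })
    return findings


# Constructed sample: the page is served over HTTPS, but the order form's action
# points at a plain-HTTP script while the form text promises SSL anyway.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><body>
<form action="http://shop.example.test/cgi-bin/SaveForm.pl" method="post">
  <p>This form is protected by SSL and secure.</p>
  <input name="fullname" type="text">
  <input name="card_number" type="text">
  <input name="cvv" type="text">
  <input type="submit">
</form>
<form action="/newsletter" method="post">
  <input name="email" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("insecure form:", finding["method"].upper(), finding["action"])
        print("  sensitive fields:", ", ".join(finding["sensitive"]) or "none")
        print("  claims to be secure:", finding["claims_secure"])
```

Two things the auditor makes visible that a glance at the address bar does not: a form on an https:// page can still post to http:// (mixed content), and a relative action on a plain-HTTP page silently inherits the insecure scheme. A site that passes this check can still mishandle the data after receipt, which is the point several other posts in this thread make.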
Honestly, your date of birth, age, address, full name is worth absolutely nothing to the average person. Secondly, how many people actually run packet sniffers for malicious purposes? Not that many, then take that number and see how many really care about your address and name? Few, very few. Now, if this contained our social security number, we might be worried, but for this? It is making a mountain out of a molehill.
Taxation is legalized theft, no more, no less.
Sadly, the https of the duracell site is there and functional. The developer never used it!!!
Sounds like my company.
https://www.softcoin.com/p/handler?target=general&action=getSignUp&sid=2490
All they have to do is force all http requests to go to https and presto, its done.
Expecting the user to manually add an 's' after http isn't very good or safe, IMO.
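What "force all http requests to go to https" looks like in practice, as an added example that is not the thread's or any vendor's code: a plain-HTTP listener written with Python's standard library that never serves content and instead answers every request with a 301 to the same path on https://, plus the Strict-Transport-Security value the HTTPS side should send so browsers stop attempting plain HTTP at all. Host names and ports below are placeholders.

```python
"""Redirect every plain-HTTP request to HTTPS (added example, not the thread's code)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

HTTPS_PORT = 443  # assumption: the HTTPS listener sits on the standard port


def https_redirect_location(host_header, path, https_port=HTTPS_PORT):
    """Build the https:// URL a plain-HTTP request should be redirected to.

    host_header is the raw Host: value (it may carry a port); path is the request
    target (path plus query). Any port in the Host header is dropped, a port is
    appended only when HTTPS is on a non-standard port, and the query string is
    preserved so a redirected GET keeps its parameters.
    """
    host = host_header.split(":", 1)[0] if host_header else "localhost"
    netloc = host if https_port == 443 else f"{host}:{https_port}"
    parts = urlsplit(path)
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def hsts_header(max_age_seconds=31536000, include_subdomains=True):
    """Value for Strict-Transport-Security; only meaningful when sent over HTTPS."""
    value = f"max-age={max_age_seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


class RedirectToHTTPS(BaseHTTPRequestHandler):
    """Every method gets the same answer: nothing is served over plain HTTP."""

    def _redirect(self):
        location = https_redirect_location(self.headers.get("Host", ""), self.path)
        self.send_response(301)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # A POST that arrives here has already crossed the wire in the clear; the
    # body is deliberately not read or processed, only the redirect is sent.
    do_GET = do_HEAD = do_POST = _redirect

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


if __name__ == "__main__":
    # Demo on a high port; the production listener would bind port 80.
    server = HTTPServer(("127.0.0.1", 8080), RedirectToHTTPS)
    print("redirecting http://127.0.0.1:8080/... to", https_redirect_location("127.0.0.1", "/"))
    server.serve_forever()
```

The redirect fixes the "user has to type the s" problem for links and bookmarks, but it does not protect a form whose action still points at http://, because the browser sends that POST in the clear before the redirect arrives. The form actions themselves must use https://, and the HSTS header on the HTTPS side makes returning browsers rewrite http:// to https:// locally before any request leaves the machine.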
slashdot rocks
so i'm going to snail-mail my post in. I can only pray that it will be added online after this is oldnews by cmdrTaco. In other news, my mom caught me playing with my Wii, and I wasn't ashamed.
my UID is Prime. It makes me special.
I noticed the e-commerce gateway "Plimus" making the usual mess of security/privacy the other day by exposing order details to anyone who could pick the right querystring (16 hexadecimal characters) - i.e. addresses, names, phone numbers, license code for the software I purchased etc.
I contacted them about it and received no reply.
I am gay but will not give to national gay organizations. They look up your telephone number and sell your information to other organizations. Give once and soon your phone will be ringing off the hook by telephone solicitors. Plus they disclose none of this on their web sites. They do not seem to regard privacy as any concern.
It probably wasn't really their website you were entering your details into anyway...
Nullius in verba
Speakeasy's new privacy statement says that they can share information, including credit card data with "affiliates", without defining "affiliate", but presumably including Best Buy.
Enough for me to cancel service, but I don't think that anyone else even read it.
I put in some fake credentials to test it out, but unfortunately the email address asdf@asfd.com was already in use...
How can they maintain something they'll never have?
What?
For me the worst case is lycos' mail service at http://mail.lycos.de. Why?
Because they are deceiving, deluding bastards.
Check that page and note how the bullet point
o E-Mails and data encrypted with SSL
is one of the key points they market their service on.
On top of that they have a "SSL secured" checkbox directly below the login button.
What's wrong with it?
The checkbox is a NOP. Yeah, it does nothing.
After you have HTTP POST'd your credentials into the wifi ether in the plain, all your transactions are highly secure by using SSL.
I found out just out of curiosity maybe 3 years ago, and, not believing what I found, googled evidence of this being known.
I found a posting to the vuln-dev or bugtraq mailing list from another 3-4 years earlier. So this is known for almost a decade now.
ngrep output of post request:
http://www.gedankenverbrechen.org/~tk/lycos_ssl_noop.txt
One time I went to buy a night vision scope from a website. After filling out all of the shipping/billing information except for the credit card information itself, I noticed that it wasn't a secure submittal form. I immediately....
Accidentally hit the enter key, for which my incomplete order was submitted, no confirmation or anything.
a month later a strange box showed up C.O.D. It was the night vision.
"Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect."
Corporations, especially North American ones, tell great, honking lies all the time and get away with it. The business media are their whores, and what private individual has the time and/or money to challenge them?
A large corporation might actually tell the truth if a lawyer told them it was the most profitable course of action. Otherwise, believing one word uttered by a corporate spokesdrone, earns you the richly deserved reaming you're going to get. Mostly, these people would have to climb three steps up the evolutionary ladder just to qualify as douche bags.
Who was it that invented the phrase, "Your call is important to us"?
I've calculated my velocity with such exquisite precision that I have no idea where I am.
In "completely unsurprising news", the Washington Post just announced that "More data breaches have been reported so far this year than in all of 2007..." Hmm, I wonder if the subject of this page could have had something to do with those breaches... http://www.washingtonpost.com/wp-dyn/content/article/2008/08/25/AR2008082502496.html?nav=rss_email/components
Just over a year ago, Etos Worldline, formerly known as Banksys, together with the major Belgian Mobilephone Telcos started a service to do payments via SMS. The subscription form https://www.m-banxafe.be/pay2me/startRegistration.do was not protected by https for several weeks. The whole security infrastructure, with the security question to reset your password, is still compromised to this day for whoever subscribed before https was activated.
"It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST"
If I wanted a list of names, birth dates and addresses to use for nefarious purposes I don't need to steal yours from some dinky website or sniff packets. I'd just take one of the plentiful lists of birth records on the internet like this one then cross reference it with property tax records of the area which are more plentiful than the birth records and it'll give probable name, dob, and address combinations. A good portion of probable matches can be confirmed through freely available court records. All of that data is fairly trivial to collect in bulk (I used to collect databases, was a pretty fun hobby actually), is perfectly legal and will provide a much better profile of matches than just name/dob/addr combinations stolen from a website or data stream.
Being that anal about your name, birth date and address is actually quite silly. There's so much low hanging fruit as far as collecting that type of data is concerned (and you're probably already included in it) that all you really did by not continuing with that form was taking yourself out of the running for a Wii.
The best thing you can really do is just keep close tabs on your credit report and get signed up for all the fraud alerts or freezes they offer. That's the best place to prevent and quickly repair most identity theft. Stop being so anal about info that's almost guaranteed to be out there already, set up your defenses where they're most effective and go get your Wii.
I stopped providing security on my websites when browsers made it too difficult for the average user (that I deal with) to continue using the site with a self signed certificate.
Sure, it won't help against a man in the middle attack. But that is truly the only attack that using self signed certificates is vulnerable to. Unlike completely unencrypted content.
If godaddy, verisign etc. didn't charge insane prices like £107 per year for a wildcard certificate for one domain, I would actually buy the certificates needed. I already find 10USD too much for a wildcard certificate for the numerous domains I operate, so it would have to be quite a significant drop. It's not like they do any verification with the £107 certificates, they just want a credit card number.
Change is certain; progress is not obligatory.
"You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?"
1. The form did not/does not require a password.
2. No password recovery systems I've seen in the last 10 years use either your address or DOB as the key. That information is too readily available in the public records...like the phone book. (If you disagree please point out a site/system that does use it).
3. You're worried about the privacy of your address and yet you're signing up for a contest that collects your name for marketing purposes...
4. P&G clearly states they use SSL for sensitive information and they clearly state what they believe sensitive information to be: "When we collect or transmit sensitive information such as a credit card number or health information, we use Secure Sockets Layer (SSL) encryption for added protection. Your browser indicates that SSL is in place by displaying either an unbroken key or a closed lock at the bottom of your browser window." http://www.pg.com/privacy/english/privacy_statement.html#tab2
I will perform a MitM attack and just intercept all HTTP requests and have it query the HTTPS URL while I read all their data unencrypted.
Change is certain; progress is not obligatory.
Your summary didn't say a thing about a password... I think that is really the only relevant item.
Phone book. Names, phone numbers addresses, all public. get over it!
I work at a college in IT and students don't think twice about rattling off stuff that's even considered private.
My dad sells cars, he brought me with because there's public data available at the county recorders office, I walked out of there with my dad after emailing some 34,000 names, addresses and phone numbers to my dad's email account for his silly mailers. All 100% legal.
So in short, nothing to see here, move along...
They stopped this practice recently, but for over a year, my student loan company required me to sign up for monthly paperless statements if I wanted to pay electronically. The statements were e-mailed in the form of a PDF attachment. The e-mail body assured me my privacy was intact because the file was password protected -- by my Social Security number!
Brilliant! If an interloper intercepted my e-mail, not only could he brute force my password with easy to find, easy to use tools (in a matter of minutes, since he knows the number of characters in it), but he'd know my SSN once he cracked it. I would have been better off with no password protection.
When I e-mailed Sallie Mae with the above information, the representative brushed it off. It was safe, he said, as long as I opened it on a non-public computer, because my SSN was not being sent over the Internet when I typed it in.
(The Consumerist didn't find it interesting, either.)
I got a parking ticket last week from an officer in my fair city and was referred to this site to pay it:
https://www.ticketwizard5000.com/
You have to see it to believe it. In its defense, it uses SSL.
But after seeing this, I think I'll pay the ticket in person.
Privacy != Security
What about slashdot? Strangely there is no https://slashdot.org/login.pl, even though here is a https://slashdot.org/my/logout. You can logout with SSL, you just can't log in with it.
There is no way I would enter that contest, the mom playing wii in TFA is showing zero cleavage.
so how many data breaches does this 'b4' have then?
and who or what exactly is 'b4'?
When the iPhone was scheduled for release in Australia, Optus (arguably the second largest carrier in Australia) launched a dedicated website where potential customers could pay a $100 deposit to register their interest in the iPhone. You were prompted to complete a form, including providing Optus with your credit card to pay the deposit. I shit you not, the form *wasn't* encrypted. To this day, I wonder how many clueless individuals actually completed the form? The offer finished a few days after I first noticed it.
...to mention is that the whole point of a lot of those online forms (such as competitions etc) is to provide an opt-in to any kind of marketing dreck the site owner (or any of his mates) cares to send you.
The best way to keep your personal information private is to not hand it out. I know that should be obvious, but the fact seems to escape people when they appear to be being offered free ponies (or whatever).
I kid you not!
As a country that is hell bent on joining the EU, the government has started issuing biometric identity cards and passports in order to comply.
Ok, fine, but when I went to renew my passport I checked their computer system. *EVERYTHING* they take from me for my passport application: my details, address, age, passport number, fingerprints, etc... are put into a web form and sent via PLAIN HTTP over the internet. I even saw the web address so I can access the database. It's like an identity fraud's paradise, you just need to sniff the connection (or break the web app or web-server, it runs IIS) to get biometric and personal details for millions of people, with which you can do just about anything.
No encryption, nothing. Needless to say I walked out of there immediately, and opted to take the non-biometric passport, but those are only valid until 2011, meaning I will have to eventually give them my details. I can only hope they wise up before then.
My and my country's details deliberately kept out (hence AC post) so that nobody gets any ideas about this information goldmine.
There's this thing called a "phone book", which displays the names, addresses, and phone numbers of everyone in the region. And it gets delivered to me via an unencrypted, minimum wage paperboy! It's not even sealed when I get it! Now, think of all the damage he could cause if he looked in one of these, and stole everyone's personal data! I really wish that they would start encrypting the phone book with an impossible-to-break cypher. Like rot13. That would get him.
01110000 01010111 01101110 00110011 01100100
It requires entering your full name, address, and date of birth,
All of which are available to any member of the public via public records.
SSL secure? How?
If I self-sign SSL, Firefox will claim that the site is really really evil and you get the dreaded "are you sure" routine; IE users might get a warning too that this is not the best SSL that somebody sells and IE can use, I read.
Why is SSL from Verisign/others 'AUTOMATICALLY SAFE'? I'm quite sure Verisign and others would be happy to give up the secure information to the governments for interception if push came to shove and they were denied the right to sell in X country.
…every grandmother out there can do that. They all know exactly where it is and how to set the bit.
Don't take it personally, robo_mojo. Since the article is about overall web security, it just struck me as funny that the suggestion (a kind often made by the /. readership) is one of those types that the vast majority of the population would find worthless because it is a technical response.
Duracell? I just bought a wii last night, and it came with panasonic batteries for the wiimote.
is a great solution (Windows, OS X, Linux, *BSD, Solaris, etc). Once you've started the daemon, it's available everywhere you go, transparently. Just proxy your web surfing, mail access through the VPN server.
(Of course in the FA's example, it only encrypts half of the transmission - to your proxy - but it's these edge networks that are generally most vulnerable - home wireless, Starbucks, random offices, hotels, airports and local ISPs. That said, never forget the NSA is listening on core networks.)
you had me at #!
Between 1999 and 2001 I worked at a local Washington, DC ISP, and I was impressed with the number of sites we hosted that carefully encrypted their customers' credit card information as it traveled to our server racks, then delivered it to the site operators by plaintext email to an AOL account.
Sure, times have changed, but short of auditing the offices of your favorite e-commerce sites, how do you know what they do with your data after you carefully check that all their forms submit with "https://"?
If you want more chance to lose your privacy please enter the following sweepstakes: :: American Greetings Sounds Funny to Me :: Duracell What Powers You :: La Victoria Sweepstakes :: Olive Garden Win a Trip to Italy :: Stoneyfield Farm® Barnstormers Sweepstakes :: Take Time Out with TUMS®
All easy links here:
http://corp.softcoin.com/programs/currentPrograms.php
Posting anonymously, because I worked for a P&G supplier.
P&G has one hosting company for their worldwide operations: Savvis. They have very tight guidelines for hosting security, and who can touch the production consumer data.
All these promotional sites collect consumer data that is then fed into a central database, which is then used for email pushes and snail mail, which is all meticulously tracked.
Problem is that the advertising agencies are not very good at web development, and consider these technical issues an afterthought.
Combine that with extreme deadline-pressure from P&G, and things like an SSL certificate are often put in place a day or two after launch, because the middle-management at P&G will never notice anyway.
In practice, the consumer data is usually transferred by email through many parties as a zip file attachment, if you're lucky with a password on it, but more likely not.
All in all, this type of situation is not surprising, and will occur over and over until a well publicized incident will happen, at which point P&G will remind its suppliers that they are breaking the P&G security rules. Etc.
Advertising agencies are run by marketing types that see web development as a necessary byproduct, and squeeze the development budget to the breaking point.
This is crying wolf. How are you going to get our attention when there is a real problem?
ssl should be reserved for financial, medical, or personnel data. A simple address and DOB is not enough to warrant the expense of SSL.
If one of my hosting customers needs ssl, they have to get a static ip, which means a static ip on my backup server as well. They also have to get a cert and go through the hoops for that.
...Cliff Stoll recognised the thing we're struggling with here. They didn't have a name for it then, but now we call it data mining.
The problem is that your name, address, and birthday aren't that important to keep secret by themselves. Uniquely identifying you with that information isn't a big deal in isolation either, but using that identity to cross reference you as the person who entered this contest with something else you've done allows people to draw connections in your behaviour. It used to be that connecting the dots involved hours of research, footwork, and digging through stacks in the library. Now it's available online, and can be sorted and filtered.
It's a personal version of "sensitive but unclassified" information.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
nabble.com has this little treat: http://www.nabble.com/help/Answer.jtp?id=25 I wonder if they realize that the average user has a "standard" password they use everywhere. If so, then they are knowingly phishing. If not, they're morons. As you might imagine, I decided not to use my "standard" password when registering on their site. Am I going to remember it the next time I log in? Probably not. Oh well.
Monster.com - They even have those annoying requests for information that have asked for SSN before! Of course, nothing (not even login) is https. They've recently forced stricter passwords to increase security, but they didn't seem interested when I pointed out they should use ssl to improve login security. The rep I spoke with says, of course it's secure! When you type in your password it shows stars instead of the password.
I'll see your pity post, and I'll raise you:
Post detailing the find (in dutch)
Actual site (also in dutch)
So, this article is really not too interesting. You'll find I'm a huge advocate of making the public more aware of social engineering in general, but seriously, if a social engineer wanted that info from someone, he wouldn't bother with a sniffer. He'd just ask for it. Anyhow, the article may be disappointing, but the topic is GREAT :). I did want to point out that Cisco until recently had the student portal logon in plaintext. A few years back, in college, we students would sniff each other's Cisco logon passwords, and... well... brag about it, because there was nothing there to really steal. But it's still interesting that Cisco of all companies did not encrypt this bit.
I was going to register to vote via the Rock the Vote website, until I discovered that the page wasn't encrypted, and asked for my name, address, driver's license OR last 4 of my social security #, etc. I'll be doing this registration in person. No sense in letting multiple hands have the opportunity of losing my data, just the State of Connecticut...
"I never did give anybody hell; I just told them the truth, and they thought it was hell." - Harry S. Truman
is the problem. It's because these jackasses that seem to f-up/move-up the corporate ladder demand to "get 'er done" instead of DO IT PROPERLY.
PERIOD.
First time a browser is used on a computer, a warning about submitting a form without HTTPS is enabled. Once this warning is shown, user is able to disable the warning.
How many people still have this warning enabled?
This misses an important point. T-Mobile, a major European mobile phone operator, are - like everyone - passionate about looking after your security and so your connection, password is all https secured. However the password you use to login as a customer is available in clear text to all their employees. When you go to one of their shops with an inquiry they ask you for your password which, on a busy shopping day, means sharing it aloud with 20+ other punters. Luckily (and deliberately) my password for their service was "Mind your own fucking business" - so there was a moment of semantic disambiguation required after I had replied to the shop assistant's polite, but loud, request. Online web services should be obliged to declare *how* they manage your personal data - a secure pipe isn't enough if all the personal data is floating around in a near-public barrel at the other end.