Ask Slashdot: Dealing With Companies With Poor SSL Practices?
An anonymous reader writes Despite recent highly-publicized hacking incidents making the news, companies continue to practice poor cyber-security. I signed up to buy something from [an online vendor] and upon completing signup through HTTPS, was sent my username and password in plain-text through e-mail. This company has done everything in its power to avoid being contacted for its poor technical practices, including using GoDaddy's Domains By Proxy to prevent even the WHOIS information for their webmaster's technical contact from being found. Given such egregious behavior, what do you do when you're left vulnerable by companies flagrantly violating good security practice?
This, and ALWAYS generate a random password for each account so that the risk of exposure is limited to the one service.
has nothing to do with "poor SSL practices".
If their security is so bad, you should be able to hack into their network.
Worst possible advice. There is the risk of jail time, There is severe risk of being taken to court for damages, which is expensive if you win, and really, really expensive if you lose. Which is likely if you hack into their network.
And anyway, what the OP described is blatant disrespect for the security of their customers. That doesn't mean their own stuff isn't protected.
Sometimes it comes from the kind of users the company deals with. It can be quite a struggle to deal with the public.
I experienced that again lately. I was working on a new system for a client, and we quickly found out that people not only forget their passwords, they also forget what email address they used to create their account (Gmail? Outlook? ISP? job email?). So they create an account, forget the password, come back a few days later, try to use a different email address, it's not found so they recreate an account, and then they change their settings or place orders, and then the next week they come back and log in with the first email address they used, which is linked to the first account, so they get mad because their new settings or orders created in the 2nd account are "gone". You have no idea how often this happens. Some people have created 4 different accounts in a single month, and they keep randomly logging in using one or the other (resetting the password each time), and of course they complain about losing their settings.
So we added a tool for helpdesk to let them "merge" accounts when someone calls to complain about losing their settings. It helped a bit. We also tried to create a "duplicate matcher" in the login page (name/address/DOB/etc) but we did not have a lot of success with it. Believe it or not, our stats indicate that almost 15% of people make a typo when they enter their full name or DOB.
So we added a third-party login mechanism (FB, Google+, Yahoo, LinkedIn). This significantly reduced the number of calls about forgotten passwords (or more accurately, those calls were probably shifted to FB/Google/Yahoo/LinkedIn) but created another fuck-up option: people who create their account using their FB login, but then come back the next week and try to log in without using the FB login button, trying instead to log in with their email address and a password (which is probably their FB email and password anyways). Fewer people called to complain about forgotten passwords; instead they created even more accounts. There are people in the system with 4-5 logins, including FB, Google+ and 2-3 different email addresses.
So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.
But still there were a lot of complaints about password reset links not working (users looking in the wrong inbox, or using Outlook aliases, or going back to a different email address and then seeing a password reset link and being pissed that it was obsolete). So we added a one-time password feature, which is sent by email or text message (and is matched to the specific browser session). This helped a lot too. But whenever we add a feature, people find more ways to make mistakes.
So next time you see a system that looks stupid, remember that the vast majority of users are probably people with little computer skills and no patience whatsoever for passwords and security. It does not excuse bad designs, but it puts things in perspective.
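lucm's session-bound one-time password idea, sketched here in Python as an added example (not lucm's or any vendor's code): the code goes out of band by email or SMS, only a hash of it is kept server-side, and it is tied to the browser session that asked for it, so a code pasted into a different session, reused, or presented after expiry is rejected. The six-digit format and 600-second lifetime are assumptions; the post gives neither.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600  # assumed lifetime; the original post does not state one


class OneTimePasswordStore:
    """Issues one-time codes that only work for the browser session that requested them."""

    def __init__(self, ttl=OTP_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._pending = {}  # session_id -> (digest, expiry, user_id)

    @staticmethod
    def _digest(session_id, code):
        # Binding the session id into the hash means the same code is useless elsewhere.
        return hashlib.sha256(f"{session_id}:{code}".encode()).hexdigest()

    def issue(self, session_id, user_id):
        """Create a six-digit code for this session; caller delivers it by email/SMS."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = (self._digest(session_id, code), self._now() + self._ttl, user_id)
        return code  # never persisted in clear, unlike the password e-mail in the OP

    def redeem(self, session_id, code):
        """Return the user id on success, None otherwise. Any attempt consumes the code."""
        entry = self._pending.pop(session_id, None)  # single use, even after a wrong guess
        if entry is None:
            return None  # no code was issued to this browser session
        digest, expiry, user_id = entry
        if self._now() > expiry:
            return None  # stale code, e.g. an old message found in the wrong inbox
        if not hmac.compare_digest(self._digest(session_id, code), digest):
            return None  # wrong code; constant-time compare avoids timing leaks
        return user_id


if __name__ == "__main__":
    store = OneTimePasswordStore()
    code = store.issue("browser-session-1", "user-42")
    print("other session:", store.redeem("browser-session-2", code))  # None
    print("same session: ", store.redeem("browser-session-1", code))  # user-42
    print("reuse:        ", store.redeem("browser-session-1", code))  # None
```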
lucm, indeed.
It looks like this is more of a competitor trying to sabotage them, rather than a legitimate complaint. Yes, Slashdot could have gotten in trouble for running it. Honestly, they should have seen it, done the difficult step of "Look at the site first" and realized it was a non-story.
He's bitching about not being able to contact the company, yet http://kahntools.com/contact-us
Address
6320 Canoga Ave. Suite 640
Woodland Hills, CA 91367
Phone
Office: (818) 884-7000
Toll Free: (855) 585-7500
Fax: (818) 530-4249
Hours of Operation
9:00 a.m. - 9:00 p.m. Eastern Time
Monday - Friday
Email
Customer Service: sales@kahntools.com
General Inquiries: support@kahntools.com
and I found separately through the magic of g00gle...
https://www.facebook.com/kahntools
Serious? Seriousness is well above my pay grade.