Slashdot Mirror


Ask Slashdot: Dealing With Companies With Poor SSL Practices?

An anonymous reader writes: Despite recent highly-publicized hacking incidents making the news, companies continue to practice poor cyber-security. I signed up to buy something from [an online vendor] and, upon completing signup through HTTPS, was sent my username and password in plain text through e-mail. This company has done everything in its power to avoid being contacted about its poor technical practices, including using GoDaddy's Domains By Proxy to prevent even the WHOIS information for their webmaster's technical contact from being found. Given such egregious behavior, what do you do when you're left vulnerable by companies flagrantly violating good security practice?

21 of 141 comments

  1. not your problem... by Anonymous Coward · · Score: 3, Insightful

    Use an online review tool, like, say, Google. Then put your grievance there. They do not want to know; well, just put your sticker up, then move on and do not deal with them anymore. It is not your problem to fix.

    Yes, there are *many* things on the internet that are broken. Yes, you will find people who go 'oops, my bad' and fix it. You will also find many who *do not care*. They never will. You can't fix stupid.

    1. Re:not your problem... by twitnutttt · · Score: 2

      I am reminded of many years ago, Sprint (my cell carrier) emailed me my new password when I changed it online.
      I called them to ask them to review this practice and not email me my new password. The helpful rep explained to me, "Don't worry. We only send it to your email, and your email is secure."
      I responded, "Um, no. It's my email, and I'm telling you it's not secure. There is no reason for you to email me my password."
      They just kept repeating, "Don't worry. Your email is secure."
      I called again and got similar results. I was horrified that this company which maintains my social security number had such idiotic security awareness.
      I suppose by now someone has probably fixed this practice; it was many years ago.

  2. Don't Do Business With Them by TechyImmigrant · · Score: 5, Insightful

    EOM

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Shop elsewhere... by Frosty Piss · · Score: 5, Insightful

    There really isn't much you can do about companies like this, except shop elsewhere. Sooner or later, they will have a breach, and the "security researchers" will have your credit card data.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Shop elsewhere... by Anonymous Coward · · Score: 3, Informative

      This, and ALWAYS generate a random password for each account so that the risk of exposure is limited to the one service.

    2. Re:Shop elsewhere... by TheRaven64 · · Score: 2

      Depending on your locale, the purchase might be covered by distance selling regulations. In the UK, you have a few days in which you can cancel the order for any reason. Cancel the order citing their poor security practices as the reason, keep a copy of any correspondence, and forward it to your credit card company if they try to charge you anything.

      --
      I am TheRaven on Soylent News
  4. Please shame whomever it is by stonefoz · · Score: 3, Insightful

    Please don't hide who it is that I might accidentally do business with. Nothing is going to change just by sending them an email; they may even go after you for doing so. However, you may stop others from being suckered when their poor security becomes everyone else's problem. It's not their problem, it's going to be everyone else's.

    First assumption is that there isn't somewhere that'll get broken. Everywhere probably will get successfully attacked at some point. Use a password manager. At least this way, when somewhere is broken, I'm sure that it's the only place where that password is used.

    --
    I think I just cashed out all my cool points.
  5. Plain text e-mail... by nuckfuts · · Score: 4, Informative

    has nothing to do with "poor SSL practices".

    1. Re:Plain text e-mail... by cheesybagel · · Score: 3, Insightful

      IM networks are not safe either. Most of them use communications that are funneled in some way through some server or store client side message logs by default. A lot of them are not even encrypted at all.

  6. This is not a SSL matter by lucm · · Score: 4, Insightful

    Your issue is apparently with them sending your password by email. This has nothing to do with SSL. Having a password stored in an inbox is bad for security reasons that have for the most part little to do with secure transport.

    Can you reset it? If so, is it done on an HTTPS form? That's not ideal, but it's not immensely worse than those millions of websites that will send a "reset password link" by email.

    I'm not saying their approach is fantastic, but I don't see reasons to get your panties in a bunch. If you are concerned with their email approach (which is not the same as "poor SSL practices") reply to that email (redacting your password), and if you're not happy with their answer or lack thereof, don't buy from them anymore. You don't need to Ask Slashdot for that.

    --
    lucm, indeed.
    1. Re:This is not a SSL matter by F.Ultra · · Score: 2

      Yes, a reset link via mail is also bad, but sending the password via mail indicates that the site does not use hashing and is storing all customers' passwords in clear text in their databases.
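      An added example, not code from anyone in this thread, of the contrast the comment above draws (and of the "reset password link" alternative mentioned in comment 6): a service that keeps only a salted PBKDF2 hash can verify a password but has nothing to put in a "here is your password" e-mail, so the only secret it can mail is a short-lived, single-use reset token. The function names and the in-memory dictionaries are assumptions for the demonstration.

      ```python
      import hashlib
      import hmac
      import os
      import secrets
      import time

      ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor; production should use more (OWASP: 600,000)
      USERS = {}             # constructed in-memory store: username -> {"salt": bytes, "hash": bytes}
      RESET_TOKENS = {}      # sha256(token) -> (username, expiry timestamp)


      def _pbkdf2(password, salt):
          return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


      def register(username, password):
          """Keep only a per-user random salt and the derived hash; the plaintext is dropped."""
          salt = os.urandom(16)
          USERS[username] = {"salt": salt, "hash": _pbkdf2(password, salt)}
          return username in USERS


      def verify(username, password):
          """Constant-time comparison; unknown users still pay the same PBKDF2 cost."""
          rec = USERS.get(username, {"salt": b"\0" * 16, "hash": b"\0" * 32})
          ok = hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"])
          return ok and username in USERS


      def recover_password(username):
          """What a 'we emailed you your password' feature would need: impossible with a one-way hash."""
          raise LookupError("passwords are not recoverable from a salted PBKDF2 hash")


      def issue_reset_token(username, ttl=900):
          """The only secret the service can mail out: random, short-lived, and stored only as a hash."""
          token = secrets.token_urlsafe(32)
          RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, time.time() + ttl)
          return token


      def redeem_reset_token(token, new_password):
          """Consume the token (so a leaked inbox cannot replay it), then re-hash the new password."""
          entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
          if entry is None or entry[1] < time.time():
              return False
          return register(entry[0], new_password)
      ```
      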

    2. Re:This is not a SSL matter by lucm · · Score: 5, Informative

      Sometimes it comes from the kind of users the company deals with. It can be quite a struggle to deal with the public.

      I experienced that again lately. I was working on a new system for a client, and we quickly found out that people not only forget their passwords, they also forget what email address they used to create their account (Gmail? Outlook? ISP? job email?). So they create an account, forget the password, come back a few days later, try to use a different email address, it's not found so they recreate an account, and then they change their settings or place orders, and then the next week they come back and log in with the first email address they used, which is linked to the first account, so they get mad because their new settings or orders created in the 2nd account are "gone". You have no idea how often this happens. Some people have created 4 different accounts in a single month, and they keep randomly logging in using one or the other (resetting the password each time), and of course they complain about losing their settings.

      So we added a tool for helpdesk to let them "merge" accounts when someone calls to complain about losing their settings. It helped a bit. We also tried to create a "duplicate matcher" in the login page (name/address/DOB/etc) but we did not have a lot of success with it. Believe it or not, our stats indicate that almost 15% of people make a typo when they enter their full name or DOB.

      So we added a third-party login mechanism (FB, Google+, Yahoo, LinkedIn). This significantly reduced the number of calls about forgotten passwords (or more accurately, those calls were probably shifted to FB/Google/Yahoo/LinkedIn) but created another fuck-up option: people who create their account using their FB login, but then come back the next week and try to log in without using the FB login button, trying instead to log in with their email address and a password (which is probably their FB email and password anyways). Fewer people called to complain about forgotten passwords; instead they created even more accounts. There are people in the system with 4-5 logins, including FB, Google+ and 2-3 different email addresses.

      So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.

      But still there were a lot of complaints about password reset links not working (users looking in the wrong inbox, or using Outlook aliases, or going back to a different email address and then seeing a password reset link and being pissed that it was obsolete). So we added a one-time password feature, which is sent by email or text message (and is matched to the specific browser session). This helped a lot too. But whenever we add a feature, people find more ways to make mistakes.

      So next time you see a system that looks stupid, remember that the vast majority of users are probably people with little computer skills and no patience whatsoever for passwords and security. It does not excuse bad designs, but it puts things in perspective.

      --
      lucm, indeed.
  7. Don't shop there by jtara · · Score: 3, Insightful

    Pretty simple: don't shop there.

    You ignored multiple red flags, yet you are surprised when they email you your password? (Which, of course, as others have pointed out, has nothing to do with SSL.)

    Any one of these loses any company my business:

    - Expired, non-matching, self-signed, localhost, example.com, etc. etc. SSL certificate
    - Domain proxy registration (companies should not have "privacy")
    - Hidden contact information
    - Mailed me my password
    - Doesn't offer payment choices, only one payment type

  8. Hacking by axlash · · Score: 2, Funny

    If their security is so bad, you should be able to hack into their network.

    Once you've done so, post the story of the hacking on the internet.

    Nothing like public embarrassment to make them clean up their security practices.

    --
    Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
    1. Re:Hacking by gnasher719 · · Score: 2, Informative

      > If their security is so bad, you should be able to hack into their network.

      Worst possible advice. There is the risk of jail time. There is a severe risk of being taken to court for damages, which is expensive if you win, and really, really expensive if you lose. Which is likely if you hack into their network.

      And anyway, what the OP described is blatant disrespect for the security of their customers. That doesn't mean their own stuff isn't protected.

  9. 3 Quick Fixes by BarbaraHudson · · Score: 4, Insightful

    1. Name and shame them. Don't pussyfoot around. Worst-case scenario, you'll get their contact info when they act all butt-hurt and make empty threats to sue (for what, exactly? Negative online reviews are protected speech). Not just on "review sites", which often are "we will remove the negative review if you buy our services" scams (cf: Yelp), but sites that YOU use. People only go to these sites after the fact. They're worthless.

    2. Change your password and see if they send you back the updated info in plaintext. If they do, it's not just ONE bug.

    3. Shop elsewhere. Use sites recommended by people you know who have actually used them and had good experiences, not some $RANDOM_SITE_WITH_LOWEST_PRICE that may be some kid in a basement and his mom who don't have a clue. If they're the lowest price, it may be because they're skimping on things like security and not because they have bulk buying power.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  10. Re:Had a couple of companies email me passwords by Scryer · · Score: 2

    And the author of that one *also* does not name the offending company.

    Raising the issue in a vacuum is fruitless, because there's no general panacea for corporate security stupidity. Other users won't know until they receive their passwords in the mail that they've opened an account with a company that should be marked "Fail".

    So mark them. Here's a good place to start, and the above blogger should have done it also. Otherwise you're just blowing off steam.

  11. Don't get a new card---get a new acc't no. by Max Hyre · · Score: 2

    FWIW, I've read (too lazy to look up citation) that closing one CC account and opening another can hurt your credit score. Ask your issuer to assign your account a new number.

    --
    I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
  12. Name and shame... by Bert64 · · Score: 2

    There really isn't much else you can do: publicise the bad companies so that those who do care can avoid them. Only if they start losing business will any company even consider doing anything about it.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. 100 times this!!! by brunes69 · · Score: 2

    It drives me bananas when people write posts like this, and I see it online all the time. Unless you care more about some corporation than your fellow consumer, NAME NAMES! There is essentially ZERO reason for a company to change practices other than bad PR, and you can't create that without naming them.

    1. Re:100 times this!!! by JWSmythe · · Score: 4, Informative

      It looks like this is more of a competitor trying to sabotage them, rather than a legitimate complaint. Yes, Slashdot could have gotten in trouble for running it. Honestly, they should have seen it, done the difficult step of "Look at the site first" and realized it was a non-story.

      He's bitching about not being able to contact the company, yet http://kahntools.com/contact-us

      Address
      6320 Canoga Ave. Suite 640
      Woodland Hills, CA 91367

      Phone
      Office: (818) 884-7000
      Toll Free: (855) 585-7500
      Fax: (818) 530-4249

      Hours of Operation
      9:00 a.m. - 9:00 p.m. Eastern Time
      Monday - Friday

      Email
      Customer Service: sales@kahntools.com
      General Inquiries: support@kahntools.com

      and I found separately through the magic of g00gle...

      https://www.facebook.com/kahntools

      --
      Serious? Seriousness is well above my pay grade.