Websites Still Failing Basic Privacy Practices 205
DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"
Nobody considers that import (Score:5, Interesting)
That level of privacy is not considered important by anybody. Seriously.
Credit Card data - encrypted; you're first and last name? short of being in the witness protection program it is NOT considered a privacy issue. sorry.
(I know, I know, it would be nice if it was).
Taxcut http (Score:5, Interesting)
A few years ago I was buying a state tax program and realized that their form that asked for all my private data was an http page! I was shocked. Then I added "s" after http and it happily connected me over SSL. How many people who buy Taxcut will check the protocol and change it?
Ignorance at work (Score:3, Interesting)
Many, many people that I've tried to talk to about this very thing completely don't understand encryption at the most basic level - why it matters or if they have it. My guess from past experience is that if you tried to talk to P&G about it, the people responsible would try to tell you that it didn't need encryption, because the site is on *their* servers, so the data only goes on their network, and no amount of convincing would get them to think otherwise. The site you mentioned was probably farmed out anyways.
The state of affairs when it comes to the most basic data protection is really sad. One case was where I was applying for a job which required my SSN (a federal gov't position). The instructions were to download the form and email it. I called the number listed and explained why I wasn't going to include my SSN in an email, and they weren't mad, but they were annoyed. So you tell me a) did they wait for my app and trash it because I put "withheld for security reasons, will provide offline" (something like that) b) if the folks running the federal jobs website think it is okay to email around sensitive information (this was another one of those "your email is stored in our secure servers" things), then it must be okay, right?
Even in the physical realm, things aren't much better. A couple of months ago, I called a local business to complain that they'd charged my creditcard a fee for canceling an appointment. (The number shouldn't be on file, I know. At the time I didn't realize that it was.) I explained to the person that when I canceled the appointment I was aware of the fee, but to send me a bill for it and I'd pay it when I got the bill. They sent me an invoice in the mail, with the charges and showing the balance was paid. I asked the guy which credit card they'd charged - and he proceeded to read off the type, entire number, and expiration date - without any authentication from me except my name and one other non-secret item, derived from the start of the conversation. I've since canceled that card, but people really don't understand.
Re:Taxcut http (Score:5, Interesting)
Now if only you had some assurance that the http-based form hadn't been MitM'ed, such that the "Submit" button no longer submits where you want it to. E.g., if the form were sent over https.
Re:but realistically (Score:5, Interesting)
Re:but realistically (Score:5, Interesting)
Information is context-sensitive. The VERY first thing you learn when using encryption systems is that it's much easier to crack something where you know what the plaintext should look like. The second thing you learn is that the information around the encrypted data is often far more valuable intelligence-wise than the encrypted stuff. That's why those of you who have ever been instructed on the use of STU-III phones were told NOT to chat before inserting the encryption card. (You WERE paying attention to those talks, right? Right???)
Next, there's this thing called the European Union. They're getting, oh, just a little sensitive about personal information these days. You know, what with German banks freely selling personal data (such as bank account details) to anyone who calls up, despite some of the toughest data protection laws in the world. Americans may view them as unimportant nobodies, but they are at least grasping the idea that ANY unnecessary exposure of personally-identifying information is a very high risk to the individual (identity theft) and a fairly substantial risk to the economy as a whole (such theft costs - and it costs a whole lot more than any "terrorist" threat ever did).
Name and address "high risk information"? If it can be used in a social engineering attack on a bank, credit card company or Government department (and usually such people do not make much effort to validate who a person is), then it is high risk. It doesn't matter if such information has always been viewed as public, as long as human operators (and computer programs) are satisfied that such information proves identity, it is not safe to expose.
Oh, and as for the fact that this information is actually used as a substitute for secure passwords, The Cheshire Catalyst [spaceyideas.com] was responsible for publishing a rather pointed song [poppyfields.net] on the subject by breaking into the PRESTEL account of a BBC presenter whilst he was demonstrating the service live on BBC television. The lyrics should be required reading material for anyone who uses any kind of online service, and failure to heed its warnings should be considered no different from reckless driving or setting off fireworks inside a furniture store.
Name, Address and Dob are a joke (Score:5, Interesting)
If I wanted a list of names, birth dates and addresses to use for nefarious purposes I don't need to steal yours from some dinky website or sniff packets. I'd just take one of the plentiful lists of birth records on the internet like this one [rootsweb.com] then cross reference it with property tax records of the area which are more plentiful than the birth records and it'll give probable name, dob, and address combinations. A good portion of probable matches can be confirmed through freely available court records. All of that data is fairly trivial to collect in bulk (i used to collect databases, was a pretty fun hobby actually), is perfectly legal and will provide a much better profile of matches than just name/dob/addr combinations stolen from a website or data stream.
Being that anal about your name, birth date and address is actually quite silly. Theres so much low hanging fruit as far as collecting that type of data is concerned (and you're probably already included in it) that all you really did by not continuing with that form was taking yourself out of the running for a Wii.
The best thing you can really do is just keep close tabs on your credit report and get signed up for all the fraud alerts or freezes they offer. Thats the best place to prevent and quickly repair most identity theft. Stop being so anal about info thats almost guaranteed to be out there already, set up your defenses where they're most effective and go get your Wii.
Sallie Mae e-mailed me my SSN number regularly (Score:4, Interesting)
They stopped this practice recently, but for over a year, my student loan company required me to sign up for monthly paperless statements if I wanted to pay electronically. The statements were e-mailed in the form of a PDF attachment. The e-mail body assured me my privacy was intact because the file was password protected -- by my Social Security number!
Brilliant! If an interloper intercepted my e-mail, not only could he brute force my password with easy to find, easy to use tools (in a matter of minutes, since he knows the number of characters in it), but he'd know my SSN once he cracked it. I would have been better off with no password protection.
When I e-mailed Sallie Mae with the above information, the representative brushed it off. It was safe, he said, as long as I opened it on a non-public computer, because my SSN was not being sent over the Internet when I typed it in.
(The Consumerist didn't find it interesting, either.)
slashdot (Score:5, Interesting)
Re:Nobody considers that import (Score:3, Interesting)
... Given the number of people who have had their lives turned upside down through identity theft...
The thing is though, that if you have your identity stolen, there has to be someone else who ultimately gives something of value to the thief, for that stolen identity. In the case of stolen credit card numbers for example, it would be a bank or merchant that gives the thief of your identity something of value. It is at this point of use, of any identity, stolen or not, that additional security could and should be applied. This should be particularly the case, if the value to be exchanged is very high.
Your identity cannot really be stolen, only fraudulently misappropriated. Your identity is who you are and is one of the few things that cannot be stolen. It is at the point of such misappropriation, the transactional exchange of value, where added security and care would do the most good. You cannot keep your identity, who you really are, a secret, unless you never transact any business with any other person or institution.
And after the SSL form? (Score:2, Interesting)
Beween 1999 and 2001 I worked at a local Washington, DC ISP, and I was impressed with the number of sites we hosted that carefully encrypted their customers' credit card information as it traveled to our server racks, then delivered it to the site operators by plaintext email to an AOL account.
Sure, times have changed, but short of auditing the offices of your favorite e-commerce sites, how do you know what they do with your data after you carefully check that all their forms submit with "https://"?