Monthly Archives: January 2006

Keeping consumer confidence under lock and key.

Some companies just don’t get it. I am helping a friend purchase something on the Web, and the site is asking for personal, confidential information (name, password, email, credit card information, etc) on a non-secure page.

Are you kidding me? We read the privacy page, and they go on about how secure their system is, yet they are asking for personal credit card information over a non-secure connection.

I wonder how many people even notice these things.

As a consumer, never give away personal information from companies you do not know or trust, unless you are ready to take the risk of this information getting used or ‘misplaced’ without your knowing.

Also, never give this kind of information away unless you have a secure connection. How do you know you are running a secure connection? The first thing to look at is the address of the Web page. Normal (non-secure) Web pages start with http (HyperText Transfer Protocol). Secure connections start with https. The https means you are running over a Secure Socket Layer (SSL).

Also, your Web browser should display a ‘closed lock’ or a solid key (as opposed to no lock, an open lock, no key, a broken key, or whatever).

Now, technically, you could be on a secure page and not see these clues that you are reasonably safe. This is because some Web sites use ‘frames’ for their pages, which might prevent you from seeing these important security clues. This is their loss. As more and more people learn about safe online practices, Webmasters will have to become aware that just saying a site is safe is not going to convince everyone. They have to prove it.

Brand spoofing, phishing, keystroke loggers, and malware are taking their toll on consumer confidence. Real companies need to be aware of this, and take every effort to inform their users that they are legit.

I have little doubt that the major company I was trying to help my friend make a purchase from was legitimate, but I do think they doubt how savvy consumers are becoming. Otherwise, they would have taken the time to ensure their site looked, acted, and was secure.

This is not a complete list by any means, but here are a couple tips to keep consumer confidence off the top of my head:

  • Take the time to inform people on what your security policies are. What steps do you take to ensure that information that is transmitted to you is secure (SSL). How do you protect the information once it is on your servers? What are your policies about using/sharing/selling that information? Make that information be easy to find and understand.
  • Put up a FAQ on what SSL is, how it works, and other related content. The more information like that you have on your site, the more it shows customers you are open, honest, and informative. Discuss what cookies and other technologies are and how you use them.
  • Let users easily contact you via email, a form, a forum, phone, fax, or whatever. If they have questions about if you are legit or not, hiding contact information is not going to ease their concerns.
  • Give people control over their accounts. If you let people register for services, let them change their personal/account/contact information, and let them subscribe and unsubscribe at will. Let them delete their account, or at the very least, make it easy to request these changes (and of course, fulfill their requests in a timely fashion).
  • If someone makes a mistake when they fill out a form, use JavaScript to check it right away and give helpful error messages. Give examples of the format you want the information before it is entered, not after. Don’t waste their time and yours. In case they have JavaScript turned off, double-check the data on the server. Again, make sure that any error messages you give are clear and concise, and re-populate the correct data in the form before they proceed to fill in the mistakes. No one likes to fill in 15 fields of information twice. They will probably get frustrated and leave.

Research, Personal, and Guess Attacks: “8@d P@55\/\/0rDz” Part 1

I was a system administrator in a previous life, and one thing that a sys admin does is creating user accounts and passwords. My boss was joking that I was taking my duties a little too seriously, so I suggested we guess the CFO’s password.

Four guesses to get in. It was his wife’s first name.

Another job before that I found myself in a similar situation, showing the problem with their password guidelines. The password of a high-ranking officer was also guessed within minutes: golf. An avid golfer, it certainly gave us a starting point. It should have been my first guess, but I started with his kids. Priorities, I guess 😉

First of all, I’ll mention that I had permission to test the password strength in both cases. I would not recommend trying to hack any account unless you have proper authorization.

These are both examples of simply guessing a password based on some basic knowledge of the person. A research (a.k.a. personal) attack can be as simple as guessing passwords based on something you know about someone. If the person is a hockey fan, you try favourite teams, players, or sport brand names. There are entire dictionaries that can automate these kinds of attacks. A text file with several million hockey related passwords could take minutes/hours/days to crack a password. Of course, there are many counter measures to these types of dictionary attacks, but those are for another time.

Imagine someone makes an application that has a bunch of fields like this:

  • First name, last name, date of birth, place of birth
  • Mother’s first name, last name, date of birth, place of birth, maiden name
  • Father’s first name, last name, date of birth, place of birth
  • Child’s first name, last name, date of birth, place of birth
  • Pet’s first name, last name, date of birth, place of birth
  • Home phone, address, fax, email, pager, cell
  • Work phone, address, fax, email, pager, cell
  • Auto details like license, make, model, colour
  • Hobbies, social clubs, pastimes
  • And so on.

They could rummage through your garbage (dumpster diving), take pictures of your house and car, look up information about you on the Web (don’t get me started!) or public records like the phone book, and plug in as much as they find. (If they are up on their social engineering and/or phishing, they have even more ammunition.)

Once they have harvested some basic data they could let the software generate different combinations, word/letter substitutions, etc. to create a list of potential passwords to try. The software could do a lot of work with very little research required.

Or, you can simply make some educated guesses. You would be sadly surprised at how often this works.

It lookd gud 2 me

Matt Cutts, master Google guy, brings up a good point. Although he is talking about general spell checking of your Web page content, it really goes beyond that.

The example that he shows has two mistakes (although he only noticed one initially). The word guarantee has a typo, and also don’t is missing the apostrophe before the t.

The point is simple: content counts. The example given is trying to sell you something. You can do all the SEO (Search Engine Optimization) you like, and bring in hundreds of thousands of eyeballs to your site, but if your content is filled with spelling, grammar, and punctuation mistakes, you will not be able to convert them to sales (or whatever your goal of the site is).