Security on the web: how far do we go?

7 Mar 2008 - 5:02pm
stauciuc
2006

My girlfriend is on a business trip in another country, and she was trying
to book herself a plane ticket back (her stay was longer than expected). She
tried to login to the travel company's web site, but she wasn't sure about
the username (picked by her company) and password (she has several), so she
failed the login 3 times. Without any notice, her account was blocked and
she was told to contact the admin/support to unblock it. I don't know if
they have customer support available on weekends, but anyway now there is a
good chance she may have to book a later flight and spend another night or
two in the hotel. And it all happened in a few seconds.
Maybe this isn't a very common case, but still I was wondering: couldn't
such situations be avoided? Is security a good enough justification to block
a customer's account? How far should we go?

Sebi
--
Sergiu Sebastian Tauciuc
http://www.sergiutauciuc.ro/en/

Comments

7 Mar 2008 - 5:38pm
Katie Albers
2005

Well, ignoring the account blockage question for the moment: There
are exactly zero situations in which it's acceptable for a company to
dictate usernames and/or passwords for their employees on external
web sites. If you put your employees in a situation where the only
way they can reliably recall their necessary usernames and passwords
is by writing them down, they will write them down...and so much for
the security angle.

As far as the account blockage question, that may be acceptable in
certain situations, but only if there is immediately available 24/7
human backup at a toll-free number...and by that, I mean toll-free
where the employee is standing. Far too many companies still hold the
bizarre belief that "We have an 800 number,..." is an adequate
response to the need for a worldwide toll-free assistance...which
means that the assistance isn't available outside the US and Canada.

Waving your hands and applying the maximum number of mysterious, hard
to remember, magic words is not the same thing as providing security,
and that's what is happening in a situation like your girlfriend's.

So, my solution to these cases in general is to combine a
user-selected username, a user-selected password, and 24 hour free
access to help. It isn't perfect, but it has a much higher chance of
working to everyone's benefit than this system has.

Katie

At 12:02 AM +0200 3/8/08, Sebi Tauciuc wrote:
>My girlfriend is on a business trip in another country, and she was trying
>to book herself a plane ticket back (her stay was longer than expected). She
>tried to login to the travel company's web site, but she wasn't sure about
>the username (picked by her company) and password (she has several), so she
>failed the login 3 times. Without any notice, her account was blocked and
>she was told to contact the admin/support to unblock it. I don't know if
>they have customer support available on weekends, but anyway now there is a
>good chance she may have to book a later flight and spend another night or
>two in the hotel. And it all happened in a few seconds.
>Maybe this isn't a very common case, but still I was wondering: couldn't
>such situations be avoided? Is security a good enough justification to block
>a customer's account? How far should we go?
>
>Sebi
>--
>Sergiu Sebastian Tauciuc
>http://www.sergiutauciuc.ro/en/

--
Katie Albers
katie at firstthought.com

7 Mar 2008 - 5:41pm
Jack L. Moffett
2005

On Mar 7, 2008, at 5:02 PM, Sebi Tauciuc wrote:

> Without any notice, her account was blocked and
> she was told to contact the admin/support tu unblock it.

I've had issues with this as well. The other night, I was trying to
get onto Discover's site to redeem my cashback bonus. I rely on the
Keychain in OS X to remember all of my logins, but due to some change
on their login page (I assume) the information wasn't filling in. I
tried one of several standard combinations I use, tried a different
one, tried a third, and was then confronted with that same message. I
was going to deal with it later and just pay my bill through Quicken
(it was late), and soon discovered that it wouldn't allow Quicken
access to my account either.

Greatly perturbed, I had to call them, relay all of my back-up
personal information, and then sit through their spiel about some
service they wanted me to subscribe to (fraud prevention, I think).

That was a very poor customer experience!

Jack

Jack L. Moffett
Interaction Designer
inmedius
412.459.0310 x219
http://www.inmedius.com

There is no good design that is not
based on the understanding of people.

- Stefano Marzano
CEO of Philips Design

7 Mar 2008 - 7:34pm
gretchen anderson
2005

And, in my experience the sites that use account locking are exactly
those that don't really need it. Corporate travel? My bank doesn't lock
me out after 3 tries! Sheesh. My PG&E account does however, and every
month I lock myself out for 24 hours. Are hackers trying to pay my
energy bill? Let them!

On a related rant, my voicemail at work requires a 6 number PIN that
changes every 6 weeks. Again, my bank account isn't that secure. So,
don't leave a message on my work vmail, because I probably won't check
it. ;)

7 Mar 2008 - 8:56pm
Stephanie Heacox
2007

Reminds me of a former client (large multinational with huge legal concerns)
who grudgingly gave me access to the litigation support section of their
intranet so that I could re-architect it. After giving me a stern lecture
on the importance of absolute security, he pulled out his drawer to view his
ID and password on the large yellow sticky note where he kept all his
logins.

As for the day-to-day reality of password recall, I keep my unnecessarily
vast collection of IDs and passwords in eWallet (Windows Mobile, Smartphone
or Palm OS).

Stephanie Heacox
Sr. User Experience Consultant
Molecular, Inc.
stephanie.heacox at molecular.com


8 Mar 2008 - 1:08pm
Gloria Petron
2007

David Platt devotes Chapters 3 & 4 of his book, *Why Software Sucks...And
What You Can Do About
It*<http://www.amazon.com/Why-Software-Sucks-What-About/dp/0321466756/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1204999335&sr=1-1> ,
to this very issue. His quote: "The No.1 threat of security isn't the packet
sniffer...it's the Post-it Note."
His proposed solution: single sign-on, managed through a reputable and
trusted third party, such as a credit card company or bank (similar to
Stephanie's solution).
Microsoft tried the same thing with Passport a while back, but it flopped
because no one wanted their personal info being managed by Microsoft.

He also recommends this book, which he claims will scare you so bad you
won't be able to sleep for weeks afterwards. Sicko that I am, I can't wait
to check it out.
Kevin Mitnick, *The Art of Deception: Controlling the Human Element of
Security*<http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1204999227&sr=8-1> (Wiley,
2002).

8 Mar 2008 - 7:43pm
Michael Micheletti
2006

On Sat, Mar 8, 2008 at 10:08 AM, Gloria Petron <gpetron at gmail.com> wrote:

> David Platt devotes Chapters 3 & 4 of his book, *Why Software Sucks...And
> What You Can Do About
> It*<
> http://www.amazon.com/Why-Software-Sucks-What-About/dp/0321466756/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1204999335&sr=1-1
> >,
> to this very issue. His quote: "The No.1 threat of security isn't the
> packet
> sniffer...it's the Post-it Note."
>
...

> Kevin Mitnick, *The Art of Deception: Controlling the Human Element of
> Security*<
> http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1204999227&sr=8-1
> >(Wiley,
> 2002).
>

Another for your book list: Corporate Espionage by Ira Winkler
http://www.amazon.com/Corporate-Espionage-Happening-Company-About/dp/0761508406/
Former NSA computer security spook (hi guys, hope you get this message, tell
Verizon I'll pay my bill soon, OK? :-) delivers case studies that read like
spy stories. My favorite was the Japanese Documentary Film Crew caper.

His recommendation for the most effective thing a company can do to promote
security: a company-wide security awareness program. The weak point in most
of the cases discussed in the book is the humans in the system; a security
education awareness program helps them make better decisions.

Michael Micheletti
