Online Security - Why the low standard, New Zealand?

Posted by Phil on November 05, 2014

I like websites. I like online transactions. I also like good security practices when conducting online transactions. I think it's a pretty neat idea. Not a particularly new and radical one, mind you; it's been around for quite a while. So when I see prominent, established brands making really basic, rudimentary mistakes I get understandably frustrated. Not necessarily because I feel threatened or vulnerable when I see poor implementations, but because I know that, for example, my parents or friends who aren't as fluent with technology assume a certain standard that these businesses are failing to meet. Online businesses - particularly those with the resources to offer online shopping and have the brand reputation to boot, have a duty of care to their customers; a duty of care that too often is being neglected or ignored.

Here are two recent examples that I have had the pleasure of working with recently.

Countdown Supermarkets

Countdown is a grocery retail chain based in New Zealand and Australia. It's part of the Woolworths group and last year turned over $310m in profit (pre-tax). So it's fair to say they're not poorly-resourced.

Countdown manages a rewards scheme called Onecard, which is simply a loyalty / rewards programme.for customer purchases. Users can apply for and maintain these loyalty cards online, check their rewards balances, update their personal details and so on. Credit card information, residential address details and past purchasing history is kept on file on their online shopping site.

With that sort of information combined with the customer base, that's a fair chunk of important personal information that's being stored, so you'd expect the security practices to be reasonably robust. Unfortunately that's not quite the case.

As is the case with so many of the examples I found, passwords are not being encrypted and can easily be retrieved via email. Why is that a problem? Because hacks happen all the time and - like vaccination - the herd is only as strong as its weakest member. If one person's account gets hacked, the entire database is vulnerable.

You would be forgiven for thinking this issue was just confined to the Onecard loyalty site, but a quick check of the online shopping page reveals the full extent of the problem:

Ticketek New Zealand

Ticketek is one of New Zealand's major event ticketing companies.

With the Cricket World Cup being played in New Zealand and Australia, tickets will likely be in higher demand than usual so Ticketek in association with New Zealand Cricket have launched a "priority ticketing" campaign to drive early sales and build the marketing engine.

Cricket fans can go to the Ticketek site and put their name and email address down for preferential offers for games they're keen to attend. Once their details are sent, the user is given a "Priority Member Password" they can use to purchase tickets. This password doesn't appear to be anything more than a promotion code. You can't log in with it but it is unique to your own details.

This isn't necessarily a problem in and of itself except that the site is entirely served over HTTP. There is no attempt made to direct the user to a secure channel. Why is this a concern though? We've already established that we're just talking about a promo code and no actual purchases are being sought yet. Except that we're calling this code a "password" and expecting our users to submit that password over an unsecured medium. While trying to drum it in to users that we should NEVER supply password or account information over "plain" HTTP, we're asking them to forget all that so they can submit this password for Ticketek.

It's a damaging message and a poorly-considered marketing campaign.

Even more troubling however is how their site handles log-ons when you actually do want to sign in to the site:

 

That's right. They're serving mixed content over HTTPS which effectively means their entire log-in function is unreliable. So even when they are trying to do it right, they're screwing it up. At least the user passwords are encrypted, right? RIGHT?

Oh dear. This can't end well.

 

The fact that you are able to have your password emailed back to you is only half the concern. The other issue here is that we're now able to enumerate the user accounts through the "Forgot Password" function.

And can we actually confirm that they're sending the password instead of a reset link?

You betcha.

The Warehouse

The Warehouse is New Zealand's largest retail group and is another large organisation whose online retail site takes a casual approach to its customers' information through weak password standards.

Right from the registration process, the password strength sets a ridiculously low bar, providing no guidance whatsoever to the user.

When filling out a registration (as shown at left), I tried starting with the trusty old "Password" for the password, expecting it to reject such a weak option and require me to try again. No such luck. It was fine with that choice and let me sign up. This is a worry considering they store my full address and contact information, my order history and my personal interests (?!).

So how low is that bar set? I tried again with the password, "123456":

No problem. What about trying a password of "test"?

Oh, so that password is not acceptable but "Password" and "123456" are ok? What sort of criteria does The Warehouse actually have in place to decide what's ok and what's not? Let's check their Security Page, which immediately looks like a bad idea since the very first thing you're told is,

We want you to have a safe and secure shopping experience online.

No you don't! If you did you wouldn't have such terrible password criteria and you wouldn't be storing your customers' passwords in plain text and offering to email them back.

In fact, checking back over any of these sites' privacy policy pages yields depressingly similar unsubstantiated claims around how seriously the company takes security. The Privacy Policy for Countdown, for example states:

In all cases, we have rigorous information security requirements aimed at eliminating risks of unauthorised access to, and loss, misuse or wrongful alteration of, personal information.

These claims look reasonable to the average person, but scratch below the surface and it quickly becomes apparent that these companies don't put their money where their mouth is, as it were.

What we need to start seeing from companies is not only a Privacy Policy that meets the legal requirements of the relevant privacy legislation (e.g. New Zealand's Privacy Act 1993), but a Security Policy that outlines specifically what steps are being taken to guarantee (insofar as a guarantee is possible) users' data security. Troy Hunt raised this idea back in March 2013 and it has a ton of merit. Only problem is in most cases there's no legal obligation for companies to adhere to a minimum standard so the default position appears to be "whatever the minimum required effort is".

 Summary

These three examples are hardly isolated cases. There are plenty of other sites - some very prominent brands too - that are all failing to keep their customers safe. More importantly, it begs the question what developers are still doing building sites like this. We should, as a profession, know better than this by now. So why are these sorts of issues still so common? If it's cost, then the businesses involved have failed to grasp the false economy in the "saved" dollars by not fixing this sort of thing up. The reputational cost alone in a data breach would be several orders of magnitude more than whatever the cost to patch the problem would be.

What can we do as users of these sites and services? Raise the bar. Demand more from these companies and insist that you won't be using their services while the issues remain unaddressed. And if you're a software developer yourself, make sure you're equipped to recognise bad practices. Check out Pluralsight for a range of really good courses, for example. It never hurt anyone to polish up their skills and get a refresher on what should be second nature by now.