Tuesday, November 30, 2010

Online Retailers: 7 of 10 Didn't Protect Their Customer Information in a Secure Way / Password Reset Page

From the error page design rules 101, we should only tell the audience general error information instead of detailed information that tells hackers something about your system.
  
Now it's the holiday season, and I got a chance to visit several e-commerce sites that I don't visit very often. For some sites I forgot the password; luckily, every site has a password reset option. Unfortunately, 7 of 10 sites didn't secure the user information correctly. I will give some examples, good and bad ones.

One of my favorite sites, HPShopping.com. When you input an email address, it tells you immediately whether that email belongs to an HP Shopping customer or not. This process is not protected by any sort of CAPTCHA, AND it could be scripted as part of a spam campaign or targeted phishing. The idea is very simple: go through an email database that has a lot of junk addresses, filter out the valid HP Shopping customers, then send targeted phishing email.

Bad example, HP Shopping.
[screenshot: HP Shopping password reset page]

Same thing for buy.com.
[screenshot: buy.com password reset page]
staples.com, no luck.
[screenshot: staples.com password reset page]

Some good examples.
Apple.com. When you input an email address, whether it's a valid customer or not, it just shows you a general message. If it's a real account, you will get the password reset notification.

[screenshot: Apple.com password reset page]

[screenshot: Apple.com password reset confirmation]

That's a sweet design. From the perspective of security, it's secure. For user convenience, it's secure too: no extra steps required.

Also some good examples that might cause some inconvenience, since they need an extra step to identify yourself and key in the CAPTCHA code.

Amazon.com: a regular, legitimate user learns immediately whether the account is good or not, but has to pass the CAPTCHA test first. However, it's SECURE.

[screenshot: Amazon.com password reset page with CAPTCHA]

Newegg has a similar approach. It combines the Amazon and Apple designs, which is the most secure one: it requires a CAPTCHA and tells only general information.

[screenshot: Newegg password reset page with CAPTCHA]
[screenshot: Newegg password reset confirmation]
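To make the difference between the bad and good designs concrete, here is an added example (my own illustration, not code from any of the sites above): a minimal password-reset handler written the leaky way and the Apple-style way, plus the check I would run to tell them apart. The account store, the `outbox` list and the function names are all constructed for this demo; the CAPTCHA step that Amazon and Newegg add is not modelled here.

```python
# Added example: leaky vs. hardened password-reset handler.
# USERS, outbox, reset_leaky, reset_safe and leaks_existence are constructed
# for this demo; they are not any retailer's real code.

# Constructed sample account store: email -> display name.
USERS = {"alice@example.com": "Alice"}

# Mail the handler would send, collected here instead of delivered.
outbox: list[tuple[str, str]] = []

# One message for everybody, whether or not the address is a customer.
GENERIC = ("If an account exists for that address, we have sent "
           "password reset instructions to it.")


def reset_leaky(email: str) -> str:
    """Leaky design (HP Shopping, buy.com, staples.com in the post):
    the visible response differs for known and unknown addresses,
    so a script can use the page to confirm which addresses are customers."""
    if email not in USERS:
        return "We could not find an account with that email address."
    outbox.append((email, "reset-link"))
    return "A password reset link has been sent to your email."


def reset_safe(email: str) -> str:
    """Hardened design (Apple in the post): identical response either way.
    The reset mail still goes only to real accounts, so the legitimate
    user gets the link while the page itself reveals nothing."""
    if email in USERS:
        outbox.append((email, "reset-link"))
    return GENERIC


def leaks_existence(handler) -> bool:
    """Review check: does the handler's visible output change between
    a known and an unknown address? True means the page enumerates accounts."""
    known = handler("alice@example.com")
    unknown = handler("nobody-here@example.com")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler leaks account existence:", leaks_existence(reset_leaky))  # True
    print("safe handler leaks account existence: ", leaks_existence(reset_safe))   # False
```

The same check applies to HTTP status codes, response timing and redirect targets, not only the message text; any observable difference between the two cases is an enumeration channel.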
