I was helping a company today with a problem with their Web site and found it necessary to reset the client’s password. I couldn’t find the button to do it myself, so I chatted with the support staff online. They were more than willing to reset my password once I provided the client’s name and their mailing address.
Of course, their mailing address is on the Web site and the client’s name was easy to figure out with a Google search. The irony was I was resetting their password because their old password had been compromised! Little did I know how easy it would be to compromise an account.
I really can’t believe it is 2012 and security is still this lax. It isn’t just this one company (who I am intentionally not naming), it is everywhere, even at large companies like Amazon and Apple.
Here are some best practices for authenticating clients:
- Have them verify their identity with information that is non-public. The last 4 digits of the credit card number last used to make a payment, last 4 of a social, the answer to a security question or questions all sound like good options.
- Offer to call back the phone number used during sign up. This won’t work in all situations but is an easy way to make sure people are who they say they are without asking any questions.
- Send an email to a known good email address and await a reply.
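As an added example (my own code, not anything from the post or the hosting company in question), here is a small Python model of the verification step a support desk should run before resetting a password. It uses a constructed account record, treats name and mailing address as public information that can never be sufficient on its own, checks the non-public factors from the list above (last 4 of the card, security answer) against salted hashes with a constant-time compare, caps failed attempts, and models the two out-of-band checks: a callback to the number on file and an emailed challenge token. The names `make_account`, `verify_claims`, `callback_number`, `issue_email_challenge` and `confirm_email_challenge` are assumptions for this example, not anyone's real API.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILED_ATTEMPTS = 3              # stop support-desk guessing after this many misses
PUBLIC_FIELDS = ("name", "address")  # findable with a search: checked, but never sufficient
NON_PUBLIC_FACTORS = {               # claim key -> key of the stored hash
    "card_last4": "card_last4_hash",
    "security_answer": "security_answer_hash",
}


def _normalise(value: str) -> str:
    # "1 Main St" and " 1  main st " should compare equal.
    return " ".join(value.lower().split())


def _hash_factor(value: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked support database does not hand the factors out.
    # A 4-digit value is still only 10,000 offline guesses, hence the attempt cap.
    return hashlib.pbkdf2_hmac("sha256", _normalise(value).encode(), salt, 50_000)


def make_account(name, address, phone, email, card_last4, security_answer):
    """Build a constructed account record (sample data only)."""
    salt = os.urandom(16)
    return {
        "name": name, "address": address,   # public
        "phone": phone, "email": email,     # contact channels on file, used for out-of-band checks
        "salt": salt,
        "card_last4_hash": _hash_factor(card_last4, salt),
        "security_answer_hash": _hash_factor(security_answer, salt),
        "failed_attempts": 0,
    }


def verify_claims(account, claims):
    """Return (ok, matched_factors).

    Public fields must match if supplied, but only non-public factors count
    toward a pass; any wrong non-public answer is a hard fail and burns an attempt.
    """
    if account["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        return False, []                                  # locked: escalate, do not reset
    for field in PUBLIC_FIELDS:
        if field in claims and _normalise(claims[field]) != _normalise(account[field]):
            return False, []
    matched = []
    for claim_key, hash_key in NON_PUBLIC_FACTORS.items():
        if claim_key not in claims:
            continue
        candidate = _hash_factor(claims[claim_key], account["salt"])
        if not hmac.compare_digest(candidate, account[hash_key]):
            account["failed_attempts"] += 1
            return False, []
        matched.append(claim_key)
    if not matched:
        return False, []                                  # name + address alone: refused
    account["failed_attempts"] = 0
    return True, matched


def callback_number(account, claimed_number=None):
    """Always dial the number on file from sign-up, never one the caller gives in chat."""
    return account["phone"]


def issue_email_challenge(account):
    """Create a one-time token to send to the address on file; store only its hash."""
    token = secrets.token_urlsafe(16)
    expected = hashlib.sha256(token.encode()).digest()
    # In a real system `token` is emailed to account["email"]; returned here to simulate the reply.
    return token, expected


def confirm_email_challenge(expected_hash, reply_token):
    """Accept the reset only if the reply carries the token that was emailed."""
    return hmac.compare_digest(hashlib.sha256(reply_token.encode()).digest(), expected_hash)


if __name__ == "__main__":
    acct = make_account("Jane Doe", "1 Main St, Springfield", "+1-555-0100",
                        "jane@example.com", "4242", "Rover")
    print(verify_claims(acct, {"name": "Jane Doe", "address": "1 Main St, Springfield"}))
    print(verify_claims(acct, {"name": "Jane Doe", "card_last4": "4242"}))
```

The first print is the scenario from the post (name plus mailing address) and comes back as a refusal; the second passes because a non-public factor matched. The attempt cap matters as much as the hashing: four digits and a pet's name are small search spaces, so the check only holds up if the desk cannot be asked ten thousand times.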
And here’s a quick tip for Web hosting purchasers: try calling or chatting with support and see how easy it is to reset your password. If it is too easy, switch companies!