Note: I’ve doctored the screen shots slightly to remove anything that might identify the offending party. In the text, I’ve also eliminated anything that might give away the organization in question. I’m more interested in highlighting a problem than casting aspersions on that organization. The issue is still valid with the sanitized images and text.

It all started with an e-mail….

The e-mail

The e-mail came at 9:00 on a Friday night from an address at a trusted domain. The messages I normally receive from this organization tend to be utilitarian and this one looked like so many others I’ve received from them in the past.

From: system_name@trusteddomain.com
To: Turpin, Glen
Subject: ID Update has been assigned to GLEN TURPIN

Please take a moment to update your ID in the Information Update Portal. This will only take a few minutes so please complete ASAP. Click on the link to access the document with instructions.

http://trusteddomain.otherfamiliardomain.com/big_nasty_url&with_params=lots

Update my ID? Why on earth would I need to update my ID? There’s an information update portal? This message screams identity theft. At best, it looked like a ham-fisted phishing attempt. Where’s the threat that my account my account with Big Bank or Credit Union might be closed? Where’s the offer of millions of dollars in Nigerian diamonds?

More seriously, why would this organization ask me to update my user ID?

I was curious. Better still, I was on a relatively secure system while curious. I copied the link and pasted it into my browser.

The first web site

The link brought me more or less where I thought it would, which was to a site branded by an outsourced service provider. I was surprised at the complete lack of branding from the trusted organization, as well as the cluttered interface. The relevant part of the page was buried in lots of other noise.

Note: This image has been altered slightly to obscure its origin.

That’s it? A Word document? Do I still have to worry about Word macro viruses, or is that passé? I was sure that my anti-virus and malware protection suite would take care of that. Should I be sure? Probably not. But I was living dangerously, so I opened the document.*

The Word document

The Word document was a three page, poorly written file with awful screen shots and inconsistent company branding that explained that I need to visit yet another site, log in with my ID and password, and confirm some of my identity information. Looking at the document properties, I found enough clues to confirm that the document did come from the trusted source. And yet again… everything about it made it seem like an inept phishing attempt.

Important note: At no point did this document explain why or how my ID needed updating. I still had no idea what it means to update a user ID.

The second web site

I wish I could have included a screen shot of the header of the second web site, but there was no way for me to do that without revealing its source. The top of the page provided more unhelpful instructions, displayed as an image, complete with red error squiggles under one word.

The lower section of the screen consisted of this login screen.

Why would I want to change my password on a mysterious, phishy site?

I stopped there. I’d love to know what happens next, but I could go no further on this journey without potentially compromising my password.

Observations

1. It took an e-mail, two web sites and a Word doc to send me to the final screen, and I still had no idea why I was being sent there. A single e-mail would have sufficed, with a paragraph or two to explain the required update, plus a link to the final login screen.
2. If your communications look like phishing attempts, you have a problem. You’ll either erode trust in your organization, or you’ll train your users to blindly succumb to phishing attempts. Neither outcome is positive.

My respect for this organization has diminished, and my trust in their ability to treat my personal information responsibly has been dramatically eroded. I have to wonder if they’ve already been compromised and that identities are being stolen by insiders.

Who lets something like this happen?

Photo credit: 50mm

1. * Try to guess where to click to open the document. The underlined ID Update? No! The downward-facing double chevron? No! The green arrow box that was ripped off from Windows XP? Bingo.

A year ago, InformationWeek wrote that 90% of Facebook applications have unnecessary access to private data. More recently, Computerworld’s Mike Elgan wrote that Facebook is increasingly popular with 419 scammers.

According to the Open Security Foundation’s Data Loss database, there were 360 data incidents in 2008. With 140 million users, I hypothesized that Facebook is a likely target for hackers and data thieves because it’s too attractive to ignore.

Well, here we are in the first week of January and Twitter was hacked. Oops. I was off target. And maybe I’m still an alarmist and a curmudgeon, because I still think we’ll see another Facebook privacy incident in 2009.

While some of the results are out of date (I doubt that retail banking is the most trusted industry in the U.S. anymore) the factors that build and erode trust probably haven’t changed much.

According to Unisys, the top five attributes for building and eroding trust in an organization are:

Most interesting factoid: More than one in three organizations (36% in U.S., 27% in U.K.) have no one managing trust within their organizations.

I’d love to see an update to this survey.

Research from Burton Group suggests that the average user can spend up to 15 minutes every day logging on to separate application – which adds up to 65 weekday hours spent entering user IDs and passwords each year.

The article goes on to point out that one of the greatest criticisms of single sign-on (like OpenID) is that it creates a single point of potential compromise. It counters that single sign-on technologies make password quality rules easier to enforce, with alpha-numeric combinations of any length, case or format becoming practical. I’m not sure I buy that argument, but I’m not familiar with all the technologies discussed in the post, so I’ll leave it at that.

Bottom line: We have too many passwords.

It didn’t feel like an excessive password day. Some days are much worse.

If you’re anything like me, you have hundreds of passwords and you store more and more information online every day. And unfortunately, passwords are not always secure.

• Passwords that are easy to remember are often weak. (Back in 2006, 1 percent of MySpace users had the word “password” as, or as part of, their password. I don’t have more recent data, but I imagine that’s still fairly representative of passwords in general.)
  
• Strong passwords tend to be harder to remember. Often, people write them down, tape them to the bottom of keyboards, put sticky notes next to their monitors, hide notes in drawers, and so on. Not secure.
• If you use many systems, chances are good that each one will have different password requirements, i.e., length, capitalization, punctuation, special characters. Sometimes remembering the password rules for a system can be as hard as remembering the password itself.  (And according to one information security consultant, restrictive password schemes actually reduce the number of possible passwords.)
• Often, organizations with “strong” information security policies make you change your password frequently and prevent password recycling, but that makes it even harder to remember your password. When you have to remember long, arcane, frequently-changing passwords, what do you do? You write them down. (See #2.)
• Finally, chances are you have different user names across various sites, too. It’s hard enough to remember your password, but if you can’t even remember your user name….

So it’s hard to create and maintain good passwords across multiple systems. Theoretically, that’s what OpenID was created to address: a single log on with a single password that you can use to access multiple systems. Great idea.

The problem is, it’s too complicated for mere mortals to use. Let’s hope that changes.

UPDATE: The day after I posted this, Ben Laurie, who has forgotten more about security than I’ve ever known, posted about a similar issue on his blog. It’s worth a read.