A WORD ON SECURITY
I looked too deeply into the pit of many services
A quiet Saturday morning. An email from Zalando, but in Estonian: You have requested to change your email address. Well, I surely had not — and thus started my journey into password and account recovery.
The Zalando story is a thing of its own and as I am typing this, my account recovery is still ongoing. This prompted me, however, to check if any of my passwords had been compromised. I had not used this account in a long time, so it was possible I re-used it somewhere or forgot to activate 2FA.
Google Password Checkup to the rescue. 24 passwords compromised, many more in danger. For some of these accounts I do not even remember ever having had an account — so I grab a cup of hot chocolate and get to work, naively assuming that I will be able to reset my password at least with those that I have still been using. Buckle up, this is going to be a surprise.
Is this still on?
Turns out, a few online shops or services I have been using have in the meantime been bought by other companies — the website I registered with years ago is redirecting to the new one. Obviously, you cannot log in with your account because you never had an account with that new service. Can you be sure the old company has deleted all the info they had about you? Can you be sure your password is not still saved somewhere, without encryption? You cannot.
I guess the only thing that remains to do is adding these services to your list and eventually contacting every single provider, asking them nicely to find your information and delete it. Which, I am sure, will most likely still not happen, GDPR or not.
Blinkist
Google’s Password Checkup will tell you to change it in the app — the app however only lets you change your email, not your password.
Nowhere does it say that you can do this via their website — but you can.
Happy Cheeze
If you’re not living in Germany, you might not know them. They produce extremely good vegan cheese based on fermented nuts. Like, really damn good. Turns out they wanted to find investors and renamed their company. New website, everything. You guessed it: Did I ever receive any information via email? Nope. Can I change my account details now? lol. They do make really fucking good cheese though, check it out.
Dropbox
Turns out I had an old Dropbox account for an email address I had almost forgotten about. When logging in with my old details, Dropbox asked me for an audio challenge to prove I am human. Human as I am, I failed to hear the numbers correctly the first time — but if you try the audio challenge another time, they lock you out saying “Use of the audio challenge for this user has been too high. Please try again.” Quite the infinite loop they send you into now, isn’t it?
While it is great that they try to add another layer of security via audio captchas, when that is the only option offered and it is not even working correctly, they are failing accessibility. Which makes password changes, 2FA activation, or account deletion tedious to impossible. Yay!
Digital Doughnut
Let me be honest with you, I have no clue what digitaldoughnut.com even is or what led me to have an account there. Maybe age got the best of me; I do not remember ever registering at all, yet Google claims I did save account details for that one. Which leads my paranoid self to try and change it. Which doesn’t work.
Since Facebook can be used as a login for many other services, it is crucial you change your details there, too — and add two-factor authentication (2FA). Luckily they offer multiple methods, yet could do with a usability overhaul. When I changed my password, they immediately prompted me to check my previous logins from other devices and services, as well as to enable 2FA if it had not been enabled yet. Does any of that contain a link I could click on? Not at all. You’ll have to find your way.
Not a fan of the service but I kept it in case old friends would like to get in touch. Now here we are: my password might be compromised as I have not changed it in many years, and I successfully locked myself out. They offer to send you a code to get back in so that you can finally delete or update your account info, but alas! That code is never coming, no matter how often I request it to be sent.
Remember Ello.co?
I clearly did not and I was very fond of the idea back in… 2013? Well, I cannot get in there either. Guess who doesn’t get an email to get back into their account? Yup, your favourite Tentacle Quing. Guess they could somehow smell that I considered deleting it.
Apparently I still get new followers there though?
The cherry on top: My bank account
Amazon also decided they wanted to piss me off today and weirdly did not allow an order of a whopping 5 EUR if paid with my credit card. Made me suspicious, but the card is fine, my account doesn’t show any weird movements, I have 2FA on Amazon and so on, so what. I figured I could just use my debit card instead, which requires 2FA for each transaction via an app. A relatively new development from my bank.
Sounds like a good idea — until you need to reinstall the app. You need a QR code sent VIA POST by the bank in order to be able to use the app again. Yes, you can request the code via the app, but then it miraculously says there was an error, please try again.
No problem, I’ll just log into my bank account and send them a message. That’ll surely work?
Nope, you fool! In order to send messages, you also need to verify it is you via the SecureGo Plus app, which is the very reason why I’d have to send them a message. Are they available via phone over a weekend? Ha… ha.
Now I am reaching the end of my capacities. Only 4 compromised passwords to go, and a couple of reused ones (probably from before 2010 tbh, and before you tell me off now, think again and think really hard if you might not have (had) any skeletons in the cupboard). The compromised ones are those that I was not able to delete or change due to any of the mess on the service providers’ side, so I’ll call it a day for now (and call my bank on Monday, bloody hell).
What do we learn from this?
Oh, folks, I don’t know. Use 2FA, change your passwords frequently, use a password manager, yadda yadda. But you know what: It’s not always the users. For us, the most important take-away is: Do not trust anyone handling your data. Systems will fail and humans will forget to look into that.
Service providers: This is on you.
- Allow users to use 2FA. You’d be surprised how many do not.
- Allow users to always, and everywhere, change their password.
- Work on usability and accessibility. MAKE IT EASY FOR EVERYONE. Depending on what private information they had saved in their account with you, they might want to hurry to make it unavailable to anyone who is not authorised to have it.
- Monitor your systems and make sure they work — e.g. if you send people a code to allow them to get back into their account so they can prevent identity theft, SEND THE BLOODY CODE. And send it immediately.
- Inform your users if your service is discontinued and what happens with their data, esp. if it might be continued by another company. Delete ALL of their information if they have not reacted to your info after a specific period of time.
Now I could find you some resources on how to create safe systems for your users, encrypt their data correctly, make them accessible, and monitor whether the services that keep them safe are working at all times — but that would be working for you for free after I already spent hours of my time trying to find a way into your systems to make my old accounts disappear or inaccessible to others. You’re welcome.