How secure is your web account?
It’s tax season and like many of you I’ve been working with an accountant to prepare my tax return. I moved to a remote desert community a couple of years ago but I still use the same accountant I had in the city. We can easily handle all the issues over the phone and e-mail and an occasional package in USPS.
Recently, however, my accountant had his IT consultant set up a web portal so his clients could upload tax documents. He told me they were using 256-bit SSL and that it was all secured. I thought that was a great idea and proceeded to register on his site. As is the usual practice these days, I had to select a username and a password and enter and confirm my e-mail address. I was very careful to use a strong random password created by my KeePass password manager. At the end of the process the website indicated that my account was pending and that I’d receive a confirmation e-mail shortly. Sure enough, about 10 minutes later I got an e-mail confirming my selections for username and password and thanking me for creating an account.
If I were an average user I probably would have merrily uploaded my files and moved on to the next task in my busy work day. Of course, I’m considerably more paranoid about security, so I called my accountant and let him know that he should fire his IT consultant on the spot!
While divulging the username of an account in a confirmation e-mail is not a great idea, it presents relatively little risk provided that the password is strong and kept secret. Divulging the password along with the username in an open e-mail, however, is a major security blunder!
My accountant is a great guy and apologized profusely after I told him of the situation. He clearly didn’t know what was going on in the account setup process or its potential ramifications. I honestly felt bad for him, since IT and security are not his strong suit. We quickly closed my account and agreed to find a better way for him and his clients to share files after the tax rush was over.
In light of this situation, I wanted to remind all of you that you need to pay attention to your security all the time. Don’t assume that just because someone has an “IT guy” and says that something is secure that they necessarily know what they are doing!
Be careful, be suspicious, be paranoid if necessary!
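To make the blunder concrete, here is an added example (mine, not code from the post or from the accountant's portal) contrasting a registration flow that echoes the password back in the confirmation e-mail with one that stores only a salted PBKDF2 hash and mails a single-use confirmation token instead. The in-memory user store, the `portal.example` confirmation URL and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store standing in for the portal's database (assumption).
USERS = {}


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; only salt, iteration count and digest are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    """Constant-time comparison of a login attempt against the stored digest."""
    _, _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def register(username, password, email):
    """Create a pending account; the cleartext password is not retained anywhere."""
    salt, iterations, digest = hash_password(password)
    token = secrets.token_urlsafe(32)  # single-use, unguessable confirmation token
    USERS[username] = {"email": email, "salt": salt, "iterations": iterations,
                       "digest": digest, "pending_token": token}
    return token


def confirmation_email_insecure(username, password):
    """The blunder from the post: username AND password sent in cleartext e-mail."""
    return f"Thanks for registering.\nUsername: {username}\nPassword: {password}\n"


def confirmation_email(username, token):
    """Hardened: the mail carries only the username and a confirmation link."""
    return (f"Thanks for registering, {username}.\n"
            f"Confirm your account: https://portal.example/confirm?token={token}\n")


def confirm(username, token):
    """Activate the account if the token matches; the token is consumed on success."""
    user = USERS.get(username)
    if user is None or user["pending_token"] is None:
        return False
    if not hmac.compare_digest(user["pending_token"], token):
        return False
    user["pending_token"] = None
    return True


def leaks_secret(mail_body, secret):
    """Check an outgoing message never contains the user's password."""
    return secret in mail_body
```

The hardened flow also means the server never has a reason to hold the cleartext password after hashing, so it cannot be leaked by mail, logs or a database dump.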