Password security in retail websites compared

  • 06-02-2014 3:08pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    This spreadsheet summarises the results from testing the password vetting systems used by about 90 retailers in online retail environments.

    None of the "moron designed" sites lets the user see their password as they enter it - which is very silly, especially for mobile users and assuming one wishes to make it easy for people to use long complex passwords to increase security. At the very least they could provide a checkbox to allow the client to opt to see their password or not (if someone is within gaze).

    Apple was the only retailer to get 100 - even though they also thoughtlessly are in the ******** password club.

    This is a very wide Google worksheet, so one will have to scroll to the right to see all the columns unless one has an extremely high resolution screen, in which case God bless your eyesight!

    https://docs.google.com/spreadsheet/ccc?key=0Amd2_hGKlMYfdG1USE1Ld19JdGt3dFB3TWhVTkxwMFE&usp=sharing#gid=0


Comments

  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    No eBay or PayPal, or did I miss them somewhere in there?


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    AnCatDubh wrote: »
    No eBay or PayPal, or did I miss them somewhere in there?

    I didn't compile the list! But I would see eBay as an auction site and PayPal as a "shadow bank"... i.e. neither sells their own merchandise, which is probably an indicator that the business is engaged in "retail".


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    I suspect one of the main drivers for the compilation of this list was the news of the many black-hat-hacker-driven payment card fraud operations in the US.

    A potential serious contributor to the reduction in card fraud would be the introduction of EMV cards in the US, using DDA.

    While Ireland uses EMV cards, no Irish bank issues DDA* cards to my knowledge. This leaves the system wide open to a hack attack. See link below.

    The same applies to the “Verified by Visa” and similar MasterCard systems. The Irish banks have outsourced the verification process, which creates needless risks in many ways.

    1) They have not controlled the creation of the password verification code by the client in a secure manner within the banking system infrastructure. Thus the card holder does not see the bank’s security certificate in their web browser – i.e. they don’t really know who they are interacting with.

    2) When you use a card to buy something online, you again get diverted to an outsourced agency – not a bank server displaying a bank security certificate. So again you don’t know who you are parting with your secret to.

    3) The outsourcing agencies used by the two large Irish banks are based in GB, and the US – the two countries with some of the highest credit card and hacking fraud rates in the world.

    4) An enterprising hacker who wanted to steal identities of Irish bank customers could simply set up a website purporting to sell something “sexy” at a low price – e.g. a new iPhone 5s (or the new Samsung Galaxy S5) for around EUR 120 or similar. When the hacker has taken as much data as s/he can get in the order form (name, address, card number, expiry date, CVV, etc.), they then shift the shopper to a new fake “Verified by Visa” page. They can use this page to collect their DoB, mother’s maiden name, passport number, and anything else that takes their fancy.

    The badly managed Irish banks are once again leaving the Irish public exposed to their incompetence, at great risk.

    * http://www.openscdp.org/scripts/tutorial/emv/dda.html
