Web Design Brisbane - Raycon

Protect Your Clients' Data!

Mark Edwards
23-09-2003

Regularly we read about companies who fail to protect their client database and discover that it has been open to intruders. It never seems to happen to us; it is always The New York Times or some other remote operation, and we never really perceive the threat as something that would apply to us. In the last week I learned of one that affected me directly.

In the last week, I have uncovered a privacy problem with an Australian company (we will refer to them as Company X) which provides client email newsletter services to many financial planners, accountants, solicitors and other businesses. The way Company X built their system allows any recipient of an email sent by them to access the entire client database stored on Company X's server.

The email I received from Company X allowed me to quite easily access personal details of other people who received emails from Company X.

My accountant is part of a large national group of accounting practices. The national group decided to offer client list management services to its member firms and chose Company X as the supplier. As a client of one of these firms I received my first email last week, and I immediately saw the potential for a security breach.

By a simple technique known as URL tampering (editing the parameters in the browser's address bar) I was able to log into the Company X system as another user. Company X displays personalised information once you are logged in. Thus, logged in as another user, I was able to see that user's full name, the name of their accountant or solicitor and their email address.

Company X provides a facility to send feedback to your list manager (in this case my accountant) by simply completing an online form.

This presented a simple opportunity for identity theft. Consider the following scenario:

Someone uses this security hole to log in as me. They are then given my accountant's name and my name. They send my accountant an email saying something like:

Hi Charlie (not my accountant's real name),

I am on holidays at the moment but am visiting the bank when I get back about a loan. Would you please fax a copy of my last tax return to my hotel at 04 1234 5678 as I want to get my figures together before I see them.

Best regards,

Mark.

My accountant would receive an email that appears to come from me via the Company X system, and he would be justified in assuming that I sent it. Perhaps he would question it; perhaps he would simply fax off my tax return. The same could be done to many accountants: within a few minutes I had found the data to do this to over 10 accountants and solicitors!

If the thief gets lucky they have my Tax File Number and a lot of details about me including my full address, date of birth and full name. They even have the name and address of my accountant to use as a referee! This is more than enough to steal my identity.

You may think it is unlikely someone would actually find this weakness and exploit it. This is the kind of thinking that companies use to justify not fixing known security holes in their systems. That thinking is dangerously flawed and I will explain why.

At Raycon we take user security and system security very seriously indeed. Amongst many other measures, including robust and secure design, I conduct regular security audits of our client websites to determine if they are vulnerable to common website hacking techniques.

If you think you are a small business and no one would bother targeting you, think again. Each week we record hundreds of random attempts by hackers in the USA and elsewhere to break into parts of our client websites. Company X had a basic weakness in their security for a long period of time, leaving their database open to exploitation. It may never be known whether anyone used this basic security flaw to access client information.

On seeing this weakness, I phoned my accountant and informed them of the problem. They first wanted me to explain it to their IT department, thinking it would be too technical for them to understand themselves. They were surprised when I explained in a short email how it worked and they were able to repeat it themselves. The matter was taken on by the national group CEO the following day for immediate action.

On looking further at Company X's system I could see that URL tampering was possible throughout their system. I suspected that a client of Company X who had administration privileges on their system would be able to do the same.

I called my accountant again to ask if this was the case. Within five minutes on the phone, by URL tampering, he had convinced the Company X system that he was in fact the legitimate administrator of the client list of another company not even a part of his national group. He could view their whole client list. He immediately sent another email to the national group CEO impressing upon him the seriousness of this security issue.

You protect your clients' privacy aggressively. How would your clients feel if they knew how ineffectively your list manager was protecting their data? How would you be affected financially if the identity of one of your clients was stolen in this way?

On the list of ways to hack into a website, URL tampering is rated as the simplest to exploit, as it requires only a web browser and no specialist knowledge. It is also the simplest to design around, and anyone marketing services in this area should be competent enough to avoid it.

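As an added illustration (not Company X's code, which the article never shows), here are the two flaws described above in simplified Python: a profile page that trusts an identifier in the URL, and a list page that lets any administrator name any list, each beside its server-side fix, plus a small check that flags the kind of mismatch worth recording in the logs. All names, records and URLs are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data (not Company X's real records): subscribers
# and the mailing lists they belong to, each list run by one administrator.
USERS = {
    "101": {"name": "Mark", "accountant": "Charlie", "list": "firm-A"},
    "102": {"name": "Jane", "accountant": "Dana", "list": "firm-B"},
}
LISTS = {
    "firm-A": {"admin": "admin-A", "members": ["101"]},
    "firm-B": {"admin": "admin-B", "members": ["102"]},
}


class Forbidden(Exception):
    """Raised when the session holder is not entitled to the requested record."""


def _params(url):
    """Return the query string of a URL as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def profile_vulnerable(url, session):
    """Identity taken from ?user=, so editing the address bar shows anyone's profile."""
    return USERS[_params(url)["user"]]


def profile_hardened(url, session):
    """Identity comes only from the server-side session; the URL cannot override it."""
    return USERS[session["user_id"]]


def members_vulnerable(url, session):
    """Any logged-in administrator can read any list just by changing ?list=."""
    return LISTS[_params(url)["list"]]["members"]


def members_hardened(url, session):
    """Look the list up, then verify the caller actually administers it."""
    list_id = _params(url)["list"]
    record = LISTS.get(list_id)
    if record is None or record["admin"] != session.get("admin_id"):
        raise Forbidden(f"{session.get('admin_id')} does not administer {list_id}")
    return record["members"]


def tampering_suspected(url, session):
    """Detection hook: flag a request whose URL identity disagrees with its session."""
    requested = _params(url).get("user")
    return requested is not None and requested != session.get("user_id")
```

The hardened handlers never let the client choose whose record is returned; the session decides, and the detection hook gives an audit log a line to record whenever a URL tries to.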

It is reasonable to expect that the company entrusted with your client database should understand how to avoid simple website security breaches that could leave your whole client list open to public scrutiny and identity theft. Part of the responsibility of an outsourcing company that looks after client databases is to keep abreast of security issues. It should not be up to your subscribers to find the weaknesses in your system.

Company X is now taking steps to address the identified security holes in their system; however, as a subscriber to a list administered by Company X, I am not comfortable with them being entrusted with my data in future. When their system is back on line I will be requesting the removal of my personal information.

If you would like a professional opinion on the security of your list provider then please feel free to contact us. Also, if you would like your client database administered by a company who take the security of your client data very seriously then you should talk to us!