Why don’t services take proper care to protect our valuable details from hackers?
When your customers entrust you with valuable information — especially payment details — all responsible services should take care to…
When your customers entrust you with valuable information — especially payment details — all responsible services should take care to properly protect those details from the very real danger of hackers, but many still don’t. I learned the hard way.
by Simeon Wishlade, Senior Designer, Wilson Fletcher
finally set up an Uber account last December since everyone was raving about it. I have never booked a cab through it (I like to cycle everywhere) so I was surprised when I woke up last week to two Uber receipts for cabs that I’d taken in San Diego. Was I in San Diego? No. I was in London, where I always am, and I certainly hadn’t spent $160 on cab rides, not even in my dreams.
I changed my password for the account (I could still log in — whoever had access to my account hadn’t bothered changing it), changed the password for my associated email account, changed all the settings back to what they had been, verified my phone via text and assumed that would all be OK. I’m quite fastidious about passwords and take care to use uppercase, lowercase, numbers, and symbols, especially when it comes to services that hold my card details.
I woke up days later to another two taxi receipts from San Diego. Not a great advert for Uber’s security.
This had me thinking about user accounts in general, especially for services that withdraw money from your account after you’ve used the service. For services like gas and electricity, which are associated with my house, this seems logical — I doubt anyone will break into my house turn the thermostat up to 30 degrees while I’m out and give me a HUGE bill at the end of the month just to spite me. Mobile phones run on the same principle, but you shouldn’t be able to access my phone without my fingerprint or passcode — although that might be a whole other article.
Still, nearly all digital services give you access to your account details once you’ve logged in: your email address (which was probably part of your log-in credentials), the ability to change your password (sometimes you’re told to enter your old password first — but the hacker has that already) and your mobile number are all easy to locate once you’re in.
That means these details can be changed, so my San Diego Uber Hacker could easily change my phone number to his or her own, meaning the service was open for them to book cabs til their heart’s content. They could have also changed my email and password without any security measures in place, at which point I would have been locked out of my account and with a changed email I would be none the wiser to the taxi receipts.
So what’s the solution?
The answer is having two-tier authentication on all accounts. Details like my name, my email address, my phone number and my password will change very rarely and are valuable pieces of information. Once I log into my account, I might be able to do simple steps like change a preferences, view past purchases/journeys etc, but no valuable information should be seen. Valuable information should be hidden and non-editable.
For services that allow you to buy physical products (Amazon, Asos and Tesco) you are generally asked to enter in at least your CVV number. Whenever you try to shop to a new address that you haven’t sent to before you are forced to re-enter your card details or go though the Verified-by-Visa screen with the unique password you set up on your card. While the ability for a hacker to abuse your account is less, the valuable information should still be hidden behind an extra security layer.
To access the information, all services should require a unique code to access (maybe using Google Authenticator) or a four/six-digit code sent via text that lasts for ten minutes. Once you have access, all the information is available and you can edit your choices. As a back-up precaution once these details are edited, you are then sent an email (to the original email address) saying that details have changed, a link to reset the password and a number to call in case your account has been jeopardised.
During the account set-up process, the user should be pushed towards setting up two tier authentication, and if they don’t have a phone to set it up then making sure they understand that their password should be different to their email address. Then if their account is jeopardised, the email they receive once their details have changed won’t be accessible to the hacker, and the hacking loop comes to an end.