MAY 26, 2005
Leaky Web Sites Tell All About You

By Stephen H. Wildstrom

They make it creepily easy for Net snoops to retrace your steps. And it takes so little for users' privacy to be protected better

Fred Fluffernutter is a pro-choice baseball fan who reads the electronic version of The Washington Post and shops online at Victoria's Secret, Amazon.com (AMZN), and L.L. Bean. I know every Web site where Fred is registered because I invented him and filled out the forms. But it is distressingly easy for anyone to assemble a profile of Fred -- or you or me -- because of the way Web sites leak personal information.

A simple and legal way of harvesting personal data from many sites was described to me by Blue Security, an Israeli company, which calls the technique "hostile consumer profiling." A marketer or would-be identity thief begins by obtaining someone's e-mail address, in this case, fred_fluffernutter@hotmail.com. Many sites that require registration use your Net address as a user name; in other cases, people are likely to choose login names, such as fred_fluffernutter, based on their Net address.

FRUSTRATING AVAILABILITY. Partly because of that convention, it's all too easy to find out who is registered for what activities. For example, if you attempt to register at NARAL Pro-Choice America with a name already in use -- say, Fred's -- a message pops up on the screen, saying: "Thank you for confirming your membership." An impostor or a marketer building a profile can now infer that Fred is a likely supporter of abortion rights.

Other sites can be tricked into confirming a registration. For example, if you request a "lost" password, they will report either that the password has been sent to the registered e-mail address or that no such address is recorded. I used such tricks to verify that Fred had registered at the Web sites of Major League Baseball, The Post, Victoria's Secret, and L.L. Bean, and the same techniques could be used with thousands of other sites.
Harvesting this information one site and one user at a time would be economically impractical, but it doesn't take a great deal of skill to write a program that will automate the chore, checking thousands of addresses against dozens of sites. The frustrating thing is that this information is so readily available -- when it would take so little for Web sites to protect users' privacy by acting responsibly.

Blue Security found that no online banks give up information to these simple-minded attacks. One reason, of course, is that they typically base the identity of their users on account numbers, not e-mail addresses or self-chosen names.

NO EXCUSE. Security-savvy organizations often include a sort of puzzle in the registration process. Typically, this is a random word displayed in distorted type against a complicated background. To go forward with a request, you must type the word into a box. The trick is that the word is easy for people to read, but difficult or impossible for a computer, so it frustrates automated harvesting of information. But the organization must make special provisions for the visually impaired.

A better approach is taken by the Gay & Lesbian Alliance Against Defamation. When you register on glaad.org, you are sent an e-mail to confirm. If someone else tries to sign up using the same e-mail address, the registration appears to be accepted, but the site issues another e-mail requesting confirmation. The phony registrant learns nothing, and the real account owner is notified of the spoofing attempt (and is asked to forward the message back to GLAAD).

The sort of information leaked by poorly designed Web sites won't let anyone else run up charges on your credit card. But the ease with which someone can build a profile of your interests and activities is more than a little creepy. And the information harvested can be used to create targeted spam or individualized phishing attempts that leverage information about you -- "Special for Boston Red Sox fans!" -- to extract more valuable data, such as account numbers and passwords. Considering how easy it is to prevent such attacks, Web site operators have no excuse not to take the steps needed to protect their customers or members.

Wildstrom is Technology & You columnist for BusinessWeek. You can contact him at techandyou@businessweek.com
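The two behaviours the column contrasts, the "lost password" handler that tells you whether an address is on file and the GLAAD-style registration flow that answers identically either way, can be shown side by side in a small toy. The Python below is an added illustration, not code from the article or from any site it names; the in-memory account store, the `Outbox` mail stand-in, the reply strings and the placeholder abuse address are all assumptions made for the example. The `leaks_existence` check at the end is the kind of self-test a site operator can run against their own handlers: if the on-screen reply differs between a registered and an unregistered address, the handler is an existence oracle.

```python
"""Account-existence leaks via registration and 'lost password' handlers.

Added illustration (not code from the article or from any site it names):
a toy in-memory account store with a leaky lost-password handler beside a
hardened one, plus a registration handler that follows the GLAAD-style flow
the column describes: reply identically whether or not the address is
already registered, and let e-mail carry the distinction to its real owner.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample data: the column's fictional user, not a real account.
ACCOUNTS = {"fred_fluffernutter@hotmail.com": {"confirmed": True}}


@dataclass
class Outbox:
    """Stand-in for a mail transport; collects (to, subject, body) tuples."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


def leaky_password_reset(email, outbox, accounts):
    """The behaviour the column criticises: the visible reply says whether
    the address is on file, so the handler doubles as an existence oracle."""
    if email in accounts:
        outbox.send(email, "Your password", "Your password has been sent.")
        return "The password has been sent to the registered e-mail address."
    return "No such address is recorded."


UNIFORM_RESET_REPLY = ("If that address is registered, a reset link has "
                       "been sent to it.")


def uniform_password_reset(email, outbox, accounts):
    """Hardened: the same reply text (and, in a real app, the same HTTP
    status) for every input; only the e-mail side differs, and only the
    address's owner sees that."""
    if email in accounts:
        token = secrets.token_urlsafe(32)  # one-time reset token (assumed design)
        outbox.send(email, "Password reset", f"Reset link token: {token}")
    return UNIFORM_RESET_REPLY


UNIFORM_REGISTER_REPLY = "Thanks. Check your e-mail to confirm your registration."


def uniform_register(email, outbox, accounts):
    """GLAAD-style flow from the column: a new address gets a confirmation
    mail; an address already on file gets a notice sent to its real owner,
    who can forward it to the site. The on-screen reply is identical."""
    if email in accounts:
        outbox.send(email, "Someone tried to register with your address",
                    "If this was not you, forward this message to "
                    "abuse@example.invalid (placeholder address).")
    else:
        accounts[email] = {"confirmed": False}
        outbox.send(email, "Confirm your registration",
                    "Click the link to confirm (token omitted in this toy).")
    return UNIFORM_REGISTER_REPLY


def leaks_existence(handler, known, unknown, accounts):
    """Defender's self-check: a handler leaks if what the caller sees differs
    between a registered and an unregistered address. Each probe gets its own
    outbox and a copy of the store, so only the visible reply is compared."""
    return handler(known, Outbox(), dict(accounts)) != \
        handler(unknown, Outbox(), dict(accounts))


if __name__ == "__main__":
    known, unknown = "fred_fluffernutter@hotmail.com", "nobody@example.invalid"
    for h in (leaky_password_reset, uniform_password_reset, uniform_register):
        verdict = "LEAKS" if leaks_existence(h, known, unknown, ACCOUNTS) else "ok"
        print(f"{h.__name__:24s} {verdict}")
```

Identical reply text is necessary but not sufficient: if the handler sends mail synchronously only when the address exists, response time still distinguishes the two cases, so the mail should be queued the same way on both paths (or always deferred to a background job). Rate limiting per source and per target address, and the same HTTP status on both paths, close the remaining gaps the toy does not model.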