
Follow Amazon Example In User Account Management

Organizations that manage sensitive customer information have largely done their users a disservice by using links in emails. While they are trying to be helpful by providing links, the critical side effect is that users get used to clicking on them, and that is one way of facilitating phishing.

The other day my wife received an email from Amazon.com saying that her account name, and possibly her password, had been found on a website and that the information might be real. Amazon wasn't breached. The list of accounts was one of 67,000 released by LulzSec, and some of them seem to have come from another site, unrelated to Amazon.com, that she was registered with. Since users tend to re-use passwords, Amazon customer service sent an alert. Unlike other alerts and regular customer communication from other companies, this email didn’t contain any links but did tell her to enter www.amazon.com into her browser and then how to reset her password. That is the proper and safe way to notify users and have them change a password. More companies should follow Amazon’s lead.

User account management and outreach is an important part of any organization's customer service efforts. For many years, banks, insurance companies and other organizations that manage sensitive customer information have largely done their users a disservice by using links in emails. While they are trying to be helpful by providing links, the critical side effect is that users get used to clicking on them, and that is one of many ways of facilitating phishing. Users get used to clicking on links in emails, even emails that only look legitimate (horrible misspellings and all). Phishers use that habit, plus various techniques, to hide malicious URLs behind HTML anchor tags.

If you work for a company that interacts with customers, do your customers a favor and stop sending emails with links in them. Rather, examine your customer service processes for account management and make them easy (but secure!) to use. Then, create your email templates telling customers to enter the URL in a browser and take the following steps to manage their accounts. If customers complain, and some will, tell them why you are doing so. They’ll get it, and you will have done one small but effective thing to slow the success of phishing.

I tell everyone I know not to click on links in emails, regardless of how legitimate the email looks. If they are telling you to do something, then type the URL in your browser or use a bookmark. If the email is legitimate, then you can always verify that by going to the website directly. Yes, it is slightly less convenient to click a bookmark or type in a URL, but it’s better than having your account credentials stolen.

I also encourage everyone to use a password manager and not re-use passwords across sites. This is slightly harder to do in practice, since it requires extra effort and you have to protect the password manager database, but the benefit is that, if one account is stolen, attackers can’t use one password to get in everywhere. There were a number of Tweets, unverified, of people using the account information in the posted password file to access a number of sites and change the information of victims.

I’d like to thank whoever at Amazon took the initiative to get the list, run a comparison of account names against Amazon’s customer list, and then notify customers of a potential problem.

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ...
