
Ask Slashdot: Why Do Firms Leak Personal Details In Plain Text? 252

Posted by timothy
from the more-exciting-that-way dept.
An anonymous reader writes "Having entered my personal details (full real name, home address) to websites with an 'https://' prefix in order to purchase goods, I am still being sent emails from companies (or their agents) which include, in plain text, those same details I have entered over a secure connection. These are often companies which are very keen to tell you how much they value your privacy and how they will not pass your details on to third parties. What recourse does one have to tell them to desist from such behaviour whilst still doing business with them if their products are otherwise desirable? I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this?"

  • depends (Score:5, Interesting)

    by bloodhawk (813939) on Saturday May 18, 2013 @11:26PM (#43765951)
    It really comes down to what their privacy policy says, the country you are in and if they claim they do not share any information with 3rd parties and you were smart enough to use separate email addresses or unique identifying information so you can show the information had to originate with them then in many countries there definitely are legal avenues you can follow. But for the most part you are shit out of luck, find someone else to deal with. I started creating unique information that I can easily map to individual sites so I will know who is fucking me over whenever I register somewhere.
    • Re:depends (Score:5, Interesting)

      by tysonedwards (969693) on Sunday May 19, 2013 @12:22AM (#43766185)
      Why do firms leak personal details in plain text?
      In the words of Tweak Tweak: "Uh... It's easy?"
      • Re:depends (Score:5, Funny)

        by AmiMoJo (196126) * <(mojo) (at) (world3.net)> on Sunday May 19, 2013 @04:53AM (#43766809) Homepage

        They see it as providing better customer service. Instead of an impersonal bulk email they can send you an impersonal form email with the name you entered at the top of it, complete with the incorrect capitalization that so many people seem to enjoy. Why make you go look for your account number when they can just send it to you in every single communication.

    • Re:depends (Score:5, Interesting)

      by jellomizer (103300) on Sunday May 19, 2013 @02:59AM (#43766529)

      For most Security Leak issues, it comes down to a simpler problem.
      Most people have crappy computer skills.
      You can have a perfect system, but it takes one guy from sales or marketing to take the data, dump it as an Excel or CSV file and just email it or drop it in a public space because he just doesn't want to be bothered by dealing with IT.

      XKCD [xkcd.com] kinda shows this problem. We still don't have a good way to transfer files with people on different networks. We have the technology but no clear standard.

      • by tqk (413719)

        XKCD [xkcd.com] kinda shows this problem.

        Not really (but thanks for that anyway :-). My free email acct. allows attachments as big as 50 Mb.

  • by Anonymous Coward
    https is designed to prevent others from intercepting the traffic en route - it has basically nothing to do with how the data are stored. Should everything be encrypted? Yeah. Passwords should be salted+hashed+more because the company has no valid reason to know what the plaintext is. I hope that if I am buying something that they have a valid reason to know what the plaintext version of my address is - I don't think the USPS is that good (yet).
    • by Anonymous Coward on Sunday May 19, 2013 @01:26AM (#43766331)
      He's not claiming that the data is stored encrypted. All he is saying is that the data he sends encrypted shouldn't be sent back to him unencrypted later.
      • by Gonoff (88518)

        He's not claiming that the data is stored encrypted. All he is saying is that the data he sends encrypted shouldn't be sent back to him unencrypted later.

        He seems to be mainly saying that he does not like his address getting into the hands of other parties. The fact that these other parties don't give a toss about his privacy does not really seem surprising.

        • by gbjbaanb (229885) on Sunday May 19, 2013 @08:17AM (#43767293)

          and his solution is to mail the IT department at the company, like the PHB there gives a fig (or possibly even understands the problem)

          What he should do is mail the legal department instead, or failing that the CEO or CIO. They might not understand the situation either but they'll understand the words "privacy" and "violation" and sit up, then they'll pass the blame on to the IT PHB and he'll have to "just fix it" in some way. Which he will do by getting an underling to remove most if not all of the personally identifying information from all emails in an overly-broad way, until the Marketing department decides it needs to put your address on every email all over again.

        • by bwcbwc (601780)

          Well, that plus the fact that by sending an unencrypted email that is stored on the mail servers of an unknown number of ISPs and mail forwarders, they are (probably) violating the privacy notice that says they are only sharing his data with affiliated parties, government, etc.

          I was going to suggest S/MIME backed by certificates issued by a low-cost/free certificate authority (this would be a good service for the Open ID foundation or Amazon to get into, since they already have a widely-used SSO service), b

    • by symbolset (646467) *
      HTTPS means that you have a securely encrypted connection with the remote server. Not that the people who own the remote server are going to keep your privacy sacred.
  • by bcjanes (469676) on Saturday May 18, 2013 @11:28PM (#43765971)
    The reason you get emails with your personal information has nothing to do with https (secure) v/s http (insecure), it has to do with the company you did business with sharing/selling your information with their 'business partners' and / or selling it to marketing companies, and the tracking cookies from other websites you've visited.
  • Name and address? (Score:5, Insightful)

    by scottbomb (1290580) on Saturday May 18, 2013 @11:32PM (#43765991) Journal

    People are waaaaay too paranoid these days. There is nothing sacred about your name and address. No one can steal your identity with it. If the email had your SSN or DOB in it, that would be different. But your name and address? If you have a landline phone, it's probably in a phone book and on numerous telephone directory websites and has been for years. Public court records have your name and address too. Nobody cares.

    • Re:Name and address? (Score:5, Informative)

      by Anonymous Coward on Saturday May 18, 2013 @11:47PM (#43766079)

      The thing that gets me is that when people give social security numbers, they always give the last four digits. The problem is that those are really the most sensitive for anyone who got one before the year 2011. I met a guy in college who could construct a whole SSN using your place of birth and birth date. The reason is that the first 3 represented geographic location and the middle 2 were given out in a certain order. The last four ticked up for each person assigned and were therefore the hardest to narrow down and guess. The reason is that they were not designed to be used the way we use them, and instead the government should come up with a ground up, randomly assigned number to actually identify people with or require that the ssn not be used that way.

      • by Anonymous Coward on Sunday May 19, 2013 @12:02AM (#43766125)

        The reason is that they were not designed to be used the way we use them, and instead the government should come up with a ground up, randomly assigned number to actually identify people with or require that the ssn not be used that way.

        Or we could just go with digital signatures aka RSA. It is 2013. Why the fuck are we still relying on a system that, each time you identify yourself to someone via SSN, you give them the non-revocable ability to impersonate you forever? It is earth-shatteringly stupid.

        • Re:Name and address? (Score:5, Interesting)

          by Bing Tsher E (943915) on Sunday May 19, 2013 @01:35AM (#43766347) Journal

          The Government could fix the whole SSN issue by doing something direct and simple.

          Publish all SSN's in a big directory.

          They were never intended to be 'secret numbers' that would be used to validate anybody's identity. They were registration numbers for the Social Security System.

          Publishing them ALL would force businesses and organizations to come up with real 'secure identifiers.'

          • by zyzko (6739)

            This,

            I do not live in the US, and we do have here (an evil and communist) centralized SSN system.

            Still, companies and even government agencies sometimes (although they are getting wiser...) use SSN's as passwords when they should not - SSN should be public, your "GUID", and just identify that "I am this person", but not verify that identity. It is stupid - because once the SSN leaks out it is extremely hard to change, and you can't manage your identification method on per-service basis (on some less importa

    • by Anonymous Coward on Saturday May 18, 2013 @11:50PM (#43766091)

      Well since it's no big deal, what is your name and address?

      • There is a difference in having your name and address returned to you in a plain text email, and having it published on a site like Slashdot.

        To be honest, I always thought the secure information was the credit/debit card number. Now if that was sent in a plain text email I'd be annoyed.
    • Re:Name and address? (Score:5, Interesting)

      by Zontar The Mindless (9002) <<moc.liamg> <ta> <ofni.hsifcitsalp>> on Sunday May 19, 2013 @12:14AM (#43766153)

      I am sure that the incredible fucktards at Air China who recently sent me a flight confirmation would like to know that.

      It contained my full legal name, home address, and phone numbers. This does not bother me so much, as this is Sweden where most information of this sort is considered public knowledge. Want to know how much my flat is worth and what I paid for it? Did I pay taxes last year, and if so, how much? Feel free to hop on over to Skatteverket and file an info request.

      The email also contained this:

      Identifying document: US Passport
      Identifying document number: #XXXXXX
      Identifying document valid until: xxxx2020

      Until 3 days ago, as I have not yet actually used this passport for travel, the only people on Earth who knew this number were me, the US Dept of State, and the Swedish Migration Bureau. Now who the fuck knows. Who THE FUCK knows.

      And my girlfriend cannot understand why I threw a fit over this, or why I am talking about legal options.

      • Is the passport number actually useful for anything? I can understand the desire to not send it in plaintext, and I would have been upset if that happened to me too, but I'm having trouble thinking of what an attacker could do with that number.....
        • Use my passport number plus my full legal name and DOB to forge a passport that might easily pass for the real McCoy in some places.

          Airports all have RFID/barcode scanners now, but there are many other ways into and out of countries. E.g., when I visited Cambodia a couple of years ago, the Khmer border guards at both Poipet checkpoints just looked at the photo, wrote down my name/nationality/passport number in their list, and waved me through. (No, I did not merely visit the gambling "free zone", I actually

          • Ya but (Score:4, Insightful)

            by Sycraft-fu (314770) on Sunday May 19, 2013 @04:37AM (#43766757)

            In those places, a $100 bill would work as well or better than a passport for getting through checkpoint guards. The idea that someone would bother with your passport number in trying to forge a passport to get through there is rather laughable, since they didn't even bother to check said number to see if it was legit.

            At a border with better security? Not going to work. Passports have a lot more security to them than that, particularly now.

            Basically if places have weak security, they have weak security. Someone isn't going to bother to try to get a legit name and number to forge a passport. If they have tight security, then it wouldn't do any good as they check the other features, which wouldn't match.

            • "I have all the expensive and complicated tools I need to make a counterfeit passport, but I lack some random dude's name and passport number to put on it! Curses, foiled again!"

      • by houghi (78078)

        I, like probably most here on /., have my own domain. Whenever I need to enter details for something I order, I use a new email alias for each site. e.g. for this site it would be slashdot.org@example.com. That way I will know who the fucks were that sold my address, because in many cases it will be sold and not leaked.

        And then, if I know, I could decide what action to take. e.g. in your case none if it were the Americans or a lot, if it were the Swedes.

        It does not prevent anything. It just makes identifyin
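The per-site alias approach several commenters describe can be hardened so that a spammer cannot guess a working alias and frame an innocent site. This Python sketch is an added example, not code from any commenter; the domain, the secret, and the `<site>.<tag>@domain` layout are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions for this sketch: a catch-all mailbox on DOMAIN, a private SECRET,
# and aliases of the form "<site>.<tag>@DOMAIN". All values are constructed.
DOMAIN = "example.com"
SECRET = b"constructed-demo-secret-change-me"
TAG_LEN = 8  # hex characters of the HMAC kept in the alias


def _normalise(site: str) -> str:
    """Lower-case the site name and drop a leading 'www.'."""
    site = site.strip().lower()
    return site[4:] if site.startswith("www.") else site


def _tag(site: str) -> str:
    """Short keyed tag that only the mailbox owner can compute for a site."""
    mac = hmac.new(SECRET, site.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def alias_for(site: str) -> str:
    """Address to hand to one site, and to that site only."""
    site = _normalise(site)
    return f"{site}.{_tag(site)}@{DOMAIN}"


def attribute(recipient: str):
    """Return the site an alias was issued to, or None if the tag does not verify."""
    local, _, domain = recipient.strip().lower().rpartition("@")
    if domain != DOMAIN or "." not in local:
        return None
    site, _, tag = local.rpartition(".")
    if not site or len(tag) != TAG_LEN:
        return None
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(site).encode("utf-8")):
        return None
    return site


def leak_report(inbound):
    """Map each site to the foreign sender domains that mailed its alias.

    inbound is a list of (recipient, sender_domain) pairs. Sender domains can
    be forged, so treat the result as a lead to investigate, not as proof.
    """
    report = {}
    for recipient, sender_domain in inbound:
        site = attribute(recipient)
        if site is None:
            continue  # not one of our aliases, or a guessed/forged one
        sender = sender_domain.strip().lower()
        if sender == site or sender.endswith("." + site):
            continue  # the site itself is allowed to use the address
        report.setdefault(site, set()).add(sender)
    return {site: sorted(senders) for site, senders in report.items()}


# Constructed sample traffic: (envelope recipient, sender domain).
SAMPLE_INBOUND = [
    (alias_for("shop.example"), "mail.shop.example"),   # legitimate
    (alias_for("shop.example"), "bulk-ads.example"),    # address was passed on
    (alias_for("slashdot.org"), "slashdot.org"),        # legitimate
    ("slashdot.org@example.com", "spam.example"),       # guessable form, rejected
]

if __name__ == "__main__":
    print(leak_report(SAMPLE_INBOUND))
```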

      • by caluml (551744)

        "Want to know how much my flat is worth and what I paid for it? Did I pay taxes last year, and if so, how much?"

        Yes! Finally!

    • I fully agree; when I see someone saying "my name/address is private information" I feel like cracking a big smile. Or pitying them. Whichever comes first.

    • It's worse than that. If (say) buying something from Ebay, you need to share your name and address, else how are the third party going to get the physical goods to you?

      What they don't share (and which I always considered the important reason for https) are your payment details.

      Actually, as I often send stuff either to my work address or to friends and family, I like having the destination address recorded in an email so I can confirm it is being sent to where I want it to be sent to!

      (Interesting po
    • People are waaaaay too paranoid these days. There is nothing sacred about your name and address. No one can steal your identity with it. If the email had your SSN or DOB in it, that would be different. But your name and address? If you have a landline phone, it's probably in a phone book and on numerous telephone directory websites and has been for years. Public court records have your name and address too. Nobody cares.

      Remember that the e-mail contains a lot of other information than just the name, address or telephone number. It gives it much more context than just picking some random contact from a phone book.

    • by msk (6205)

      Week before last a mayoral candidate here mailed pre-printed absentee ballot requests to lots of people in the city.

      On postcards.

      They didn't apologize.

      I'll be voting for someone else.

  • ...You're dealing with human beings, and human beings make mistakes.

    That's why.

    • by SeaFox (739806)

      ...You're dealing with human beings, and human beings make mistakes.

      That's why.

      Let's not assign to incompetence that which may simply be apathy.
      For personally identifiable information that is non-sensitive, is there any reason they should care about taking measures to secure it (especially when it's not their own)?

  • by Okian Warrior (537106) on Saturday May 18, 2013 @11:43PM (#43766057) Homepage Journal

    Why should they care?

    There's no benefit to them keeping your information safe, it costs them time, money, and effort to do so, and there's no real consequences when they screw up. They will just put out a statement saying "all of our customer information was stolen, we recommend everyone change their password, and the hole is now patched - it can't happen again!".

    Also, they can blame the thieves. "It wasn't our fault, it was that scoundrel who noticed that you can change the account number in the URL to get into someone else's account."

    As to "we value your privacy", what does that actually mean? It means that companies have discovered that people trust companies that make that statement, and are more likely to purchase from such a company.

    That's all it means, and no more. It doesn't mean that they care or that they abide by the statement, it means that they think they can get more business by using that phrase liberally in their public-facing documents.

    You're living under the naive assumption that companies mean what they say and will do what they promise. They do what the consumer protection laws force them to do - any statement that reflects these laws is probably true, while the rest is simple puffing [thefreedictionary.com].

    • by King_TJ (85913)

      Sure... but even if they really DO care, who's to say they just weren't successful at keeping your info safe anyway?

      I've been saying for years now that "computer security" is largely a sham. Time and time again we find out that the biggest manufacturers of anti-virus software are companies run by shifty individuals with poor coding abilities, and respected makers of firewall appliances and routers sourced components from countries like China which had back-doors built into them at the processor level. Encry

      • The great thing about those pre-fab solutions is that when someone DOES steal consumer data, you have a scapegoat too!
    • See if the point of someone having your information is to, well, be able to access your information then it needs to be stored in that format. A password can be hashed, but something like name and address needs to be stored in text. Encrypting it is the kind of thing that does a limited amount of good. They may well encrypt it on disk, but the software that accesses it still needs to be able to decrypt it, wouldn't be of much use if it couldn't. So if someone busts in through a problem in the software, they

    • by chrismcb (983081)

      Why should they care?

      There's no benefit to them keeping your information safe, it.

      Perhaps that is the reason why the asker asked if there was legislation dealing with this. Then the corporation might care.

  • by dbIII (701233)
    It's just like some fool sending you an encrypted archive with the password in the same email. It looks cool and they don't know how much of a useless waste of time it is. The actual gatekeepers only get the superficial cargo cult appearance of security from the people that should be the gatekeepers, but that's seen as OK since you'd need to employ somebody to do it all properly. Putting on a show is cheaper.
  • Last year, I switched ISPs... My new ISP emailed me my password in plain text as a "confirmation" after signing up for my account. Needless to say, I was horribly pissed off about it.

    • by thegarbz (1787294)

      I fail to see how this is a problem. The ISP will track your IP assigns and logins anyway to ensure you're not "sharing" an account.

      Found that out rather quickly when my sister's router died and I gave her a spare I had here. She was surprised at how plug and play everything was and I got a nasty phone call at the very start of the next business day saying my account has been flagged as two people are logged in from two different IPs. The guy on the phone was able to give me the address and everything.

      This

  • by iceco2 (703132) <(moc.liamg) (ta) (roamriem)> on Sunday May 19, 2013 @12:18AM (#43766171)

    The question is, who are you worried will find this super secret sensitive information (Your name, address and fact you use the site)?
    The government? They don't need to intercept the e-mail they have easier ways of knowing it?
    Some criminal targeting you specifically who managed to intercept this e-mail? He already knows who you are all he learned is you use this site,
    simply seeing the IP is enough?
    Some random script kiddie on the internet? intercepting e-mails is not that easy, yes they are in plain text but they are not broadcast over the internet for everyone to see
    you have to position yourself along the route it travels (and this route normally doesn't change much) and attack somewhere along it, not impossible but hardly effortless. and why would he?
    Which only leaves corporate espionage targeted against the site you are visiting, which though more likely than any other vector still seems a bit far fetched, and in the end all they learn is your name&address.
    There are plenty of serious threats out there on the internet, this doesn't seem like one of them.
    Focus your worrying elsewhere.

    • I think it depends which info exactly is in that mail. Sure firstname and lastname are hardly confidential. But often these confirmations also contain credit card numbers, social security numbers (if the site asked for it), and other stuff you may not be comfortable sharing with the world at large.
  • by Etylowy (1283284) on Sunday May 19, 2013 @12:43AM (#43766229)

    is there any legislation — in any territory — which addresses this?

    It's forbidden in Poland. Similar rules apply in many European countries.

  • If they offer the option of encrypting the email, it's not going to work for 99.9% of people anyways.

    • Yes, it is standard. Go look up S/MIME.

      • by thegarbz (1787294)

        You are talking about A standard. The OP was talking about THE standard.

        I can categorically say in the last 20 years I have not received an email implementing any of S/MIME. S/MIME is only marginally more widespread than RFC1149 [ietf.org].

  • by Todd Knarr (15451) on Sunday May 19, 2013 @01:23AM (#43766323) Homepage

    Your name, address and phone number are published in the phone book. What's sensitive here?

    On a Web site, it's done over an encrypted connection not to protect the information but to prevent a third party from sitting in the middle collecting payment information. The combination of personal information with payment information (credit card number and expiration date), that would be sensitive. On their own either set of information should be non-sensitive, but combined it's sufficient to pass the authentication checks merchants and credit-card companies do. But just personal information without any associated payment information, what's anyone going to do with that that they couldn't do by looking through your local phone directory?

  • by Anaerin (905998) on Sunday May 19, 2013 @01:47AM (#43766365)

    Generally speaking, retail sites (Ones who have the really important information, like credit card numbers and the like) also only store hashed passwords. So asking for a password will get you a temporary link e-mailed (usually requiring further security questions) to set a new password. Other personal information, your name and e-mail address, are not considered worth securing, as you automatically send them out with every message you send, and all your mail is invariably addressed to you with your full name by your other contacts.

    Postal addresses are generally something of a grey area. On the whole, they're not particularly secured (Anyone who was determined to find out could find your address from the phone book, electoral roll, or other public list). Credit card numbers are typically secured by removing/obscuring all but the last 4 digits, and items ordered are again typically treated as "Better to include with a receipt, as a double-check, than to exclude".

    There is, as always, a fine balance in the "Privacy is required" to "more information is better" debate, but leaving that aside, while SMTP is a plain-text transfer medium, it generally requires quite a lot of work to actually get someone's details. For instance, you have to:

    • Poison a DNS record for a particular host (To point mail traffic at your server), or somehow spoof an IP address/routing record on the open internet

      Note, this will have to be done for the SMTP server(s) of the particular provider's message you want to intercept

    • Intercept the particular mail message you want (There's going to be a lot of mail coming through, most of it inconsequential)
    • Forward all the mail you've received on to the correct host (Which will be tough if you've grabbed their IP address(es)).

      If you don't do this, the provider will quickly notice they're not getting mail anymore and try to find out why, which'll get you discovered quickly

    • Find some way to actually use the mostly useless information you have gleaned.

      So Mr. John Smith lives at 1234 Anyroad, Someville, KY, and bought a can of compressed air and a USB mouse... So what? Start flooding him with ads for compressed air products? Offer him hot USB on PS2 action from waiting serial mice in his area? That'll get you some sales... NOT. Oh, and you can buy that kind of information already, from his credit card company or bank (who make a very nice profit selling those details anyway) for considerably more cheaply and easily than poisoning the entire internet.

    This isn't easy, or practical. Sure, if you want to, you can do it, but what is the point? If you're stalking them, there's much easier methods (going through their trash, trawling public records, google searching their name). If you're selling to them, there's easier ways (Buying details lists from credit bureaus, mass mailing).

    The problem of secure e-mail has been around for a long time, and many solutions have been proposed for the problem (S/MIME, PGP, Domainkeys), but it's largely a chicken-and-egg problem - Secure mail systems are not universally supported, so it's not used/Secure mail systems aren't used, so they're not supported. Solving this problem is left as an exercise for the reader. Obviously.
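The masking convention described in this comment (all but the last four card digits obscured), applied as a filter on an outgoing confirmation e-mail before it reaches plain-text SMTP. This is an added Python example, not code from the commenter; the sample body and the `[withheld]` marker are constructed, and the document-number label is the one quoted in the airline e-mail earlier in the thread.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b", re.ASCII)
# Labelled field as quoted in the flight confirmation earlier in the thread.
DOC_RE = re.compile(r"(?im)^([ \t]*Identifying document number:[ \t]*)(\S.*)$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match) -> str:
    text = match.group(0)
    digits = re.sub(r"\D", "", text)
    if not luhn_ok(digits):
        return text  # not a card number: leave it readable
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in text:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)  # keep the original grouping characters
    return "".join(out)


def redact_outbound(body: str):
    """Return (redacted_body, findings) for one outgoing message body."""
    findings = []

    def card(match):
        masked = _mask_card(match)
        if masked != match.group(0):
            findings.append("card_number")
        return masked

    def doc(match):
        findings.append("document_number")
        return match.group(1) + "[withheld]"

    body = CARD_RE.sub(card, body)
    body = DOC_RE.sub(doc, body)
    return body, findings


# Constructed sample body; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_BODY = (
    "Hello John Smith,\n"
    "Order 1234567890123456 ships to 1234 Anyroad, Someville, KY.\n"
    "Paid with card 4111 1111 1111 1111.\n"
    "Identifying document number: X0000000\n"
)

if __name__ == "__main__":
    redacted, found = redact_outbound(SAMPLE_BODY)
    print(redacted)
    print(found)
```

The name and postal address pass through untouched, matching the thread's view that a receipt needs them; only the card number and the identity-document number are treated as fields that should not travel in clear text.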

    • Oh, and you can buy that kind of information already, from his credit card company or bank (who make a very nice profit selling those details anyway) for considerably more cheaply and easily than poisoning the entire internet.

      Scary. Fortunately, in my country we have banking secrecy laws. Ooops, had. Most people are concerned about the tax man, but these shenanigans are actually a much bigger threat when banking secrecy goes away.

  • Fake Name... Most emails I receive from such sites start with "Hello Gofuckyourself!" etc... if you want to be creative you can tailor the message to be as entertaining as you'd like. As an added benefit, if you give a different name at each site, when you get spam, you can know who sold your private data.

  • There's a usual mechanism for password recovery -- tell the site your email address, and it emails you your password. This personal information is sent unencrypted. It's not clear how this would work on encrypted email, because it may also be the email decryption key you've forgotten. Or your password safe's passphrase.

    Any suggestions?

  • Another problem I'm having with companies is after I opt for electronic communications, they still send me postal mail. Ads, confirmations, account info. I try to explain that I don't want any postal mail coming to my house. I don't want all my account details going past housemates. I consider online communication to be more secure. How can I get them to stop exposing my personal information?
  • Because they're obviously paying top-dollar for their staff and listening to their suggestions

  • I mean, why doesn't thunderbird or iceferret or basically any client "generate a key" like ssh does when it's instantiated. Why can't the clients have a button to distribute the public key whenever it's appropriate? I see no reason why this level of security cannot live on top of ssl. "You have just uploaded your public key, would you like all email from us to be encrypted using this key before we send it?"

    • by Marrow (195242)

      By instantiated, I mean either the first time the product is used, or when the local email setup is created.

  • I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this?"

    They might be able to sue you for spamming them, but I doubt they have a case.
