Mozy Affiliate Site Security

Posted September 15, 2007 at 09:09am in Computers, Security

I received an email a while back about updating information in my affiliate account so that I could receive payment, and put it on the to-do list for another time. On August 30th I decided to browse the site to see if I could enter the information online, and just as I was about to enter my Tax ID/SSN I noticed it was on an insecure connection. I asked for a fax number and mentioned that they were not forcing SSL on that page. On September 3rd I emailed them again after reading their privacy policy, where I read the following:

Berkeley Data Systems uses industry standard security measures to protect against the loss, misuse and alteration of the information under our control. Although we make good faith efforts to store the information collected by Berkeley Data Systems in a secure operating environment that is not available to the public, Berkeley Data Systems cannot guarantee complete security. Further, while we take reasonable steps to ensure the integrity and security of our network and systems, we cannot guarantee that our security measures will prevent third-party “crackers” from obtaining this information.

We’ll start here: they talk about the steps they take to secure your information, but by default when I logged into their affiliate site I was on an insecure connection. I don’t think that is reasonable. If it were just a few bits of information, or maybe the ability to change my password, I could let it slide, as a large number of sites allow you to change your password without SSL. The problem with their site is that it asks for too many key pieces of information over an insecure line. In the screenshot at the bottom of this post you will see what I am talking about. They asked me for my full name, company information, and my Tax ID, which would be my SSN if I were not putting this under a company. In the next section they ask for your full address, which banks, credit card issuers, and other companies use as additional verification information. The last box is your PayPal account email address.

I left one box out, and that was the two fields for changing your password; I will go into detail on this now. A lot of people use the same password for multiple accounts. I know I do, but I also have a number of different passwords I use depending on how important I feel that information is. The average Joe will use the same password for all their accounts, and in most cases it will not be secure to start with. When you view this page the password fields are completely blank; there are no fields that contain your original password for someone to use a revealing program on. However, you did log in over an insecure connection with this password, so if anyone had been “listening”, they just got access to your account. Now I usually use a generic password for signing up for an account and change it later over a secure connection, so if someone was able to read my email they would not have the actual password. If I followed that procedure over the insecure connection my password could be sniffed. So even my paranoia would not have saved me.

What is the problem with all of this? I will run through the attack for you. Jason is in college working towards a business degree, and he has a blog that he uses to teach others the things he learns in his classes. Like most college students Jason needs some money, so he signs up for the Mozy affiliate program because his blog does very well and he feels he can make a decent amount of money. After all, Mozy is a pretty sweet backup setup, and his friends can get free accounts with more than enough room to back up their school work. Well, Paul, who happens to live in the same dorm, likes to “listen” to his neighbors’ traffic, and he found out about this slip-up and kept a watch on the dorm traffic for http://affiliates.mozy.com. One day Jason logs into his account and Paul nabs his password. Like me, Jason slacks off on entering the information. Paul knows it is only a matter of time before Jason enters it, so to speed things up Paul visits Jason’s blog and creates a number of Mozy accounts through Jason’s affiliate banner to generate some cash in Jason’s account, giving him more of an incentive to fill in the payment details.

One day Jason enters his SSN, full address, and PayPal account so he can get paid. In the process Paul captures Jason’s full SSN and his full address. Since Jason probably uses the same password for his PayPal account, Paul is able to log in to PayPal and find out which banks Jason uses. Paul now has enough information to call up Bank of America and say he doesn’t have his account number handy, at which point the customer service rep will ask him for his social and most likely verify the address and phone number. Paul can now use some social engineering to get the remaining portions of the account number, and maybe even gain access to the online banking system by having them reset the password. So with one false move on Jason’s part, Paul could easily gather enough information to completely take over Jason’s life.

I will say there is a chance I am wrong and the Tax ID field is not somewhere to enter your SSN, but most forms ask for your Tax ID, or, if you are a sole proprietor without a Tax ID, your SSN. The IRS actually prefers sole proprietors to enter their SSN rather than an EIN. So the likelihood that someone will enter their social security number in this box is very high.

Below are copies of the emails that I sent and the reply I received. By the way, it took 11 days, and me having to email again, before I heard back about this issue. Excuse the poor organization of the email; I wasn’t too interested in being poetic about it. In the original email I also mention how they ask you to email the W9, another chance for your SSN to be exposed to malicious individuals.

I went to the affiliate site the other day to enter in my information to redeem the money I have earned. Under settings it has a field, Tax ID, which if you are not using a tax id would be your SSN. The connection is not being forced to SSL. I find this to be a pretty serious security issue, and I will not enter my information until I am assured my SSN is not going to show up in that field. I was also originally asked to email a W9, which is another security issue as my SSN would be transmitted over an insecure connection. I did receive a fax number later, but there are a lot of people that do not think about those things and would be leaving themselves wide open. In the privacy policy you mention taking reasonable steps to assure security, but I feel these issues come close to violating that statement. On an insecure connection you allow changing a password, entering a tax id, a PayPal account address, and a full address to accompany all the other information. Seeing how a lot of people will use the same password for a number of accounts, you leave that person’s PayPal account pretty much open for being taken over, which of course is their fault in some ways. I need a reply as to why these problems exist or when they will be fixed.

I received this in response to my email.

I’ve consulted with our programmers, and this was the response I was given:

The reason we do not force SSL is because there are certain aspects of the program where SSL is unneeded. In addition, adding a secure element to a non-secure page produces an error box, as does the reverse. That is why we leave the program open with the option of using non-secure and secure elements.

However, although there are no plans to force SSL, all links to our signup and affiliate dashboard pages will be (if they’re not already) pointing to the secure versions of the page.

So if they give you the option to make it SSL by changing the URL, and they have made all their links point to https, what’s the big deal with adding an Apache vhost that redirects the request to the secure version of the site? That isn’t a huge task. The mixed-content warning their programmers mention is an argument for serving the whole site over HTTPS, not for leaving pages on HTTP: once every element on a page is loaded securely there is no secure/non-secure mix for the browser to complain about.

Since I contacted them, they have updated the default links to point to HTTPS, which is good, but users’ existing bookmarks still point to HTTP. In a number of circumstances it can be difficult to sniff the traffic on a network, but when I was in California I would be out and about and connect to random WiFi access points near my friend’s house. There is nothing to stop someone from doing that and maliciously sniffing the traffic in the neighborhood. Sure, it would take some time to find someone who has an affiliate account, but here is another example for you.
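As an added example of the fix argued for above (the Apache vhost redirect, and the point that updated links do nothing for old HTTP bookmarks), here is an Apache 2 virtual host pair in which the plain-HTTP host does nothing but issue a permanent redirect to the HTTPS host. This is not configuration from Mozy or from the original post; the hostname affiliates.mozy.com is the one named in the post, while the certificate paths and document root are assumed.

```apache
# Port 80 host: never serves content, only sends the browser to HTTPS.
# An old bookmark such as http://affiliates.mozy.com/settings?tab=tax
# is answered with "301 Location: https://affiliates.mozy.com/settings?tab=tax".
<VirtualHost *:80>
    ServerName affiliates.mozy.com
    RewriteEngine On
    # %{REQUEST_URI} keeps the path; mod_rewrite passes the query string
    # through unchanged because the substitution contains no "?".
    RewriteRule ^ https://affiliates.mozy.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443 host: the only place the login form, Tax ID, address and
# PayPal fields are ever served or posted.
<VirtualHost *:443>
    ServerName affiliates.mozy.com
    SSLEngine on
    # Assumed certificate and key locations.
    SSLCertificateFile    /etc/ssl/certs/affiliates.mozy.com.crt
    SSLCertificateKeyFile /etc/ssl/private/affiliates.mozy.com.key
    # Assumed document root for the affiliate application.
    DocumentRoot /var/www/affiliates
    # Tells returning browsers to skip the port-80 hop entirely (HSTS,
    # RFC 6797, standardised in 2012, so not an option in 2007; needs mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Two caveats a practitioner should keep in mind. A redirect only takes effect after the first response, so a request made to the HTTP URL, with whatever cookies the browser attaches, still crosses the wire in the clear once before the browser follows the 301; that is why the session cookie should carry the Secure flag and why the login form itself must post to an https: action rather than rely on being redirected (a redirected POST is replayed as a GET, so the credentials would either be lost or, worse, already sent over HTTP).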

Anyone who visits this blog sees I have an affiliate account by looking to the right and seeing the banner. You know my name and what state I live in, so you could find my address. If I ran an insecure wireless network in my house you could have sniffed my traffic and found out what was up. Southern California has some insanely priced houses and some incredibly rich people; it would not be hard to find someone using the affiliate program, generate income under their account, and follow that up with a little war drive down their street to gather the remaining intel needed.

How much time would you spend if the end result would be a new identity and the possibility of access to accounts with hundreds of thousands of dollars? I’m sure you can think of some people that would go to great lengths to get that information.

Before I end this with the screenshot, I do want to say that I think Mozy has a nice service, and from what I have seen their backup service is secure. I support Mozy and will continue to fly their banner on the right, but I do have a serious problem with the security measures they have not taken with the information transmitted on their affiliate site.

This completes my first contribution to the security community. I hope some read this and begin adopting more secure standards for how information is transmitted to and from their websites. I also hope that users will use different passwords for different tiers of accounts, so that one sniffed password does not unlock everything that can be learned about them.

Mozy Affiliate Site Screen Shot
