September 14, 2007

If a Stranger Offers You Sweeties...

Common wisdom tells us to distrust strangers, but as you already know, common knowledge rarely applies to information security.

I recently visited a couple of web sites and was astonished by the very sensitive information they request from their users. The first is the very well-known Facebook site, which I heard of from several of Leo Laporte's podcasts. The second is a not so well-known but increasingly popular instant messaging service called eBuddy, which allows you to use several IM platforms (MSN, Yahoo, AIM, GTalk, and MySpace) from the web.

In the first case, when creating an account, Facebook asks you for your email password so that it can import your contacts and add them to your friends list. It is able to handle several email providers such as Hotmail, Gmail, or Yahoo. I do believe that Facebook has a real business and that their site is not meant to gather naive users' passwords. At least they allow you to skip this step and add your friends manually. However, I would like to know how many people with no real previous knowledge about the company (other than "somebody told me that is cool!" or even "somebody invited me") have provided them with their email and password.

In the second case, there is no benefit from visiting eBuddy if you don't type your IM user and password. Don't ask me if it works well after that, because there is no chance that I will give them that info. I understand that there is currently no other way to provide that service than obtaining the usernames and passwords (maybe OpenID and the identity providers will solve these issues in the near future). Still, I leave those advanced services for the brave users who dare to give their usernames and passwords to strangers in the hope that they won't be stored and/or used for any other purpose. A very similar case is the service provided by ShapeService to use Skype from the iPhone, which requires you to provide them with your Skype account and password.

So my advice is clear. Please, think twice before you type your user and/or password in any website other than the one they are meant for.

5 Comments:

Anonymous said...

All of those "social network" websites follow the same practice. In order to minimize the impact of identity theft, it is important to change your passwords at regular intervals.

9:27 AM  
Jorge Ortiz said...

Agreed. As I said, I understand the purpose but don't like to give my password to anybody. I don't want to be exposed to identity or information theft even for a really short period. Call it Time Based Security :-)

12:23 PM  
Anonymous said...

LinkedIn too prompts for email account passwords so that it can import email ids.

-Deapesh.

6:20 PM  
Raul Siles said...

I've found an even better one :-)

GotoSSH, http://www.gotossh.com

It is a Web-based interface you can use to connect to your SSH servers, and they even claim it is secure: "Is this secure? In short - yes!". It is based on SSL and they don't keep the connection logs. What do they do with your username and password? ;)

Definitely, I'll call it PleaseGiveMeYourCredentials.com

12:02 AM  
Jorge Ortiz said...

Cool one! Thanks, Raul. That's probably the best it gets...

3:52 PM  
