
Tuesday, 2 October 2012

7DayShop security - lack of transparency, or understanding?


Recently a number of people received password reset notifications from the 7dayshop website - a site that many people I know use, which supplies batteries, camera accessories and the like, and which I've used for a few years now. The email came through as the sort of email you get when you go to a site and request a password reset. The notification included the text:

  There was recently a request to change the password for your account.
  If you requested this password change, please click on the following link to reset your password: [Link removed]
  If clicking the link does not work, please copy and paste the URL into your browser instead.

  If you did not make this request, you can ignore this message and your password will remain the same.

So there is no indication there that it was intentionally sent out by the company, and the last line explicitly seems to suggest otherwise. This, understandably, made a few people panic and go around changing many other passwords in case the site had somehow been compromised. So what had happened to make so many people receive password reset notifications - was it a real attempt to break into people's accounts? Here's a perfectly reasonable train of thought for anyone who takes security seriously:
  1. Maybe someone's trying to break into my account
  2. If such an attacker is doing a reset in this way, maybe it's because they've already broken into my email account and can get the notification
  3. Maybe they've already reset a number of other accounts this way, and already compromised my other online accounts
  4. I might not know if they've done this, as they could delete the evidence if they have access to my mailbox!
  5. I'd better change all my passwords on all my systems.
The above thought process is entirely reasonable, and obviously generates a bit of work for the person receiving 7dayshop's mail. So what really happened?

I found some more information later in the day, when they made this post on their facebook page suggesting that as a result of changing their website they had "improved security". They also acknowledged "I agree that the wording could have been better but we will learn from our mistakes". OK, both those points are superficially good things, but it also included the following:

"all customers who had passwords less than 5 characters or passwords with special characters, which were not transferred over to the new site, were sent a new computer generated password."

OK, so that might explain the reset requests - although "sent a new computer generated password" isn't quite the same as "We've forced the reset process on you and suggested you'd initiated it yourself". More worrying is that they appeared to know which passwords were <=5 characters. Surely any site that hashes passwords properly would have no idea how long the passwords were? They have confirmed that passwords were encrypted before and after the update - I suppose it's possible they're stored reversibly with an encryption key somewhere rather than with a one-way hash algorithm, although if that key is stored on their servers it's potentially subject to compromise if someone gets into their systems, so that is less than ideal. Another comment they made to me was this:
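To make the point concrete, here is an added illustration (my own example, not code from 7dayshop or from this post) of what a migration script can and cannot learn from a properly hashed password store. The record format, the sample accounts and the "short or special" filter are all constructed for the example; the one thing that is not invented is that a salted PBKDF2 digest has the same length whatever the plaintext was.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed record format for this example: algorithm$iterations$salt_hex$digest_hex
def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """One-way, salted hash of a password. The stored digest is 32 bytes no matter the input."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample accounts. The plaintext exists only here, to show what a
# plaintext (or reversibly encrypted) store would be able to see.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice": "abc",                  # shorter than 5 characters
    "bob": "correcthorsebattery",    # long, alphanumeric
    "carol": "p@ss!£",               # contains "special" characters
}


def build_store() -> Dict[str, str]:
    """What the site's database would hold if passwords were hashed properly."""
    return {user: hash_password(pw) for user, pw in SAMPLE_PASSWORDS.items()}


def stored_digest_lengths(store: Dict[str, str]) -> Dict[str, int]:
    """All a migration script can measure in a hashed store: the digest length,
    which is identical for every account and says nothing about the password."""
    return {user: len(rec.split("$")[-1]) for user, rec in store.items()}


def short_or_special_from_plaintext(plaintext: Dict[str, str]) -> list:
    """The filter the company described ("less than 5 characters or special characters")
    is only computable over plaintext; it cannot be run against the hashed store above."""
    return sorted(user for user, pw in plaintext.items() if len(pw) < 5 or not pw.isalnum())
```

If a hashed store genuinely failed to migrate, the usual remedy is to carry the old hashes across unchanged and re-hash each password with the new scheme on the user's next successful login, which never requires knowing anything about the plaintext.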

A number of customer records did not migrate correctly onto our new system. We issued an email to these customers informing them to change their password. We received great feedback from our customers that implied the majority of issues were due to short passwords.

I have to wonder who was providing this "great feedback" - I wouldn't normally think to tell the company I had a short password when I get a random reset notification, so I wonder what the nature of this feedback is. I emailed "Mandy" mentioned in the facebook thread, but that did not elicit a response. In order to try and get some concrete information I chose to email their customer support directly, instead of the general customer service people on Facebook. This is how it went:

Hi, I've tried to get this question answered via your facebook page, but the person on the end doesn't appear to answer the issues directly, merely skirting around the issue. I also tried emailing the address they gave me in that thread, but did not receive a reply. All I'm getting is "We take security very seriously" and "we store encrypted passwords". Can you get someone with a clue about online security to please answer these two questions:

1) Were the passwords encrypted PREVIOUSLY i.e. prior to the site makeover.

2) If the answer to the first question is no, how do you know which passwords had the problem? You refer to vague "migration issues" but what were the issues that led you to believe that the 5 character etc. ones were the ones that caused problems? If encrypted/hashed, you wouldn't be able to tell, and it shouldn't have mattered. Vague "feedback from our customers that implied the majority of issues were due to short passwords" is dancing around the question.

Please back up your statement about taking security seriously by providing answers to the questions, since if you haven't got someone who is technically capable of understanding the questions, then you cannot claim to take security seriously.

I'm just looking for a straight answer.

And here is the response I got:

Hi Stewart

1. yes
2. Some records did not load. We don't know the exact reason. But customers mentioned about short passwords. Seems a logical link.

Is that straight enough?

So there you go - they have no technical explanation, merely anecdotal evidence that the "migration failures" were caused by short passwords. I find it very strange that they would not be able to know for sure, based on the sorts of failures they were seeing, what caused the issues. Based on the evidence, the most likely explanation seemed to be that the passwords were previously unencrypted, and the insertion process into the new system had stricter rules which many people's passwords were violating. But we have to believe them when they say that wasn't the case and that they've always been encrypted. Still, if a developer of a site for my company came to me and said they couldn't provide an explanation for password migration failures other than anecdotally from the end users, I'd be very concerned as to their competence. On the basis of them not knowing why their system had problems, I do not see myself dealing with 7dayshop in the future.