Online account creation safety

A few things to keep in mind when an online account is mandatory:

– never create an account unless it is actually required in the first place; avoid "surveys" and loyalty cards as much as possible
– use a temporary forwarding email address for one-off sign-ups, for example from http://jetable.org
– if you have a VPN, enable it before creating the account so the service cannot geolocate you (you can still pick an exit IP in the same country)
– unless a field is absolutely required, like a shipping address, enter as little information as possible
– unless the data has to be valid, as for a warranty or shipping, never hesitate to enter a fake name, fake address, fake age, fake everything. Against the Terms of Service? Don't care.
– if you can pay with a unique, single-use virtual card number, do that.
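The list above amounts to a procedure: one disposable address and one made-up profile per service, with nothing real except what the merchant genuinely needs. The script below, an added example that is not part of the original post, does exactly that and keeps a local record so that when spam or a phishing mail arrives at one alias you know which service leaked or sold it. It assumes you control a catch-all mail domain (the constructed example.invalid) so every random alias is delivered to you; a forwarder like jetable.org works the same way but expires. The name pools and the spam headers in the demo are constructed.

```python
"""Per-service throwaway identities: one random alias and one random profile
per sign-up, recorded locally so a leak can be traced back to the service.

Added example, not from the post. Assumes you own a catch-all mail domain
(the constructed example.invalid below) so every alias is delivered to you.
"""
import json
import secrets
import string
from datetime import date, timedelta
from email.utils import parseaddr

ALIAS_DOMAIN = "example.invalid"          # assumption: catch-all domain you control
ALPHABET = string.ascii_lowercase + string.digits

# Constructed name pools; the values only need to look plausible to a form.
FIRST_NAMES = ["Alex", "Sam", "Jordan", "Casey", "Robin", "Morgan"]
LAST_NAMES = ["Dubois", "Martin", "Bernard", "Petit", "Moreau", "Leroy"]


def random_alias() -> str:
    """12 chars from a 36-symbol alphabet (about 62 bits of entropy): the alias
    reveals neither you nor the service, and cannot be enumerated."""
    tag = "".join(secrets.choice(ALPHABET) for _ in range(12))
    return f"{tag}@{ALIAS_DOMAIN}"


def random_birthdate() -> str:
    """Random adult birth date, 25 to 60 years ago, ISO formatted."""
    days_back = 365 * 25 + secrets.randbelow(365 * 35)
    return (date.today() - timedelta(days=days_back)).isoformat()


def new_identity(vault: dict, service: str, needs_real_shipping: bool = False) -> dict:
    """Create and record the identity handed to one service.

    Everything the service does not genuinely need is random, so a breach of
    that service links to nothing else. Shipping is the one field the post
    says must stay real, so it is left as a marker for you to fill in."""
    identity = {
        "service": service,
        "email": random_alias(),
        "name": f"{secrets.choice(FIRST_NAMES)} {secrets.choice(LAST_NAMES)}",
        "birthdate": random_birthdate(),
        "shipping": "REAL ADDRESS REQUIRED" if needs_real_shipping else None,
        "created": date.today().isoformat(),
    }
    vault[identity["email"]] = identity   # aliases are generated lowercase
    return identity


def leak_source(vault: dict, recipient: str):
    """Return the service that was given this alias, or None if unknown."""
    entry = vault.get(recipient.strip().lower())
    return entry["service"] if entry else None


def leak_report(vault: dict, messages) -> dict:
    """Map the To: address of each inbound message to the service that leaked
    it. Messages are raw header blocks; unknown recipients map to None."""
    report = {}
    for raw in messages:
        for line in raw.splitlines():
            if line.lower().startswith("to:"):
                _, addr = parseaddr(line.split(":", 1)[1])
                report[addr.lower()] = leak_source(vault, addr)
    return report


if __name__ == "__main__":
    vault = {}
    toy = new_identity(vault, "toy-vendor-portal")
    shop = new_identity(vault, "webshop", needs_real_shipping=True)
    # Constructed spam that arrived at the toy-vendor alias: that service leaked.
    spam = [
        f"From: deals@example.invalid\nTo: {toy['name']} <{toy['email']}>\nSubject: win!\n",
        "From: x@example.invalid\nTo: <stale@example.invalid>\nSubject: old alias\n",
    ]
    print(json.dumps(leak_report(vault, spam), indent=2))
```

Run stand-alone it prints which service each spam recipient traces back to. In practice you would persist `vault` with `json.dump` to an encrypted disk and feed `leak_report` the headers of whatever lands in the catch-all mailbox; an alias that starts receiving mail from anyone but the service it was issued to is direct evidence that the service leaked it, and you can drop that single alias without touching any other account.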

Once you have handed over personal information, you will have no control over it for the rest of your life.
Hopefully that life will be long and fruitful.
Who knows how many of the websites and services holding data on you will be breached over those decades.
That is why the only defense is minimal information, and random fake information wherever real data is not required.

The VTech breach, explained by +Troy Hunt, is an excellent example of why you should apply similar rules to yourself (whatever works for you) and your family, and teach them to your kids as well, since their whole life will be online.

This one is particularly bad because the unique identifier in this very verbose database makes it possible to contact every kid individually on their connected toy, sending them messages and pictures.
VTech hasn't informed anyone yet. Yes, that bad.

#supercurioBlog #security
Troy Hunt: When children are breached – inside the massive VTech hack

Source post on Google+

Published by

François Simond

Mobile engineer & analyst specialized in display and camera color calibration and audio tuning

11 thoughts on “Online account creation safety”

  1. Francois, as much as I respect your tech know-how, I am just as sad about this post. I have a large online shop and deal with very sensitive customer data, because my customers like to be anonymous as long as they don't receive shipped packages. It's an NSFW business…

    The problem is: Just in the last months I have suffered so many credit card and PayPal frauds that I almost had to shut down my entire business.
    The only thing I could do and have done now is probably the reverse of your list:
    – An account is mandatory
    – Customers are geolocated to ensure the IP and the entered address match, otherwise they can't check out
    – Customers using a proxy are rejected
    – very few countries are blocked by design (as there was only fraud…)

    I hate that I had to do this, but all the anonymous sh*t cost me hundreds of dollars… The coin always has two sides.

  2. +Marco D. Rassau​ I think we agree on the principle and I understand the requirements for electronic commerce.
    The idea I talk about here is about sharing as little personal information as possible, limiting to what is absolutely required.

    If some personal information is required to validate the payments, then sure, that's how it works.
    And yes, most merchants are in the worst position since they're the ones taking the loss for everyone. It's certainly a difficult job.

    What damages online trust most is examples like this one where too much information is acquired.

    However the policy of most online services is to collect "as much information as the user is willing to share" as well as "track as much data as possible" just in case it could be useful or monetizable later.
    Then this data is possibly sold or leaked.
    We can only observe this, and hence we need to pay equal attention to sharing only the minimum of valid information.

  3. +François Simond Agree to the last point. Some of my customers use special mail addresses with my company name in it, so they could see if I sell or use their data, which I don't for sure…
    But yeah, 5 years ago it wasn't such a big deal. As of today, the more the companies sell data, the more customers get unsure. The same time the doors for massive frauds are open. It is cruel.
    A simple Google search and you'll find databases of compromised accounts, CC data and paysafecards – there must be a way for people like me to be on the safe side, otherwise many businesses will have to shut down in the future, and some already have.
    I find it important to sensitize people in that direction too, that's why I raise my voice here.

  4. Security and fraud are two very different things.
    There's no reason to be sad about this post. I seriously doubt, actually I'm sure, he's not suggesting or condoning fraud.

    Companies like VTech, I bought one of my kids a watch, and nabi, also a tablet, require lots of info just to get into the services. Nabi requires a credit card to create an account for verification or it can't be used. VTech requires an insane amount just for software updates. It's totally not necessary, and a security risk as it's proven time and again some companies aren't very good with our data.
    Ordering a product is one thing, data mining customer data is another.
    And while I didn't go as far as the suggestions, which I may implement in the future, I did obfuscate much of the data I entered.

  5. I can't answer that. I fortunately only bought their watch.
    I think though the big deal with these devices is that they're supposed to be secure in that the child can only communicate with people the parents choose. So chat history shouldn't be a big deal.
