If you’re going to use technology to help your business, make sure you know what you’re doing, and don’t be half-assed about it.
I make it a habit to change my passwords periodically. Not as often as I should, but periodically. I also look at web site accounts with a critical eye and close those that I don’t use any more. Having a bazillion passwords to change encourages me to reduce their number! With this in mind, I went to the Camera Canada web site a few weeks back. For the life of me, I could not find how to change my password so I wrote them and asked. To my astonishment, the general manager replied with this gem:
Thank you for your interest in Camera Canada. I have reset your password to cam6325. If you have any further questions please feel free to call or e‑mail.
A weak password, and sent plaintext via e‑mail, no less. I replied, again asking if there was a way I could do it myself, and requesting that my account be deleted if there was not. He replied stating that they have no way for customers to change their passwords, and that he had my account deleted. I promptly went and confirmed that my log-in credentials didn’t work.
If your site has no way for a customer to change their own password, I question how secure the site is, and I didn’t want my personal information on it.
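The flow the post is asking for, as an added example that is not code from the post or from either company mentioned: passwords are stored only as salted scrypt hashes, the customer changes their own password by proving the old one, and a forgotten password is handled with a single-use, time-limited reset token (the thing a site would e-mail as a link) rather than an operator choosing a password and mailing it. The in-memory dictionaries standing in for a user database, the 12-character minimum and the 15-minute token lifetime are assumptions of this example; only the Python standard library is used.

```python
"""Self-service password change and reset using only the standard library.

No operator ever sees or chooses a password: the store holds salted scrypt
hashes, and a reset issues a single-use, time-limited token instead of a
new password.  (Added example; the tables below are constructed stand-ins.)
"""
import hashlib
import hmac
import secrets
import time

USERS = {}          # username -> {"salt": bytes, "hash": bytes}   (assumed store)
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}

SCRYPT = dict(n=2 ** 14, r=8, p=1)   # work factor; tune n upward for production
RESET_TTL = 15 * 60                  # seconds a reset link stays valid (assumed)
MIN_LENGTH = 12                      # assumed policy; length matters most


def _hash(password, salt):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


def _set_password(username, password):
    salt = secrets.token_bytes(16)           # fresh salt on every change
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}


def password_acceptable(username, password):
    """Minimal policy: long enough and not built around the account name."""
    return len(password) >= MIN_LENGTH and username.lower() not in password.lower()


def register(username, password):
    if not password_acceptable(username, password):
        return False
    _set_password(username, password)
    return True


def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\x00" * 16)        # same cost for unknown users
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def change_password(username, old, new):
    """Logged-in change: the caller must prove knowledge of the old password."""
    if not verify(username, old) or not password_acceptable(username, new):
        return False
    _set_password(username, new)
    return True


def start_reset(username, now=None):
    """Issue a reset token.  Only its hash is stored, so a copied token table
    cannot be used to take over accounts.  Returns the raw token, which the
    site would send as a link; the response to the customer should look the
    same whether or not the account exists."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username, "expires": now + RESET_TTL}
    return token


def finish_reset(token, new, now=None):
    """Consume a token and set the new password the customer chose."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.get(key)
    if entry is None:
        return False
    if entry["expires"] < now:
        del RESET_TOKENS[key]                # expired: discard it
        return False
    if not password_acceptable(entry["user"], new):
        return False                         # token stays valid so the user can retry
    del RESET_TOKENS[key]                    # single use
    _set_password(entry["user"], new)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    link_token = start_reset("alice")        # this is what gets e-mailed, not a password
    print("reset ok:", finish_reset(link_token, "a brand new long passphrase"))
    print("login ok:", verify("alice", "a brand new long passphrase"))
```

The token is compared only through its hash, so the reset table reveals nothing useful on its own, and the `del` before `_set_password` is what makes a link single-use; an operator running this flow never learns the customer's password and has no reason to put one in an e-mail.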
On a different front, my credit card expired a while back and I received notices from a few companies who use my card for regular payments, requesting updated information. Alarmforce in particular drew my notice. They sent a letter in which they suggested three ways to deliver my new credit card information to them. I could return the form they provided by postal mail, by fax, or I could send them the information by e‑mail.
They should know better. I’ve heard it stated that regular e‑mail is roughly analogous to sending a postcard through the mail. It’s not exactly right, but close enough. At a minimum, the folks at my ISP and the folks at their ISP can easily read the information I send them, and it’s not unusual for a message to be relayed through other servers along the way, each of which only adds to the exposure. Alarmforce may know about physical security, but their suggesting I send my credit card information via e‑mail is terrible advice, and tells me they know nothing about data security. You might say that an alarm company doesn’t deal with data security, but they have my credit card information and I expect them not to let others have it because of their (lack of) data security practices.
If you’re going to use the Internet to help your business, make sure you know what you’re doing. If you don’t have experienced people in-house and aren’t willing to hire, contract it out. It’s cheaper than rebuilding your reputation after a security breach.