A co-worker of mine is currently dealing with the possibility of identity theft. He has been doing some online trading of commodities and told me that he had experienced some login issues stating that he was currently logged in when he wasn’t, furthering his suspicion of identity theft. When I asked if his platform used two-step authentication, he asked “what’s that?”
When I logged into my investment site, I decided to change my password. First problem: 6-12 characters, use of non alpha-numeric characters was prohibited. That’s a weak password to me. Even with the multiple security questions (which, if you do some research could be easily answered), there are no other initial security measures. Second problem: after looking for advanced security, such as two-step authentication, I found none.
To my dismay, it is not just trading platforms that are broken (from a security standpoint), but a good majority of other platforms and systems as well. Today I filled out my NCAA bracket for my group of friends. When I was sent the group invitation over email, I was rather peeved that the password was in plain text. After clicking the link, it appears that the outside site provides a redirect to the NCAA site, which issues a GET request as so, where XXX is the group ID, and YYYY is the freaking password.
Even under the assumption that group passwords are not important, you should still not issue them as a parameter in a GET request over HTTP.
I think any site/platform that has actual money invested or access to bank accounts should at least allow for stronger passwords and two step authentication. A lot of these systems are older, but these companies have the resources to accomplish these tasks. Blizzard does it and so does Google – and they really don’t hold a direct line to financial and completely personal information. Steam works great as well, storing and requiring computer authorization through email, adding a layer to what systems can actually be authenticated.
I think there is a lot that can be done and a standard baseline that should be established for security. We exist in a time when such systems using archaic passwords requirements and lack access security should be brought up to speed, especially from companies that can afford to.