A pleasant walk through computing

Comment for me? Send an email. I might even update the post!

An Open Email to Blackwing602.com About Their Poor Account Security

I'm a Blackwing pencil fan. But I've had some problems with their web site account management. A few days ago I wanted to verify the email address on my account because I kept getting shipping notifications to an old email address. I wasn't able to log in using either email address, and the error message was that there was no such account.

I emailed Blackwing. Here's the reply I received, and my response. I've emphasized the key statement that triggered my response.

Blackwing Email

Hi Charles,

I've just sent an account activation email for your Blackwing account, and once you activate that, you should be able to log in.

With regards to Pencils.com or Blackwing602.com account changes (such as email address), only we can change that on our end (for security). If you need us to make adjustments, let us know.

The [-----------] email address is the one that will have the Volumes shipment.

Please let me know about your security concerns on Pencils.com and I can look into it.

We had recently switched our sites to Shopify, which is one of the most used ecommerce platforms, and it seems we're just experiencing some growing pains from the move. Thank you so much for your patience in this time.

Let us know if you have any questions! I'm also available via phone at [------------], from 8am-5pm Pacific.

My Response

Thank you for sending the link. I've reactivated my account. I need to address several points in your email.

Volumes Shipment Email

My email address is [------------]. Please do whatever you have to to get my shipping notification email changed. The address you're using is old; I haven't used it for two years. I've made this request more than once.

Web Site Security

I'm very concerned by your reply on security. I'm a veteran software engineer with twenty-plus years of experience, focused mainly on web applications, so I've had to research and implement web site security.

Below are screen shots of the Blackwing602/Pencils account pages. Let's see what customers can do before discussing what they should be able to do.

Blackwing602

From the main page, a customer can only change addresses. Clicking the Edit link opens this page.

What's going on here?

  • Is a customer changing this information, or creating a new account?
  • Why aren't First and Last name populated?
  • If allowed to change password, why no password confirmation field?
  • No Back or Cancel link, making it obvious the customer can back out of the changes.

I didn't even try to update anything. Based on our conversation, I didn't trust what would happen.

I want you to read that again. I didn't trust what would happen.

Pencils

From this main page, there's not even an edit link to--potentially--allow any account information changes.

Security

You say in your email, "With regards to Pencils.com or Blackwing602.com account changes (such as email address), only we can change that on our end (for security)."

I'm sorry to be blunt, but this is dead wrong. It's the opposite of good security and support.

It isn't user-friendly. At all.

Let's say a customer has changed her email address. She's going through all of her sites. She gets to Blackwing/Pencils and doesn't see any way to change her email. She clicks around for a minute. She checks the FAQ. How is she supposed to know that she has to email customer service to change her information? Well, you could put a message on the account page, with an email link to account_changes@blacking602.com. That would be terrible. What's to prevent a DDoS attack on that link? OK, how about a form requesting the change? So now the user is thinking, "If I'm entering my request for change online anyway, why don't they just automate it?"

Another situation. A customer has legally changed his/her name. They have to email Blackwing to make that change? What's more likely, in both the above, is the user gives up, doesn't make the change, and eventually stops buying from the company because it was so easy to change at every other business. He or she had a messy divorce, and doesn't want to be reminded of it.

It isn't secure for a user's worst case.

I submitted my question on May 31. I got your email June 3. That's four days. Let's say a customer finds out he's been hacked. He hasn't been careful, and used the same password at lots of places. Is Blackwing saying he has to wait four days to get his password changed? The question is the same for changing the email. It's suddenly--for the customer--a security risk, an emergency, and Blackwing is preventing an immediate change. Even worse, as stated above, is that the customer has no clue how to even make the change. You just end up with an angry customer.

It implies poor security, because users are giving their changes to a person whom they don't know they can trust.

I trust you. No, wait...do I? If Blackwing is making me email you to change my account, that means I should trust you to enter the information more than myself. What if you get my email wrong? It's going to happen. Now I'm locked out of my account and I have to email you, and it could be on a weekend when there's no response, and I was going to order these items for a wedding anniversary gift, and now they're going to arrive late.

Do you see the problem?

It implies customers should send you their changed passwords. And if they're not, and you're sending them to a password reset form, why not make that available online in the first place?

I think this is self-explanatory.

It isn't scalable in a breach worst case.

Pencils.com has a security breach. Tens of thousands of passwords have been stolen. What next? First, Pencils does the right thing, of course, and notifies their customers immediately. Then, those customers go to the site to change passwords and/or emails and discover...they can't.

OK, so you email everyone a reset link, like you did for me. Thirty percent of your customers don't do the reset and...back to the above. Another twenty percent perform the reset, then decide they want to change their passwords to something stronger, or check on their account info and...find they can't make any changes there.

It damages the business's reputation.

For instance, if your account maintenance is non-standard, then what else about my account isn't being handled in a standard way?

  • Is my password being stored securely (using a one-way hash at minimum)?
  • Is there auditing of changes in place?
  • If so, why does there need to be auditing in place? Why is any employee able to directly change a user's security information? That is fundamentally insecure.

From bad to worse

I asked above, again, to get my shipping notification email changed. That's bad. It means two things:

  • The original request was never honored, so Blackwing's reputation with me is soured.
  • There's no automated system in place to update the shipping and notification information from the customer account information. And I've experienced this. I have zero confidence that, if I were to change my address online, my shipments would come to my new address. It's failed before, and the changes to account management make me trust the system less, not more.

What To Do

While there can be a lot to consider when it comes to account security (see References), they are by-and-large known and solved problems. If Pencils/Blackwing site developers don't know how, they need to (not should) hire someone to implement the features properly and securely.

For instance, the answer to resetting a password (the Forgot Password scenario) is to send a reset URL that's unique to that reset request, and will expire. An answer to changing the email address, which is also the account id, is to likewise send a confirmation URL.

I've spent about an hour and a half on this email, which I've posted to my blog: An Open Email To Blackwing602.Com About Their Poor Account Security

As a customer, I'd like two things:

  • A confirmation you've received and read, even if you don't agree.
  • An assurance this email will be forwarded to the IT and Sales directors. IT because it's a security issue, and Sales because it's a customer-retention issue.

On the positive side, I truly do love my Blackwings, and am grateful the brand was revived. I'm asking you to be the messenger--I don't consider you responsible for these problems, and I value your courtesy.

References

These are just two discussions, from security expert Troy Hunt, of the problems of web site security. But notice that "don't allow changes" never comes up as a solution. Because it isn't.

Sincerely,

Charles L Flatt
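The reset and confirmation links described under "What To Do" above, sketched as an added example that is not part of the original email and is not Blackwing's or Shopify's code. The class name, the 30-minute lifetime, and the in-memory dictionary standing in for a database table are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime; the email only says the link "will expire"


class ConfirmationLinks:
    """Single-use, expiring tokens for password resets and email changes (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (account_id, purpose, payload, expires_at)

    def issue(self, account_id, purpose, payload=None):
        """Return the secret to embed in the emailed URL; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unique per request
        # A new request invalidates any earlier link for the same account and purpose.
        self._pending = {d: r for d, r in self._pending.items()
                         if (r[0], r[1]) != (account_id, purpose)}
        self._pending[self._digest(token)] = (
            account_id, purpose, payload, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, purpose):
        """Return (account_id, payload) exactly once for a valid token, otherwise None."""
        record = self._pending.pop(self._digest(token), None)  # pop makes it single-use
        if record is None:
            return None  # unknown, already used, or superseded
        account_id, stored_purpose, payload, expires_at = record
        if stored_purpose != purpose or self._clock() > expires_at:
            return None  # wrong kind of link, or expired; token stays consumed
        return account_id, payload

    @staticmethod
    def _digest(token):
        # Storing a hash means a leaked table cannot be replayed as live links.
        return hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    links = ConfirmationLinks()
    # Email change: the link goes to the NEW address, and the address that gets
    # applied is the one stored at issue time, never one supplied with the click.
    token = links.issue("acct-42", "email-change", payload="new@example.test")  # constructed values
    print(links.redeem(token, "email-change"))  # confirmed once
    print(links.redeem(token, "email-change"))  # replay is rejected
```
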

Weekly Sugar: Take a Walk

You've been stuck on a thorny problem for an hour, and the forehead-shaped dents on your desk are going to upset the maintenance department--again. You're about to run out of coffee. The problem is attached to you like a squid on the Nautilus. What's the next step?

Science says the next step is, literally, steps. Take a break and walk. Eyes off screen, don't read your phone. Go outside if you can. The "extra" ten minutes will often save another hour of struggle as you give your brain a chance to do what it's good at: reforming patterns.

Try it today. Stop. Breathe. Take a walk.

Reference

A Response to Jonathan Cutrell's Podcast Episode "Crafting Your Work By Your Strengths"


Up Front

I always look forward to Jonathan's podcast, and rarely find myself critical, but I found this episode somewhat unclear and unfocused. I'd like to help clarify what I think Jonathan wanted to promote.

Key Points

  • Map your skill/knowledge strengths/weaknesses to the job's required core/ancillary skills/knowledge.
  • Improve your weaknesses that are in the job's core.
  • Improve your strengths that are in the job's core.
  • Don't deprecate yourself for weaknesses and mistakes.

Discussion

As developers, workers, and people, we're faced with deciding whether to improve our weaknesses or our strengths, and which ones. We need to do both. Focusing on only one or the other is unlikely to lead to success. There's science supporting that only repeating what you're good at doesn't lead to improvement. However, only working on what you're not good at leads to atrophy of your strengths.

I'm a martial artist. If my left side kicks aren't as good as my right side kicks, then I need to work harder at my left ones. There's an implicit goal of parity. However, we sometimes forget (as students and teachers) that the purpose of that goal is improvement, not achievement. It's OK if my left side kicks are never as good as my right ones. It's also OK if I work hard to make my right kicks amazing.

But--to continue the analogy--should I focus on being able to side kick to someone's head who is over six feet tall and hold that kick in place? Some kata competition champions can do this. It's their strength. It's not mine. The short answer is "no," because this is important in the context of competition, but not in my interest which is daily health and self-defense.

With that context, let's go back to the podcast and pull the benefit from it. What's a way to help clarify which job skills we should improve?

Create two lists. One is your skill/knowledge strengths and weaknesses. The other is the job's required core and ancillary skills/knowledge.

Skill/Knowledge Lists

( * Starred items are ones I'm naturally good at.)

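ME                              | JOB
--------------------------------+---------------------------------
Strong                          | Core
Tenacity*                       | C#
System Organization*            | Customer requirements gathering
Understanding Customers' Needs* | REST-ful APIs
C#                              | Scalable architecture
WebAPI                          |
Documentation                   |
--------------------------------+---------------------------------
Weak                            | Ancillary
Self-confidence                 | Employee management
Proven scalability experience   | Documentation
Python                          |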

To meet the job's needs, we should always work on the core skills. Given these lists, here's what I'd recommend the fictitious developer focus on improving:

  • C#, keep improving
  • Customer needs, leverage your strength into becoming an expert
  • WebApi, keep improving
  • Scalable architecture, work hard at improving this weakness

And don't spend much time on:

  • System organization, Tenacity, or Documentation, you're already good enough
  • Personnel management

Wrap Up

I really think this is the essence of what Jonathan was trying to say, but--unusually--the message got lost on a first listen. I'd say a few lesser episodes out of almost seven hundred is pretty darn good.

Thanks, Jonathan!