An Open Email to Blackwing602.com About Their Poor Account Security
I'm a Blackwing pencil fan. But I've had some problems with their web site account management. A few days ago I wanted to verify the email address on my account because I kept getting shipping notifications to an old email address. I wasn't able to log in using either email address, and the error message was that there was no such account.
I emailed Blackwing. Here's the reply I received, and my response. I've emphasized the key statement that triggered my response.
I've just sent an account activation email for your Blackwing account, and once you activate that, you should be able to log in.
With regards to Pencils.com or Blackwing602.com account changes (such as email address), only we can change that on our end (for security). If you need us to make adjustments, let us know.
The [-----------] email address is the one that will have the Volumes shipment.
Please let me know about your security concerns on Pencils.com and I can look into it.
We had recently switched our sites to Shopify, which is one of the most used ecommerce platforms, and it seems we're just experiencing some growing pains from the move. Thank you so much for your patience in this time.
Let us know if you have any questions! I'm also available via phone at [------------], from 8am-5pm Pacific.
Thank you for sending the link. I've reactivated my account. I need to address several points in your email.
Volumes Shipment Email
My email address is [------------]. Please do whatever you have to to get my shipping notification email changed. The address you're using is old, I haven't used it for two years. I've made this request more than once.
Web Site Security
I'm very concerned by your reply on security. I'm a veteran software engineer with twenty-plus years of experience, focused mainly on web applications, so I've had to research and implement web site security.
Below are screen shots of the Blackwing602/Pencils account pages. Let's see what customers can do before discussing what they should be able to do.
From the main page, a customer can only change addresses. Clicking the Edit link opens this page.
What's going on here?
- Is a customer changing this information, or creating a new account?
- Why aren't First and Last name populated?
- If allowed to change password, why no password confirmation field?
- No Back or Cancel link to make it obvious the customer can back out of the changes.
I didn't even try to update anything. Based on our conversation, I didn't trust what would happen.
I want you to read that again. I didn't trust what would happen.
From this main page, there's not even an edit link to--potentially--allow any account information changes.
You say in your email, "With regards to Pencils.com or Blackwing602.com account changes (such as email address), only we can change that on our end (for security)."
I'm sorry to be blunt, but this is dead wrong. It's the opposite of good security and support.
It isn't user-friendly. At all.
Let's say a customer has changed her email address. She's going through all of her sites. She gets to Blackwing/Pencils and doesn't see any way to change her email. She clicks around for a minute. She checks the FAQ. How is she supposed to know that she has to email customer service to change her information? Well, you could put a message on the account page, with an email link to email@example.com. That would be terrible. What's to prevent a DDoS attack on that link? OK, how about a form requesting the change? So now the user is thinking, "If I'm entering my request for change online anyway, why don't they just automate it?"
Another situation. A customer has legally changed his/her name. They have to email Blackwing to make that change? What's more likely, in both the above, is the user gives up, doesn't make the change, and eventually stops buying from the company because it was so easy to change at every other business. He or she had a messy divorce, and doesn't want to be reminded of it.
It isn't secure for a user's worst case.
I submitted my question on May 31. I got your email June 3. That's four days. Let's say a customer finds out he's been hacked. He hasn't been careful, and used the same password at lots of places. Is Blackwing saying he has to wait four days to get his password changed? The question is the same for changing the email. It's suddenly--for the customer--a security risk, an emergency, and Blackwing is preventing an immediate change. Even worse, as stated above, is that the customer has no clue how to even make the change. You just end up with an angry customer.
It implies poor security, because users are giving their changes to a person whom they don't know they can trust.
I trust you. No, wait...do I? If Blackwing is making me email you to change my account, that means I should trust you to enter the information more than myself. What if you get my email wrong? It's going to happen. Now I'm locked out of my account and I have to email you, and it could be on a weekend when there's no response, and I was going to order these items for a wedding anniversary gift, and now they're going to arrive late.
Do you see the problem?
It implies customers should send you their changed passwords. And if they're not, and you're sending them to a password reset form, why not make that available online in the first place?
I think this is self-explanatory.
It isn't scalable in a breach worst case.
Pencils.com has a security breach. Tens of thousands of passwords have been stolen. What next? First, Pencils does the right thing, of course, and notifies their customers immediately. Then, those customers go to the site to change passwords and/or emails and discover...they can't.
OK, so you email everyone a reset link, like you did for me. Thirty percent of your customers don't do the reset and...back to the above. Another twenty percent perform the reset, then decide they want to change their passwords to something stronger, or check on their account info and...find they can't make any changes there.
It damages the business's reputation.
For instance, if your account maintenance is non-standard, then what else about my account isn't being handled in a standard way?
- Is my password being stored securely (using a one-way hash at minimum)?
- Is there auditing of changes in place?
- If so, why does there need to be auditing in place? Why is any employee able to directly change a user's security information? That is fundamentally insecure.
From bad to worse
I asked above, again, to get my shipping notification email changed. That's bad. It means two things:
- The original request was never honored, so Blackwing's reputation with me is soured.
- There's no automated system in place to update the shipping and notification information from the customer account information. And I've experienced this. I have zero confidence that, if I were to change my address online, my shipments would come to my new address. It's failed before, and the changes to account management make me trust the system less, not more.
What To Do
While there can be a lot to consider when it comes to account security (see References), they are by-and-large known and solved problems. If Pencils/Blackwing site developers don't know how, they need to (not should) hire someone to implement the features properly and securely.
For instance, the answer to resetting a password (the Forgot Password scenario) is to send a reset URL that's unique to that reset request, and will expire. An answer to changing the email address, which is also the account id, is to likewise send a confirmation URL.
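As an added illustration of the two mechanisms just described (not code from the original email, nor from Blackwing or Shopify), here is a minimal Python account service that issues single-use, expiring reset and email-confirmation tokens and stores passwords only as salted one-way hashes; the class, method names, token lifetime and hash parameters are assumptions.

```python
import hashlib, hmac, secrets, time

class AccountService:
    """Constructed toy account store (not Shopify's or Pencils.com's code)."""
    TOKEN_TTL = 3600  # reset/confirmation links expire after one hour

    def __init__(self, now=time.time):
        self.now = now      # injectable clock so expiry can be exercised
        self.users = {}     # email -> {"salt", "pw_hash"}
        self.tokens = {}    # sha256(token) -> pending request record

    def _hash_pw(self, password, salt):  # salted, slow, one-way hash
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw_hash": self._hash_pw(password, salt)}

    def check_password(self, email, password):
        u = self.users.get(email)
        return u is not None and hmac.compare_digest(u["pw_hash"], self._hash_pw(password, u["salt"]))

    def _issue(self, kind, email, **extra):
        token = secrets.token_urlsafe(32)  # unique and unguessable; the only copy goes into the emailed URL
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash of it
        self.tokens[key] = {"kind": kind, "email": email, "expires": self.now() + self.TOKEN_TTL, **extra}
        return token

    def request_password_reset(self, email):
        return self._issue("reset", email) if email in self.users else None

    def request_email_change(self, email, new_email):
        # The link is mailed to the NEW address, proving the requester controls it.
        return self._issue("email_change", email, new_email=new_email)

    def _consume(self, token, kind):  # single use: popped on the first attempt, valid or not
        rec = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        return rec if rec and rec["kind"] == kind and rec["expires"] >= self.now() else None

    def complete_password_reset(self, token, new_password):
        rec = self._consume(token, "reset")
        if rec is not None:
            self.register(rec["email"], new_password)  # fresh salt and hash
        return rec is not None

    def complete_email_change(self, token):
        rec = self._consume(token, "email_change")
        if rec is None or rec["email"] not in self.users or rec["new_email"] in self.users:
            return False
        self.users[rec["new_email"]] = self.users.pop(rec["email"])
        return True
```

request_password_reset returns None for an unknown address; a real handler would show the same "check your inbox" page either way, so the form cannot be used to learn which addresses have accounts.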
I've spent about an hour and a half on this email, which I've posted to my blog: An Open Email To Blackwing602.Com About Their Poor Account Security
As a customer, I'd like two things:
- A confirmation you've received and read, even if you don't agree.
- An assurance this email will be forwarded to the IT and Sales directors. IT because it's a security issue, and Sales because it's a customer-retention issue.
On the positive side, I truly do love my Blackwings, and am grateful the brand was revived. I'm asking you to be the messenger--I don't consider you responsible for these problems, and I value your courtesy.
These are just two discussions, from security expert Troy Hunt, of the problems of web site security. But notice that "don't allow changes" never comes up as a solution. Because it isn't.
- Troy Hunt: Everything you ever wanted to know about building a secure password reset feature
- Troy Hunt: Introducing the “Secure Account Management Fundamentals” course on Pluralsight
Charles L Flatt