Until last week, if you wanted to see the password that New Yorker subscribers use to access their accounts online, all you needed was their name and address. That information, of course, is not hard to find; it’s on the label of every issue mailed out, meaning that a magazine with the label still attached passed on to someone on an airplane or in a waiting room is suddenly a security risk.

Independent security researcher Ashkan Soltani and I tested it on a series of accounts (including mine) last week with the subscribers’ permission, entering their names and addresses into the New Yorker’s subscription management website. And there it was, in plaintext: the throwaway password I use for many sites across the Web. As a frequent mover, I'm grateful that it's easy to get into magazines' subscription systems to change my address, but I was disturbed that it was quite this easy and that sensitive information like my password was available there.

Once in the account, a wannabe hacker could change the mailing address for the magazine and see the last 4 digits of a credit card associated with an account. The latter is useful for deeper hacking, as reported in 2012 by Mat Honan in New Yorker's sister magazine Wired; Honan faulted Amazon for displaying the last 4 digits of his credit card, which was a security key that let a hacker take over his Apple account, wresting control of his iPhone and laptop away from him. Honan faulted Amazon, Apple and the technology industry for failing him with "flaws in data management policies endemic to the entire technology industry." But those flaws are not unique to the tech industry; the magazines you subscribe to have them as well.

The New Yorker's case was particularly bad in that it displayed passwords in the clear, but the ease of access to accounts is an issue for the over 400 magazines using a Hearst Corporation-owned company called CDS Global for their subscription management and payment processing. That includes all Conde Nast magazines (Wired, Glamour, Allure, GQ, among others), Playboy, O, Garden and Gun, Forbes, and more, which cater to millions of magazine subscribers. Soltani and I couldn’t find other magazines displaying a person’s password the way the New Yorker was, but all of these magazines will let someone access your account with some variant of the information on your mailing label.

Passwords are not on display in the clear anymore, the characters replaced with *s. When the New Yorker issue was pointed out on a security mailing list, a developer for the magazine responded and said they were “fixing ASAP.” A spokesperson for the New Yorker says the fix was made by CDS Global at their request. "We are planning to email customers who have passwords and let them know about the issue," says New Yorker spokesperson Alexa Cassanos. Update, March 14: The New Yorker sent an email to active subscribers on March 13th. However, when you access a subscriber's account, the last 4 digits of their credit card are still there at last check. "This is not a New Yorker specific issue and should be addressed with CDS," says Cassanos.

Beth Roy, chief client officer for CDS Global, says that magazine publishers choose which information to require at log-in to grant access to their subscribers. Roy said she could not speak to the decisions other magazines had made, but did say that their platform has a feature for publishers allowing them to hash passwords. However, any system that’s designed in a way that ever allows passwords to be displayed in the clear has badly designed defaults.

“We have 11 different alternatives for access to subscriber accounts,” says Roy. “Forbes chose name and address, account number or email address and zip code.” That means to get into a Forbes subscriber's account, you need one of those three combos. I asked CDS Global if their clients had the option of using information beyond what appears on a mailing label to gate their subscribers' accounts.