Security, Your On-Line Identity, and ZipRealty’s Poor Example

The purpose of this post is two-fold:

First:  To stress the importance of preserving the security of your on-line identity

Second:  Exposing a company who’s doing an inexcusably poor job of protecting your on-line identity

Most of us don’t realize how insecure the on-line world can be.  You create an account on a website, give it a username and the password of your choosing.  That password is obfuscated with asterisks so someone over your shoulder can’t see it, and many sites even require certain complexity (numbers, upper/lower-case letters, special characters, length, etc) to help assure your password is not easily guessed by a human or a brute-force and/or dictionary attack.  As well, the registration form is usually protected with SSL (aka: Secure Sockets Layer, Transport Layer Security, or when you see https:// in the URL) encryption.  Beyond that, you’ll usually enter an email address where you’ll have to validate that you’re you before you can even proceed on the website.

Sounds like a pretty secure process, right?  In most cases, it is.  The problem with this, is you’re only exposed to how they protect you from OUTSIDE exploits.  Everything mentioned above does nothing to protect you from an INSIDE exploit…and frankly, an inside exploit is FAR more likely than an external one for 99% of the population.  A rogue IT Administrator or Webmaster, or worse yet…an internal company process that ALLOWS employees access to your private information.

ZipRealty is a company that I’ve used for a number of years to help keep an eye on property values in my area.  I set up some criteria for alerts that send me emails, and I had a hankering to make a change to those emails just the other day.  I logged in and found out that the system said I didn’t have any “saved searches”, despite the fact that I was getting emails from them.  So, I asked for help in straightening this out.

When you register at ZipRealty, they assign you to a Real Estate agent.  I’ve had more of these agents assigned to my account than I can keep track of, as it appears they have a fairly high turn-over rate for their agents.  Since all my “alerts” come from this person’s email address, I replied to her.  I asked why it was that I was getting alerts but didn’t seem to have the ability to modify them.  After going back and forth a bit, it came into question whether or not I might have two accounts assigned to the same email address (turns out I didn’t…but that’s not the important part).

In order to verify whether or not this was the case, she emailed me information about my account and asked me, “Is this you?”

Here comes the sad part.  She emailed me, in plain text across the Internet, not only my user account…but my PASSWORD.  It’s bad enough she did that, but the far worse situation is that she actually had ACCESS to my password.  This is an agent that likely signed up to get leads from this service and was randomly assigned to various user accounts.  This person, who will likely not be assigned to me due to turn-over in the next 3 months has access to my username AND password.

The grand point of this post?  There are two of them:

1. Don’t judge a book by it’s cover.  Just because their outward appearance seems secure, does NOT mean the internal workings are anywhere near as secure.
2. Do not use ZipRealty.  If you do?  Change your password to something you do not EVER use anywhere else.  If you have the same username and password on another site…someone from ZipRealty (and possibly other poorly managed companies) has access to that site.  Let’s hope it’s not the same as the account to your on-line banking site.

What’s the best means to protect yourself against inside exploits?

Do not use the same password on any two sites.  I know…I know…how can you remember them all?  Options:

• Build a spreadsheet with all of your passwords (and password protect that spreadsheet.) Also, for good measure, don’t name it “passwords.xls”!
• Use a password management application.  There are lots of them out there.  Assure the ones that store them on-line or in the cloud use master keys and encryption methods that don’t allow anyone but you to decipher them.
• Assuming you have a good password to begin with (secure from outside exploits), you can add characters to this password that pertain to the site you are registering with.  This makes your password unique, albeit only slightly different (and thus, still easy to remember).  For example, if your password is normally “password” (please, tell me that’s not your password)…your new password for ZipRealty.Com might be “ZpassRwordC”.  Be creative, but memorable for you…and not something so obvious that someone looking at ZpassRwordC knows that your WellsFargo.Com password is going to be WpassFwordC.  My example was just a simple example, not a gold standard!

Have you seen similarly poor security practices anywhere?  Have you experienced any security breaches from particular companies?  Please share them in the comments…