    Miva Account Flaw

    The Miva account system is flawed. We make accounts optional and as a result, many of our customers who have shopped as guests mistakenly believe they have an account so they enter their email or what they believe is their username and then follow the forgotten password routine. When they get no response they do the whole thing again and again until they are plenty pissed and send us angry emails.

    When they enter a username that does not exist they should not be able to access the forgotten password screen. Instead, they should be told that the username does not exist. Something like:

    "We have no record of an account with username “______”.
    You may have created your account with a different username or you may have made your previous purchases as a guest. Accounts are always optional at this web site and are only used to remember your contact information for reordering convenience."

    I think this would result in fewer annoyed customers.
    Bill Dunn
    SunCam, Inc.
    http://www.SunCam.com
    [email protected]

    #2
    Re: Miva Account Flaw

    I believe the intent of the way it works currently is to prevent an attacker from determining whether a given email address or username is actually valid. If they are able to determine that remotely without any type of authentication, they can then start trying to log in as that account with random passwords. Or, if they've already hacked someone and are searching for websites where that person has other accounts, this makes it much easier for them.

    For example, currently, at Amazon if someone wanted to determine if [email protected] had an account, they just have to plug it in the forgot password box. It will tell them credentials couldn't be found if that address doesn't exist, but it will say something like "we may or may not have sent a password help email to the address you gave based on whether it is valid or not" if the account does exist. That of course makes no sense since they already tell you if the account doesn't exist if you use a wrong one; perhaps they used to not do that and haven't updated their text.

    I personally don't want people to know what email account I use at Amazon or any other site, so I tend to create unique email addresses for everywhere I shop to intentionally prevent hackers from trying to log in as me if they know any of my email addresses.

    We could probably submit this as a feature request if you'd like more options for how that currently works. I can try to find out if that text is something you can modify; that would be a workaround.
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com



      #3
      Re: Miva Account Flaw

      Unlike Amazon, we don't save credit card numbers so a hacker wouldn't get much from one of our accounts. Usernames are generally not as protected as passwords so I don't personally see the harm of revealing a username. I just tested the forgotten password link on Amazon using my email address with a typo and got this message:

      "There was a problem with your request
      We're sorry. We weren't able to identify you given the information provided."

      That's what I want from Miva but Miva gives no response at all, no email and no onscreen warning. It is a very bad practice.
      Bill Dunn
      SunCam, Inc.
      http://www.SunCam.com
      [email protected]



        #4
        Re: Miva Account Flaw

        This was specifically added during a PCI Audit, and yes for the reasons David mentioned. It's annoying, but it's now considered "best practice".

        You could add a notice that says: For Security Reasons we don't display if you're currently an account holder; if you don't get an email within X minutes, please contact us this other way. Kind of thing.
        Thanks,

        Rick Wilson
        CEO
        Miva, Inc.
        [email protected]
        https://www.miva.com



          #5
          Re: Miva Account Flaw

          Originally posted by SunCam:
          Unlike Amazon, we don't save credit card numbers so a hacker wouldn't get much from one of our accounts. Usernames are generally not as protected as passwords so I don't personally see the harm of revealing a username. I just tested the forgotten password link on Amazon using my email address with a typo and got this message:

          "There was a problem with your request
          We're sorry. We weren't able to identify you given the information provided."

          That's what I want from Miva but Miva gives no response at all, no email and no onscreen warning. It is a very bad practice.

          This is why I combined the account login and order lookup pages. Click account/orders in my header to see what I mean.
          Mark Hood
          Vermont Gear



            #6
            Re: Miva Account Flaw

            Thanks Mark,
            We have a similar setup at suncam.com. On your site I entered my email address and clicked the forgotten password link, and your site said that you sent me an email, same as our site. The problem is that the email never comes, and if I were a real customer of yours I would be frustrated.

            Rick,
            How is it possible that annoying customers is a best practice? Best for whom?
            Bill Dunn
            SunCam, Inc.
            http://www.SunCam.com
            [email protected]



              #7
              Re: Miva Account Flaw

              Bill,

              You'd have to ask the PCI Council and Chase about that one.

              Although what they specifically mean by "best practice" is that you can't do anything to leak whether an account holder has an account using only one piece of data.

              So I should never be able to use just someone's email address to reverse-engineer whether they hold an account at a specific website; that's the opening of a security hole.

              It's also not just about CC info, but even simple things like addresses, since they can be used in Identity Fraud and it's now a criminal (not civil) liability in a couple of states if there's a Personal Information breach (again even just an email address).
              Thanks,

              Rick Wilson
              CEO
              Miva, Inc.
              [email protected]
              https://www.miva.com



                #8
                Re: Miva Account Flaw

                Originally posted by Rick Wilson:
                So I should never be able to use just someone's email address to reverse engineer if they hold an account at a specific website, that's the opening of a security hole.
                What about looking up someone's entire order history with just an email address and zip code? I assume this is okay with the PCI Council?

                Thanks,
                Eric



                  #9
                  Re: Miva Account Flaw

                  We found the "If you don't receive an email in the next X minutes ..." approach worked well to knock down the anger to about a two on a ten scale.



                    #10
                    Re: Miva Account Flaw

                    Eric,

                    From a security perspective that's still considered a best practice (since it's 2 pieces of data) for people who don't have an account.
                    Thanks,

                    Rick Wilson
                    CEO
                    Miva, Inc.
                    [email protected]
                    https://www.miva.com
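                    As an added illustration, not code from Miva or any poster in this thread, the behaviours argued over above side by side: the reset handler Bill asks for, which answers differently for known and unknown addresses; the uniform-response handler with the notice Rick and post #9 describe (the mail is sent only when the address is known, but the page text is the same either way, and unknown-address requests are logged server-side for the store owner, as Leslie's customer wanted); and an order lookup that needs two pieces of data, email plus ZIP, as in posts #8 and #10. The account and order records are constructed sample data.

```python
import logging

log = logging.getLogger("password_reset")

# Constructed sample data for this example, not any real store's records.
ACCOUNTS = {"alice@example.com": "alice"}                   # email -> username
ORDERS = {("alice@example.com", "05401"): ["1001", "1007"]}  # (email, zip) -> order ids
OUTBOX: list[tuple[str, str]] = []                          # stands in for the mail queue


def send_reset_mail(email: str) -> None:
    OUTBOX.append((email, "reset-link"))


def leaky_forgot_password(email: str) -> str:
    """Bill's proposal: tell the visitor outright that the name is unknown.
    Two different answers mean anyone can test an address against the store."""
    if email.lower() not in ACCOUNTS:
        return "We have no record of an account with that email address."
    send_reset_mail(email)
    return "A password reset email has been sent."


def uniform_forgot_password(email: str, minutes: int = 15) -> str:
    """Rick's approach: one answer for everyone. The reset mail goes out only
    for a known address, but the on-screen text never depends on that, so the
    response alone cannot confirm that an account exists."""
    if email.lower() in ACCOUNTS:
        send_reset_mail(email)
    else:
        # Recorded for the store owner only (Leslie's request); never shown to the visitor.
        log.info("password reset requested for unknown address %s", email)
    return (
        "If we have an account for that address, a password reset email is on its way. "
        "For security reasons we do not display whether you currently hold an account. "
        f"If nothing arrives within {minutes} minutes, check your spam folder or contact us; "
        "you may have made your previous purchases as a guest."
    )


def order_lookup(email: str, zip_code: str) -> list[str]:
    """Two pieces of data (posts #8 and #10): an unknown email and a wrong ZIP
    both yield the same empty result, so neither value is confirmed on its own."""
    return list(ORDERS.get((email.lower(), zip_code.strip()), []))
```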



                      #11
                      Re: Miva Account Flaw

                      I'd like to tag along on this one, since I have store owners that are also frustrated with the message customers receive. I have also recommended some sort of message that advises to check the Spam folder and to call if additional help is needed.

                      I have one customer that would like an email sent to them when a failed customer login attempt has been made. They feel it would be a more proactive way to assist their customers.
                      Leslie Kirk
                      Miva Certified Developer
                      Miva Merchant Specialist since 1997
                      Previously of Webs Your Way
                      (aka Leslie Nord leslienord)

                      Email me: [email protected]
                      www.lesliekirk.com

                      Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr
