Zappos has remained tight-lipped about the nature of their data breach this week. As many as 24 million consumer accounts may have been accessed through an attack on their server in Kentucky. That is as detailed as they’re willing to go. Full credit card numbers were not stolen, since those were stored separately. It would seem that they expect that security measure to reassure consumers of their multi-tier, rock solid security system, but as far as we’re concerned, perceived security does not equal actual security, and the breach that disclosed passwords for user accounts breaches actual security.
Some facts that the typical ecommerce consumer should be aware of:
- Too many users have a single set of login credentials (username and password) for all their online accounts. That means, when someone gets their info from Zappos, they can use it to access Facebook, Amazon, online magazine subscriptions, PayPal, email, gaming sites, online banking, and more.
- “Fixing” an alphanumeric password breach with new alphanumeric passwords doesn’t actually “fix” anything. If I know the guy trying to break into my house is a locksmith, I don’t just cut a new key – I install security measures that a locksmith isn’t an expert in.
- Zappos has chosen the path of least resistance – deploying consumers themselves to fix the breach. Zappos users have to follow instructions given in an email (which may have gone into spam folders), change their passwords, and email Zappos with any questions or concerns. Anyone with an email address they don’t regularly check, an overactive spam filter, or the ‘grandma’ syndrome (not computer savvy, and likely suspicious of ‘official’ email communication) may fall through the cracks.
- Changing the Zappos password doesn’t change all the other similar or identical passwords the consumer uses on other accounts, leaving their customer base open to further attack elsewhere.
One of the key takeaways from this is that ecommerce systems should not be based on ‘security’ systems that rely on users’ unreliable alertness. Users expect the systems that hold their sensitive information to bear the burden of iron-clad security for their data. Strong, two-factor authentication systems aren’t just an option in today’s online environment – they are where the market is heading by default and by necessity. Zappos has shown us exactly how not to handle a data breach. Of course, if more systems used strong mutual authentication, we’d see decidedly fewer breaches like the one this weekend.