Ignorance of Security isn’t Acceptable in 2014

I noticed the other day that on one of my accounts for a company I have done business with in the past (lets call them “Marketing File” as that is what they are called) was using what I considered to be a weak password. When I went to change it I found that I couldn’t do it through the web interface but had to call their support department. At this point I could hear the sound of faint alarm bells in the back of my head.

When I called the number and explained that I wanted to change my password I was asked what I wanted it to be. I was a little taken aback but not unduly surprised so I asked “you want me to tell you my password?” to which the blunt reply was “yes”. I explained that I considered that to be a security risk that I wasn’t willing to take and was told that they could already see my existing password. I had already thought that the passwords were being held in plain text but this comment merely confirmed it.

I therefore decided that I would like to close my account and have my details removed. At which point, in order to try and persuade me to stay, I was firstly told that the account was secure as there weren’t any details held on the internet, which was plainly rubbish as you have to login to their website. Next I was told that their site is used by many big organisations spending thousands of pounds with them. This may well be true but is missing the point somewhat as I wasn’t questioning the service just their security or lack thereof.

So I reiterated that I wanted to have my account removed and was informed that they would make it “inactive”. I pointed out that this wasn’t the same thing and I wanted me account removed completely. This I was told wasn’t possible and the best that they could do was to change my details. Given that this was all that was being offered I had no choice but to accept but I have no way of validating that it has been done.

This is such an awful tale of poor security I simply don’t know where to begin. Troy Hunt would have a field day. It is bad enough that the security is as bad as it is on Marketing File but the ignorance shown was just as bad. Given that their primary job is selling business lists full of personal details it makes you wonder how vulnerable that is.