Jun 16, 2012

Security FAIL

A couple of years back, I wrote a quick post about some phishers who tried to collect my WoW account. I pretty much view any email that even mentions my password as suspect, so when this arrived yesterday from BestBuy, alarm bells started ringing:

Dear Valued Best Buy Customer,
At Best Buy®, we work hard to keep BestBuy.com® secure for our millions of customers, and we routinely conduct security assessments of the site. While we continue to vigilantly work to protect your information, we are asking you to take a few minutes today and update your account.
We are currently investigating increased attempts by hackers around the world to access accounts on BestBuy.com and other online retailers’ e-commerce sites. These hackers did not take username/password combinations from any Best Buy system; they appear to be using combinations taken elsewhere in an attempt to gain access to BestBuy.com accounts. (For additional information on this fraudulent activity, please visit the Merchant Risk Council website.*)
Our investigation indicates that your account may have been accessed by these hackers. We are taking action now to help protect your account; we have disabled your current password, and ask that you take a few minutes to reset it. [Emphasis mine - Z]
To reactivate your account, please do the following:
• Visit BestBuy.com Password Reset
• Establish a new password
• Validate that your personal information is correct
We recommend that you change your password regularly, and choose a username and password combination that is different from those you use elsewhere online. For more information on how to protect your personal information, view the BestBuy.com privacy policy.
We apologize for any inconvenience this may cause. Thank you for your help.
Lisa Smith
Vice President
Best Buy Enterprise Customer Care
(All those "links" are dead by my hand.)

The "from" header appeared legit. It was sent to the correct email address. The links appeared to go to bestbuy.com sites when I hovered over them. Out of curiosity, I scooted over to BestBuy's site to see what was what - and sure enough, my account had been disabled. This lends some credence to the email, but clicking links in an email is foolish.

I used the on-site "I forgot my password" link and changed my password using the link they sent in response to my own request. All seems to be OK at this point, but I have to give BestBuy a loud and wet Bronx Cheer for approaching the problem this way. Next time, send your customers an email asking them to go to the site and change their password there; don't send them suspicious emails with links - the very links that security professionals and your own company tell people not to click:
The spoofed email will look extremely similar to one you’d receive from your financial institution or another company you do business with. It might ask you to “verify your account information” or “confirm your billing information”. The link will direct you to a spoofed site that also mimics that of the company they are posing as. When a user visits the fake site, their personal information can be used to create fake accounts in the victim’s name, ruin their credit or even prevent them from accessing their email or account.
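The hover check described above (does each link really land on the domain the message claims to come from?) can be automated for an HTML body. The script below is an added example, not part of the original post: the sample HTML and the sender domain are constructed, and the `registered_domain` helper is a simplification that assumes no multi-label public suffixes such as co.uk. It flags a link when its real target is off the sender's domain, or when the visible link text names a different domain than the href actually points to.

```python
"""Flag links in an HTML e-mail whose real target does not match the sender.

Added example with a constructed message body; it automates what hovering
over each link does by hand.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one look-alike host that merely starts
# with the expected domain, and one whose visible text lies about its target.
SAMPLE_HTML = """
<p>Visit <a href="https://www.bestbuy.com/reset">BestBuy.com Password Reset</a></p>
<p>Or <a href="https://bestbuy.com.example.net/reset">bestbuy.com</a></p>
<p>Or <a href="https://www.example.org/login">https://www.bestbuy.com/reset</a></p>
"""

_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname, e.g. www.bestbuy.com -> bestbuy.com.
    Assumption (simplification): no multi-label public suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname part of a URL, or '' if there is none."""
    return urlparse(url.strip()).hostname or ""


def domain_in_text(text):
    """Domain a human would read in the link text: a full URL or a bare host."""
    t = text.strip()
    if "://" in t:
        return host_of(t)
    if _HOST_RE.fullmatch(t):
        return t.lower()
    return ""


def check_links(html, sender_domain):
    """Return (href, text, reason) for every link worth treating as suspicious:
    the target is not on sender_domain, or the visible text names a domain
    other than the one the href really goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if registered_domain(target) != sender_domain:
            reasons.append("target host %r is not on %s" % (target, sender_domain))
        shown = domain_in_text(text)
        if shown and registered_domain(shown) != registered_domain(target):
            reasons.append("link text names %r but target is %r" % (shown, target))
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, why in check_links(SAMPLE_HTML, "bestbuy.com"):
        print("SUSPICIOUS:", href, "|", text, "|", why)
```

Run against the sample, the first link passes and the other two are reported, each for both reasons. The point of the second sample is the one a plain hover is weakest on: the host begins with the expected name, so it looks right at a glance, but the registered domain is someone else's.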

Fail. Utter and complete fail.
