Friday, March 7, 2014

Why You Should Rip the Mailing Label Off Your Magazines When They Arrive

Kashmir Hill at Forbes writes:
Until last week, if you wanted to see the password that New Yorker subscribers use to access their accounts online, all you needed was their name and address. That information, of course, is not hard to find; it’s on the label of every issue mailed out, meaning that a magazine with the label still attached passed on to someone on an airplane or in a waiting room is suddenly a security risk.
Independent security researcher Ashkan Soltani and I tested it on a series of accounts (including mine) last week with the subscribers’ permission, entering their names and addresses into the New Yorker’s subscription management website. And there it was, in plaintext: the throwaway password I use for many sites across the Web. As a frequent mover, I’m grateful that it’s easy to get into magazines’ subscription systems to change my address, but I was disturbed that it was quite this easy and that sensitive information like my password was available there.
Once in the account, a wannabe hacker could change the mailing address for the magazine and see the last 4 digits of a credit card associated with an account. The latter is useful for deeper hacking, as reported in 2012 by Mat Honan in New Yorker’s sister magazine Wired; Honan faulted Amazon for displaying the last 4 digits of his credit card, which was a security key that let a hacker take over his Apple account, wresting control of his iPhone and laptop away from him. Honan faulted Amazon, Apple and the technology industry for failing him with “flaws in data management policies endemic to the entire technology industry.” But those flaws are not unique to the tech industry; the magazines you subscribe to have them as well.
The New Yorker’s case was particularly bad in that it displayed passwords in the clear, but the ease of access to accounts is an issue for the over 400 magazines using a Hearst Corporation-owned company called CDS Global for their subscription management and payment processing. That includes all Conde Nast magazines (Wired, Glamour, Allure, GQ, among others), Playboy, O, Garden and Gun, Forbes, and more, which cater to millions of magazine subscribers. Soltani and I couldn’t find other magazines displaying a person’s password the way the New Yorker was, but all of these magazines will let someone access your account with some variant of the information on your mailing label.
