Large companies spend a lot of money on keeping customers safe, but many also create loopholes that, while making it faster and easier to buy stuff, enable hackers to rob you.
Should companies make you safer or make it more convenient for you to use their products? And is it better to actually keep you safe, or to put you through frustrating processes just so you think you’re safe? The answers don’t always have your best interests at heart.
Here are some of the most common ways companies make life easier for hackers. This is by no means a complete list — we won’t talk about storing passwords in plain text, for example — but it should cover the basics in lapsed judgment.
Allowing a password bypass before purchasing with PayPal
You probably don’t like entering passwords. Most people don’t — it’s a monotonous task that can quickly become more frustrating if you mistype or misremember a password. Allowing people to avoid entering passwords is a big win for convenience, but it’s also a problem whenever money is changing hands.
Say you’ve set up a PlayStation Network account. You can use PayPal to add funds to a digital wallet that is then used to purchase items. This circuitous method of buying things feels more secure — two logins have to be compromised but it isn’t. If someone learns your PlayStation Network credentials, and you decide not to require a password every time PayPal is used to add funds to your wallet, that person can steal untold amounts of money from you without your knowledge.
Letting you set four-digit PINs instead of requiring a password
Here we go with the passwords again. This time it’s about letting people set PINs instead of requiring them to type a password. Sounds great! But the consequences range from making you slightly less secure (using a PIN instead of a passcode on iOS) to dangerously insecure depending on how they’re used.
Consider the warning from France’s Chair of the National Data Protection Commission that Windows 10 users can set a PIN for their Microsoft accounts. That isn’t too bad … except someone can guess at that PIN as many times as they like, which means your account is secured with the digital equivalent to a Rubik’s cube: Eventually someone’s going to stumble upon the way to solving the issue.
Making you use predetermined security questions (and answers)
Let’s say you live in the United States and you pay your taxes. This is easier (though by no means “easy”) if you set up an online account with the IRS. In doing so, you discover that the IRS requires you to set up security questions, and it’s come up with a handy drop-down list of acceptable queries for you to answer.
That’s a horrible idea. Most pre-generated questions rely on public information. It’s not hard in the Facebook age to find out someone’s first address, or their mother’s maiden name, or the name of their first pet. Your account is actually less secure because someone can use this easily collected information to access it.
Requiring you to frequently change your passwords
Alright, so you’ve found a password that is easily typed and remembered. Great! Now repeat that process in the next 90 days, please, because we still believe that using a password for a long time is a security risk. Is that true? Are people safer if they regularly change their passwords instead of using them in perpetuity?
No. Changing passwords is a security risk, as the FTC has continually pointed out because it encourages you to use bad passwords. An insecure password is practically an invitation to have an account hacked.
Leaving you vulnerable to social engineering hacks via customer support
Many companies pride themselves on customer service. It’s their job to make you happy so you don’t complain, take your money elsewhere, and recommend that people stop going to that particular business in the future. But sometimes the systems designed to make you happy can be used against you.
Just look at Amazon. The company is famous for its customer support — it’s often willing to do just about anything to make sure its customers keep coming back. Yet someone could use that desire to break into your account using public information (there we go with that again) with relative ease.
Forcing you to comply with arcane password requirements
This is the last time we’re going to talk about passwords, promise. But it’s worth noting that password requirements that make you add a number, a capital letter, a symbol, and whatever other glyphs a company can force you to type doesn’t really make you more secure. It’s supposed to, and it feels like it does, but it doesn’t.
Passwords have to be unique, secure, and convenient to enter. Adding requirements should make it more secure, but in reality it just makes people come up with systems for new passwords, especially when combined with other issues like the need to change a password at regular intervals. Instead of using something strong, like “Cq6U/?i8zV,” you end up using “p4ssword1” and “p4ssword2” or something similar. Those passwords are easy to guess, and if one is compromised, any passwords using a similar formula will also be affected.