Friday, October 05, 2007

Kiplinger's Misses On Basic Privacy Issues, Security Breach Shows Order Date and Account Status

We think the content in Kiplinger's various publications is first-rate. That is why there is a company subscription and at least one Consumer Help Web person with a personal subscription.

But imagine our recent horror to see that the publications that do so much to educate consumers miss on the most basic of privacy issues.

A subscription invoice grabbed our attention. Always looking to be cost and time-effective, we went to pay the bill online. That is when we found that Kiplinger's marketers had apparently beaten Kiplinger's lawyers in 2 out of 3 falls.

That can be the only explanation for a "customer service" series that first compels the consumer to divulge an email address so that it can be matched against the physical address. Then the most basic of all issues -- account security -- goes away. We typed in our address and waited for some sort of prompt. Instead, simply providing an email address and the address of a current or past subscriber was enough to gain access to the account.

No top secret information rests there. You likely won't be the victim of identity theft as a result of this. But an unscrupulous financial planner or other person interested in people who read this magazine can mine the list for details without bothering to purchase a subscriber list. Even worse, this open account system even tells anyone the date a subscription was ordered and its payment status.

Here is how we got there:

1) We typed in the catch-all domain for the publishing company and selected "Customer Service":



2) Now we're presented with a publication list:



3) Selecting Kiplinger's Personal Finance magazine gave us more options:



4) Intrigued by not finding an account challenge yet, we soldiered on:



5) We next used the oldest trick in the book and entered the email test@test.com as "our" email address. (Note that we don't know who owns this address, but we know we don't.) Doing this led us to an email search that came up empty. Now Kiplinger's allows us to associate an active account with that dummy email address and gives us access to the account.



6) Finally, we entered our name and address. Remember, we haven't been challenged for any personal information. We were given immediate access to the account even after we had properly registered with a real email address. We've left a little of each address line in this image to show how the system parrots the information back after confirming that a subscription exists:



7) We're immediately given access to the account with no passwords, no name challenges or security. We had not even paid for 8 weeks, although to be completely honest, we don't usually pay until the first issue is sent.
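To make the failure in steps 5 through 7 concrete, here is a small model of the two lookup flows: the one the post describes, where an unknown email simply falls through to a name-and-address search that then links the typed-in email and discloses order date and payment status, and a hardened version that only ever sends a single-use sign-in link to the email already on file and answers every lookup identically. This is example code written for this post, not Kiplinger's software; the accounts, names, addresses and class names are all constructed.

```python
# Toy model of a subscriber "customer service" lookup (constructed example,
# not the publisher's code). WeakPortal mirrors the flow in steps 5-7;
# HardenedPortal shows the checks a defender would expect instead.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: str
    name: str
    postal_address: str
    email: Optional[str]      # None if the subscriber never registered one
    order_date: str
    paid: bool


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive key for comparing names/addresses."""
    return " ".join(s.lower().split())


def make_accounts() -> list:
    # Constructed sample subscribers (not real people or addresses).
    return [
        Account("10001", "Jane Reader", "1 Example St, Springfield",
                "jane@example.com", "2007-08-01", False),
        Account("10002", "Sam Subscriber", "2 Sample Ave, Shelbyville",
                None, "2006-11-15", True),
    ]


def _find_by_address(accounts, name: str, address: str) -> Optional[Account]:
    return next((a for a in accounts
                 if _norm(a.name) == _norm(name)
                 and _norm(a.postal_address) == _norm(address)), None)


class WeakPortal:
    """The behaviour described in the post: the email is only a hint."""

    def __init__(self, accounts):
        self.accounts = accounts

    def lookup(self, email: str, name: str, address: str) -> Optional[dict]:
        # Step 5: an unknown email is not rejected; the search falls through
        # to name + address, which any public directory can supply.
        acct = next((a for a in self.accounts if a.email == email), None)
        if acct is None:
            acct = _find_by_address(self.accounts, name, address)
        if acct is None:
            return None
        # Steps 5-7: the caller's email is silently attached to the account
        # and the record is handed back with no challenge at all.
        acct.email = email
        return {"account_id": acct.account_id,
                "order_date": acct.order_date, "paid": acct.paid}


class HardenedPortal:
    """Same lookup, but access requires control of the email already on file."""

    GENERIC = ("If we found a matching subscription, a sign-in link "
               "has been sent to the email address on file.")

    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}   # sha256(token) -> account_id, single use
        self.outbox = []    # (recipient, token) pairs a mailer would deliver

    def begin_lookup(self, name: str, address: str) -> str:
        acct = _find_by_address(self.accounts, name, address)
        # Only the address on record receives the link; a caller-supplied
        # email is never accepted here, so a stranger cannot attach a mailbox.
        if acct is not None and acct.email:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = acct.account_id
            self.outbox.append((acct.email, token))
        # Identical reply whether or not a subscription exists, so the form
        # cannot be used to confirm who subscribes.
        return self.GENERIC

    def complete_lookup(self, token: str) -> Optional[dict]:
        digest = hashlib.sha256(token.encode()).hexdigest()
        account_id = self.pending.pop(digest, None)   # consumed on first use
        if account_id is None:
            return None
        acct = next(a for a in self.accounts if a.account_id == account_id)
        return {"account_id": acct.account_id,
                "order_date": acct.order_date, "paid": acct.paid}


if __name__ == "__main__":
    weak = WeakPortal(make_accounts())
    print("weak:", weak.lookup("test@test.com", "Jane Reader",
                               "1 Example St, Springfield"))
    hard = HardenedPortal(make_accounts())
    print("hardened:", hard.begin_lookup("Jane Reader", "1 Example St, Springfield"))
    print("outbox:", hard.outbox)
```

In the hardened flow a subscriber with no email on file (the second sample account) gets no self-service path at all; a real system would route that case to something only the subscriber holds, such as the account number printed on the mailed invoice, rather than fall back to a name-and-address match.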



Our point in this is not to embarrass a good publisher. Instead, we shared this today so that as smart consumers you know to demand better data security everywhere. In a world where even good security systems get hacked, leaving basic information open, no matter how trivial, is inexcusable.

One final note: Kiplinger's owns all images of its site. They were retrieved on a personal computer in an individual's home. We did play with three executives' addresses available through public, unpaid Internet searches, including that of Knight Kiplinger, but ultimately changed no record except one belonging to us. And yes, we paid for our subscription.
