How to Suck At Security, By Verizon

I switched to Verizon FIOS a couple of weeks ago. I live in the U.S, so I don’t have access to anything resembling a good Internet provider. This is because a central tenet of our form of capitalism is that utilities must be delivered by poorly run and weakly regulated monopolies.

However I do live in area where I have a choice between a slowly dying cable company in the throes of denial (check out that 90s web design) and a company that only exists because the government won an antitrust suit and then let them ignore it.

I switched to Verizon because they finally offered what I wanted: just Internet. Cablevision advertises they will give you that, and then refuses to actually sell it to you.

So yesterday I realized a bill I was supposed to receive from Verizon hadn’t arrived. I wanted to pay it before I ended up in some kind of debtor’s prison, or worse, without access to Netflix. I went to their site, paid the bill, and while I was there I set my password to a stronger one than I had set up during the install, and also set the “secret question.”

Eighteen hours later I received this text message:


This seemed to be an alert regarding the changes I had made. But eighteen hours later? Really?

I decided to be safe and change them again. I could be sure the account hadn’t been compromised somehow and also see how long it really takes to get the alert.

Here’s the options for security questions:security questionsThe idea behind these questions is “something you know” beyond the password. It’s two factor authentication for companies that don’t really give a crap about their customers, but want to avoid a lawsuit.

The problems with Verizon’s pre-canned questions are two-fold:

What if you don’t have a good answer? For example: what if you’re single? What if you’re older than 12 and don’t have a “best friend?” What if you didn’t stay on campus for college or, gasp, didn’t even go? Etc.

This seems like a trivial issue, but if the questions don’t fit well there’s a chance you’ll use an answer that you can’t remember later.

The other problem is: they can be predicted. If another site is compromised and used the same lame-ass questions, those answers can be used to compromise this one, or vice versa.

The right way to handle this is to let me specify the both the question and the answer. It also requires very little additional development and testing.

Assuming, of course, that you are not trying to spend as little as possible on protecting your clients’ information.

Now here’s where you enter the answer:

enter answer

You only enter it once, and you never see it. What could go wrong?

When was the last time you entered a password, credit card number, or the name of your favorite pet, and was worried about someone watching over your shoulder?

Actually, when was the first time?

I’m going to go out on a limb here: fucking never.

This is an idiotic idea, cooked up by someone way too fond of 1974 Gene Hackman movies. Maybe, just maybe, this precaution is merited for cell phones, although if you think about it: if they can read your screen then watching what you type isn’t much of much of a stretch, is it?

But if you think you’ve got a problem  with people reading your passwords over your shoulder at work or at home on a computer you need a divorce lawyer or a recruiter. Or counseling.

At least give us a “show password” check box. Or maybe take a moment to think instead of following the flock over the cliff of shitty design.

Which brings us here:

No LastPass controls.

I use LastPass to manage my passwords. That’s because like most people in 2016 I have a ton of them to worry about. I like my passwords long and unique. (There’s a joke in there. I’ll leave it to you.) When I see a story or get a email that a website I use was compromised, I don’t have to worry. I can just update that one site and carry on.

LastPass creates unique passwords for me and will will fill them out. At least it will fill them out when the website doesn’t make it difficult with fancy pop-ups, lightboxes, and blatant disregard for their users. Some sites, like Verizon, don’t work with password managers.

I don’t blame low budgets for this one. I blame crappy design. Part of designing a login page/control/dialog should be testing compatibility with password managers built into browsers and at least 1Password and LastPass.

Encouraging your users to manage their passwords responsibly is good security and part of being user-friendly.

I wish I could say that Verizon’s crappy website was somehow unique, but it’s not, and I’m willing to bet it’s ample whitespace (literally), sparse design, and fancy lightboxes won some compliments: from people that don’t have to use it.

However, eighteen hours for a security text? That is uniquely bad. That’s “boy who cried wolf” bad.

By the way, it’s been two hours since I re-updated my password and security question. Still no alert.

Maybe I should find another Internet provider. Ha! Just kidding. I’m American.

Leave a Reply