Now it's not really fair to characterise B&Q customers as stupid. I'm sure I've shopped there in the past and will probably do so again in the future. Those customers were just following instructions from a company they trusted, in the pursuit of making life a little bit easier for themselves, and nobody really deserves to be vilified for that. If they chose what were, let's face it, some pretty dumb password reminders, it was probably because they wanted something that would be obvious to them. If they failed to realise that the answers to these prompts would be pretty obvious to just anybody, it was only because they did not expect that just anybody would be given access to those prompts, and certainly not that they would then be given the actual passwords, right there, on screen.
And so the email we received contained a whole list of usernames and passwords which provided access to customer accounts. Some customers stored their credit details on the site, and although these were not displayed in their entirety on the account details page, any crazed hacker DIY freak (and I'm sure there are more out there than we are given to believe) could have ordered anything they wanted.
With a company the size of B&Q it's a given that every common name will already be in use as a username, and from there it was simply a matter of answering some depressingly simple questions.
This was not purely a technical failure on the part of B&Q. Nor was it purely an intelligence failure on the part of its customers. What went wrong was that B&Q failed to take human nature into account when it designed the security processes for its Web site.
There are some pretty simple lessons to be learnt here: that you should always email passwords back to account holders, and never display them onscreen; that you should use a fixed list of password prompts and never, under any circumstances, let users make up their own password prompt questions. But most important of all, that you should watch how people use the technology you have created. Most likely they'll use it in ways much more stupid than you ever imagined.
Oh, and the answers to those questions:
Cold
Horlicks
Monday
Der
Talkback
Hi Matt,
Question for you... I bought a laptop for my son for college/this year's x-mas gift. Anyway, I was wondering, since it is a college and someone might try to steal it, is there a chip that can be put in the laptop so that the person who steals it can get caught, like through the internet? I am trying to find out through online security sites, but not knowing anything about computers I thought I would ask you. I just would hate to see all the money they rob you for for a laptop go if I could find it when someone steals it. Any or all info you could provide would be greatly appreciated.
Thanks again, Linda
lgibbs0415@aol.com