Sunday, January 19, 2014

Internet Security at its worst..?

Last week I had to renew my car insurance. Sure, I work for an insurance company, but I'm a customer too; I want to shop about and get the best product/price for me.

I'm not going to name the company, but I will describe the process, then send them details of this blog entry.

So, my renewal comes through.  They kindly send me a link along the lines of...

https://www.[insurance company name].co.uk/renewmotor?policy=[policy number]

Kindly, this quick little link allows me straight in to my policy. How convenient. It did show a login screen with my details populated; I just had to click the login button.

Before I proceeded I noticed the password starred out and a toggle switch next to it.  Yup, the toggle switch revealed my password to me.

WTF?   Surely not.

Why is this so bad?

Firstly, emails are not secured. So anyone could get access to its contents. Secondly, it was just my policy number in the URL. Anyone could guess this. Or if I'd had an accident, I'd have had to reveal my policy number to the third party.

So, from my policy number, you've now got access to my account?   I hope not.  I've got personal information in there, like name, address, date of birth and MY PAYMENT INFORMATION.

But to have a pre-populated password that has a toggle switch allowing me to view my actual password?   What's the point in password protecting the site in the first place?

I've thought about how this could be done safely and I can't work out a way.

Maybe they've pre-populated the password as I already had an authenticated session on their site?  I don't think I did.  Even so, they shouldn't be releasing my password to me, they should just log me straight in.

Maybe they'd written a cookie to my machine..?  But with my password in clear text in a cookie?  Nope, that's not secure either.

Maybe when I clicked on the link, they've dragged my password out of the database and repopulated it server side? What?! They're not encrypting my password in their database? Even if it's encrypted, they must have two-way encryption on the go, which is also bad. What's the point in encrypting a password if it can be decrypted again?

No matter how I think about how they've done this, I can't think of any way it's been made secure. I just wish I'd taken a few screenshots to show this, as now I'm out of my renewal period, I no longer have access to that functionality on their site.
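Added example, not the insurer's code and not part of the original post: a Python sketch of the storage model argued for above, where the server keeps only a salted one-way hash, so a renewal link can prefill the policy number taken from the URL but has no password to put in the form. The account store, the `POL-0001` policy number, the `/login` path and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from html import escape

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password, salt=None):
    """Return (salt, digest). The digest cannot be turned back into the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Re-derive the digest from the candidate and compare in constant time."""
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


# Constructed account store keyed by policy number (hypothetical schema).
_salt, _digest = hash_password("correct horse battery staple")
ACCOUNTS = {"POL-0001": {"salt": _salt, "digest": _digest}}


def render_renewal_login(policy):
    """Build the login form for a link such as /renewmotor?policy=...

    Only the policy number from the URL is echoed back (HTML-escaped, since it
    is attacker-controllable input). The password field never gets a
    server-side value: the store holds nothing that could be placed there.
    """
    return (
        '<form method="post" action="/login">'
        f'<input type="text" name="policy" value="{escape(policy, quote=True)}">'
        '<input type="password" name="password" autocomplete="current-password">'
        "<button>Log in</button></form>"
    )


def login(policy, password):
    """Knowing the policy number selects an account; only the password authenticates."""
    account = ACCOUNTS.get(policy)
    if account is None:
        return False
    return verify_password(password, account["salt"], account["digest"])
```

With this model, any password that appears in the field of such a page was put there on the client side, for example by the browser's saved-password autofill.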


1 comment:

  1. I've been very impressed with the insurance company since I raised my concerns. Not only did I get a response from a senior member of staff saying they would look into this as a matter of urgency, they have also replied with a detailed explanation saying how there is no risk.

    The policy number in the Id is not used for authentication. I was actually tricked by my own browser into thinking it was.

    I hadn't realised that my browser had saved my password. The reveal password functionality is a trick that simply swaps the password box for a normal plain text text box. It must have been this that got me fooled.

    It is my browser that is storing my password insecurely, and (thankfully) not my insurance company.

    The explanation they gave about how their passwords are stored and secured was very detailed and thorough.

    I'm pleased I raised the issue as it did look worrying at first. I'm even more pleased with the way the company dealt with my query and gave me a good explanation. They could easily have fobbed me off or ignored me.

